CWP DNS Auditing, Automation for Cloudflare DNS Synchronization, and Gmail (Email) Deliverability

Over the years I made some sloppy edits and god knows what tech support might have done to the DNS records.

I used Gemini's CLI tools to do an audit of the DNS and email deliverability. This saved me soooo much time and frustration.

The following is published here "https://i-cloud.ltd/cwp-dns-manual/" and you can get the script and manual for this

Download Manual (TXT) & Download Sync Script (Python)

CWP DNS Auditing, Automation for Cloudflare DNS Synchronization, and Gmail (Email) Deliverability Manual

Authoritative Synchronization between CWP Control Web Panel and Cloudflare

Contributor Attribution: J:Mc @ i-cloud.ltd

1. Introduction

Managing DNS records across multiple domains is one of the most critical yet error-prone tasks for a system administrator. While CentOS Web Panel (CWP) provides a robust environment for local mail and web hosting, maintaining consistency with external DNS providers like Cloudflare often requires tedious manual entry.

Small discrepancies such as a mismatched DKIM key or malformed SPF records can instantly degrade a domain's sender reputation, causing legitimate emails to be flagged as spam or rejected entirely by providers like Gmail and Outlook. This manual outlines a standardized, CLI-driven workflow to automate the synchronization of local server records with Cloudflare, ensuring 100% compliance with modern email deliverability standards.

2. Core Purpose & Strategic Value

The primary objective of this automation is to ensure that the "local reality" of the server (the keys and IPs actually in use) is perfectly reflected in the "public reality" of the global DNS.

Key Use Cases:

  • Production Environment Drift: Over time, manual edits or CWP updates can lead to duplicate SPF records or redundant MX entries. This process identifies and prunes those errors automatically.

  • Server Migration Scenarios: When moving domains to a new server or a new IP address, the ability to bulk-update records across dozens of zones via the CLI saves hours of manual UI work.

  • New Server Provisioning: During initial builds, the workflow allows you to generate keys locally and "push" them to Cloudflare in seconds.

  • Automated "Overwrite" Logic: Our CLI approach performs a true "diff," deleting stale records and updating active ones to ensure a clean, authoritative state.

3. Preliminary Configuration

Cloudflare API Integration

Security is paramount. Create a scoped token in the Cloudflare Dashboard with Zone - DNS - Edit and Zone - Zone - Read permissions. Use IP filtering to restrict the token to your server's IPv4 address.

Server-Side Preparation

# Initialize an isolated environment
python3 -m venv venv
source venv/bin/activate

# Install required dependencies
pip install cloudflare httpx

4. Local BIND Audit & Correction

Before syncing, the local BIND zone files (/var/named/*.db) must be syntactically correct.

  • Quoting TXT Records: Ensure all TXT values, particularly DMARC and SPF, are enclosed in double quotes.

  • SPF Optimization: Use a clean IP-based string: "v=spf1 +a +mx +ip4:YOUR_SERVER_IP ~all"

  • Zone Reloading: sudo rndc reload domain.com

5. Executing the Synchronization

We utilize the sync_cloudflare_dns.py script to perform the synchronization.

# 1. Export Token
export CLOUDFLARE_API_TOKEN='your_secret_token'

# 2. Validation (Dry-Run)
python3 sync_cloudflare_dns.py domain.com local_template.txt

# 3. Execution
python3 sync_cloudflare_dns.py domain.com local_template.txt --run

6. Global Deliverability Checklist

  • SPF: Single, valid record including your server's IPv4.

  • DKIM: Public key in Cloudflare must exactly match the server key.

  • DMARC: A policy of at least p=none; p=quarantine is recommended.

  • Network Protocol: Force mail traffic over IPv4 if IPv6 PTR is missing: sudo postconf -e "inet_protocols = ipv4" && sudo systemctl restart postfix

I hope this is useful to you.
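
An added example, not part of the original post and not the sync_cloudflare_dns.py script it links: a small auditor that applies the section 4 quoting rule and the section 6 checklist to BIND zone text. The function names, the 203.0.113.10 address, the key strings and the `public_dkim` mapping (standing in for values read back from Cloudflare) are assumptions constructed for illustration; it expects every record to carry an explicit owner name.

```python
import re

def txt_records(zone_text):
    """Return (name, value, quoted) per TXT record; multi-line ( ... ) groups are joined."""
    flat = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), zone_text)
    records = []
    for line in flat.splitlines():
        m = re.match(r"([^\s;]\S*)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.+)", line)
        if m:
            rest = m.group(2).strip()
            quoted = rest.startswith('"')
            value = "".join(re.findall(r'"([^"]*)"', rest)) if quoted else rest
            records.append((m.group(1), value, quoted))
    return records

def tag(value, key):  # one tag (e.g. p=) of a DKIM/DMARC record, whitespace removed
    m = re.search(rf"\b{key}=([^;]*)", value)
    return "".join(m.group(1).split()) if m else None

def audit(zone_text, server_ip, public_dkim):
    """Check local zone text against the SPF/DKIM/DMARC checklist; return findings."""
    findings, spf_per_name, dmarc_seen = [], {}, False
    for name, value, quoted in txt_records(zone_text):
        if not quoted:
            findings.append(f"{name}: TXT value is not enclosed in double quotes")
        if value.lower().startswith("v=spf1"):
            spf_per_name[name] = spf_per_name.get(name, 0) + 1
            if f"ip4:{server_ip}" not in [t.lstrip("+") for t in value.split()]:
                findings.append(f"{name}: SPF lacks ip4:{server_ip}")
        elif name.startswith("_dmarc"):
            dmarc_seen = True
            if tag(value, "p") not in ("quarantine", "reject"):
                findings.append(f"{name}: DMARC p={tag(value, 'p')}; p=quarantine is recommended")
        elif "._domainkey" in name and tag(value, "p") != tag(public_dkim.get(name, ""), "p"):
            findings.append(f"{name}: DKIM key differs from the published record")
    findings += [f"{n}: {c} SPF records, only one allowed" for n, c in spf_per_name.items() if c > 1]
    if not dmarc_seen:
        findings.append("no _dmarc TXT record")
    return findings

# Constructed sample data: duplicate SPF, unquoted DMARC, and a DKIM key that drifted.
SAMPLE_ZONE = '''\
@ 14400 IN TXT "v=spf1 +a +mx +ip4:203.0.113.10 ~all"
@ 14400 IN TXT "v=spf1 +a +mx ~all"
_dmarc 14400 IN TXT v=DMARC1; p=none
default._domainkey 14400 IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIIBconstructedLOCALkey" )
'''
PUBLIC_DKIM = {"default._domainkey": "v=DKIM1; k=rsa; p=MIIBconstructedOLDkey"}
```

Calling `audit(SAMPLE_ZONE, "203.0.113.10", PUBLIC_DKIM)` returns one finding per problem in the sample; an empty list means the zone passes these checks.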
