How to Set Up DKIM, SPF, and DMARC in cPanel: A Complete Email Authentication Guide

If your emails sent from cPanel are landing in spam folders or bouncing back, your domain likely lacks proper email authentication. Without DKIM, SPF, and DMARC records configured in cPanel’s DNS zone editor, email providers like Gmail, Outlook, and Yahoo treat your messages as suspicious — leading to poor deliverability and damaged sender reputation. Setting up these three authentication protocols is one of the most important steps any domain owner can take to protect their brand and ensure their messages reach the inbox.

This guide walks through the exact process of configuring DKIM, SPF, and DMARC in cPanel — from locating the right DNS tools to verifying everything is working. Whether you manage your own cPanel server or run a reseller hosting account, these steps apply universally and take roughly 15 minutes to complete.

Understanding the Three Layers of Email Authentication

Before diving into cPanel configuration, it helps to understand what each protocol does and why all three are necessary together.

SPF (Sender Policy Framework)

SPF publishes a list of mail servers authorized to send email from your domain. When a receiving server gets a message from you@yourdomain.com, it checks your SPF record to confirm the sending IP is legitimate. Without an SPF record, spammers can forge your domain in the From header and your legitimate emails may be flagged as suspicious.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic digital signature to every outgoing email. This signature is verified against a public key published in your DNS records. Even if a spammer spoofs your domain, they cannot replicate your DKIM signature because they don’t hold your private signing key. cPanel generates and manages these key pairs automatically through its built-in DKIM manager.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receiving servers what to do when an email fails both SPF and DKIM checks. You can specify: take no action (monitoring only), quarantine the message (send to spam), or reject it outright. DMARC also provides aggregate reports showing who is sending email using your domain, making it invaluable for detecting spoofing attempts.

Step 1: Enabling DKIM in cPanel

cPanel includes a one-click DKIM setup that handles key generation and DNS publishing. Here is how to enable it:

  1. Log into your cPanel dashboard and navigate to the Email Deliverability section under the Email tab.
  2. In the search bar, type your domain name and select it from the results.
  3. If DKIM shows as Disabled, click the Manage button next to it.
  4. Toggle the DKIM status to Enabled. cPanel automatically generates a 1024-bit or 2048-bit key pair, installs the private key on your server, and publishes the public key in your DNS zone.
  5. Click Update and wait 30–60 seconds for the DNS to propagate.

To verify DKIM is active, click the View link next to the DKIM record. You should see a TXT record with a name like default._domainkey.yourdomain.com containing a long base64 string — this is your public key.

Step 2: Configuring an SPF Record

Most cPanel servers already include a basic SPF record created during account setup. However, the default record often needs editing to support third-party senders like Gmail, newsletter services, or transactional email providers.

  1. In cPanel, navigate to the Zone Editor under the Domains section.
  2. Locate your domain and click Manage.
  3. Look for an existing TXT record starting with v=spf1. If one exists, you can edit it. If not, you need to add a new record.
  4. A typical SPF record for a cPanel server looks like this:

v=spf1 +a +mx +ip4:YOUR_SERVER_IP ~all

Customize it for your setup:

  • +a — authorizes your domain’s A record IP
  • +mx — authorizes your mail server IP
  • +ip4:IP_ADDRESS — authorizes a specific IP (include this if your A record points to a proxy like Cloudflare)
  • include:_spf.google.com — add this if you send email through Google Workspace
  • include:spf.mandrillapp.com — add this for Mailchimp or Mandrill transactional emails
  • ~all — soft fail (marks unauthorized senders as suspicious but does not reject)
  • -all — hard fail (rejects unauthorized senders, recommended after testing)

Important: each string in a DNS TXT record is limited to 255 characters. If your record lists many includes, you may need to split it using the include: mechanism. You are also limited to a maximum of 10 DNS lookups in your SPF record (each include:, a, and mx counts as one lookup).
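
The 10-lookup limit applies to the whole evaluation, so lookups made inside an included record count as well. The following Python sketch is an added example, not part of cPanel or any SPF library: it counts lookups recursively over a constructed zone (every example.test name is hypothetical) and flags the limits described above.

```python
import re

# Constructed sample zone (domain -> SPF TXT value); every name here is hypothetical.
ZONE = {
    "example.test": "v=spf1 +a +mx +ip4:192.0.2.10 "
                    "include:_spf.workspace.example.test include:spf.news.example.test ~all",
    "_spf.workspace.example.test": "v=spf1 include:_nb1.example.test include:_nb2.example.test ~all",
    "_nb1.example.test": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_nb2.example.test": "v=spf1 ip4:198.51.100.64/26 ~all",
    "spf.news.example.test": "v=spf1 a mx include:relay.news.example.test exists:%{i}.allow.example.test -all",
    "relay.news.example.test": "v=spf1 mx ip4:203.0.113.0/24 -all",
}
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}  # RFC 7208, section 4.6.4

def parse_term(term):
    """Split one SPF term into (qualifier, name, argument)."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?")
    name, _, arg = re.match(r"([A-Za-z0-9]+)([:=/]?)(.*)", body).groups()
    return qualifier, name.lower(), arg

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include:/redirect= into other records."""
    if domain in path:          # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # [1:] skips the v=spf1 tag
        _, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg.lower(), zone, path + (domain,))
    return total

def lint_spf(domain, zone):
    """Return (lookup_count, warnings) for the SPF record published at `domain`."""
    record, warnings = zone[domain], []
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        warnings.append(f"{lookups} DNS lookups (limit is 10): receivers return permerror")
    if len(record) > 255:
        warnings.append("longer than 255 characters: publish as multiple quoted strings")
    qualifier, name, _ = parse_term(record.split()[-1])
    if name == "all" and qualifier in "+?":
        warnings.append(f"'{qualifier}all' does not restrict any sender")
    elif name not in ("all", "redirect"):
        warnings.append("record does not end with 'all' or 'redirect='")
    return lookups, warnings
```

Calling lint_spf("example.test", ZONE) reports 11 lookups even though the top-level record contains only four lookup terms; the rest come from the nested includes.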

Step 3: Adding a DMARC Policy

DMARC ties SPF and DKIM together and dictates what receivers should do with unauthenticated mail. Without DMARC, any server claiming to send from your domain can do so without consequences.

  1. In the Zone Editor, click Add Record.
  2. Select type TXT.
  3. For the Name field, enter _dmarc (this creates _dmarc.yourdomain.com).
  4. For the TXT Value, start with a monitoring-only policy:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; fo=1

Breakdown of the DMARC tags:

  • p=none — monitoring mode only; no action taken on failures. Start here for a week to see your email landscape without blocking anything.
  • p=quarantine — after monitoring, move to quarantine so failed emails go to spam.
  • p=reject — the most secure policy; unauthenticated emails are rejected entirely.
  • rua=mailto: — receives aggregate XML reports showing who is sending from your domain.
  • pct=100 — applies the policy to 100% of messages (reduce for gradual rollout).
  • fo=1 — generates failure reports for any authentication failure.
Start with p=none and review your DMARC reports after one to two weeks. Once you confirm no legitimate email is failing authentication, upgrade your policy to p=quarantine and eventually p=reject.
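
A small checker for the DMARC tags described above, as an added example (not cPanel's code). It is run against the record from this guide and a constructed mid-rollout record; vendor.example is a hypothetical external report receiver, and the domain comparison is a simplification that does not consult the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def review_dmarc(record, domain):
    """Return notes on a DMARC TXT value published at _dmarc.<domain>."""
    tags, notes = parse_dmarc(record), []
    if record.split(";")[0].replace(" ", "") != "v=DMARC1":
        notes.append("v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        notes.append(f"missing or invalid p= value: {policy!r}")
    elif policy == "none":
        notes.append("p=none: monitoring only, failing mail is still delivered")
    if not pct.isdigit() or int(pct) > 100:
        notes.append(f"pct must be an integer from 0 to 100, got {pct!r}")
    elif int(pct) < 100 and policy != "none":
        notes.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if not tags.get("rua"):
        notes.append("no rua= address: no aggregate reports will arrive")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            notes.append(f"rua target {uri!r} is not a mailto: URI")
            continue
        host = uri[7:].split("!")[0].rpartition("@")[2].lower()
        if host != domain and not host.endswith("." + domain):
            # RFC 7489 section 7.1: an external report receiver must opt in via DNS.
            notes.append(f"external rua host: {host} must publish "
                         f"{domain}._report._dmarc.{host} TXT \"v=DMARC1\"")
    return notes

# The record from this guide, plus a constructed mid-rollout record (vendor.example is hypothetical).
GUIDE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; fo=1"
ROLLOUT_RECORD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:agg@vendor.example"
```

For ROLLOUT_RECORD the checker notes both the partial pct and the external report address, which receivers ignore until the receiving domain publishes the authorization record.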

Step 4: Verifying Your DNS Records

DNS changes can take anywhere from a few minutes to 48 hours to propagate. Here are several ways to verify your records are active:

  • cPanel Email Deliverability tool: Return to the Email Deliverability section. It shows a green checkmark next to each protocol when DNS is properly configured.
  • MXToolbox: Visit MXToolbox and enter your domain. Use the SPF, DKIM, and DMARC lookup tools to check each record individually. MXToolbox also flags common misconfigurations like SPF records exceeding the 10-lookup limit.
  • Command line dig: For a quick check, run:

    dig TXT yourdomain.com +short                      # SPF record
    dig TXT default._domainkey.yourdomain.com +short   # DKIM
    dig TXT _dmarc.yourdomain.com +short               # DMARC

  • Google Postmaster Tools: If you send significant volumes of email to Gmail addresses, set up Postmaster Tools to monitor your domain’s reputation and authentication pass rates.

Step 5: Testing Email Deliverability

Once your DNS records are verified, send a test email to confirm everything works end to end:

  1. Log into your cPanel webmail client (Roundcube or Horde) or configure your desktop email client to send through your cPanel mail server.
  2. Send a test message to a Gmail address, an Outlook address, and a Yahoo address.
  3. Check the full message headers on the receiving side. In Gmail, click the three dots next to the reply button and select Show original. Look for these headers:
     • spf=pass (or spf=neutral if using ~all)
     • dkim=pass (along with header.d=yourdomain.com)
     • dmarc=pass

If any header shows fail or softfail, revisit the relevant DNS record. Common issues include a missing IP in the SPF record, a DKIM key that has not propagated, or a DMARC policy that is too strict for your sending setup.
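
The header check in step 3 can be scripted. This added example (not from Gmail or cPanel) parses an Authentication-Results header and confirms that each pass was earned by your own domain rather than a third party's; the sample headers are constructed, and mx.receiver.example and esp.example are hypothetical names.

```python
import re

def parse_auth_results(header):
    """Parse an Authentication-Results header into {method: [{'result': ..., prop: value}]}."""
    body = header.split(":", 1)[1]
    body = re.sub(r"\([^()]*\)", " ", body)          # drop (comments)
    parsed = {}
    for clause in body.split(";")[1:]:               # first item is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        entry.update(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed.setdefault(method.lower(), []).append(entry)
    return parsed

def check_alignment(header, from_domain):
    """List the checks that did not pass on behalf of `from_domain`."""
    parsed = parse_auth_results(header)

    def aligned(value):
        # Simplified relaxed alignment: same domain or a subdomain (no Public Suffix List).
        host = value.rpartition("@")[2].lower()
        return host == from_domain or host.endswith("." + from_domain)

    problems = []
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        passes = [e for e in parsed.get(method, []) if e["result"] == "pass"]
        if not passes:
            problems.append(f"{method}: no pass result")
        elif not any(aligned(e.get(prop, "")) for e in passes):
            seen = ", ".join(e.get(prop, "?") for e in passes)
            problems.append(f"{method}: pass for {seen}, not aligned with {from_domain}")
    if not any(e["result"] == "pass" for e in parsed.get("dmarc", [])):
        problems.append("dmarc: no pass result")
    return problems

# Constructed headers for illustration; mx.receiver.example and esp.example are hypothetical.
GOOD = ("Authentication-Results: mx.receiver.example;\n"
        " dkim=pass header.i=@yourdomain.com header.s=default header.d=yourdomain.com;\n"
        " spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=you@yourdomain.com;\n"
        " dmarc=pass (p=NONE) header.from=yourdomain.com")
THIRD_PARTY = ("Authentication-Results: mx.receiver.example;\n"
               " dkim=pass header.d=esp.example header.s=s1;\n"
               " spf=pass smtp.mailfrom=bounce@mail.esp.example;\n"
               " dmarc=fail (p=NONE) header.from=yourdomain.com")
```

THIRD_PARTY shows the case that a quick look at the headers misses: spf=pass and dkim=pass are both present, but for the sending service's domain, so dmarc still fails.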

Key Takeaways

  • SPF, DKIM, and DMARC work together as a three-layer defense against email spoofing and domain forgery. None should be skipped.
  • cPanel’s Email Deliverability tool automates DKIM key generation and DNS publishing, making it the easiest place to start.
  • SPF records must include every server that sends email from your domain, including third-party services like Google Workspace or Mailchimp.
  • Begin DMARC with a p=none policy to monitor your traffic without interrupting delivery, then escalate to p=quarantine and p=reject after confirming no false positives.
  • Use MXToolbox and Gmail message headers to verify your records are working before relying on them in production.
  • Review DMARC aggregate reports regularly — they reveal unauthorized senders trying to spoof your domain and help you fine-tune your policy over time.