How to Set Up SPF, DKIM, and DMARC Records in cPanel: A Step-by-Step Guide

by

If you’ve ever sent an email from your cPanel account only to have it land in the recipient’s spam folder — or worse, get bounced entirely — the culprit is almost always missing or misconfigured email authentication. SPF, DKIM, and DMARC are the three DNS-based records that tell receiving mail servers “this email is legitimate and came from an authorized source.” Without them, your domain is wide open to spoofing, phishing impersonation, and deliverability failures.

cPanel makes setting up these records straightforward, but you need to understand what each one does and how they work together. In this guide, we’ll walk through configuring SPF, DKIM, and DMARC step by step, verify everything is working, and troubleshoot the most common issues that trip up site owners.

What Are SPF, DKIM, and DMARC — and Why Do They Matter?

Email authentication is the practice of verifying that an email claiming to come from your domain actually originated from a server you authorized. Here’s what each protocol does:

SPF (Sender Policy Framework) publishes a DNS record listing every mail server authorized to send email on your domain’s behalf. When a receiving server gets a message, it checks the SPF record. If the sending IP isn’t listed, the email fails the SPF check and is more likely to be rejected or flagged as spam.

DKIM (DomainKeys Identified Mail) uses a cryptographic signature attached to each outgoing message. Your mail server signs the email with a private key, and the receiving server looks up your public key in DNS to verify the signature hasn’t been tampered with. This proves the email genuinely came from your domain and wasn’t altered in transit.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM checks fail. It also sends you reports about authentication passes and failures so you can monitor for spoofing attempts. DMARC ties everything together with a policy of none, quarantine, or reject.

Without all three, your domain is essentially an open target for spammers who can forge your “From” address, damage your sender reputation, and harm your email deliverability for legitimate messages.

Step 1: Access the cPanel Email Deliverability Interface

cPanel consolidates SPF and DKIM management inside the Email Deliverability tool. Here’s how to get there:

  1. Log into your cPanel dashboard.
  2. Scroll to the Email section.
  3. Click Email Deliverability.

You’ll see a list of all domains associated with your cPanel account. Each domain shows its current authentication status — green for fully configured, yellow or red if something is missing or misconfigured.

If this is your first time here, most of your domains will likely show a warning. Don’t worry — we’re about to fix that.

What to Look For

The interface displays three columns per domain: SPF Status, DKIM Status, and Overall Status. If any column shows a warning icon or “Not Configured,” that record needs attention. cPanel can automatically generate the correct DNS records for most configurations, saving you from having to memorize syntax.

Step 2: Configure SPF Records in cPanel

cPanel typically enables SPF by default for new accounts, but it’s worth verifying — and expanding — the record to include all services you use to send email.

  1. In Email Deliverability, click the domain you want to configure.
  2. Under the SPF section, click Manage or Edit SPF Record.
  3. Review the generated record. A basic cPanel SPF record looks like this:
    v=spf1 +a +mx +a:server.yourdomain.com ~all
  4. If you use third-party sending services (SendGrid, Mailgun, Google Workspace, Office 365, etc.), add their IP ranges or include mechanisms. For example:
    v=spf1 +a +mx include:_spf.google.com ~all
  5. Click Save or Update. If cPanel manages your DNS zone, it applies the record automatically. If you use an external DNS provider, cPanel will display the exact TXT record value to add manually.

SPF Record Best Practices

Keep these rules in mind when constructing your SPF record:

  • Limit DNS lookups to 10 or fewer. Each include: and mx mechanism counts as a lookup. Exceeding 10 causes a permerror and the SPF check will fail.
  • Use ~all (soft fail) during testing. This tells receiving servers to mark unauthenticated email as suspicious but still deliver it. Switch to -all (hard fail) only after you’ve verified all legitimate senders are listed.
  • Don’t use +all under any circumstances. This says “any server can send email as my domain” and completely defeats the purpose of SPF.
  • Run your record through an SPF validator like MXToolbox or Kitterman before finalizing.

Step 3: Generate and Enable DKIM for Your Domain

DKIM setup in cPanel is handled directly inside the Email Deliverability interface as well, but the key generation happens in a separate tool.

  1. Go to Email Deliverability and select your domain.
  2. Under the DKIM section, click Enable or Generate DKIM Key.
  3. cPanel generates a 1024-bit or 2048-bit RSA key pair. The private key stays on your server, and the public key is published as a TXT record in your DNS zone, typically at default._domainkey.yourdomain.com.
  4. If cPanel manages your DNS, the record is added automatically. If you use an external DNS provider, copy the TXT record value shown and add it to your DNS management console.
  5. Once the DNS propagates, cPanel will automatically sign all outgoing emails from your domain with the DKIM signature.

Verifying DKIM Is Working

You can check DKIM status from the cPanel interface — it should show DKIM: Enabled in green. For external verification, send a test email to a service like Mail-Tester.com or Gmail (view the original message headers and look for dkim=pass).

If you see dkim=fail or the signature is missing entirely, double-check that the TXT record’s value matches exactly what cPanel generated — including all quotation marks and semicolons. A single misplaced character causes the signature verification to fail.

Step 4: Publish a DMARC Record for Policy Enforcement

Unlike SPF and DKIM, cPanel’s Email Deliverability tool does not automatically create a DMARC record for you. You’ll need to add it to your DNS zone either through cPanel’s Zone Editor or your external DNS provider.

  1. In cPanel, go to Zone Editor under the Domains section.
  2. Select your domain and click + Add Record.
  3. Choose record type TXT.
  4. Set the Name to _dmarc (this becomes _dmarc.yourdomain.com).
  5. Set the TTL to 3600 (1 hour).
  6. Enter a DMARC policy as the value. A good starting policy is:
    v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; fo=1
  7. Click Save Record.

Understanding DMARC Policy Levels

Your DMARC p= value determines what happens when email fails authentication:

  • p=none — Monitoring mode. No action is taken against failing messages. Use this for at least two weeks after setup to collect data about your email traffic and identify any legitimate senders you might have missed.
  • p=quarantine — Failing emails are sent to the recipient’s spam folder. This is a good intermediate step after you’ve confirmed legitimate email is passing authentication.
  • p=reject — Failing emails are rejected outright. This provides the strongest protection against spoofing. Only switch to reject after weeks of monitoring with p=none and p=quarantine have shown no legitimate messages being blocked.

The rua= tag specifies where aggregate DMARC reports are sent. Make sure the email address you use can receive reports — they can be large and numerous, especially for high-volume senders.

Step 5: Verify All Three Records Are Active

The final — and most important — step is confirming that all three DNS records are published correctly and propagating.

Using cPanel’s Built-In Check

Return to Email Deliverability and click your domain. The interface should now show green checkmarks for SPF, DKIM, and overall status. If any still show warnings, wait for DNS propagation (up to 48 hours, though usually 5-30 minutes) and refresh.

Using External Verification Tools

You can verify your records from outside cPanel using these free tools:

  • MXToolbox SPF Check — Enter your domain and confirm the SPF record returns valid and doesn’t exceed 10 DNS lookups.
  • DKIM Core Validator — Enter default._domainkey.yourdomain.com as the selector and your domain to verify the DKIM public key is published and properly formatted.
  • Global Cyber Alliance DMARC Checker — Verifies your DMARC record and shows whether your policy is configured correctly.
  • Mail-Tester.com — Send an email from your cPanel account and get a detailed score showing all three authentication checks passing.

Key Takeaways

  • SPF, DKIM, and DMARC work together to authenticate your email and prevent spoofing — missing any one reduces your deliverability and leaves your domain vulnerable.
  • cPanel’s Email Deliverability tool can automatically generate SPF and DKIM records; DMARC records must be added manually via the Zone Editor.
  • Start with a DMARC policy of p=none and monitor reports for at least two weeks before moving to p=quarantine or p=reject.
  • Never exceed 10 DNS lookups in your SPF record, and avoid +all under any circumstance.
  • Verify all three records using external validation tools after configuration, not just cPanel’s internal status check.
  • If you use third-party email services, add their include: statements to your SPF record and ensure they support DKIM signing for your domain.