Email deliverability is one of the most common pain points for cPanel users. You might have configured everything correctly only to find your messages landing in spam folders or bouncing back entirely. More often than not, the culprit is missing or misconfigured email authentication records. SPF, DKIM, and DMARC are three DNS records that tell receiving mail servers your emails are legitimate and not forged spam. When all three are set up properly in cPanel, your sending reputation improves dramatically and your messages reach inboxes instead of junk folders.
In this guide, you will learn exactly how to configure SPF, DKIM, and DMARC records directly from your cPanel dashboard. We will walk through each step, explain what each record does, and show you how to verify everything is working correctly using free online tools. Whether you are managing a single domain or dozens, this process ensures your email infrastructure is secure and trustworthy.
Understanding SPF, DKIM, and DMARC
Before diving into configuration, it helps to understand what each record does and why you need all three together.
What is SPF?
Sender Policy Framework (SPF) is a DNS record that lists every server authorized to send email from your domain. When a receiving mail server gets a message claiming to be from yourdomain.com, it checks the SPF record to see if the sending IP address is on the approved list. If the server is not listed, the message may be flagged as spam or rejected outright. SPF is the first line of defense against email spoofing and is the oldest of the three authentication methods.
What is DKIM?
DomainKeys Identified Mail (DKIM) adds a digital signature to every outgoing email. This signature is generated using a private key stored on your cPanel server, and receiving servers verify it using a public key published in your DNS. If the signature matches, the email is confirmed to have been sent by your server and was not tampered with during transit. DKIM is especially important because it survives email forwarding, unlike SPF, which can break when messages are forwarded through intermediate servers.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) tells receiving servers what to do when SPF or DKIM checks fail. You can instruct them to quarantine suspicious messages, reject them outright, or let them through and send you a report. DMARC also provides detailed XML reports that help you monitor who is sending email on behalf of your domain, making it an essential tool for detecting phishing attempts and spoofing campaigns.
Configuring SPF Records in cPanel
Most cPanel hosting providers enable email services by default, which means your SPF record is usually auto-configured for the primary mail server. However, if you send email through third-party services like Google Workspace, Outlook 365, or a transactional email provider such as SendGrid or Mailgun, you need to update the SPF record to include those servers.
- Log in to your cPanel dashboard and navigate to the Domains section, then click Zone Editor (or DNS Zone Editor, depending on your theme).
- Locate the domain you want to configure. Look for an existing TXT record that starts with v=spf1. If one exists, click Edit. If not, click Add Record and select type TXT.
- Enter the following value, adjusting the include statements to match your services:
  v=spf1 +a +mx include:_spf.yourhostingprovider.com include:spf.protection.outlook.com ~all
- Replace _spf.yourhostingprovider.com with your hosting provider’s SPF include, and add an include for each third-party service you use. The ~all tag means “soft fail” — messages from unauthorized servers are marked as suspicious but not rejected.
- Click Save Record. DNS changes can take anywhere from a few minutes to 48 hours to propagate, though most updates resolve within an hour.
Enabling DKIM Signing in cPanel
cPanel makes DKIM configuration remarkably simple through the Email Deliverability tool. This feature automatically generates the key pair and publishes the public key to your DNS.
- In cPanel, scroll to the Email section and click Email Deliverability.
- You will see a list of all domains on your account. Click the Manage button next to the domain you want to configure.
- cPanel displays the current SPF and DKIM status. If DKIM shows as Not Enabled, click Enable in the DKIM section. cPanel generates a 2048-bit RSA key pair and automatically adds the DKIM TXT record to your DNS zone.
- After enabling DKIM, click Validate to confirm the DNS record is published correctly. You should see a green checkmark next to the DKIM status.
- Repeat this process for every domain that sends email from your cPanel server.
Note: If your DNS is managed externally (for example, through Cloudflare), cPanel cannot add the DKIM record automatically. You will see the required values on the Email Deliverability page and must add them manually through your external DNS provider’s control panel.
Setting Up a DMARC Policy in cPanel
DMARC policies are not auto-configured by cPanel, so you must add one manually through the Zone Editor. A DMARC record is a TXT record with a special subdomain format: _dmarc.yourdomain.com.
- Go to Zone Editor in cPanel and select your domain.
- Click Add Record and choose type TXT.
- In the Name field, enter _dmarc (cPanel appends your domain automatically).
- In the Value field, enter your DMARC policy. A recommended starting policy for most site owners is:
  v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1
- Here is what each tag means:
  - v=DMARC1 — The version identifier, always required.
  - p=quarantine — Instructs receivers to send failing messages to spam. Use p=none initially to monitor without impact, then move to quarantine and eventually reject.
  - pct=100 — Applies the policy to 100% of messages. Start at a lower percentage like 20 if you are testing.
  - rua — The email address that receives aggregate DMARC reports (XML summaries).
  - ruf — The email address that receives forensic failure reports for individual messages that fail authentication.
  - fo=1 — Requests forensic reports when either SPF or DKIM fails.
- Click Save Record and allow time for DNS propagation.
Start with p=none for your first week. Review the aggregate reports to confirm legitimate emails are passing authentication, then increase the policy to p=quarantine and eventually p=reject for maximum protection.
Verifying Your Records Are Working
Once your DNS records have propagated, you should test them before relying on your new configuration. Several free tools make this easy.
Using MXToolbox
Navigate to MXToolbox.com and use the following lookups:
- SPF Record Check: Enter your domain name and confirm the SPF record validates correctly.
- DKIM Lookup: Enter default._domainkey.yourdomain.com as the selector and verify a public key is returned.
- DMARC Lookup: Enter your domain and confirm the DMARC policy appears with the correct tags.
Sending a Test Email
Send a test email from your cPanel-hosted address to a Gmail or Outlook inbox. Open the original message source (in Gmail, click the three dots → Show original). Look for these headers:
- Received-SPF: Pass
- DKIM-Signature: present and dkim=pass
- Authentication-Results: showing dmarc=pass
If any of these show as fail or neutral, revisit your DNS records and double-check the values. A single typo in a TXT record can cause authentication to fail.
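The header check above can be scripted. This added example (not from the original guide) reads the Authentication-Results headers out of a saved message source and reports which of SPF, DKIM and DMARC did not pass. It only counts the header written by the receiving server you name, because a message can carry Authentication-Results lines added by other hosts along the way; the message text and the relay.example.net host are constructed.

```python
import re
from email import message_from_string

# Constructed message source. The first header is from the receiving server;
# the second was added by another host upstream and is ignored on purpose.
RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=default;
       spf=pass (google.com: domain of user@yourdomain.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=user@yourdomain.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=yourdomain.com
Authentication-Results: relay.example.net; spf=fail smtp.mailfrom=user@yourdomain.com
From: user@yourdomain.com
Subject: deliverability test

test body
"""

METHODS = ("spf", "dkim", "dmarc")


def auth_results(raw_message, authserv_id):
    """Collect spf/dkim/dmarc results reported by one named receiving server."""
    results = {}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())            # unfold continuation lines
        server, _, rest = value.partition(";")
        if server.lower().split()[:1] != [authserv_id.lower()]:
            continue                               # header written by another host
        rest = re.sub(r"\([^)]*\)", "", rest)      # drop parenthesised comments
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, set()).add(result.lower())
    return results


def failed_checks(raw_message, authserv_id):
    """Methods with no pass result; a missing result counts as failed."""
    results = auth_results(raw_message, authserv_id)
    return [m for m in METHODS if "pass" not in results.get(m, set())]


if __name__ == "__main__":
    print("not passing:", failed_checks(RAW, "mx.google.com") or "none")
```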
Google’s Postmaster Tools
For high-volume senders, set up Google Postmaster Tools. It provides detailed data on your domain’s spam rate, delivery errors, and authentication pass rates across Gmail, helping you spot problems before they affect your deliverability.
Troubleshooting Common Issues
Even with careful setup, issues can arise. Here are the most common problems and how to resolve them.
SPF too many lookups: DNS lookup limits restrict SPF records to a maximum of 10 DNS queries. Every include statement counts as one lookup. If you exceed the limit, SPF breaks silently. Consolidate multiple includes where possible or use a dedicated SPF management service.
DKIM selector mismatch: Some email clients or third-party senders use a non-standard DKIM selector. If cPanel’s default selector (default._domainkey) does not match what your email client expects, DKIM validation fails. Check your email client’s documentation and add an additional DKIM record if needed.
DMARC policy too strict too quickly: If you set p=reject without first monitoring your traffic, you may block legitimate emails from services like newsletter platforms or partner integrations that you forgot to authorize. Always start with p=none and review reports for at least a week before moving to a stricter policy.
External DNS not syncing: If you manage DNS at your registrar or a service like Cloudflare, changes made in cPanel’s Zone Editor will not propagate. You must make all SPF, DKIM, and DMARC changes directly at your external DNS provider. Verify where your nameservers point before editing records.
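For the SPF lookup limit described above, this added example (not from the original guide) counts the lookups a record consumes. It goes beyond the one-per-include rule of thumb: the a, mx, ptr and exists mechanisms and the redirect modifier also count, and so does every lookup inside an included record. A dictionary of constructed TXT values stands in for live DNS, and the hosting-provider sub-records are hypothetical.

```python
SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT data standing in for live DNS. The include targets reuse the
# guide's placeholder names; their contents are made up, not the real records.
ZONE = {
    "yourdomain.com": "v=spf1 +a +mx include:_spf.yourhostingprovider.com "
                      "include:spf.protection.outlook.com ~all",
    "_spf.yourhostingprovider.com": "v=spf1 include:_a.yourhostingprovider.com "
                                    "include:_b.yourhostingprovider.com ~all",
    "_a.yourhostingprovider.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.yourhostingprovider.com": "v=spf1 ip4:198.51.100.0/24 mx ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ~all",
}


def count_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms for domain, following includes and redirects."""
    domain = domain.lower().rstrip(".")
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    if domain not in zone:
        raise KeyError("no SPF record available for " + domain)
    total = 0
    for term in zone[domain].split()[1:]:          # skip the v=spf1 tag
        term = term.lstrip("+-~?").lower()         # drop the qualifier
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0]                  # strip a CIDR suffix such as a/24
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, zone, path + (domain,))
    return total


def within_limit(domain, zone):
    """True when the record stays at or under the 10-lookup limit."""
    return count_lookups(domain, zone) <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    print("lookups used:", count_lookups("yourdomain.com", ZONE), "of", SPF_LOOKUP_LIMIT)
```

The sample record has only two include statements yet uses seven lookups, which is why adding a few more third-party senders can push a record over the limit.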
Key Takeaways
- SPF, DKIM, and DMARC work together to authenticate your email and prevent spoofing, phishing, and spam folder placement.
- cPanel’s Email Deliverability tool enables DKIM in one click and validates your SPF record automatically for most hosting providers.
- DMARC requires a manual TXT record in the Zone Editor using the _dmarc subdomain format with a carefully chosen policy level.
- Always start with a DMARC policy of p=none and review aggregate reports before tightening to p=quarantine or p=reject.
- Verify all three records using free tools like MXToolbox, Google Postmaster Tools, or by inspecting raw email headers in Gmail or Outlook.
- If your DNS is managed externally, configure SPF, DKIM, and DMARC records at your external provider, not through cPanel’s DNS tools.