Skip to content

cPanel Review

How to Set Up SPF, DKIM, and DMARC in cPanel: A Complete Email Authentication Guide

May 7, 2026 by cPanelPro

If your cPanel-hosted emails are landing in spam folders or bouncing back with authentication errors, the culprit is almost always missing or misconfigured email authentication records. SPF, DKIM, and DMARC are the three DNS-based standards that tell receiving mail servers your messages are legitimate. Without them, your domain looks like a phishing or spoofing target — and major providers like Gmail, Outlook, and Yahoo will routinely reject or quarantine your mail.

cPanel includes built-in tools to generate and manage all three records. In fact, once you enable DKIM and configure an SPF record, cPanel can even help you set up a DMARC policy. This guide walks through each protocol step-by-step, from generating the DNS records inside cPanel to publishing them at your domain registrar. By the end, your outgoing email will pass authentication checks, your deliverability will improve, and your domain will be protected against email spoofing.

Understanding SPF, DKIM, and DMARC in cPanel

Before jumping into cPanel’s configuration screens, it helps to understand what each protocol does and how they work together. SPF (Sender Policy Framework) publishes a list of mail servers authorized to send email for your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every outgoing message so the recipient can verify it hasn’t been tampered with. DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM checks fail — and sends you reports so you can monitor abuse.

cPanel integrates all three at the DNS level. You do not need server-level access or command-line tools. Everything happens through the Email Deliverability and Zone Editor interfaces inside your cPanel dashboard. The key is enabling DKIM first, ensuring your SPF record covers all your sending sources, and finally adding a DMARC policy that ties everything together.

Step 1: Enable DKIM in cPanel

DKIM is the easiest to set up because cPanel can generate the key pair and publish the DNS record automatically. Follow these steps:

  1. Log into your cPanel dashboard and navigate to Email Deliverability (found under the Email section).
  2. A list of your domain names appears. Find the domain you want to authenticate and click Manage.
  3. In the DKIM section, check whether DKIM is enabled. If it shows Disabled, click the toggle or button to enable it. If cPanel manages DNS for your domain, it will publish the DKIM record automatically.
  4. If your DNS is managed externally (e.g., at Cloudflare or your domain registrar), cPanel will display the DKIM DNS record. Copy the full record — it looks like default._domainlink CNAME 10 yourdomain.com.dkim._domainlink.yourhost.com or a TXT record with a long base64 key.
  5. Add that record to your external DNS zone. DKIM uses a TXT record under default._domainkey.yourdomain.com.

Once published, wait a few minutes for DNS propagation, then verify with a tool like MXToolbox or by using this command:

dig txt default._domainkey.yourdomain.com +short

If the record returns a long key string, DKIM is active. Any email sent from your cPanel server will now carry a DKIM signature header.

Step 2: Configure Your SPF Record

SPF records tell receiving servers which IP addresses are allowed to send mail for your domain. cPanel adds a basic SPF record automatically when you create a domain, but you need to verify it covers all of your sending sources.

Check Your Current SPF Record

Open the Zone Editor in cPanel and look for a TXT record on your domain that starts with v=spf1. A typical cPanel-generated record looks like this:

v=spf1 +a +mx +a:server.yourhost.com ~all

The +a and +mx mechanisms authorize the domain’s A record and MX servers. The ~all at the end is a soft-fail — it tells recipients to accept the message but mark it suspicious if it comes from an unlisted server.

Customize for Your Sending Sources

If you send email through third-party services (Google Workspace, Mailchimp, SendGrid, and so on), you need to include their SPF includes. For example:

v=spf1 +a +mx include:_spf.google.com include:sendgrid.net ~all

To add or modify the record:

  1. Go to Zone Editor in cPanel and click Manage next to your domain.
  2. Find the TXT record for your domain (the one starting with v=spf1).
  3. Click Edit and append any include: statements for services you use.
  4. Save the record. DNS propagation usually takes a few minutes.

One important rule: SPF has a 10-lookup limit. Every include:, a:, mx:, or ptr: mechanism counts as a DNS lookup. If you exceed 10, SPF will permerror and fail. Consolidate includes where possible.

Step 3: Add a DMARC Policy

DMARC builds on SPF and DKIM by telling receiving servers what to do when authentication checks fail. It also generates aggregate reports you can review to spot unauthorized senders.

Create the DMARC TXT Record

cPanel does not generate DMARC records automatically, but adding one takes only a minute:

  1. In the Zone Editor, click Add Record.
  2. Select type TXT.
  3. Enter _dmarc as the name.
  4. For the value, use a policy like this:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; sp=none

Here is what each field means:

  • v=DMARC1 — Identifies this as a DMARC record.
  • p=none — The policy. none means monitor only (no action taken). Start here until you are confident SPF and DKIM are working.
  • rua=mailto:... — The email address where aggregate DMARC reports are sent.
  • pct=100 — The percentage of messages to which the policy applies.
  • sp=none — The policy for subdomains, which defaults to the main policy if omitted.

Progressing to a Stronger Policy

After a week or two of monitoring with p=none, review your DMARC reports. If you see no false positives (legitimate emails failing authentication), move to p=quarantine (send failures to spam). Once you are confident everything is authenticated, use p=reject — the strictest policy, which tells receiving servers to reject unauthenticated mail outright.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100

Step 4: Verify Email Authentication Is Working

Once all three records are published, test your setup before relying on it. You have several options:

  • Send a test email and check headers: Send an email from your cPanel-hosted account to a Gmail or Outlook address. Open the raw message headers and look for spf=pass, dkim=pass, and dmarc=pass.
  • Use MXToolbox: Visit the MXToolbox DMARC Analyzer or SPF lookup tool. Enter your domain and it checks all three records and reports any issues.
  • Run a command-line check: Most hosting servers have dig available. Run dig txt _dmarc.yourdomain.com +short to confirm your DMARC record is published.

If any authentication check shows fail or permerror, double-check each DNS record for typos. SPF records are especially fragile — a missing space or extra character breaks the entire record.

Step 5: Monitor DMARC Reports for Ongoing Protection

DMARC reports are XML-based aggregate data sent to the email address you specified in the rua tag. These reports show you every source that tried to send mail from your domain, along with whether SPF and DKIM passed or failed.

Reading raw XML reports is tedious. Use a free DMARC analyzer such as:

  • MXToolbox DMARC Monitoring — Parses reports into a readable dashboard.
  • dmarcian — Free tier for one domain with visual breakdowns.
  • Postmark DMARC Tool — Straightforward report parsing with email alerts.

Check your reports weekly during the monitoring phase. If you see legitimate senders failing authentication, update your SPF record to include their servers. Once you see zero false positives, tighten your DMARC policy from p=none to p=quarantine, and eventually to p=reject.

Key Takeaways

  • SPF, DKIM, and DMARC are three complementary DNS records that authenticate your outgoing email and protect your domain from spoofing.
  • cPanel’s Email Deliverability interface automates DKIM key generation and publishing — enable it first.
  • Your SPF record must include every service that sends mail on your behalf (third-party email platforms, newsletter tools, etc.) and respect the 10-DNS-lookup limit.
  • DMARC policies should start at p=none for monitoring and only escalate to p=quarantine or p=reject after verifying no legitimate email fails authentication.
  • Use tools like MXToolbox, dmarcian, or Postmark to parse DMARC aggregate reports and identify unauthorized senders or configuration issues.
  • Verify authentication by checking email headers for spf=pass, dkim=pass, and dmarc=pass on every major email provider before finalizing your policy.
Categories Email Configuration Tags cPanel Email Configuration, DMARC policy cPanel, Email Authentication, Email Deliverability, SPF DKIM DMARC
How to Set Up WordPress Staging in cPanel with WP Toolkit: A Complete Guide
How to Optimize PHP Performance in cPanel: Switching Versions, Tuning PHP-FPM, and Enabling OpCache

Recent Posts

  • How to Fix 403 Forbidden and 500 Internal Server Errors in cPanel
  • How to Set Up Automatic Backups in cPanel: A Complete Guide
  • How to Set Up and Manage Webmail in cPanel: Roundcube, Horde, and Configuration Tips
  • How to Fix AutoSSL Errors in cPanel: A Step-by-Step Troubleshooting Guide
  • How to Compress, Extract, and Transfer Files Using cPanel File Manager
No comments to show.
  • Database Management
  • Domain Management
  • Email Configuration
  • General
  • Performance
  • Security
  • Site Management
  • WordPress Management
© 2026 cPanel Review • Built with GeneratePress