How to Set Up DKIM, SPF, and DMARC in cPanel for Better Email Deliverability
Email deliverability can make or break your online communication. You can craft the perfect message, but if it lands in a spam folder — or gets rejected outright — your effort was wasted. That’s where email authentication protocols come in. DKIM, SPF, and DMARC are three DNS-based standards that tell receiving mail servers that your email is legitimate and not forged by a spammer.
cPanel provides built-in tools for configuring all three. This guide walks through each protocol, how to set them up from your cPanel dashboard, and how to verify everything is working.
Understanding DKIM: DomainKeys Identified Mail
DKIM lets you digitally sign outgoing emails so receiving servers can verify the message wasn’t tampered with during transit. It works by adding a cryptographic signature to your email headers, and the receiving server looks up your public DKIM key in your DNS records to validate that signature.
Enabling DKIM in cPanel
- Log into your cPanel dashboard and navigate to Email Deliverability under the Email section.
- You’ll see a list of all domains configured on your account. Find the domain you want to authenticate and click Manage.
- Under the DKIM section, click Enable if it isn’t already active. cPanel automatically generates a 1024-bit or 2048-bit key pair.
- A new DNS record is automatically created: a TXT record with a name like default._domainkey that contains your public key.
- Wait a few minutes, then click Check Records next to the DKIM status. A green checkmark confirms the record is live.
Tip: If DNS propagation is slow, use a tool like MXToolbox or dnschecker.org to verify the DKIM TXT record has propagated globally.
Verifying DKIM Signatures
Once DKIM is active, send a test email to a service like Gmail or Outlook, then inspect the raw headers. Look for a line that says DKIM-Signature followed by information including d= (your domain) and s= (the selector). A passing DKIM check shows dkim=pass in the Authentication-Results header.
Configuring SPF: Sender Policy Framework
SPF tells receiving servers which IP addresses are authorized to send email for your domain. Without it, anyone can forge your domain in the “From” address. SPF is defined as a single TXT DNS record, and cPanel can help generate the right value.
Setting Up SPF in cPanel
- Go to Zone Editor under the Domains section in cPanel.
- Find your domain and click Manage.
- Look for an existing TXT record that starts with v=spf1. If cPanel pre-created one, you can edit it. Otherwise, click Add Record and select TXT.
- A standard SPF record for a cPanel shared hosting account looks like this:
v=spf1 +a +mx +ip4:YOUR_SERVER_IP include:websitewelcome.com ?all
Replace YOUR_SERVER_IP with your actual server IP address. The components break down as follows:
- +a — Allows your domain’s A record IP
- +mx — Allows your mail exchange servers
- +ip4:... — Explicitly allows a specific IPv4 address
- include: — Delegates authority to another domain’s SPF record
- The final mechanism (?all, ~all, or -all) controls the fallback behavior:
  - ?all — Neutral (softest, the default cPanel value)
  - ~all — Soft fail (mark as suspicious but don’t reject)
  - -all — Hard fail (reject unauthorized sources, strictest)
Start with ~all for testing, then move to -all once you’ve confirmed your legitimate senders pass.
SPF Record Limits
SPF records are limited to 10 DNS lookups per the specification. Each include:, a:, mx:, or ptr: counts toward this limit. Use tools like SPF Record Checker to verify you haven’t exceeded it.
Implementing DMARC: Domain-based Message Authentication, Reporting & Conformance
DMARC ties DKIM and SPF together. It tells receiving servers what to do when a message fails both checks and provides you with reports about who is sending email using your domain.
Creating a DMARC Record in cPanel
cPanel does not create DMARC records automatically, but you can add one through the Zone Editor.
- Navigate to Zone Editor and click Manage on your domain.
- Click Add Record and select TXT.
- For the name, enter _dmarc (the leading underscore is required by the standard).
- For the value, use a policy like this:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; fo=1
DMARC Policy Tags Explained
- v=DMARC1 — Protocol version (required, this is the only version)
- p=none — The policy for unauthenticated mail: none (monitor only), quarantine (send to spam), or reject (block delivery)
- rua=mailto:... — Aggregated report destination (where DMARC reports are sent daily)
- ruf=mailto:... — Forensic report destination (detailed individual failure reports, optional)
- pct=100 — Percentage of messages to apply policy to
- fo=1 — Generate forensic reports on any authentication failure
- sp= — Policy for subdomains (optional, defaults to the main policy)
DMARC Gradual Rollout Strategy
Start with p=none for at least a week. Monitor the reports to identify legitimate senders you may have missed in SPF or DKIM. Once you’re confident no legitimate email is failing, move to p=quarantine for another week. Finally, upgrade to p=reject for maximum protection.
Checking DMARC Reports
Once DMARC is live, you’ll start receiving daily XML reports from major providers like Google, Microsoft, and Yahoo. These reports contain aggregated data about how each source of email for your domain is authenticating.
Tip: Use a DMARC report parser like dmarcian.com, Postmark's DMARC tool, or URIports to visualize these reports instead of reading raw XML.
Key metrics to watch:
- SPF alignment rate — What percentage of email passes SPF
- DKIM alignment rate — What percentage passes DKIM
- Identifier alignment — Whether the domain in the From header matches SPF/DKIM domains
- Source IPs — Any unknown IPs sending email for your domain
If you see a legitimate third-party service (like Mailchimp or SendGrid) failing, add their IPs to your SPF record and ensure they DKIM-sign with your domain.
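The metrics listed above can be computed directly from an aggregate report. The following is an added example, not part of the original guide: the report is constructed, uses documentation-range IP addresses, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, reduced to the elements read below. Real reports come
# from outside parties, so parse them with a hardened XML parser (for example the
# defusedxml package) in production.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.test</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>60</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>20</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Per source IP: message count, aligned DKIM/SPF passes, and DMARC failures."""
    stats = defaultdict(lambda: {"messages": 0, "dkim": 0, "spf": 0, "dmarc_fail": 0})
    for row in ET.fromstring(report_xml).iterfind("record/row"):
        n = int(row.findtext("count", "0"))
        # policy_evaluated holds the results after identifier alignment is applied.
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        spf = row.findtext("policy_evaluated/spf") == "pass"
        entry = stats[row.findtext("source_ip")]
        entry["messages"] += n
        entry["dkim"] += n if dkim else 0
        entry["spf"] += n if spf else 0
        entry["dmarc_fail"] += 0 if (dkim or spf) else n  # DMARC needs one aligned pass
    return dict(stats)


def alignment_rates(stats):
    """Overall percentage of reported messages passing aligned SPF and aligned DKIM."""
    total = max(sum(s["messages"] for s in stats.values()), 1)
    return {key: round(100 * sum(s[key] for s in stats.values()) / total, 1)
            for key in ("spf", "dkim")}


def failing_sources(stats):
    """Source IPs with messages that failed both checks: candidates for review."""
    return sorted(ip for ip, s in stats.items() if s["dmarc_fail"])
```

In the sample, 198.51.100.25 still passes DMARC through DKIM alone, while 192.0.2.77 fails both checks and is the source to investigate before moving beyond p=none.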
Common Troubleshooting Issues
SPF PermError — Too Many Lookups
If you hit the 10-lookup limit, consolidate multiple include: statements. For example, Google Workspace and Microsoft 365 each add their own includes. Consider moving to a flat list of IP addresses instead.
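To see how nested includes add up against the limit described under SPF Record Limits and in this troubleshooting item, the following added example (not from the original guide) counts lookups recursively. It reads records from a constructed in-memory zone instead of live DNS, all domains in it are hypothetical, and it also counts exists and redirect=, which RFC 7208 includes in the limit.

```python
# Added example: count the DNS-querying terms an SPF record reaches (RFC 7208, section 4.6.4).
# ZONE is a constructed stand-in for DNS; every domain and address in it is hypothetical.
ZONE = {
    "example.test": "v=spf1 +a +mx ip4:203.0.113.10 include:_spf.mailer.test "
                    "include:_spf.crm.test ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
    "_a.mailer.test": "v=spf1 a ip4:192.0.2.0/25 ~all",
    "_b.mailer.test": "v=spf1 a:out.mailer.test mx/24 ~all",
    "_spf.crm.test": "v=spf1 exists:%{i}.allow.crm.test ptr -all",
    # Flattened alternative: senders listed as literal networks, no lookups needed.
    "flat.example.test": "v=spf1 ip4:203.0.113.10 ip4:192.0.2.0/25 ip4:198.51.100.0/24 ~all",
    "loop.test": "v=spf1 include:loop.test -all",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Count terms that cost a DNS query, following include: and redirect= targets."""
    if domain in path:
        raise ValueError("SPF include loop at " + domain)
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record published at this name
    total = 0
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        # Drop the qualifier, then separate the mechanism from its argument and CIDR suffix.
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0].lower()
        if mech in LOOKUP_MECHANISMS:
            total += 1
        if mech == "include":
            total += count_lookups(arg, zone, path + (domain,))
    return total


def exceeds_limit(domain, zone):
    """True when a receiver would return PermError for too many lookups."""
    return count_lookups(domain, zone) > LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("example.test", "flat.example.test"):
        print(name, count_lookups(name, ZONE), exceeds_limit(name, ZONE))
```

The top-level record shows only four lookup terms, but the nested includes bring the total to 11, which is why counting by eye is unreliable.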
DKIM DNS Record Missing or Mismatched
Run dig TXT default._domainkey.yourdomain.com from your terminal. If the record doesn’t match what cPanel generated, re-run the Email Deliverability check tool in cPanel and let it attempt a fix.
DMARC Reports Not Arriving
Check that your rua address is correct and that your mail server isn’t filtering the incoming reports. DMARC reports come from addresses like noreply-dmarc-support@google.com. Whitelist these in your email filters.
Spam Score Still High After Setup
Authentication alone isn’t enough. Ensure your sending IP has a good reputation, your email content avoids spammy patterns, and you have proper reverse DNS (PTR record) configured.
Key Takeaways
- DKIM digitally signs your outgoing mail and must be enabled per-domain in the cPanel Email Deliverability tool
- SPF defines authorized sending IPs in a TXT record managed through the Zone Editor
- DMARC unifies DKIM and SPF with a policy that controls how failures are handled
- Start DMARC in monitoring mode (p=none) before enforcing stricter policies
- Use the cPanel Zone Editor to create and verify all DNS records
- Monitor DMARC reports regularly to catch unauthorized email senders and misconfigurations
- Third-party email services require explicit SPF includes and proper DKIM signing
- Always verify propagation with DNS checking tools before considering the setup complete