cPanel Review

How to Set Up SPF, DKIM, and DMARC in cPanel: The Complete Email Authentication Guide

June 13, 2026 by cPanelPro

If your emails from a cPanel server are landing in spam folders or getting rejected outright, the culprit is almost always missing or misconfigured email authentication. Modern email providers like Gmail, Outlook, and Yahoo rely on three DNS records — SPF, DKIM, and DMARC — to verify that a message actually came from your server and wasn’t forged by a spammer. Without all three configured correctly, your domain looks like an impersonator, and your carefully crafted messages never reach the inbox.

In this guide, you’ll learn exactly how to set up SPF, DKIM, and DMARC records inside cPanel, verify they’re working, and fix the most common configuration mistakes that break email deliverability.

What Are SPF, DKIM, and DMARC and Why Do You Need All Three?

Email authentication works like a tamper-proof seal on a package. Each protocol handles a different layer of verification, and together they give receiving mail servers confidence that your email is legitimate.

SPF (Sender Policy Framework) publishes a list of IP addresses that are authorized to send email for your domain. If a receiving server gets a message claiming to be from your domain but it originated from an IP not on your SPF record, it can flag or reject it.

DKIM (DomainKeys Identified Mail) adds a cryptographic digital signature to every outgoing message. Your cPanel server signs each email with a private key, and receiving servers check the signature against a public key published in your DNS. If the signature doesn’t match, the email has been tampered with or forged.

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when an email fails SPF and DKIM checks — quarantine it, reject it completely, or let it through. DMARC also sends you aggregate reports so you can see who is sending email on your behalf and spot authentication failures.

Running all three together is the industry standard. SPF and DKIM alone lack a policy mechanism — DMARC fills that gap. And since February 2024, Google and Yahoo require DMARC for bulk senders sending more than 5,000 messages per day.

Step 1: Configure SPF Records in cPanel

Most cPanel servers have a default SPF record, but it’s often too permissive or missing custom sending sources like third-party email services. Here’s how to check and set it up properly.

Check Your Current SPF Record

Open a terminal or use a DNS lookup tool and run:

dig TXT yourdomain.com | grep "v=spf1"

Or use an online tool like MXToolbox SPF lookup. If you see no SPF record, you’ll need to create one.

Create the SPF Record in cPanel

  1. Log in to cPanel and navigate to Zone Editor (under the Domains section).
  2. Click Manage next to your domain.
  3. Click Add Record and select type TXT.
  4. Enter @ as the Name (or leave it blank, depending on your cPanel version).
  5. For the TXT Value, use a record like this:

v=spf1 +a +mx +a:server.yourhost.com ?all

The components of this record:

  • +a — allows the domain’s A record IP to send mail
  • +mx — allows the domain’s MX servers to send mail
  • +a:server.yourhost.com — allows your specific cPanel server hostname
  • ?all — neutral result for unlisted senders (use ~all for softfail or -all for hard reject once you’re confident)

If you use a third-party email service (Google Workspace, SendGrid, Mailchimp, etc.), add their SPF include mechanism too:

v=spf1 +a +mx include:_spf.google.com ~all

Each include: statement pulls in the SPF record of that provider. SPF evaluation allows at most 10 DNS lookups in total; exceeding that causes SPF to fail permanently (permerror).

Step 2: Enable and Configure DKIM in cPanel

cPanel includes a built-in DKIM manager under the Email Deliverability tool. This is the easiest way to generate and install DKIM keys.

Enable DKIM for Your Domain

  1. In cPanel, go to Email Deliverability (under the Email section).
  2. Find your domain in the list and click Manage.
  3. If DKIM is not enabled, click Enable DKIM. cPanel automatically generates a 2048-bit key pair and adds the public key to your DNS zone as a TXT record.
  4. Check the status — it should show DKIM: Enabled with a green checkmark.

Verify DKIM DNS Propagation

Your DKIM public key is published as a TXT record with a name like:

default._domainkey.yourdomain.com

Verify it propagated with:

dig TXT default._domainkey.yourdomain.com

You should see a long base64-encoded string inside the response. If the record is missing, you may need to add it manually from the Email Deliverability tool’s details page.

DKIM Key Length Considerations

cPanel defaults to 2048-bit DKIM keys, which is more secure than the older 1024-bit standard. A few providers still have trouble with long DKIM signatures that exceed DNS response size limits. If you encounter validation warnings from specific receivers, try switching to 1024-bit keys through the Email Deliverability interface.

Step 3: Publish a DMARC Policy Record

DMARC ties everything together. Even if your SPF and DKIM are perfect, without DMARC, receiving servers decide individually how to handle unauthenticated mail — and they often default to “put it in spam.”

Create the DMARC TXT Record

  1. In cPanel’s Zone Editor, click Add Record.
  2. Choose type TXT.
  3. For the Name, enter _dmarc (this creates _dmarc.yourdomain.com).
  4. For the TXT Value, start with a monitoring policy:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; fo=1

A breakdown of the DMARC tags:

  • v=DMARC1 — the version identifier, always required
  • p=none — policy: monitor only, no action taken on failures (start here)
  • p=quarantine — after monitoring, switch here to send failures to spam
  • p=reject — final policy: block all unauthenticated mail entirely
  • rua=mailto:... — where to send daily aggregate DMARC reports
  • ruf=mailto:... — forensic report address for individual failure details
  • pct=100 — percentage of messages to apply the policy to
  • fo=1 — generate forensic reports on any SPF/DKIM failure

DMARC Deployment Strategy

Never jump straight to p=reject. Follow this phased approach:

  1. Week 1-2: p=none — monitor reports to see what legitimate senders you might be blocking
  2. Week 3-4: p=quarantine — soft enforcement, check that your spam rate doesn’t spike
  3. Week 5 onward: p=reject — full enforcement after confirming all authorized senders pass

Check your aggregate reports regularly at the rua address. Mailbox providers like Google and Yahoo generate XML reports daily. You can parse them with free tools like dmarcian or DMARC Analyzer.
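To show what those daily XML reports contain and how to read them during the p=none phase, here is an added example (not part of the original guide) that summarises one aggregate report. The sample report is constructed, and known_senders is an assumed list of your own sending IPs that you maintain yourself.

```python
# Added example: summarise one DMARC aggregate (rua) report.
# SAMPLE_REPORT is constructed; element names follow the RFC 7489 schema.
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>8</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>15</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarise(report_xml):
    """Return (published policy, passing message count, {source_ip: failing count})."""
    # Reports arrive from outside parties; for untrusted input, the defusedxml
    # package offers a hardened drop-in for ElementTree.
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    passing, failing = 0, Counter()
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passed.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            passing += count
        else:
            failing[row.findtext("source_ip")] += count
    return policy, passing, dict(failing)

def safe_to_tighten(report_xml, known_senders):
    """True when none of our own sending IPs appears among the failing sources."""
    _, _, failing = summarise(report_xml)
    return not (set(failing) & set(known_senders))

if __name__ == "__main__":
    print(summarise(SAMPLE_REPORT))
```

A failing source that is one of your own senders means a record still needs fixing before you move past p=none; a failing source you do not recognise is what the stricter policies are meant to stop.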

Step 4: Verify Your Email Authentication Setup

After configuring all three records and allowing up to 48 hours for DNS propagation, run these validation checks:

Send a Test Email and Check Headers

Send a message from your cPanel-hosted email to a Gmail address (or use Mail-Tester.com). In Gmail, click the three dots → Show original. Look for these lines in the full headers:

  • Authentication-Results: spf=pass
  • Authentication-Results: dkim=pass
  • Authentication-Results: dmarc=pass

If any show fail or neutral, that protocol needs attention.
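The same header check can be scripted. The added example below (not from the original guide) parses the Authentication-Results header of a constructed message and only trusts the copy stamped by the receiving server, since a sender can insert a header of the same name; mx.receiver.example and relay.unknown.example are hypothetical hostnames.

```python
# Added example: read SPF/DKIM/DMARC verdicts from Authentication-Results.
# SAMPLE_MESSAGE is constructed; the hostnames in it are hypothetical.
import re
from email import message_from_string

SAMPLE_MESSAGE = """Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@yourdomain.com header.s=default;
       spf=softfail (203.0.113.77 is not designated) smtp.mailfrom=user@yourdomain.com;
       dmarc=pass (p=NONE) header.from=yourdomain.com
Authentication-Results: relay.unknown.example; spf=pass; dkim=pass; dmarc=pass
From: user@yourdomain.com
To: test@receiver.example
Subject: deliverability test

Test body.
"""

def auth_results(raw_message, trusted_authserv):
    """Return {method: [results]} from headers added by trusted_authserv only."""
    msg = message_from_string(raw_message)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)        # drop (comments)
        authserv, *parts = value.split(";")
        # The first field names the server that did the checking. Skip headers
        # from any other server: they were not written by our receiver.
        if authserv.split()[:1] != [trusted_authserv]:
            continue
        for part in parts:
            match = re.match(r"\s*([a-z]+)=([a-z]+)", part, re.I)
            if match:
                method, result = match.group(1).lower(), match.group(2).lower()
                results.setdefault(method, []).append(result)
    return results

def needs_attention(results):
    """List the protocols that did not report a pass."""
    return [m for m in ("spf", "dkim", "dmarc") if "pass" not in results.get(m, [])]

if __name__ == "__main__":
    found = auth_results(SAMPLE_MESSAGE, "mx.receiver.example")
    print(found, needs_attention(found))
```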

Use Online Validation Tools

  • MXToolbox SPF Check — validates your SPF record syntax and includes
  • MXToolbox DKIM Check — enter default._domainkey as the selector and your domain
  • DMARC Analyzer — verifies your DMARC record and shows what policy receivers see

Troubleshooting Common Email Authentication Issues

Even with the right DNS records, things can go wrong. Here are the most frequent problems and how to fix them:

SPF PermError (Too Many DNS Lookups)

SPF allows a maximum of 10 DNS lookups. Each include:, a, mx, ptr, or exists mechanism counts. If you exceed 10, SPF returns a permanent error and the check fails. Audit your record and remove unnecessary includes. Consolidate providers where possible.
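To audit a record against the 10-lookup limit described here and in Step 1, the added example below (not part of the original guide) walks a record and its nested includes and counts every term that costs a DNS lookup. It reads from a constructed in-memory zone instead of live DNS, and the *.example provider names are hypothetical.

```python
# Added example: count the DNS-querying terms an SPF record triggers.
# ZONE is constructed sample data standing in for live TXT lookups; the
# *.example provider names are hypothetical.
ZONE = {
    "yourdomain.com": "v=spf1 +a +mx +a:server.yourhost.com "
                      "include:_spf.mailer.example include:_spf.crm.example "
                      "include:_spf.helpdesk.example ~all",
    "_spf.mailer.example": "v=spf1 include:_n1.mailer.example "
                           "include:_n2.mailer.example include:_n3.mailer.example ~all",
    "_n1.mailer.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_n2.mailer.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_n3.mailer.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_n1.crm.example ~all",
    "_n1.crm.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_spf.helpdesk.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
# Mechanisms named on this page, plus the redirect= modifier, which RFC 7208
# counts against the same limit.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Return the number of DNS-querying terms reached from domain's record."""
    if domain in path:
        raise ValueError("include loop at " + domain)
    total = 0
    for term in zone.get(domain.lower(), "").split()[1:]:   # skip "v=spf1"
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            name, target = "redirect", term.split("=", 1)[1]
        else:
            name, _, target = term.partition(":")
            name = name.split("/")[0]                       # "a/24" -> "a"
        if name not in LOOKUP_MECHANISMS and name != "redirect":
            continue                                        # ip4, ip6, all: no lookup
        total += 1
        if name in ("include", "redirect"):                 # these pull in another record
            total += count_lookups(target, zone, path + (domain,))
    return total

def spf_status(domain, zone):
    """Return (lookup count, 'ok' or 'permerror')."""
    count = count_lookups(domain, zone)
    return count, ("permerror" if count > LIMIT else "ok")

if __name__ == "__main__":
    print(spf_status("yourdomain.com", ZONE))
```

The top-level record here lists only six terms, yet the nested includes push it over the limit, which is why counting by eye on the first record alone is not enough.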

DKIM Signature Mismatch

If your DKIM signature shows dkim=fail in headers but your DNS record exists, the issue is often a third-party service rewriting your email. For example, if a mailing list adds a footer, it breaks the DKIM signature. Solutions: use a separate sending domain for third-party services, or configure them to pass through without modification.

DMARC Alignment Failures

SPF and DKIM can both pass individually but DMARC can still fail if the domain in the From: header doesn’t align with the domain that passed authentication. DMARC requires either strict alignment (exact domain match) or relaxed alignment (subdomain match). If you’re using a third-party service from a different domain, make sure the From: header domain matches what SPF/DKIM authenticated.
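The alignment rule is easier to see worked through. This added example (not from the original guide) evaluates three constructed messages; it treats relaxed alignment as "same organizational domain" and, as a stated simplification, takes the organizational domain to be the last two labels. aspf and adkim are the DMARC record tags that select strict (s) or relaxed (r) mode.

```python
# Added example: DMARC identifier alignment for SPF and DKIM results.
def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real evaluators use
    # the Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_verdict(header_from, spf, dkim_signatures, aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim_signatures is [(result, d= domain)]."""
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], aspf)
    dkim_ok = any(result == "pass" and aligned(header_from, d, adkim)
                  for result, d in dkim_signatures)
    # One aligned pass is enough; an unaligned pass counts for nothing.
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed cases: (From: domain, SPF result, DKIM results).
CASES = {
    # Third-party service authenticates with its own domains only.
    "third_party_own_domains": (
        "yourdomain.com", ("pass", "bounce.mailer.example"), [("pass", "mailer.example")]),
    # Same service, but it signs with a DKIM key published under your domain.
    "third_party_signs_as_you": (
        "yourdomain.com", ("pass", "bounce.mailer.example"), [("pass", "mail.yourdomain.com")]),
    # Mail sent directly from the cPanel server.
    "cpanel_direct": (
        "yourdomain.com", ("pass", "yourdomain.com"), [("pass", "yourdomain.com")]),
}

if __name__ == "__main__":
    for name, case in CASES.items():
        print(name, dmarc_verdict(*case), dmarc_verdict(*case, aspf="s", adkim="s"))
```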

Key Takeaways

  • SPF, DKIM, and DMARC are all required for reliable email deliverability — missing any one of them means your email can be flagged as spam.
  • SPF authorizes specific IPs and servers to send email for your domain; keep it under 10 DNS lookups to avoid PermError.
  • Enable DKIM through cPanel’s Email Deliverability tool — it generates both keys automatically and publishes the public record to your DNS zone.
  • DMARC gives you control over how receivers handle unauthenticated mail: start with p=none to monitor, then escalate to p=quarantine and p=reject.
  • Always verify your setup by sending a test email and checking headers for spf=pass, dkim=pass, and dmarc=pass.
  • Third-party email services require special attention — use their SPF includes, configure DKIM on their side, and ensure DMARC alignment matches your sending domain.