Web Hosting · December 16, 2025

How to set up SPF, DKIM, and DMARC on cPanel

Estimated Time: 15 minutes
Difficulty: Intermediate ⭐⭐
Prerequisites: Access to cPanel, domain with managed DNS


📋 Introduction

SPF, DKIM, and DMARC are three essential email authentication protocols for:

  • Improving email deliverability
  • 🛡️ Protecting your domain against spoofing and phishing
  • 📬 Preventing your emails from ending up in spam
  • Meeting the requirements of Gmail and Yahoo (mandatory since February 2024)

🔍 Understanding SPF, DKIM, and DMARC

Overview

| Protocol | Function | Analogy |
| --- | --- | --- |
| SPF | Verifies that the server is authorized to send | List of authorized mail carriers |
| DKIM | Adds a digital signature to the email | Seal of authenticity |
| DMARC | Sets the policy in case of failure | Instructions to the recipient |

SPF (Sender Policy Framework)

SPF allows you to specify which servers are authorized to send emails for your domain.

Operation:

  1. You publish a list of authorized servers in a DNS TXT record
  2. The receiving server checks if the email is from an authorized server
  3. If not authorized → the email may be rejected or marked as spam

Example of SPF record:

v=spf1 +a +mx +ip4:123.456.789.0 include:_spf.google.com ~all

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to each outgoing email.

Operation:

  1. Your server signs each email with a private key
  2. The public key is published in your DNS
  3. The recipient verifies the signature with the public key
  4. If the signature is valid → the email is authentic and unaltered

Example of DKIM record:

default._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC defines what the recipient should do if SPF or DKIM fails.

Operation:

  1. You set a policy (none, quarantine, reject)
  2. The recipient applies this policy to unauthenticated emails
  3. You receive reports on impersonation attempts

Example of DMARC record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

📊 Summary Table

| Element | SPF | DKIM | DMARC |
| --- | --- | --- | --- |
| Record Type | TXT | TXT | TXT |
| Name | @ or domain | default._domainkey | _dmarc |
| Required | ✅ Yes | ✅ Yes | ⚠️ Recommended |
| Automatically Configured | ✅ cPanel | ✅ cPanel | ❌ Manual |
| Protects Against | Unauthorized servers | Content falsification | Identity spoofing |

⚙️ Method 1: Automatic Configuration (Email Deliverability)

cPanel offers an Email Deliverability tool that automatically configures SPF and DKIM.

Step 1: Access Email Deliverability

  1. Log in to cPanel
  2. In the Email section, click on Email Deliverability

Step 2: Check Current Status

You will see a list of your domains with their status:

| Status | Meaning |
| --- | --- |
| Valid | SPF and DKIM correctly configured |
| ⚠️ Problems Exist | Missing or incorrect configuration |

Step 3: Automatically Repair

If problems are detected:

  1. Click on Repair next to the relevant domain
  2. cPanel displays the suggested records
  3. Click on Repair to apply automatically

💡 Note: This method only works if your DNS is managed by the same server as cPanel. Otherwise, use the manual method.


Step 4: Verify Configuration

After repair, the status should change to Valid.

You can click on Manage to view the details of each record.


⚙️ Method 2: Manual Configuration

If your DNS is managed elsewhere (Cloudflare, OVH, Gandi, etc.), you need to add the records manually.

Step 1: Retrieve Values from cPanel

  1. Go to Email → Email Deliverability
  2. Click on Manage next to your domain
  3. Note the suggested values for SPF and DKIM

Step 2: Add SPF Record

In cPanel (Zone Editor)

  1. Go to Domains → Zone Editor
  2. Click on Manage next to your domain
  3. Click on + Add Record → Add TXT Record

| Field | Value |
| --- | --- |
| Name | yourdomain.com (or @) |
| TTL | 14400 |
| Type | TXT |
| Record | v=spf1 +a +mx +ip4:YOUR_IP include:_spf.google.com ~all |

  4. Click on Save Record

SPF Records based on your configuration

| Situation | SPF Record |
| --- | --- |
| cPanel Email only | v=spf1 +a +mx ~all |
| With MailChannels | v=spf1 +a +mx include:relay.mailchannels.net ~all |
| With Google Workspace | v=spf1 include:_spf.google.com ~all |
| With Microsoft 365 | v=spf1 include:spf.protection.outlook.com ~all |
| With SendGrid | v=spf1 include:sendgrid.net ~all |
| With Mailchimp | v=spf1 include:servers.mcsv.net ~all |
| Combined (cPanel + Google) | v=spf1 +a +mx include:_spf.google.com ~all |

Understanding SPF Syntax

| Element | Meaning |
| --- | --- |
| v=spf1 | SPF Protocol Version |
| +a | Allow domain IP (A record) |
| +mx | Allow domain MX servers |
| +ip4:123.456.789.0 | Allow specific IP |
| include:domain.com | Include authorized servers from another domain |
| ~all | Soft fail: mark as suspicious if not authorized |
| -all | Hard fail: reject if not authorized |
| ?all | Neutral: do not check |

⚠️ Important: A domain can have only one SPF record. If you use multiple services, combine them into a single record.


Step 3: Add DKIM Record

Retrieve the DKIM Key

  1. In Email Deliverability, click on Manage
  2. Under DKIM, copy the complete value of the public key

Add the Record

  1. In Zone Editor, click on + Add Record → Add TXT Record

| Field | Value |
| --- | --- |
| Name | default._domainkey.yourdomain.com |
| TTL | 14400 |
| Type | TXT |
| Record | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB... (your key) |

  2. Click on Save Record

💡 Note: The selector default may vary depending on your configuration. Some services use other selectors like google, selector1, etc.


Step 4: Add DMARC Record

DMARC is not configured automatically by cPanel. You must add it manually.

  1. In Zone Editor, click on + Add Record → Add TXT Record

| Field | Value |
| --- | --- |
| Name | _dmarc.yourdomain.com (or _dmarc) |
| TTL | 14400 |
| Type | TXT |
| Record | v=DMARC1; p=none; rua=mailto:[email protected] |

  2. Click on Save Record

📝 Recommended DMARC Configurations

Progressive Policy (recommended for beginners)

Start with a lenient policy, then gradually strengthen:

Phase 1: Monitoring (2-4 weeks)

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
  • p=none: Do nothing, just monitor
  • rua=mailto:...: Receive aggregate reports

Phase 2: Quarantine (2-4 weeks)

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=25
  • p=quarantine: Quarantine unauthenticated emails
  • pct=25: Apply to 25% of emails (gradual test)

Phase 3: Full Quarantine

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

Phase 4: Reject (maximum protection)

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100
  • p=reject: Fully reject unauthenticated emails
  • ruf=mailto:...: Receive detailed forensic reports

DMARC Parameters Explained

| Parameter | Values | Description |
| --- | --- | --- |
| v | DMARC1 | Version (mandatory) |
| p | none, quarantine, reject | Policy for the domain |
| sp | none, quarantine, reject | Policy for subdomains |
| pct | 0-100 | Percentage of emails to filter |
| rua | mailto:[email protected] | Address for aggregate reports |
| ruf | mailto:[email protected] | Address for forensic reports |
| adkim | r (relaxed), s (strict) | DKIM Alignment |
| aspf | r (relaxed), s (strict) | SPF Alignment |
| fo | 0, 1, d, s | Failure report options |

DMARC Configuration Examples

| Use Case | DMARC Record |
| --- | --- |
| Beginner (monitoring) | v=DMARC1; p=none; rua=mailto:[email protected] |
| Standard | v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100 |
| Strict | v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100 |
| Full with subdomains | v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; pct=100 |
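
A record can be checked against the parameters above before it is published. The following is an added example, not cPanel's or this page's own code: `parse_dmarc` and `lint_dmarc` are hypothetical helper names, and the report address is a constructed placeholder.

```python
# Added example: lint a DMARC TXT value against the tags described on this page.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in filter(str.strip, record.split(";")):
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return (effective_settings, problems) for one DMARC record."""
    pairs = parse_dmarc(record)
    tags, problems = dict(pairs), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
        pct = "100"
    for key in ("adkim", "aspf"):
        if tags.get(key, "r") not in ("r", "s"):
            problems.append(f"{key} must be r or s")
    for key in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(key, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{key} entry is not a mailto: address: {uri}")
    if "rua" not in tags:
        problems.append("no rua tag: no aggregate reports will arrive")
    # sp inherits the value of p when it is not set explicitly
    effective = {"p": tags.get("p"), "sp": tags.get("sp", tags.get("p")), "pct": int(pct)}
    return effective, problems

# Constructed records; the report address is a placeholder.
PHASE_2 = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.example; pct=25"
BROKEN = "p=reject; v=DMARC1; pct=150; rua=dmarc-reports@yourdomain.example"

if __name__ == "__main__":
    for rec in (PHASE_2, BROKEN):
        print(lint_dmarc(rec))
```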

✅ Verify Configuration

Method 1: cPanel Email Deliverability

  1. Go back to Email → Email Deliverability
  2. Check that the status is Valid ✅ for your domain

Method 2: Online Tools

| Tool | URL | Checks |
| --- | --- | --- |
| MXToolbox | mxtoolbox.com/SuperTool.aspx | SPF, DKIM, DMARC |
| Mail Tester | mail-tester.com | Overall score + authentication |
| DMARC Analyzer | dmarcanalyzer.com/dmarc/dmarc-record-check | DMARC |
| Google Admin Toolbox | toolbox.googleapps.com/apps/checkmx | MX, SPF, DKIM |
| DKIM Validator | dkimvalidator.com | DKIM |
| EasyDMARC | easydmarc.com/tools | SPF, DKIM, DMARC |

Method 3: Verification Commands

Verify SPF

# Linux/Mac
dig TXT yourdomain.com +short

# Windows
nslookup -type=TXT yourdomain.com

Expected result:

"v=spf1 +a +mx ~all"

Check DKIM

# Linux/Mac
dig TXT default._domainkey.yourdomain.com +short

# Windows
nslookup -type=TXT default._domainkey.yourdomain.com

Expected result:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

Check DMARC

# Linux/Mac
dig TXT _dmarc.yourdomain.com +short

# Windows
nslookup -type=TXT _dmarc.yourdomain.com

Expected result:

"v=DMARC1; p=quarantine; rua=mailto:[email protected]"

Method 4: Send a Test Email

  1. Send an email to [email protected]
  2. You will receive a detailed report with SPF, DKIM, and DMARC results

Or use mail-tester.com:

  1. Go to mail-tester.com
  2. Copy the provided temporary email address
  3. Send an email to this address
  4. Check your score and authentication details

📧 Configuration for External Services

Google Workspace (Professional Gmail)

SPF

v=spf1 include:_spf.google.com ~all

DKIM

  1. In the Google Admin console, go to Apps → Google Workspace → Gmail → Authenticate emails
  2. Generate the DKIM key
  3. Add the TXT record provided by Google

Microsoft 365 (Professional Outlook)

SPF

v=spf1 include:spf.protection.outlook.com ~all

DKIM

  1. In the Microsoft 365 Admin Center
  2. Settings → Domains → Select your domain
  3. Copy the provided DKIM CNAME records

Email Delivery Services

| Service | SPF Include | DKIM Documentation |
| --- | --- | --- |
| SendGrid | include:sendgrid.net | SendGrid Panel |
| Mailchimp | include:servers.mcsv.net | Account → Settings → Verified domains |
| Sendinblue | include:sendinblue.com | Settings → Senders → Domains |
| Mailjet | include:spf.mailjet.com | Account Settings → Domains |
| Amazon SES | include:amazonses.com | AWS SES Console |

Example: Combined cPanel + Mailchimp

v=spf1 +a +mx include:servers.mcsv.net ~all

🔧 Troubleshooting

SPF: "Too many DNS lookups"

Issue: SPF is limited to a maximum of 10 DNS lookups.

Solution:

  • Reduce the number of include:
  • Use direct IPs (ip4:) instead of include:
  • Use an "SPF flattening" service

SPF: "Multiple SPF records"

Issue: You have multiple SPF records.

Solution: Merge all your records into one:

Incorrect (2 records):

v=spf1 +a +mx ~all
v=spf1 include:_spf.google.com ~all

Correct (1 record):

v=spf1 +a +mx include:_spf.google.com ~all
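
Both SPF problems above can be caught before publishing a record. The following is an added example, not part of the original guide: it counts lookups recursively through nested includes and rejects a domain with more than one SPF record. The `ZONE` dictionary is constructed sample data standing in for DNS, and all function names are hypothetical.

```python
# Added example: offline SPF lint. ZONE stands in for DNS and is constructed sample data.
ZONE = {
    "yourdomain.example": ["v=spf1 +a +mx include:_spf.mail.example include:relay.example ~all",
                           "site-verification=constructed-token"],
    "_spf.mail.example": ["v=spf1 include:_net1.mail.example include:_net2.mail.example ~all"],
    "_net1.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_net2.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "relay.example": ["v=spf1 a mx ~all"],
    "broken.example": ["v=spf1 +a +mx ~all", "v=spf1 include:_spf.mail.example ~all"],
}
# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4); ip4, ip6 and all are free.
LOOKUP_MECHS = {"a", "mx", "ptr", "exists", "include"}

def spf_records(domain, zone):
    """TXT values at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case number of DNS lookups to evaluate the record, following includes."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if name in LOOKUP_MECHS:
            total += 1
        if name == "include":
            total += count_lookups(target, zone, path + (domain,))
    return total

def lint_spf(domain, zone=ZONE):
    try:
        n = count_lookups(domain, zone)
    except ValueError as err:
        return f"FAIL: {err}"
    return f"OK: {n} lookups" if n <= 10 else f"FAIL: {n} lookups (limit is 10)"

if __name__ == "__main__":
    for d in ("yourdomain.example", "broken.example"):
        print(d, "->", lint_spf(d))
```

The sample domain looks like it uses four lookups but actually needs eight, because each include brings the lookups of the record it points to.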

DKIM: "No DKIM record found"

| Cause | Solution |
| --- | --- |
| Incorrect selector | Check the selector name (default, google, etc.) |
| DNS propagation | Wait 24-48 hours after creation |
| Truncated key | Ensure the key is complete |
| Incorrect domain | Check the format selector._domainkey.domain.com |

DKIM: Key Too Long

If your DKIM key exceeds 255 characters, it must be split into several quoted strings:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..." "...key continuation..."

Some DNS systems handle this automatically, others require manual splitting.
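
Manual splitting is where keys get truncated or pick up stray spaces. The following is an added example, not part of the original guide: it splits a record into 255-character strings and checks a typed-in record for oversize strings, invalid base64 and a truncated key. `FAKE_DER` is a constructed stand-in for a 2048-bit RSA key (a valid DER length header plus zero filler), and the function names are hypothetical.

```python
import base64
import binascii
import re

# Constructed stand-in for a 2048-bit RSA public key: valid DER header plus zero filler.
FAKE_DER = bytes.fromhex("30820122") + bytes(290)
RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(FAKE_DER).decode()

def split_txt(value, limit=255):
    """Render a TXT value as quoted strings of at most `limit` characters each."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def check_dkim_txt(presentation):
    """Return a list of problems in a DKIM TXT record as typed into a zone editor."""
    strings = re.findall(r'"([^"]*)"', presentation)
    problems = [f"string {n} is {len(s)} characters (max 255)"
                for n, s in enumerate(strings, 1) if len(s) > 255]
    value = "".join(strings)  # resolvers concatenate the strings with no separator
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        problems.append("missing v=DKIM1")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64 (truncated or stray characters)"]
    # DER starts with 0x30 (SEQUENCE) and a length that must match the payload size.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["p= does not start with a DER SEQUENCE"]
    if der[1] < 0x80:
        header, declared = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + declared != len(der):
        problems.append(f"key is {len(der)} bytes but declares {header + declared}: truncated")
    return problems

if __name__ == "__main__":
    print(split_txt(RECORD))
    print(check_dkim_txt(split_txt(RECORD)))          # well-formed split
    print(check_dkim_txt('"' + RECORD + '"'))         # one oversize string
    print(check_dkim_txt(split_txt(RECORD[:-20])))    # key cut short
```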


DMARC: "DMARC record not found"

| Cause | Solution |
| --- | --- |
| Incorrect name | Must be exactly _dmarc.yourdomain.com |
| DNS propagation | Wait a few hours |
| Incorrect syntax | Verify with a DMARC validator |

Emails Still Going to Spam

Check in order:

  1. ✅ SPF configured and valid
  2. ✅ DKIM configured and valid
  3. ✅ DMARC configured
  4. ✅ PTR (Reverse DNS) configured
  5. ✅ IP not blacklisted (check on mxtoolbox.com/blacklists.aspx)
  6. ✅ Email content (no spam words, good text/image ratio)

📊 Reading DMARC Reports

Report Format

DMARC reports are sent in XML. Simplified example:

<record>
  <row>
    <source_ip>123.456.789.0</source_ip>
    <count>10</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
</record>
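
Reports in this shape can be summarized per sending IP to see which sources would be affected by a stricter policy. The following is an added example, not part of the original guide: the sample report is constructed (documentation IP ranges, only the fields shown above), the function names are hypothetical, and the 1% failure threshold is an assumption to adjust.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def sample_record(ip, count, dkim, spf):
    """Build one constructed <record> with the fields shown on this page."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed sample report.
REPORT = "<feedback>" + "".join([
    sample_record("192.0.2.10", 120, "pass", "pass"),   # own mail server
    sample_record("192.0.2.10", 5, "pass", "fail"),     # e.g. forwarded: DKIM still passes
    sample_record("198.51.100.7", 40, "fail", "fail"),  # forgotten service or spoofing
    sample_record("203.0.113.25", 3, "fail", "fail"),
]) + "</feedback>"

def summarize(xml_text):
    """Per source IP: messages passing DMARC (DKIM or SPF pass) and messages failing."""
    # Reports arrive from third parties, so refuse DTD and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a DMARC report")
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        outcome = "pass" if "pass" in results else "fail"
        stats[row.findtext("source_ip")][outcome] += int(row.findtext("count"))
    return dict(stats)

def failing_sources(stats):
    """Sources with messages failing both checks, largest volume first."""
    bad = [(ip, s["fail"]) for ip, s in stats.items() if s["fail"]]
    return sorted(bad, key=lambda item: -item[1])

def ready_to_tighten(stats, max_fail_ratio=0.01):
    """True when the share of failing mail is at or below the (assumed) threshold."""
    total = sum(s["pass"] + s["fail"] for s in stats.values())
    failed = sum(s["fail"] for s in stats.values())
    return total > 0 and failed / total <= max_fail_ratio

if __name__ == "__main__":
    stats = summarize(REPORT)
    print(failing_sources(stats), ready_to_tighten(stats))
```

Each failing source is either a legitimate service missing from SPF/DKIM or someone sending as your domain; identify which before moving to the next phase.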

DMARC Analysis Services

XML reports are hard to read. Use a free service:

| Service | URL | Features |
| --- | --- | --- |
| DMARC Analyzer | dmarcanalyzer.com | Limited free |
| Postmark DMARC | dmarc.postmarkapp.com | Free |
| EasyDMARC | easydmarc.com | Limited free |
| URIports | uriports.com | Free |
| DMARCLY | dmarcly.com | Limited free |

⚠️ Best Practices

Do's ✅

| Practice | Reason |
| --- | --- |
| Start DMARC in p=none mode | Observe before enforcing |
| Test after each modification | Avoid disruptions |
| Monitor DMARC reports | Detect issues |
| Update SPF when changing services | Keep the list up to date |
| Use ~all rather than -all initially | More error-tolerant |

Avoid ❌

| Practice | Risk |
| --- | --- |
| Directly switch to p=reject | Block your own emails |
| Forget to include all sending services | Emails rejected |
| Have multiple SPF records | Invalid configuration |
| Ignore DMARC reports | Miss issues |
| Copy configurations without adaptation | Incorrect values |

📝 Summary

EMAIL AUTHENTICATION - CPANEL CONFIGURATION

┌─────────────────────────────────────────────────────────────┐
│                         SPF                                 │
├─────────────────────────────────────────────────────────────┤
│ Type: TXT                                                   │
│ Name: yourdomain.com (or @)                                 │
│ Value: v=spf1 +a +mx ~all                                   │
│ → Allows servers to send on behalf of your domain           │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│                         DKIM                                │
├─────────────────────────────────────────────────────────────┤
│ Type: TXT                                                   │
│ Name: default._domainkey.yourdomain.com                     │
│ Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY                    │
│ → Cryptographically signs each email                        │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│                        DMARC                                │
├─────────────────────────────────────────────────────────────┤
│ Type: TXT                                                   │
│ Name: _dmarc.yourdomain.com                                 │
│ Value: v=DMARC1; p=none; rua=mailto:[email protected]         │
│ → Defines policy if SPF/DKIM fails                          │
└─────────────────────────────────────────────────────────────┘

AUTOMATIC CONFIGURATION (cPanel):
1. Email → Email Deliverability
2. Click on "Repair" if issues are detected
3. Manually add DMARC in Zone Editor

RECOMMENDED DMARC PROGRESSION:
Phase 1: p=none (monitoring) → 2-4 weeks
Phase 2: p=quarantine; pct=25 → 2-4 weeks
Phase 3: p=quarantine; pct=100 → 2-4 weeks
Phase 4: p=reject; pct=100 → Maximum protection

VERIFICATION:
├── cPanel Email Deliverability → Status "Valid"
├── mail-tester.com → Score 10/10
├── mxtoolbox.com → Complete verification
└── dig TXT yourdomain.com → View records