How to Setup SPF, DKIM and DMARC in cPanel

Are email messages from your domain going to your recipient’s SPAM folder? Setting up Email Authentication records for your domain will improve email deliverability and increase the odds of emails from your domain arriving in your recipients’ Inbox versus the SPAM folder. In this article, we will discuss How to Setup SPF, DKIM and DMARC in cPanel.

How to Setup SPF, DKIM and DMARC in cPanel

  1. Login to cPanel
  2. Under the Email section, click on the ‘Email Deliverability‘ icon
    How to Setup SPF, DKIM and DMARC in cPanel
  3. Locate the domain you want to setup SPF, DKIM and DMARC for and click ‘ManageHow to Setup SPF, DKIM and DMARC in cPanel
  4. Under the DKIM Section, click ‘Install the Suggested Record‘ to add your DKIM Record Install DKIM
  5. Under the SPF section, click ‘Install the Suggested Record‘ to add your SPF record. How to Setup SPF in cPanel

How to Setup a DMARC Record

  1. Login to cPanel
  2. Under the Domains section, Click on ‘Zone EditorcPanel Zone Editor
  3. Click ‘Manage‘ next to the domain you want to add the DMARC forcPanel Zone Editor Manage
  4. Click on the arrow next to the ‘Add Record‘ button to activate the drop-down menu
  5. Select ‘Add DMARC Record‘ from the listcPanel Zone Editor Add DMARC
  6. Click on ‘Optional Parameters‘ to expand the options for the DMARC recordHow to add a DMARC Record in cPanel
  7. Select ‘Quarantine‘ and ‘Strict‘ in both sections (or choose based on your preference)
  8. Enter an email address to send reports to in both the ‘Send Aggregate Mail Reports To‘ and ‘Send Failure Reports To‘ field

how to add a DMARC record

Note! If you are managing the DNS records for your domain elsewhere (like CloudFlare for example or via another DNS provider) you will need to copy these records over to your DNS provider. You can view the RAW DMARC record to copy it and add it where the DNS is being managed for your domain.

That’s it! You’ve successfully added an SPF, DKIM and DMARC record for your domain. These records are DNS records. It will take some time for these records to become fully effective as this is a DNS change. DNS changes incur a period of time known as DNS propagation (read more about DNS propagation here).

→ What does this do? See: What is SPF, DKIM and DMARC

What is SPF, DKIM and DMARC?

How do I stop my emails from going to SPAM? This is a question that comes many times in the web hosting world. SPF, DKIM and DMARC are email authentication records for your domain that work together to prevent spam, email spoofing, and malicious activity for your domain email. Regardless of your host, email deliverability is a complex issue contingent upon many factors. Spammers are always looking for new ways to get past even the most aggressive of spam filtering. This has resulted in Email Providers such as Google, Yahoo, Microsoft, and more having to double down on policies for incoming email and change how they accept incoming email messages in order to decipher between legitimate emails and spam. Unfortunately, for a domain holder (like yourself) this can result in legitimate emails sent from your domain being marked as SPAM – even if they aren’t.

One of the policies for handling incoming email most popular email providers have in place is the marking of all unauthenticated emails as SPAM regardless of message content.


In this Article:  What is SPF? What is DKIM? What is DMARC?

    How to Setup SPF, DKIM & DMARC


Why do you need SPF, DKIM and DMARC?

Without email authentication records in place, anyone can send email on behalf of your domain pretending to be you. This is why most receiving email servers will mark a message as spam or even discard messages from a domain that does not have these records in place.


What is Unauthenticated Email?

Simply put, an unauthenticated email is an email message that was sent without having to authenticate on a server (like logging in with your email address and password then sending an email). This might happen if you’ve submitted an email message through a contact form or have automated email messages set to send through your website without using an email address and instead using the PHP Post method alone. To help with this and to prevent abuse of contact forms and reduce outgoing SPAM, the server here requires SMTP authentication. This means any email sent from your website must be authenticated with an email address and password. An email may also be considered unauthenticated if the email authentication DNS records such as SPF, DKIM and DMARC are not present.

→ See our Guide on How to Configure SMTP Authentication in WordPress

What is SPF?

SPF (Senders Policy Framework) is a DNS TXT record that specifies which IP addresses and/or servers are allowed to send email “from” that particular domain. It works like a security guard or bouncer for your domain email.  It helps prevent spoofing by ensuring that an email message being sent was sent from the actual IP address of your domain, which is listed in the SPF record. So if someone tries to send email pretending it’s from your domain and it’s not, the IP address will not match and in most cases the email will be rejected or discarded. The absence of an SPF record will make emails from your domain seem less secure and often times will result in mailservers automatically tagging emails from your domain as SPAM, since there is no way to tell if the email message was legitimate or not.

What is DKIM?

DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the incoming mail server to check that an email was actually sent from the owner of the domain it claims to have been sent by. It gives an email a digital signature known as the DKIM signature. The DKIM signature is an encrypted header that is added to email messages.

DKIM allows the recipient email server (incoming mail server) to check that an email sent from your domain is signed with a valid DKIM signature. This let’s the incoming mail server determine that parts of the email such as the message body and attachments haven’t been modified.
Using the DKIM record together with DMARC and SPF will improve email deliverability and can also protect your domain against malicious emails sent on behalf of your domains which is a common tactic used in email spoofing.

What is DMARC?

DMARC (Domain-based Message Authentication Reporting and Conformance) is an email policy for your domain. It’s a validation system that is designed to protect email from your domain from being used in email spoofing, phishing scams, and other malicious activity. DMARC uses existing email authentication records (SPF, and DKIM) and adds the ability for domain owners to receive reports regarding who is sending email on behalf of their domain. As a website owner, you want to be sure that your visitors or customers will only see emails that you have sent yourself and not potential malicious emails sent by spammers using spoofing methods. DMARC is a way to secure your email and gives email receivers certainty in determining whether or not an email is legit and has originated from you. The result is a positive impact on email deliverability and also prevents anyone else from sending email using your domain when they aren’t supposed to.

→ See our Guide on how to Set up SPF, DKIM and DMARC for your domain