If your business emails keep landing in spam folders, there’s a good chance your domain is missing proper email authentication. Setting up SPF, DKIM, and DMARC in cPanel is one of the most important things you can do to protect your email deliverability, and it’s easier than you might think.

SPF, DKIM, and DMARC are three email authentication protocols that work together to prove your emails are legitimate. Without them, email providers like Gmail and Outlook have no way to verify that messages from your domain are actually from you. The result? Your invoices, order confirmations, and newsletters end up in the junk folder, or worse, get rejected entirely.

In this guide, we’ll walk through exactly how to set up all three in cPanel, step by step. No technical background required. By the end, your emails will be properly authenticated and far more likely to reach the inbox.

What’s in This Post

Looking for fast, reliable UK hosting?

Our plans start from £4.99/month with everything included: SSL, backups, email, and 24/7 support.

View Hosting Plans →

What Is SPF and Why You Need It

SPF (Sender Policy Framework) is a DNS record that tells email providers which servers are allowed to send email on behalf of your domain. Think of it like a guest list for your email. If a server tries to send an email from your domain and it’s not on the list, the receiving server knows something is wrong.

Without SPF, anyone can send emails pretending to be you. This is called email spoofing, and it’s one of the most common tactics used in phishing attacks. Even if nobody is actively spoofing your domain, the absence of an SPF record makes email providers suspicious of your legitimate messages.

For small businesses, this matters more than you might realise. If your quotes, invoices, or booking confirmations are going to spam, you’re losing money. SPF is the first line of defence.

How to Set Up SPF in cPanel

The good news is that most cPanel hosting providers (including Webfort) automatically create a basic SPF record when you set up your account. But it’s worth checking that it’s correct, especially if you use third-party email services.

Step 1: Open Email Deliverability

Log in to cPanel and scroll down to the Email section. Click on Email Deliverability. This tool shows the current status of your SPF, DKIM, and PTR records for each domain on your account.

Step 2: Check Your SPF Status

Find your domain in the list. If SPF shows a green tick, you’re already set up. If it shows a warning or error, click Manage to see what needs fixing.

Step 3: Review or Repair the SPF Record

cPanel will suggest a recommended SPF record. In most cases, you can click Install the Suggested Record and it will handle everything automatically. The default record typically looks like this:

v=spf1 +a +mx +ip4:YOUR.SERVER.IP ~all

Here’s what each part means:

  • v=spf1 – Identifies this as an SPF record
  • +a – Allows the server at your domain’s A record to send email
  • +mx – Allows your mail exchange servers to send email
  • +ip4: – Allows a specific IP address to send email
  • ~all – Soft fail for anything not listed (tells providers to be suspicious but not reject)

Step 4: Add Third-Party Senders (If Needed)

If you use services like Mailchimp, Google Workspace, or Microsoft 365 to send email from your domain, you need to add their servers to your SPF record. For example:

v=spf1 +a +mx include:_spf.google.com include:servers.mcsv.net ~all

Each service will have documentation telling you exactly what to add. The key word is include: followed by the service’s SPF domain.

Important: You can only have one SPF record per domain. If you need to add multiple services, combine them into a single record. Having two separate SPF records will break email authentication entirely.

What Is DKIM and Why You Need It

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. When a message leaves your server, DKIM attaches an encrypted signature to the email header. The receiving server then checks this signature against a public key stored in your DNS records.

If the signature matches, the email hasn’t been tampered with in transit. If it doesn’t match, the email might have been altered or forged.

While SPF verifies who is sending the email, DKIM verifies that the email content hasn’t been changed. Together, they provide much stronger authentication than either one alone. This is particularly important for businesses sending sensitive information like contracts, financial documents, or customer data.

How to Enable DKIM in cPanel

DKIM is slightly more technical than SPF, but cPanel makes it straightforward. On many hosting providers, DKIM is enabled by default. Here’s how to check and enable it.

Step 1: Go to Email Deliverability

In cPanel, navigate to Email > Email Deliverability (the same tool you used for SPF). Find your domain and check the DKIM status.

Step 2: Install the DKIM Record

If DKIM shows a warning, click Manage. cPanel will generate a DKIM key pair for you automatically. Click Install the Suggested Record to add the public key to your DNS.

The DKIM record is a TXT record added to your DNS zone, usually with a name like default._domainkey.yourdomain.com. It contains a long string of characters that looks something like this:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...

You don’t need to understand what this string means. cPanel handles the key generation and DNS entry for you.

Step 3: Verify It’s Working

After installing the record, wait 10-15 minutes for DNS propagation, then return to Email Deliverability and refresh. You should see a green tick next to DKIM.

Note: If your domain’s DNS is managed externally (for example, through Cloudflare or another provider), cPanel won’t be able to install the record automatically. You’ll need to copy the DKIM record and add it manually in your DNS provider’s control panel. If you’re unsure how to do this, your hosting provider should be able to help. For guidance on securing your hosting environment more broadly, have a look at our guide to setting up CSF Firewall in cPanel.

What Is DMARC and Why You Need It

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the third piece of the puzzle. While SPF and DKIM verify individual aspects of an email, DMARC ties them together and tells receiving servers what to do when authentication fails.

Without DMARC, email providers make their own decisions about what to do with unauthenticated messages. Some might deliver them to spam. Others might reject them. DMARC gives you control over that decision.

DMARC also provides reporting. You can receive reports showing who is sending email from your domain, including any unauthorised senders. This is invaluable for spotting spoofing attempts early.

For any organisation that takes email seriously (and every business should), DMARC is essential. Google and Yahoo both started requiring DMARC for bulk senders in 2024, and the requirements are only getting stricter.

How to Set Up DMARC in cPanel

Unlike SPF and DKIM, cPanel doesn’t have a dedicated DMARC tool. You’ll need to add the record manually through the Zone Editor. Don’t worry, it’s just a single DNS record.

Step 1: Open Zone Editor

In cPanel, go to Domains > Zone Editor. Find your domain and click Manage.

Step 2: Add a New TXT Record

Click Add Record and select TXT as the record type. Fill in the following:

  • Name: _dmarc.yourdomain.com (replace with your actual domain)
  • TTL: 14400 (or leave the default)
  • Type: TXT
  • Record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Step 3: Understand the Policy Options

The p= tag is the most important part. It tells receiving servers what to do with emails that fail authentication:

  • p=none – Monitor only. Emails are delivered normally, but you receive reports. Start here.
  • p=quarantine – Failed emails go to the spam folder.
  • p=reject – Failed emails are blocked entirely.

We strongly recommend starting with p=none. This lets you monitor your email traffic without risking legitimate emails being blocked. After a few weeks of reviewing reports and confirming everything is working, you can gradually move to quarantine and eventually reject.

Step 4: Save and Wait

Click Save Record. DNS changes can take up to 24 hours to propagate globally, though it’s usually much faster (often within an hour).

Here’s a more complete DMARC record you can use as a template:

v=DMARC1; p=none; sp=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; adkim=r; aspf=r; pct=100

The additional tags mean:

  • sp=none – Policy for subdomains
  • rua= – Where to send aggregate reports
  • ruf= – Where to send forensic (failure) reports
  • adkim=r – Relaxed DKIM alignment
  • aspf=r – Relaxed SPF alignment
  • pct=100 – Apply policy to 100% of emails

Is your website holding your business back?

Run our free 30-second health check – no signup required. Check speed, security, and SEO issues instantly.

Check My Website →

How to Test Your Email Authentication

Once you’ve set up all three records, you need to verify they’re working correctly. Here are the best tools for the job:

MXToolbox

Visit MXToolbox SuperTool and enter your domain. It can check your SPF, DKIM, and DMARC records individually and flag any errors. This is the quickest way to confirm your DNS records are correct.

Mail-Tester

Go to mail-tester.com and send a test email to the address it provides. You’ll get a detailed score out of 10, with specific feedback on your SPF, DKIM, DMARC setup, and other deliverability factors. Aim for 9 or above.

Google Admin Toolbox

Google’s Check MX tool verifies your domain’s email configuration from Google’s perspective. Since Gmail is the most popular email provider, this is particularly useful.

Send a Test Email

The simplest test of all: send an email from your domain to a Gmail account. Open the email, click the three dots menu, and select Show original. Look for these lines in the headers:

  • SPF: PASS
  • DKIM: PASS
  • DMARC: PASS

If all three show PASS, your email authentication is working correctly. If you’re looking to improve your overall website security alongside email, our WordPress security guide covers the essentials.

Common Mistakes and Troubleshooting

Email authentication is straightforward when done correctly, but a few common mistakes can break things. Here’s what to watch for:

Multiple SPF Records

This is the most common error we see. Your domain must have exactly one SPF record. If you add a second one (for example, when setting up a new email service), both records become invalid. Always edit your existing SPF record to include new services rather than creating a new one.

DNS Not Managed in cPanel

If you’re using Cloudflare, an external DNS provider, or your domain registrar’s nameservers, changes made in cPanel’s Zone Editor won’t take effect. You’ll need to add your SPF, DKIM, and DMARC records directly in whatever controls your DNS. This catches a lot of people out.

Forgetting to Add Third-Party Services to SPF

If you use Mailchimp, Brevo, or any other service to send emails from your domain, those services need to be included in your SPF record. Otherwise, emails sent through them will fail SPF checks and likely end up in spam.

Starting DMARC on Reject

Jumping straight to p=reject without monitoring first is risky. If something is misconfigured, legitimate emails will be blocked. Always start with p=none, review your DMARC reports for a few weeks, then tighten the policy gradually.

SPF Lookup Limit

SPF records are limited to 10 DNS lookups. Each include: statement counts as a lookup, and some services use nested includes that add up quickly. If you exceed 10 lookups, SPF fails entirely. Use an SPF checker to count your lookups.

Not Waiting for DNS Propagation

After making changes, DNS records need time to propagate. Testing immediately after saving will often show old results. Wait at least 30 minutes before testing, and up to 24 hours for full global propagation.

If you’re running a small business website on shared hosting and want to make sure your whole setup is solid, our guide on choosing the right hosting plan is worth a read alongside this.

Final Thoughts

Setting up SPF, DKIM, and DMARC in cPanel isn’t complicated, but it makes a significant difference to your email deliverability. These three protocols tell the world that your emails are legitimate, and that matters more than ever as providers crack down on unauthenticated email.

To recap the essentials:

  • SPF lists which servers can send email from your domain
  • DKIM adds a cryptographic signature proving emails haven’t been tampered with
  • DMARC ties them together and tells providers what to do when checks fail

If your business relies on email (and whose doesn’t?), spending 20 minutes on this setup is one of the best investments you can make. Your emails will reach inboxes instead of spam folders, your domain reputation will improve, and you’ll be protected against spoofing attacks.

Need hosting that handles email authentication properly from day one? Webfort’s hosting plans come with cPanel, automatic SPF and DKIM configuration, and UK-based support if you need a hand. For a broader look at what good hosting should include, check out our guide on the best web hosting for UK small businesses.