If your business emails keep landing in spam folders, there’s a good chance your domain is missing proper email authentication. Setting up SPF, DKIM, and DMARC in cPanel is one of the most important things you can do to protect your email deliverability, and it’s easier than you might think.<\/p>\n
SPF, DKIM, and DMARC are three email authentication protocols that work together to prove your emails are legitimate. Without them, email providers like Gmail and Outlook have no way to verify that messages from your domain are actually from you. The result? Your invoices, order confirmations, and newsletters end up in the junk folder, or worse, get rejected entirely.<\/p>\n
In this guide, we’ll walk through exactly how to set up all three in cPanel, step by step. No technical background required. By the end, your emails will be properly authenticated and far more likely to reach the inbox.<\/p>\n
Our plans start from \u00a34.99\/month<\/strong> with everything included: SSL, backups, email, and 24\/7 support.<\/p>\n View Hosting Plans \u2192<\/a>\n <\/div>\n <\/div>\n \n SPF (Sender Policy Framework)<\/strong> is a DNS record that tells email providers which servers are allowed to send email on behalf of your domain. Think of it like a guest list for your email. If a server tries to send an email from your domain and it’s not on the list, the receiving server knows something is wrong.<\/p>\n Without SPF, anyone can send emails pretending to be you. This is called email spoofing<\/strong>, and it’s one of the most common tactics used in phishing attacks. Even if nobody is actively spoofing your domain, the absence of an SPF record makes email providers suspicious of your legitimate messages.<\/p>\n For small businesses, this matters more than you might realise. If your quotes, invoices, or booking confirmations are going to spam, you’re losing money. SPF is the first line of defence.<\/p>\n The good news is that most cPanel hosting providers (including Webfort<\/a>) automatically create a basic SPF record when you set up your account. But it’s worth checking that it’s correct, especially if you use third-party email services.<\/p>\n Log in to cPanel and scroll down to the Email<\/strong> section. Click on Email Deliverability<\/strong>. This tool shows the current status of your SPF, DKIM, and PTR records for each domain on your account.<\/p>\n Find your domain in the list. If SPF shows a green tick, you’re already set up. If it shows a warning or error, click Manage<\/strong> to see what needs fixing.<\/p>\n cPanel will suggest a recommended SPF record. In most cases, you can click Install the Suggested Record<\/strong> and it will handle everything automatically. The default record typically looks like this:<\/p>\n Here’s what each part means:<\/p>\n If you use services like Mailchimp, Google Workspace, or Microsoft 365 to send email from your domain, you need to add their servers to your SPF record. For example:<\/p>\n Each service will have documentation telling you exactly what to add. The key word is include:<\/strong> followed by the service’s SPF domain.<\/p>\n Important:<\/strong> You can only have one SPF record<\/strong> per domain. If you need to add multiple services, combine them into a single record. Having two separate SPF records will break email authentication entirely.<\/p>\n DKIM (DomainKeys Identified Mail)<\/strong> adds a digital signature to every email you send. When a message leaves your server, DKIM attaches an encrypted signature to the email header. The receiving server then checks this signature against a public key stored in your DNS records.<\/p>\n If the signature matches, the email hasn’t been tampered with in transit. If it doesn’t match, the email might have been altered or forged.<\/p>\n While SPF verifies who<\/em> is sending the email, DKIM verifies that the email content<\/em> hasn’t been changed. Together, they provide much stronger authentication than either one alone. This is particularly important for businesses sending sensitive information like contracts, financial documents, or customer data.<\/p>\n DKIM is slightly more technical than SPF, but cPanel makes it straightforward. On many hosting providers, DKIM is enabled by default. Here’s how to check and enable it.<\/p>\n In cPanel, navigate to Email<\/strong> > Email Deliverability<\/strong> (the same tool you used for SPF). Find your domain and check the DKIM status.<\/p>\n If DKIM shows a warning, click Manage<\/strong>. cPanel will generate a DKIM key pair for you automatically. Click Install the Suggested Record<\/strong> to add the public key to your DNS.<\/p>\n The DKIM record is a TXT record added to your DNS zone, usually with a name like You don’t need to understand what this string means. cPanel handles the key generation and DNS entry for you.<\/p>\n After installing the record, wait 10-15 minutes for DNS propagation, then return to Email Deliverability<\/strong> and refresh. You should see a green tick next to DKIM.<\/p>\n Note:<\/strong> If your domain’s DNS is managed externally (for example, through Cloudflare or another provider), cPanel won’t be able to install the record automatically. You’ll need to copy the DKIM record and add it manually in your DNS provider’s control panel. If you’re unsure how to do this, your hosting provider should be able to help. For guidance on securing your hosting environment more broadly, have a look at our guide to setting up CSF Firewall in cPanel<\/a>.<\/p>\n DMARC (Domain-based Message Authentication, Reporting, and Conformance)<\/strong> is the third piece of the puzzle. While SPF and DKIM verify individual aspects of an email, DMARC ties them together and tells receiving servers what to do when authentication fails.<\/p>\n Without DMARC, email providers make their own decisions about what to do with unauthenticated messages. Some might deliver them to spam. Others might reject them. DMARC gives you control over that decision.<\/p>\n DMARC also provides reporting<\/strong>. You can receive reports showing who is sending email from your domain, including any unauthorised senders. This is invaluable for spotting spoofing attempts early.<\/p>\n For any organisation that takes email seriously (and every business should), DMARC is essential. Google and Yahoo both started requiring DMARC for bulk senders in 2024, and the requirements are only getting stricter.<\/p>\n Unlike SPF and DKIM, cPanel doesn’t have a dedicated DMARC tool. You’ll need to add the record manually through the Zone Editor<\/strong>. Don’t worry, it’s just a single DNS record.<\/p>\n In cPanel, go to Domains<\/strong> > Zone Editor<\/strong>. Find your domain and click Manage<\/strong>.<\/p>\n Click Add Record<\/strong> and select TXT<\/strong> as the record type. Fill in the following:<\/p>\n The We strongly recommend starting with Click Save Record<\/strong>. DNS changes can take up to 24 hours to propagate globally, though it’s usually much faster (often within an hour).<\/p>\n Here’s a more complete DMARC record you can use as a template:<\/p>\n The additional tags mean:<\/p>\n Run our free 30-second health check - no signup required. Check speed, security, and SEO issues instantly.<\/p>\n Check My Website \u2192<\/a>\n <\/div>\n <\/div>\n \n Once you’ve set up all three records, you need to verify they’re working correctly. Here are the best tools for the job:<\/p>\n Visit MXToolbox SuperTool<\/a> and enter your domain. It can check your SPF, DKIM, and DMARC records individually and flag any errors. This is the quickest way to confirm your DNS records are correct.<\/p>\n Go to mail-tester.com<\/a> and send a test email to the address it provides. You’ll get a detailed score out of 10, with specific feedback on your SPF, DKIM, DMARC setup, and other deliverability factors. Aim for 9 or above.<\/p>\n Google’s Check MX tool<\/a> verifies your domain’s email configuration from Google’s perspective. Since Gmail is the most popular email provider, this is particularly useful.<\/p>\n The simplest test of all: send an email from your domain to a Gmail account. Open the email, click the three dots menu, and select Show original<\/strong>. Look for these lines in the headers:<\/p>\n If all three show PASS, your email authentication is working correctly. If you’re looking to improve your overall website security alongside email, our WordPress security guide<\/a> covers the essentials.<\/p>\n Email authentication is straightforward when done correctly, but a few common mistakes can break things. Here’s what to watch for:<\/p>\n This is the most common error we see. Your domain must have exactly one SPF record<\/strong>. If you add a second one (for example, when setting up a new email service), both records become invalid. Always edit your existing SPF record to include new services rather than creating a new one.<\/p>\n If you’re using Cloudflare, an external DNS provider, or your domain registrar’s nameservers, changes made in cPanel’s Zone Editor won’t take effect. You’ll need to add your SPF, DKIM, and DMARC records directly in whatever controls your DNS. This catches a lot of people out.<\/p>\n If you use Mailchimp, Brevo, or any other service to send emails from your domain, those services need to be included in your SPF record. Otherwise, emails sent through them will fail SPF checks and likely end up in spam.<\/p>\n Jumping straight to SPF records are limited to 10 DNS lookups<\/strong>. Each After making changes, DNS records need time to propagate. Testing immediately after saving will often show old results. Wait at least 30 minutes before testing, and up to 24 hours for full global propagation.<\/p>\n If you’re running a small business website on shared hosting and want to make sure your whole setup is solid, our guide on choosing the right hosting plan<\/a> is worth a read alongside this.<\/p>\n Setting up SPF, DKIM, and DMARC in cPanel isn’t complicated, but it makes a significant difference to your email deliverability. These three protocols tell the world that your emails are legitimate, and that matters more than ever as providers crack down on unauthenticated email.<\/p>\n To recap the essentials:<\/p>\n If your business relies on email (and whose doesn’t?), spending 20 minutes on this setup is one of the best investments you can make. Your emails will reach inboxes instead of spam folders, your domain reputation will improve, and you’ll be protected against spoofing attacks.<\/p>\n Need hosting that handles email authentication properly from day one? Webfort’s hosting plans<\/a> come with cPanel, automatic SPF and DKIM configuration, and UK-based support if you need a hand. For a broader look at what good hosting should include, check out our guide on the best web hosting for UK small businesses<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" If your business emails keep landing in spam folders, there’s a good chance your domain is missing proper email authentication. Setting up SPF, DKIM, and DMARC in cPanel is one of the most important things you can do to protect your email deliverability, and it’s easier than you might think. SPF, DKIM, and DMARC are […]<\/p>\n","protected":false},"author":1,"featured_media":96,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,13],"tags":[36,43,40,41,42],"class_list":["post-94","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hosting","category-security","tag-cpanel","tag-dmarc","tag-email-authentication","tag-email-deliverability","tag-spf"],"_links":{"self":[{"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/posts\/94","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=94"}],"version-history":[{"count":1,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":95,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/posts\/94\/revisions\/95"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/media\/96"}],"wp:attachment":[{"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}What Is SPF and Why You Need It<\/h2>\n
How to Set Up SPF in cPanel<\/h2>\n
Step 1: Open Email Deliverability<\/h3>\n
Step 2: Check Your SPF Status<\/h3>\n
Step 3: Review or Repair the SPF Record<\/h3>\n
v=spf1 +a +mx +ip4:YOUR.SERVER.IP ~all<\/code><\/p>\n\n
Step 4: Add Third-Party Senders (If Needed)<\/h3>\n
v=spf1 +a +mx include:_spf.google.com include:servers.mcsv.net ~all<\/code><\/p>\nWhat Is DKIM and Why You Need It<\/h2>\n
How to Enable DKIM in cPanel<\/h2>\n
Step 1: Go to Email Deliverability<\/h3>\n
Step 2: Install the DKIM Record<\/h3>\n
default._domainkey.yourdomain.com<\/code>. It contains a long string of characters that looks something like this:<\/p>\nv=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...<\/code><\/p>\nStep 3: Verify It’s Working<\/h3>\n
What Is DMARC and Why You Need It<\/h2>\n
How to Set Up DMARC in cPanel<\/h2>\n
Step 1: Open Zone Editor<\/h3>\n
Step 2: Add a New TXT Record<\/h3>\n
\n
_dmarc.yourdomain.com<\/code> (replace with your actual domain)<\/li>\nv=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com<\/code><\/li>\n<\/ul>\nStep 3: Understand the Policy Options<\/h3>\n
p=<\/code> tag is the most important part. It tells receiving servers what to do with emails that fail authentication:<\/p>\n\n
p=none<\/code>.<\/strong> This lets you monitor your email traffic without risking legitimate emails being blocked. After a few weeks of reviewing reports and confirming everything is working, you can gradually move to quarantine<\/code> and eventually reject<\/code>.<\/p>\nStep 4: Save and Wait<\/h3>\n
v=DMARC1; p=none; sp=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; adkim=r; aspf=r; pct=100<\/code><\/p>\n\n
Is your website holding your business back?<\/h3>\n
How to Test Your Email Authentication<\/h2>\n
MXToolbox<\/h3>\n
Mail-Tester<\/h3>\n
Google Admin Toolbox<\/h3>\n
Send a Test Email<\/h3>\n
\n
Common Mistakes and Troubleshooting<\/h2>\n
Multiple SPF Records<\/h3>\n
DNS Not Managed in cPanel<\/h3>\n
Forgetting to Add Third-Party Services to SPF<\/h3>\n
Starting DMARC on Reject<\/h3>\n
p=reject<\/code> without monitoring first is risky. If something is misconfigured, legitimate emails will be blocked. Always start with p=none<\/code>, review your DMARC reports for a few weeks, then tighten the policy gradually.<\/p>\nSPF Lookup Limit<\/h3>\n
include:<\/code> statement counts as a lookup, and some services use nested includes that add up quickly. If you exceed 10 lookups, SPF fails entirely. Use an SPF checker<\/a> to count your lookups.<\/p>\nNot Waiting for DNS Propagation<\/h3>\n
Final Thoughts<\/h2>\n
\n