Email authentication is the single most important factor in whether your messages reach the inbox or land in spam. SPF, DKIM, and DMARC are three DNS-based authentication protocols that work together to verify your identity as a sender, prevent email spoofing, and give receiving mail servers the confidence to deliver your messages. If you are running email on cPanel hosting, setting up all three is essential — and cPanel makes the process straightforward once you understand what each record does.

This guide walks you through the complete setup process for SPF, DKIM, and DMARC in cPanel, explains how the three protocols interact, and helps you verify that everything is working correctly.

Why Email Authentication Matters

Every day, billions of spam and phishing emails are sent using forged "From" addresses. Without authentication, any mail server in the world can claim to be sending email on behalf of your domain. SPF, DKIM, and DMARC exist to solve this problem by giving receiving mail servers a way to verify that messages claiming to come from your domain actually originated from authorized sources.

Major email providers — Gmail, Outlook, Yahoo, and others — have progressively tightened their authentication requirements. As of 2024, Google and Yahoo require bulk senders to have valid SPF, DKIM, and DMARC records. Even if you are not a bulk sender, missing authentication records significantly increase the likelihood of your messages being flagged as spam or rejected outright.

If your emails are currently landing in spam folders, misconfigured or missing authentication records are the most likely cause. Our troubleshooting guide for emails going to spam covers additional factors, but authentication is always the first thing to check.

Understanding SPF, DKIM, and DMARC

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists all the mail servers authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks the SPF record to see if the sending server's IP address is on the authorized list. If the IP is not listed, the email fails SPF validation.

An SPF record looks like this:

v=spf1 +a +mx +ip4:192.0.2.1 include:_spf.google.com ~all

Breaking this down:

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. Your mail server signs each message with a private key, and the corresponding public key is published as a DNS TXT record. Receiving servers use the public key to verify that the message has not been altered in transit and that it genuinely originated from your domain.

DKIM is more robust than SPF because it survives email forwarding. When an email is forwarded, the SPF check fails (because the forwarding server's IP is not in your SPF record), but the DKIM signature remains valid as long as the message body has not been modified.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC builds on top of SPF and DKIM. It tells receiving servers what to do when a message fails authentication — and it provides a reporting mechanism so you can monitor authentication results. A DMARC record specifies your policy (none, quarantine, or reject) and an email address where you want to receive aggregate reports.

A basic DMARC record looks like this:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

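The three policy levels are:

  1. p=none: monitoring only. Reports are collected, but delivery is not affected.
  2. p=quarantine: failing messages go to spam instead of the inbox.
  3. p=reject: failing messages are rejected entirely.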

Step-by-Step: Setting Up SPF in cPanel

Step 1: Access the DNS Zone Editor

Log into your cPanel account and navigate to Domains > Zone Editor (or DNS Zone Editor depending on your cPanel version). If you are new to cPanel's DNS management, our DNS Zone Editor guide provides a comprehensive overview.

Step 2: Check for an Existing SPF Record

Click Manage next to your domain. Look for an existing TXT record that starts with v=spf1. cPanel often creates a default SPF record automatically. If one exists, you will edit it rather than creating a new one — having multiple SPF records causes authentication failures.

Step 3: Create or Edit the SPF Record

If no SPF record exists, click Add Record and select TXT. Set the name to your domain (e.g., yourdomain.com.) and enter the SPF value. For a standard cPanel hosting setup where your server handles all outgoing email, use:

v=spf1 +a +mx ~all

If you also send email through external services (such as a newsletter platform or CRM), add their SPF includes:

v=spf1 +a +mx include:sendgrid.net include:_spf.google.com ~all

Important: You can only have one SPF record per domain. If you need to authorize multiple senders, combine them into a single record using multiple include: directives. Also, keep your total DNS lookups under 10 — exceeding this limit causes SPF to fail.

Step 4: Save and Verify

Save the record and allow time for DNS propagation (usually a few minutes to a few hours). Verify your SPF record using an online tool like MXToolbox SPF Lookup or by sending a test email to a Gmail account and checking the headers for spf=pass.
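An offline check for the two rules from Step 3 (exactly one SPF record, and the DNS lookup limit), added here as an example and not part of cPanel or any tool named above. It applies the RFC 7208 limit of 10 lookups and follows nested includes; the zone data is constructed and every *.example name is hypothetical.

```python
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}

# Constructed TXT data standing in for live DNS; every *.example name is hypothetical.
ZONE = {
    "yourdomain.com": ["v=spf1 +a +mx include:spf.newsletter.example include:spf.crm.example ~all"],
    "spf.newsletter.example": ["v=spf1 include:a.newsletter.example "
                               "include:b.newsletter.example include:c.newsletter.example ~all"],
    "a.newsletter.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "b.newsletter.example": ["v=spf1 a mx ~all"],
    "c.newsletter.example": ["v=spf1 exists:%{i}.bl.newsletter.example ~all"],
    "spf.crm.example": ["v=spf1 mx a:out.crm.example ~all"],
    "broken.example": ["v=spf1 +a +mx ~all", "v=spf1 include:spf.crm.example ~all"],
}

def spf_records(domain, zone):
    """Return every TXT string at `domain` that is an SPF record."""
    return [txt for txt in zone.get(domain, []) if txt.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    records = spf_records(domain, zone)
    if domain in seen or len(records) != 1:
        return 0  # include loop, or nothing unambiguous to evaluate
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, seen + (domain,))
        name, _, target = term.partition(":")
        if name.split("/")[0] in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_lookups(target, zone, seen + (domain,))
    return total

def lint_spf(domain, zone):
    """Return a list of findings for the SPF setup published at `domain`."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records published, exactly 1 is required"]
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS}")
    if {"all", "+all"} & set(records[0].lower().split()):
        findings.append("+all authorizes every server on the internet")
    return findings
```

The sample record for yourdomain.com shows only four lookup terms, but the nested includes bring the total to 12, which is why the count has to follow each include target.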

Step-by-Step: Setting Up DKIM in cPanel

Step 1: Access the Email Deliverability Tool

In cPanel, navigate to Email > Email Deliverability. This tool was introduced in cPanel version 78 and provides a unified interface for managing SPF and DKIM records.

Step 2: Check Your DKIM Status

The Email Deliverability page shows the status of your SPF and DKIM records for each domain. If DKIM shows a warning or error, click Manage or Repair to view the required DNS records.

Step 3: Install the DKIM Record

cPanel generates the DKIM key pair automatically. Click Install the suggested record or Repair to have cPanel add the DKIM DNS record for you. If your DNS is managed externally (e.g., at your domain registrar), copy the DKIM TXT record value and add it manually to your DNS zone.

The DKIM record will be a TXT record with a name like default._domainkey.yourdomain.com and a long value starting with v=DKIM1; followed by the public key.

Step 4: Verify DKIM

After adding the record, return to the Email Deliverability page and click Manage to verify that DKIM now shows a green checkmark. You can also verify by sending a test email and checking the headers for dkim=pass.

Step-by-Step: Setting Up DMARC in cPanel

Step 1: Open the DNS Zone Editor

Navigate to Domains > Zone Editor and click Manage for your domain.

Step 2: Add the DMARC Record

Click Add Record and select TXT. Set the record name to _dmarc.yourdomain.com. (including the trailing dot), then enter the DMARC policy value.

Start with a monitoring-only policy to collect data without affecting delivery:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

The rua address receives aggregate reports — XML files that show which servers are sending email using your domain and whether those messages pass or fail authentication. Review these reports for 2–4 weeks before tightening your policy.

Step 3: Progressively Tighten Your Policy

After reviewing your DMARC reports and confirming that all legitimate email sources pass SPF and DKIM, upgrade your policy:

  1. Move to p=quarantine — failing messages go to spam instead of the inbox
  2. After another monitoring period, move to p=reject — failing messages are rejected entirely

A final production DMARC record might look like:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s

The adkim=s and aspf=s tags enforce strict alignment, meaning the domain in the DKIM signature and the domain checked by SPF must exactly match the "From" domain (a subdomain does not count as a match).

Verifying Your Complete Setup

Once all three records are in place, verify the complete authentication chain:

  1. Send a test email to Gmail — Open the received message, click the three dots, select "Show original," and look for SPF: PASS, DKIM: PASS, and DMARC: PASS in the authentication results.
  2. Use an online testing tool — Services like mail-tester.com give you a score and flag any issues with your authentication setup.
  3. Check cPanel's Email Deliverability page — All indicators should show green checkmarks for both SPF and DKIM.
  4. Monitor DMARC reports — Review the aggregate reports sent to your rua address to identify any unauthorized senders or configuration issues.

Common Mistakes to Avoid

Even experienced administrators make these mistakes when configuring email authentication:

For hosting on MassiveGRID's high-availability cPanel hosting, the Email Deliverability tool handles most of the SPF and DKIM configuration automatically. DMARC still needs to be added manually via the Zone Editor, but the process takes less than five minutes once you know the syntax.

How SPF, DKIM, and DMARC Work Together

Understanding the interplay between these three protocols is crucial:

  1. SPF checks whether the sending server's IP is authorized — but fails on forwarded email.
  2. DKIM verifies the message has not been tampered with and is signed by your domain — survives forwarding but can break if intermediaries modify the message body.
  3. DMARC requires at least one of SPF or DKIM to pass and align with the "From" domain. This layered approach means your email is still authenticated even when one protocol fails due to forwarding or message modification.
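The pass-and-align rule in item 3, written out as an added example (not code from any mail server). It assumes the organizational domain is the last two labels of a name, where real receivers use the Public Suffix List; forwarder.example and esp.example are hypothetical hosts.

```python
def org_domain(domain):
    """Assumption for this sketch: organizational domain = last two labels.
    Real receivers derive it from the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Mode 's' (strict) needs an exact match; 'r' (relaxed, the default)
    compares organizational domains."""
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, envelope-sender domain); dkim is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim) for res, d in dkim)
    return "pass" if spf_ok or dkim_ok else "fail"


def scenarios():
    """Constructed delivery paths for mail with From: yourdomain.com."""
    me, sub = "yourdomain.com", "mail.yourdomain.com"
    return {
        "direct from own server": dmarc_result(me, ("pass", me), [("pass", me)]),
        # Forwarder's IP is not in the SPF record, signature still verifies.
        "forwarded unchanged": dmarc_result(me, ("fail", me), [("pass", me)]),
        # An intermediary rewrote the body, so the signature no longer verifies.
        "forwarded, body modified": dmarc_result(me, ("fail", me), [("fail", me)]),
        # Both checks pass, but for the service's domains rather than the From domain.
        "external service, own domains only": dmarc_result(
            me, ("pass", "bounce.esp.example"), [("pass", "esp.example")]),
        "subdomain, relaxed": dmarc_result(me, ("pass", sub), [("pass", sub)]),
        "subdomain, adkim=s aspf=s": dmarc_result(
            me, ("pass", sub), [("pass", sub)], aspf="s", adkim="s"),
    }
```

The external-service case is the one that surprises people: SPF and DKIM both report pass, yet DMARC fails because neither authenticated domain aligns with the "From" domain.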

Together, these three records form a complete authentication framework that protects your domain from spoofing and ensures your legitimate messages are trusted by receiving servers. If you are setting up a new email system, configure all three before sending your first message. If you use email forwarding or autoresponders, make sure your forwarding setup preserves DKIM signatures to maintain authentication through the forwarding chain.

Frequently Asked Questions

Do I need all three records (SPF, DKIM, and DMARC), or is one enough?

You need all three for optimal deliverability. SPF and DKIM each solve different parts of the authentication problem, and DMARC ties them together with a policy. Gmail and Yahoo now require all three for bulk senders, and even non-bulk senders benefit significantly from having the complete set. On MassiveGRID's cPanel hosting, the Email Deliverability tool makes setting up SPF and DKIM nearly automatic.

How long does it take for DNS changes to take effect?

DNS propagation typically takes anywhere from a few minutes to 48 hours, depending on the TTL (Time to Live) values of your existing records and the DNS resolver being used. In practice, most changes propagate within 1–4 hours. You can reduce propagation time by lowering your TTL values before making changes.

Will setting up DMARC with p=reject break my email?

It can if you have not accounted for all legitimate email sources. This is why you should always start with p=none and monitor the DMARC reports for several weeks. The reports will show you every server that sends email using your domain, so you can authorize legitimate sources before enforcing a reject policy.

My cPanel Email Deliverability page shows errors. What should I do?

Click the Repair button first — cPanel can often fix SPF and DKIM issues automatically by updating your DNS records. If the repair fails, it usually means your DNS is managed externally (at your registrar or a third-party DNS provider), in which case you need to manually add the records shown on the Email Deliverability page to your external DNS zone.

Can I use SPF and DKIM with external email services like Mailchimp or SendGrid?

Yes. Each external service provides specific SPF include values and DKIM CNAME or TXT records that you add to your domain's DNS zone. Add the SPF includes to your existing SPF record (do not create a second one), and add the DKIM records as directed by the service. This authorizes the external service to send authenticated email on behalf of your domain.