SPF, DKIM, DMARC — setting up email authentication.
Three DNS records that decide whether your emails land in inboxes or spam. Set up correctly with verification steps.
Without SPF/DKIM/DMARC, your emails get filtered as spam. Modern receivers (Gmail, Outlook, Yahoo) require all three for inbox placement at scale.
SPF (Sender Policy Framework)
A TXT record on your root domain listing every server allowed to send mail "from" your domain.
cPanel auto-creates this. To verify:
dig +short TXT yourdomain.com | grep spf
You should see something like:
"v=spf1 +a +mx +ip4:5.9.109.61 ~all"
If you also send mail through Google Workspace, Mailchimp, etc., merge them into one SPF record:
"v=spf1 +a +mx +ip4:5.9.109.61 include:_spf.google.com include:servers.mcsv.net ~all"
One SPF record per domain. Two records cause permerror and rejection.
DKIM (DomainKeys Identified Mail)
Cryptographic signature on each outgoing message. Receivers verify against your published public key.
cPanel sets this up automatically. To verify:
dig +short TXT default._domainkey.yourdomain.com
It should return a record starting with v=DKIM1 that contains a long base64 string (the public key).
If missing, cPanel → Email Deliverability → next to your domain → Manage → Reset DKIM.
DMARC
A policy record that tells receivers what to do with a message that fails authentication, meaning neither SPF nor DKIM passes for the domain in the From header.
Add a TXT record manually (cPanel doesn't auto-create this):
cPanel → Zone Editor → Manage for your domain → + Add Record → Add TXT Record:
Name: _dmarc.yourdomain.com
Type: TXT
Value: "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"
Start with p=none for two weeks: collect reports and see who's sending mail "as you".
After two weeks of clean reports, change to p=quarantine (failed mail goes to spam).
After another two weeks, change to p=reject (failed mail is bounced).
This staged rollout prevents accidentally rejecting legitimate mail from third-party services you forgot to add to SPF.
Checking the full setup
Send a test email to mail-tester.com (they give you a unique address). Check the score.
SpamAssassin score: -0.0 ✓
Authentication (SPF): pass ✓
Authentication (DKIM): pass ✓
Authentication (DMARC):pass ✓
Reverse DNS: ok ✓
Total: 9.5/10
Aim for 9.5 or higher. Below that, the report tells you what's failing.
Common errors
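SPF: permerror. Too many DNS lookups. SPF allows a maximum of 10 DNS lookups per check. Each include: counts as one, as do a and mx, and so do the lookups inside the records you include. If you have too many, combine into one record or use SPF flattening (services like dmarcian or easydmarc do this for you).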
DKIM: permfail — signature verification failed. The public key in DNS doesn't match what cPanel is signing with. Reset DKIM in cPanel → Email Deliverability.
DMARC: none. No record published. Add one (see above).
"Why is my mail still landing in spam?" Authentication is necessary but not sufficient. Other factors: IP reputation (check mxtoolbox.com/blacklists), content (no spam-trigger words), recipient engagement (mail sent to people who don't open it hurts reputation).
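The two SPF permerror causes described on this page (a second SPF record on the domain, and more than 10 DNS lookups) can be checked offline before you publish a change. This is an added example, not code from cPanel or the original page; the .example domains and the ZONE contents are constructed sample data, and the function names are hypothetical.

```python
import re

# Terms that cost one DNS query each during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10
# Constructed sample data standing in for DNS TXT answers; every name here is hypothetical.
ZONE = {
    "ok.example": ["site-verification=abc123",
                   "v=spf1 +a +mx +ip4:5.9.109.61 include:_spf.vendor-a.example ~all"],
    "dup.example": ["v=spf1 +a +mx ~all", "v=spf1 include:_spf.vendor-a.example ~all"],
    "heavy.example": ["v=spf1 a mx include:_spf.vendor-a.example "
                      "include:_spf.vendor-b.example include:_spf.vendor-c.example ~all"],
}
for v in "abc":  # each vendor record pulls in two nested includes of its own
    ZONE[f"_spf.vendor-{v}.example"] = [
        f"v=spf1 include:_n1.vendor-{v}.example include:_n2.vendor-{v}.example ~all"]
    ZONE[f"_n1.vendor-{v}.example"] = ["v=spf1 ip4:192.0.2.0/24 ~all"]
    ZONE[f"_n2.vendor-{v}.example"] = ["v=spf1 ip4:198.51.100.0/24 ~all"]

class PermError(Exception): pass

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (first token is v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=()):
    """Worst-case DNS-query count for `domain`, following include: and redirect=."""
    if domain in seen:
        raise PermError(f"include loop at {domain}")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise PermError(f"{domain}: {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].split()[1:]:
        # Strip the qualifier, then split "include:x", "redirect=x", "a/24" into name + rest.
        name, *arg = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)
        if name.lower() in LOOKUP_TERMS:
            total += 1
        if name.lower() in ("include", "redirect") and arg:
            total += count_lookups(arg[0], zone, seen + (domain,))  # macros not handled
    return total

def check(domain, zone):
    """Return 'none', 'ok: N lookups' or 'permerror: <reason>' for one domain."""
    if not spf_records(domain, zone):
        return "none"
    try:
        n = count_lookups(domain, zone)
    except PermError as err:
        return f"permerror: {err}"
    return f"ok: {n} lookups" if n <= LIMIT else f"permerror: {n} lookups > {LIMIT}"
```

Note that heavy.example lists only three include: terms yet needs 11 lookups, because the nested includes inside each vendor record count against the same limit.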
Bulk sending
For 1000+ recipient batches, don't send through cPanel — use a dedicated service:
- Mailgun — pay-as-you-go
- Postmark — premium reputation, $10/mo
- Amazon SES — cheapest, $0.10 per 1000
These services handle blocklist disputes and reputation management you'd otherwise have to do yourself.