Introduction
DKIM, SPF, and DMARC are email authentication records that help prevent email spoofing and improve your email deliverability. Setting these up correctly ensures your emails are more likely to reach recipients' inboxes rather than being marked as spam.
What Is SPF (Sender Policy Framework)?
SPF tells receiving mail servers which servers are authorised to send email on behalf of your domain. Without an SPF record, your emails are more likely to be flagged as spam.
Setting Up SPF in cPanel
- Log into cPanel
- Go to Email > Email Deliverability
- Find your domain and click Manage
- If SPF is not already configured, cPanel will suggest a record — click Install the Suggested Record
A typical SPF record looks like this:
v=spf1 +mx +a +ip4:YOUR.SERVER.IP ~all
If you use external email services (such as Google Workspace or Microsoft 365), you'll need to include their servers in the SPF record as well.
What Is DKIM (DomainKeys Identified Mail)?
DKIM adds a digital signature to your outgoing emails, allowing receiving servers to verify that the email was genuinely sent from your domain and hasn't been tampered with in transit.
Setting Up DKIM in cPanel
- Log into cPanel
- Go to Email > Email Deliverability
- Find your domain and click Manage
- If DKIM is not configured, click Install the Suggested Record
cPanel will automatically generate the DKIM keys and create the necessary DNS record. If your domain's DNS is hosted elsewhere, you'll need to copy the DKIM record and add it to your DNS provider manually.
What Is DMARC (Domain-based Message Authentication, Reporting and Conformance)?
DMARC builds on SPF and DKIM by telling receiving servers what to do when an email fails authentication checks. It also allows you to receive reports about emails sent using your domain.
Setting Up DMARC
- Log into cPanel
- Go to Zone Editor (under Domains)
- Click Manage next to your domain
- Click Add Record and create a TXT record with:
- Name:
_dmarc.yourdomain.com - Type: TXT
- Value:
v=DMARC1; p=none; rua=mailto:you@yourdomain.com
DMARC policy options:
- p=none — Monitor only (recommended to start with). Emails that fail checks are still delivered, but you receive reports
- p=quarantine — Failed emails are sent to the recipient's spam folder
- p=reject — Failed emails are rejected entirely (most strict)
We recommend starting with p=none and monitoring the reports before moving to stricter policies.
Verifying Your Records
After setting up your records, you can verify them:
- In cPanel, go to Email > Email Deliverability
- Your domain should show a green tick or "Valid" status for SPF and DKIM
- You can also use free online tools like MXToolbox to check all three records
Common Issues
- Multiple SPF records: You can only have one SPF record per domain. If you need to authorise multiple services, combine them into a single record
- DNS propagation: Changes to DNS records can take up to 24-48 hours to propagate
- External DNS: If your nameservers aren't pointed to Webfort, you'll need to add the records at your DNS provider
If you need help setting up email authentication records, please open a support ticket and our team will assist you.
