If your cPanel emails are landing in spam or getting rejected outright, the problem is almost certainly missing or broken email authentication. DKIM, SPF, and DMARC are the three DNS-based standards that tell receiving mail servers "this email is really from us." Without them, even legitimate business emails get flagged as suspicious.
This guide walks cPanel server administrators through setting up all three authentication methods correctly — and covers the troubleshooting steps competitors skip when the cPanel "Repair" button doesn't solve the problem.
What Is Email Authentication and Why It Matters?
Major inbox providers — Gmail, Outlook, Yahoo — now require proper email authentication. Since Google and Yahoo's 2024 bulk sender requirements, missing SPF or DKIM causes immediate deliverability failures. DMARC adds a policy layer that tells receiving servers what to do when authentication fails.
Here's what each record does:
- SPF (Sender Policy Framework) — A DNS TXT record that lists which mail servers are allowed to send email for your domain
- DKIM (DomainKeys Identified Mail) — Adds a cryptographic signature to outgoing emails, proving they haven't been tampered with in transit
- DMARC (Domain-based Message Authentication, Reporting and Conformance) — A policy that tells receiving servers what to do (nothing, quarantine, or reject) when SPF or DKIM fails
All three must be correctly configured for reliable email delivery from your cPanel server.
Step 1: Enable DKIM in cPanel
cPanel automatically generates DKIM keys when the feature is enabled. Here's how to verify and enable it:
Navigate to WHM > Home > Service Configuration > Exim Configuration Manager. Under the "Security" section, ensure "DKIM (DomainKeys Identified Mail) Support" is enabled.
In cPanel (per-account), go to Email > Email Deliverability. This is cPanel's unified deliverability tool. You'll see each domain listed with a status indicator — green check means DKIM is properly configured, red means action is needed.
Click "Repair" next to any domain showing issues. cPanel will attempt to automatically install DKIM, SPF, and PTR records if they are missing or misconfigured.
After repair, the DKIM record should appear as a TXT record in your DNS zone:
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
By default, cPanel uses default as the selector name. If your domain uses an external DNS provider (Cloudflare, GoDaddy), you must manually copy this record into their DNS management panel, because cPanel cannot auto-install it to external DNS.
In cPanel, go to Email > Email Deliverability and look at the SPF status. Alternatively, check via DNS lookup:
dig TXT yourdomain.com | grep spf
v=spf1 +a +mx +ip4:YOUR.SERVER.IP ~all
If you send email through third-party services (Google Workspace, Mailchimp, Mailgun), add their include statements:
v=spf1 +a +mx +ip4:YOUR.SERVER.IP include:_spf.google.com include:mailgun.org ~all
Publishing more than one SPF record is the most common mistake. If you have multiple TXT records starting with v=spf1, receiving servers will reject your emails. You must merge all allowed senders into a single SPF record. Having two SPF records causes an "SPF PermError", which fails authentication.
- ~all (softfail) — Suspicious emails still delivered but marked as spam. Good starting point.
- -all (hardfail) — Emails from unlisted servers are rejected outright. Use after confirming all senders are listed.
- ?all (neutral) — No policy. Do not use — it provides no protection.
In cPanel, go to Domains > Zone Editor, select your domain, and click Add Record > Add TXT Record.
- Name: _dmarc.yourdomain.com
- TTL: 3600
- Type: TXT
- Value: See below
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
p=none means no action is taken — emails still deliver normally. The rua tag sends aggregate reports to your email address daily, showing which sources are sending email on behalf of your domain.
Once you've reviewed DMARC reports and confirmed all legitimate mail sources are authenticated, move to a quarantine or reject policy:
v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]
The pct=50 parameter applies the policy to only 50% of failing emails, letting you test enforcement gradually before moving to p=reject.
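One way to review the aggregate reports before raising the policy, as an added example that is not part of the original guide: it lists the sending IPs whose mail failed both aligned SPF and aligned DKIM. The report XML is constructed and trimmed to the fields used, and KNOWN_SENDERS is a hypothetical inventory of your own mail sources.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate (rua) report using the RFC 7489 element names.
REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>412</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>37</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>4</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.77</source_ip><count>2</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.90</source_ip><count>5</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical sender inventory: the cPanel server and one third-party service.
KNOWN_SENDERS = {"203.0.113.10", "198.51.100.25"}

def failing_sources(report_xml):
    """Map source IP -> message count for rows that failed DMARC.

    A row fails DMARC only when neither the aligned DKIM result nor the
    aligned SPF result in <policy_evaluated> is "pass".
    """
    failing = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue
        dkim = evaluated.findtext("dkim", default="fail")
        spf = evaluated.findtext("spf", default="fail")
        if dkim != "pass" and spf != "pass":
            failing[row.findtext("source_ip")] += int(row.findtext("count", default="0"))
    return dict(failing)

def triage(report_xml, known_senders):
    """Split failing sources into your own senders and unrecognised ones."""
    failing = failing_sources(report_xml)
    fix_first = {ip: n for ip, n in failing.items() if ip in known_senders}
    unrecognised = {ip: n for ip, n in failing.items() if ip not in known_senders}
    return fix_first, unrecognised

if __name__ == "__main__":
    fix_first, unrecognised = triage(REPORT, KNOWN_SENDERS)
    print("authenticate before enforcing:", fix_first)
    print("would be quarantined or rejected:", unrecognised)
```

Aggregate reports arrive from third parties, so treat the XML as untrusted input; a hardened parser such as defusedxml is a reasonable swap for ElementTree here.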
2. Check via command line
# Check SPF
dig TXT yourdomain.com
# Check DKIM
dig TXT default._domainkey.yourdomain.com
# Check DMARC
dig TXT _dmarc.yourdomain.com
3. Send a test to Gmail — Open the email in Gmail, click the three-dot menu > "Show original." Look for dkim=pass, spf=pass, and dmarc=pass in the Authentication-Results header.
Common Mistakes to Avoid
- Multiple SPF records — Always merge into one. Never add a second v=spf1 record.
- Too many SPF lookups — SPF allows a maximum of 10 DNS lookups. Each include: statement uses one. Exceeding 10 causes an SPF PermError.
- Jumping straight to DMARC p=reject — Start with p=none for 2-4 weeks and review reports before enforcing.
- Forgetting subdomain DMARC — Add sp=reject to your DMARC record to apply policy to subdomains: v=DMARC1; p=reject; sp=reject; rua=mailto:...
- Not checking DMARC reports — The aggregate reports (rua) reveal legitimate services sending unauthenticated email. Review them before enforcing policy.
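An added example (not from the original guide) that checks for the two SPF PermError causes above: more than one v=spf1 record and more than 10 DNS lookups. It goes beyond the text in counting a, mx, ptr, exists and redirect as lookups alongside include, as RFC 7208 specifies, and in following nested includes. The ZONE data and the provider-*.example domains are constructed stand-ins for live dig TXT answers.

```python
import re

# Terms that cost one DNS query each during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?", re.I)
# Constructed TXT answers standing in for live `dig TXT` output.
ZONE = {
    "yourdomain.com": ["v=spf1 +a +mx +ip4:203.0.113.10 include:_spf.provider-a.example "
                       "include:provider-b.example ~all", "site-verification=constructed"],
    "_spf.provider-a.example": ["v=spf1 a mx include:_n1.provider-a.example ~all"],
    "_n1.provider-a.example": ["v=spf1 ip4:198.51.100.0/26 ~all"],
    "provider-b.example": ["v=spf1 a mx include:_spf.provider-c.example ~all"],
    "_spf.provider-c.example": ["v=spf1 exists:%{i}.ok.provider-c.example -all"],
    "split.example": ["v=spf1 +a +mx ~all", "v=spf1 include:provider-b.example ~all"],
}

def spf_records(txts):
    """Keep only TXT strings whose first term is exactly v=spf1."""
    return [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=frozenset()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    records = spf_records(zone.get(domain, []))
    if domain in path or len(records) != 1:
        return 0  # include loop, or no single record to evaluate
    total = 0
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        name = m.group(1).lower() if m else ""
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2).lower(), zone, path | {domain})
    return total

def lint_spf(domain, zone):
    """Return findings for the SPF mistakes listed above."""
    records = spf_records(zone.get(domain, []))
    if len(records) != 1:
        return ["%d v=spf1 records published, exactly one is required" % len(records)]
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append("%d DNS lookups, over the limit of 10 (PermError)" % lookups)
    if records[0].split()[-1].lower() == "?all":
        findings.append("?all gives no protection")
    return findings

if __name__ == "__main__":
    print({d: lint_spf(d, ZONE) for d in ("yourdomain.com", "split.example")})
```

The constructed yourdomain.com record shows only four lookup terms on its face, but the nested includes bring the total to 11.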
FAQs
How long does it take for DKIM and SPF changes to take effect?
DNS changes typically propagate within 15 minutes to 4 hours. However, if your domain's previous TTL was set high (86400 seconds = 24 hours), the old records may be cached for up to 48 hours. Always lower your TTL to 300 seconds before making DNS changes to speed up propagation.
Can I have SPF set up for multiple mail providers in cPanel?
Yes. Merge all providers into a single SPF record using multiple include: statements: v=spf1 +a +mx include:_spf.google.com include:mailgun.org +ip4:YOUR.IP ~all. Remember the 10 DNS lookup limit — if you're approaching it, use SPF flattening tools to consolidate.
Why does Gmail still show "via" or "on behalf of" even with DKIM enabled?
The "via" label appears when the DKIM signature domain (d= tag) doesn't match the From: address. In cPanel, ensure DKIM is enabled for the exact domain used in your From: address. If using a marketing platform like Mailchimp, you need to set up domain authentication within that platform, not just in cPanel.
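The Authentication-Results check from the verification steps and the d= mismatch described in this answer, as an added example that is not part of the original guide. The message headers are constructed, and related() is a simplified stand-in for DMARC relaxed alignment that treats a domain and its parent or child as matching.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers, shaped like what Gmail's "Show original" displays.
RAW = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@mailer.bulk-sender.example header.s=k1;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bounce@mailer.bulk-sender.example;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
From: Sales <sales@yourdomain.com>
Subject: constructed sample

body
"""

def parse_auth_results(raw_message):
    """Return (From: domain, [(method, verdict, properties), ...])."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only the header added by your own receiving server is trustworthy.
    header = re.sub(r"\([^()]*\)", " ", msg.get("Authentication-Results", ""))
    results = []
    for part in header.split(";")[1:]:  # element 0 names the checking server
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, verdict = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results.append((method, verdict, props))
    return from_domain, results

def related(a, b):
    """Approximate relaxed alignment: same domain, or parent/child of it."""
    return bool(a) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def summarize(raw_message):
    """Collect spf/dkim/dmarc verdicts and whether a passing DKIM d= aligns."""
    from_domain, results = parse_auth_results(raw_message)
    out = {"spf": "missing", "dkim": "missing", "dmarc": "missing",
           "from_domain": from_domain, "dkim_aligned": False}
    for method, verdict, props in results:
        if method in ("spf", "dkim", "dmarc") and out[method] != "pass":
            out[method] = verdict
        if method == "dkim" and verdict == "pass":
            d = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
            out["dkim_aligned"] |= related(d.lower(), from_domain)
    return out

if __name__ == "__main__":
    print(summarize(RAW))
```

In the constructed message both spf and dkim report pass, yet dkim_aligned is False and dmarc fails, because the signature and envelope belong to the sending platform's domain and not to the From: domain.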
What's the difference between SPF softfail (~all) and hardfail (-all)?
Softfail (~all) tells receivers the email is suspicious but still allows delivery — most receivers mark it as spam. Hardfail (-all) instructs receivers to reject emails from unlisted senders outright. Start with softfail until you're confident all your legitimate mail servers are listed in SPF, then switch to hardfail.
My cPanel DKIM repair shows "success" but emails still go to spam. What next?
Check three things: (1) Your domain uses external DNS and the DKIM record wasn't auto-installed — verify the record actually exists using dig TXT default._domainkey.yourdomain.com. (2) Your server IP is on a blacklist — check MXToolbox. (3) Your email content or sender reputation is the issue, not authentication — review mail-tester.com for content-based spam triggers.
