If your cPanel emails are landing in spam or getting rejected outright, the culprit is almost always missing or misconfigured SPF, DKIM, and DMARC records. These three DNS authentication mechanisms tell receiving mail servers that your email is legitimate — without them, even perfectly written emails get flagged. This guide walks you through setting up all three in cPanel, with special attention to the external DNS scenario that breaks the built-in repair tool for most sysadmins.
Why cPanel Emails Go to Spam (and Why DNS Is Almost Always the Cause)
Modern mail servers — Gmail, Outlook, Yahoo — use SPF, DKIM, and DMARC to verify that the server sending email is actually authorized by the domain owner. When these records are absent or incorrect, the receiving server has no way to trust your mail, and spam filters treat it accordingly.
cPanel includes an Email Deliverability tool that audits your domain's authentication records and offers a "Repair" button. The problem: that button only works if cPanel also manages your DNS. If you've pointed your nameservers to Cloudflare, your registrar, or another external provider — which most serious hosting setups do — the Repair button cannot update those records, and you'll see a persistent "Problem Exists" warning that never goes away on its own.
The fix is straightforward: copy the values cPanel generates and paste them into your external DNS provider manually. This guide covers exactly that.
Step 1: Open the Email Deliverability Tool in cPanel
2. Click Email Deliverability. The tool scans all domains on your account and shows a status for each — either Valid (green) or Problems Exist (red).
3. Click Manage next to the domain showing issues.
You'll see a breakdown of four record types: SPF, DKIM, DMARC, and PTR/rDNS. Each section shows the current record (if any), the expected record, and the status.
Step 2: Fix Your SPF Record
SPF (Sender Policy Framework) is a TXT record that lists which IP addresses or mail servers are authorized to send email for your domain.
1. In the Email Deliverability tool, expand the SPF section. cPanel will show you a "Suggested Value" — something like:
v=spf1 +a +mx +ip4:YOUR.SERVER.IP ~all
2. Copy this entire value.
4. Find or create a TXT record for your root domain (@ or yourdomain.com).
5. Paste the SPF value and save. If a TXT record with v=spf1 already exists, edit it — do not create a second SPF record, as having two will cause failures.
Common mistake: Using -all (hard fail) when your domain sends from multiple services like transactional email platforms, marketing tools, or Google Workspace. Use ~all (soft fail) until you've confirmed all sending sources are included in the record.
Step 3: Enable and Copy the DKIM Record
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The receiving server uses a public key stored in your DNS to verify the signature — proving the email was not tampered with in transit.
1. In the Email Deliverability tool, expand the DKIM section.
2. If DKIM is disabled, click Enable. cPanel will generate a key pair and display the public key as a TXT record.
3. Copy both the Name and Value fields. The Name will look like: default._domainkey.yourdomain.com
The value will start with: v=DKIM1; k=rsa; p=MIIBIjANBgkq...
4. In your external DNS provider, create a new TXT record:
- Name/Host: default._domainkey (some providers want the full name including your domain, others just the subdomain part — check your provider's format)
- Value: Paste the DKIM value exactly
- Proxy status (Cloudflare): Set to DNS Only (grey cloud) — DKIM records must NOT be proxied
Important for Cloudflare users: cPanel sometimes wraps the DKIM value in quotes. Remove all quote characters before saving in Cloudflare, or the record will fail validation. The value should be a single continuous string with no surrounding quotes.
5. Verify with MXToolbox: Go to mxtoolbox.com/dkim.aspx, enter your domain and selector (default), and check. Don't rely solely on cPanel's status indicator — its cache can lag by hours.
Step 4: Add a DMARC Record
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM by telling receiving servers what to do when a message fails those checks — and optionally sending you reports about failures.
1. In the Email Deliverability tool, expand the DMARC section. cPanel provides a suggested value like:
v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com
2. Create a TXT record in your DNS provider:
- Name/Host: _dmarc
- Value: The suggested DMARC record from cPanel
Start with p=none (monitoring mode). This tells receiving servers to take no action on failures but to send reports to your postmaster address. After reviewing reports for 2–4 weeks and confirming legitimate mail is passing, upgrade to p=quarantine (send to spam) and eventually p=reject.
Jumping straight to p=reject without validating your SPF and DKIM setup will cause legitimate emails to be lost.
Step 5: Fix the PTR/rDNS Record
The PTR (reverse DNS) record maps your mail server's IP address back to a hostname. Many mail servers check this during the SMTP connection — if the IP doesn't have a matching PTR record, or if it resolves to a generic hostname instead of your domain, spam scores increase significantly.
1. Check your current PTR record:
dig -x YOUR.SERVER.IP +short
or via web tool: MXToolbox Reverse Lookup
2. The PTR record should resolve to your mail server's hostname — ideally something like mail.yourdomain.com, which itself should have an A record pointing back to the same IP.
3. If the PTR is wrong or missing, you cannot change it yourself — PTR records are controlled by whoever owns the IP block (your data center or VPS provider). Open a support ticket with them and request a PTR update. Most providers have a self-service option in their control panel under "Reverse DNS" or "rDNS".
4. If cPanel shows a persistent PTR error even after you've fixed the record, the issue is stale cache. Log in to WHM as root, navigate to Service Configuration → Exim Configuration Manager → Domains and IPs tab, and click Rebuild RDNS Cache.
Step 6: Verify All Records Are Working
After making DNS changes, allow 15–30 minutes for propagation (longer if your TTL is high). Then verify each record:
- SPF: MXToolbox SPF Lookup
- DKIM: MXToolbox DKIM Lookup (selector: default)
- DMARC: MXToolbox DMARC Lookup
- Full email test: Send a test message to mail-tester.com for a complete deliverability score
Back in cPanel's Email Deliverability tool, click Check next to each record to refresh the status. Green checkmarks on SPF, DKIM, DMARC, and PTR mean you're fully authenticated.
Troubleshooting Common Issues
DKIM still showing as failed after adding the record: Check for extra spaces, stray quote characters, or line breaks in the record value. DKIM keys are long and easy to truncate when copy-pasting — confirm the full key is present using dig TXT default._domainkey.yourdomain.com.
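The paste errors described above (stray quotes, line breaks, a key cut short) can be caught before saving the record. The following is an added example, not code from cPanel or this guide; the sample value is constructed filler bytes inside a DER header sized like an RSA-2048 key, not a usable key, and the function names are hypothetical.

```python
import base64
import re

def sample_record():
    """Constructed DKIM value: filler bytes in a DER SEQUENCE header sized like an
    RSA-2048 public key (294 bytes). It is not a usable key."""
    body = bytes(range(256)) + bytes(34)
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()

def der_declared_length(der):
    """Total size the outer DER SEQUENCE claims (header + content), or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim_value(value):
    """Return a list of problems in a DKIM TXT value as pasted into a DNS panel."""
    problems = []
    if '"' in value:
        problems.append("quote characters present")
    parts = [p.partition("=") for p in value.replace('"', "").split(";") if p.strip()]
    tags = {k.strip(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 tag missing")
    raw_p = tags.get("p", "")
    if re.search(r"\s", raw_p):
        problems.append("whitespace or line break inside p=")
    try:
        # validate=True rejects stray characters and broken padding
        der = base64.b64decode(re.sub(r"\s+", "", raw_p), validate=True)
    except ValueError:
        problems.append("p= is not valid base64 (cut mid-key?)")
        return problems
    declared = der_declared_length(der)
    if declared is None:
        problems.append("p= is empty or not a DER-encoded key")
    elif declared != len(der):
        problems.append(f"key truncated: DER declares {declared} bytes, found {len(der)}")
    return problems
```

A truncation that happens to land on a 4-character base64 boundary still decodes cleanly, which is why the DER length comparison is needed in addition to the base64 check.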
SPF "Too many lookups" error: SPF records have a limit of 10 DNS lookups. If you're including many services (e.g., include:sendgrid.net include:_spf.google.com include:mailgun.org), you may exceed this limit. Use an SPF flattening tool to consolidate lookups into direct IP ranges.
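To see how nested includes reach the 10-lookup limit, and why a second v=spf1 record breaks evaluation, here is an added example (not part of the original guide or of cPanel) that audits a constructed set of TXT records offline. Every domain and IP in ZONE is a placeholder, and the function names are hypothetical.

```python
import re

SPF_LIMIT = 10  # cap on DNS-querying terms per SPF evaluation (RFC 7208)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS; every name and IP is a placeholder.
ZONE = {
    "yourdomain.com": ["v=spf1 +a +mx +ip4:192.0.2.10 include:_spf.esp-a.example "
                       "include:_spf.esp-b.example include:_spf.esp-c.example ~all"],
    "_spf.esp-a.example": ["v=spf1 include:_n1.esp-a.example include:_n2.esp-a.example ~all"],
    "_n1.esp-a.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "_n2.esp-a.example": ["v=spf1 ip4:198.51.100.128/25 ~all"],
    "_spf.esp-b.example": ["v=spf1 include:_n1.esp-b.example a:mail.esp-b.example ~all"],
    "_n1.esp-b.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_spf.esp-c.example": ["v=spf1 mx include:_n1.esp-c.example ~all"],
    "_n1.esp-c.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
}

def spf_records(zone, name):
    """Return only the TXT strings that are SPF records (first token is v=spf1)."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, path=()):
    """Count DNS-querying terms for `name`, following include/redirect recursively."""
    if name in path:
        raise ValueError(f"include loop at {name}")
    records = spf_records(zone, name)
    if len(records) != 1:  # zero or several SPF records is an evaluation error
        raise ValueError(f"{name}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=](\S+))?", term.lstrip("+-~?").lower())
        if not m:
            continue
        mech, target = m.groups()
        if mech in LOOKUP_TERMS:      # ip4, ip6 and all cost no lookup
            total += 1
        if mech in ("include", "redirect") and target:
            total += count_lookups(zone, target, path + (name,))
    return total

def audit(zone, domain):
    """Return (lookups, verdict) for a domain, or (None, error text) if broken."""
    try:
        n = count_lookups(zone, domain)
    except ValueError as exc:
        return None, str(exc)
    return n, "ok" if n <= SPF_LIMIT else "too many lookups"
```

The top-level record holds only five lookup terms; the other six come from the providers' nested records, which is why the limit is easy to exceed without noticing.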
DMARC reports showing failures despite valid SPF and DKIM: DMARC requires "alignment" — the domain in the From header must align with the domain that SPF authenticated (the envelope sender) or the domain in the DKIM signature. If you're sending through a third-party service that uses its own domain for the envelope sender and the signature, DMARC alignment will fail even if SPF and DKIM individually pass.
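The alignment rule can be worked through on sample messages. This is an added example, not code from the original guide: the messages and the esp.example domain are constructed, the function names are hypothetical, and the organizational-domain lookup uses a two-entry stand-in for the Public Suffix List that real evaluators consult.

```python
# Constructed stand-in for the Public Suffix List (assumption: real evaluators use the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    """Reduce a hostname to its organizational domain (registrable part)."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def aligned(from_domain, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_result(msg, aspf_strict=False, adkim_strict=False):
    """Evaluate DMARC for one message: a pass needs SPF or DKIM to pass AND align."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["header_from"], msg["mail_from"], aspf_strict)
    dkim_ok = any(result == "pass" and aligned(msg["header_from"], d, adkim_strict)
                  for result, d in msg["dkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed message: sent through a third party that uses its own domain for the
# envelope sender and the DKIM signature. SPF and DKIM both pass, neither aligns.
THIRD_PARTY = {
    "header_from": "yourdomain.com",
    "mail_from": "bounces.esp.example",
    "spf": "pass",
    "dkim": [("pass", "esp.example")],
}

# Constructed message: same sender after the service also signs with a key published
# under the customer's domain (d=mail.yourdomain.com).
CUSTOM_SIGNED = dict(THIRD_PARTY, dkim=[("pass", "esp.example"),
                                        ("pass", "mail.yourdomain.com")])
```

With relaxed alignment the second message passes through its DKIM signature alone; under strict DKIM alignment (adkim=s) the subdomain signature no longer counts.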
Emails still going to spam after fixing all records: Authentication records eliminate one category of spam scoring, but IP reputation, content quality, engagement rates, and sending volume all also affect deliverability. Use mail-tester.com for a full audit after fixing DNS.
Maintaining Email Deliverability Long-Term
Set up calendar reminders to revisit your Email Deliverability tool monthly. cPanel updates its suggested values occasionally, and server migrations that change IP addresses will invalidate your PTR record and may require SPF updates. DMARC reports (if you configured a rua address) are worth reviewing regularly — they show exactly which sources are sending as your domain, including any spoofing attempts.
For hosting companies managing dozens or hundreds of domains, consider using a DMARC aggregation service to make sense of the reporting data at scale.
If managing cPanel email authentication across a fleet of servers is taking too much time, CloudHouse's managed server support handles full email deliverability setup, monitoring, and troubleshooting so your team doesn't have to.
