You've written the perfect email. The subject line is compelling, the content is professional, and you've carefully avoided every spam trigger word on the planet. And yet — it lands in the junk folder. Or worse, it never arrives at all.
Nine times out of ten, the culprit isn't your content. It's your email authentication. SPF, DKIM, and DMARC are three DNS records that tell the world's mail servers whether your outgoing email is legitimate. Without them, even well-crafted emails get flagged as suspicious, and malicious actors can send emails that appear to come from your domain without your knowledge.
This guide explains what each record does, why all three matter, and how to set them up step-by-step inside cPanel.
Why Email Authentication Matters
Email was invented in an era when trust was assumed. The original protocol (SMTP, still in use today) has no built-in way to verify that a message actually came from the server it claims to have come from. Anyone can send an email that says it's from support@yourbank.com — and for decades, they did.
SPF, DKIM, and DMARC are DNS-based additions to the email system designed to close this gap. Together they:
- Prove you sent it — receiving servers can verify that mail from your domain originated from an authorized server
- Prove it wasn't tampered with — DKIM cryptographically signs your messages so alterations in transit are detectable
- Tell receivers what to do with failures — DMARC lets you instruct mail servers to quarantine or reject emails that fail SPF or DKIM checks Since February 2024, Google and Yahoo have required SPF and DKIM authentication — and DMARC for bulk senders — as a condition of inbox delivery. If you're sending transactional emails, newsletters, or any business correspondence, these records are no longer optional.
The Three Records at a Glance
| Record | What It Does | Where It Lives |
|---|---|---|
| SPF | Lists the servers authorized to send email for your domain | DNS TXT record |
| DKIM | Adds a cryptographic signature to outgoing messages | DNS TXT record + mail server config |
| DMARC | Defines policy for SPF/DKIM failures; enables reporting | DNS TXT record |
Think of it this way: SPF is the guest list (only these servers are allowed to send for you), DKIM is the wax seal (proves the message came from you and wasn't modified), and DMARC is the bouncer's instructions (if someone shows up without an invitation or with a broken seal, here's what to do with them).
SPF: Sender Policy Framework
How It Works
When your mail server sends an email, the receiving server performs a DNS lookup on your domain and retrieves your SPF record. The SPF record is a list of IP addresses and mail servers that are authorized to send email on behalf of your domain.
If the sending server's IP is on the list, the email passes SPF. If it isn't, it fails.
Anatomy of an SPF Record
v=spf1 include:yourmailprovider.com ip4:192.0.2.1 ~all
Breaking this down:
v=spf1— declares this as an SPF record (required)include:yourmailprovider.com— authorizes all servers listed in that provider's SPF record (e.g., Google Workspace, SendGrid, Mailchimp)ip4:192.0.2.1— authorizes a specific IP address (your mail server's IP)~all— the "all" mechanism, which defines what to do with sources not listed in the recordThe "all" Qualifier
The all mechanism is the most important part of your SPF record. It has four qualifier options:
| Qualifier | Meaning | When to Use |
|---|---|---|
+all |
Pass — allow all senders | Never — defeats the purpose |
~all |
Softfail — suspect but don't reject | During initial setup/testing |
-all |
Fail — reject unauthorized senders | Recommended for production |
?all |
Neutral — no assertion | Rarely useful |
Start with ~all (softfail) while you're confirming your legitimate sending sources are covered. Once you're confident, upgrade to -all (hard fail) for the strongest protection.
Common "include" Mechanisms
If you send email through third-party services, you need to include their SPF records. Here are the most common:
| Service | Include Mechanism |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
| Your cPanel server | ip4:YOUR.SERVER.IP |
SPF Lookup Limit
SPF has a hard limit of 10 DNS lookups per evaluation. Each include: statement counts as one lookup, and the records they reference may trigger additional lookups of their own. Exceeding this limit causes an SPF permerror, which receiving servers may treat as a failure.
If you send through many third-party services, use an SPF flattening tool to consolidate the lookups.
Adding SPF in cPanel
- Log in to cPanel and navigate to Domains → Zone Editor (or Email → Email Deliverability).
- Click Manage next to your domain.
- Look for an existing TXT record beginning with
v=spf1. If one exists, edit it — you can only have one SPF record per domain. - If none exists, click Add Record, select TXT, set the name to
@(your root domain), and paste your SPF record as the value. - Save the record. DNS propagation typically takes 15–30 minutes.
Tip: cPanel's Email Deliverability tool (under the Email section) will automatically detect your server's IP and suggest an SPF record. It's a great starting point before adding your third-party senders.
DKIM: DomainKeys Identified Mail
How It Works
DKIM uses public-key cryptography to sign outgoing email. When your mail server sends a message, it adds a digital signature to the email header using a private key stored on your mail server. The corresponding public key is published in your DNS as a TXT record.
When a receiving server gets your email, it retrieves your public key from DNS and uses it to verify the signature. If the signature is valid, the email hasn't been tampered with since it was sent and genuinely originated from a server with access to your private key.
Unlike SPF — which only verifies the sending server — DKIM verifies the integrity of the message content itself.
Anatomy of a DKIM Record
DKIM records are published at a specific subdomain format:
selector._domainkey.yourdomain.com
The selector is a label that identifies which DKIM key to use. This allows you to have multiple DKIM keys (e.g., one for your mail server and one for a third-party service like SendGrid).
A typical DKIM TXT record value looks like this:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...long base64 string...
v=DKIM1— versionk=rsa— key type (RSA is standard)p=— the public key (base64-encoded) You never write this value by hand. It is generated by your mail server or third-party provider and simply needs to be copied into your DNS.
Enabling DKIM in cPanel
cPanel generates a DKIM key pair automatically for each domain on your account.
- Log in to cPanel.
- Go to Email → Email Deliverability.
- Find your domain in the list. If DKIM is not yet installed, you'll see a warning.
- Click Manage next to your domain.
- cPanel will show you the current status of your SPF and DKIM records and compare them to what's currently in your DNS zone.
- Click Install the Suggested Record next to the DKIM entry to automatically add the correct TXT record to your DNS zone. If you manage your DNS externally (e.g., through Cloudflare or a domain registrar), cPanel will show you the required record values so you can add them manually at your DNS provider.
DKIM for Third-Party Senders
If you send email through a service like Mailchimp, Google Workspace, or SendGrid, that service needs its own DKIM record in your DNS. Each provider will give you a CNAME or TXT record to add; the process is documented in their setup guides. Adding these records authorizes that service to sign emails on your domain's behalf.
DMARC: Domain-based Message Authentication, Reporting & Conformance
How It Works
DMARC builds on SPF and DKIM by adding two critical capabilities:
- Alignment — DMARC requires that the domain in the email's visible "From:" address aligns with the domain that passed SPF or DKIM. This closes a gap where spammers could pass SPF using a different domain while spoofing your From address.
- Policy — DMARC lets you tell receiving servers what to do with emails that fail alignment: nothing (
none), send to spam (quarantine), or reject outright (reject). - Reporting — DMARC instructs receiving servers to send you daily aggregate reports on who is sending email using your domain. These reports are invaluable for discovering unauthorized use of your domain.
Anatomy of a DMARC Record
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100; adkim=r; aspf=r
Breaking this down:
| Tag | Value | Meaning |
|---|---|---|
v |
DMARC1 |
Version (required) |
p |
none / quarantine / reject |
Policy for failing messages |
rua |
mailto:you@domain.com |
Where to send aggregate reports |
ruf |
mailto:you@domain.com |
Where to send forensic (failure) reports (optional) |
pct |
0–100 |
Percentage of mail to apply policy to |
adkim |
r (relaxed) / s (strict) |
DKIM alignment mode |
aspf |
r (relaxed) / s (strict) |
SPF alignment mode |
DMARC Policy Progression
The recommended approach is to start with p=none (monitor only), review your reports, and gradually tighten the policy once you're confident all legitimate email is properly authenticated.
Phase 1 — Monitor (p=none)
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
No impact on delivery. Receive reports to see what's sending email as your domain.
Phase 2 — Quarantine (p=quarantine)
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=10
Start with pct=10 (10% of failing mail goes to spam). Increase gradually as you confirm no legitimate mail is failing.
Phase 3 — Reject (p=reject)
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Maximum protection. Failing messages are rejected at the server level and never reach the inbox. This is the goal for most domains.
Adding a DMARC Record in cPanel
DMARC records are added as a TXT record in your DNS zone, exactly like SPF. The record name should be:
_dmarc.yourdomain.com
- In cPanel, go to Domains → Zone Editor.
- Click Manage next to your domain.
- Click Add Record → TXT Record.
- Set the name to
_dmarc(cPanel will append your domain automatically, or you can type_dmarc.yourdomain.com). - Paste your DMARC record as the value.
- Save.
Reading DMARC Reports
DMARC aggregate reports are sent as XML files — not exactly human-readable. Several free tools can parse and visualize them for you:
- Postmark DMARC — free report viewer at dmarcian.com
- MXToolbox DMARC Analyzer — free for basic monitoring
- Google Postmaster Tools — valuable if a significant portion of your recipients use Gmail
Set up monitoring before you move past
p=noneso you can see exactly which servers are sending mail on your behalf and ensure they all have valid SPF and DKIM before tightening your policy.
Putting It All Together: A Setup Checklist
Here's the order of operations for setting up email authentication from scratch on a cPanel hosting account:
Step 1: Identify Your Email Sending Sources
Make a list of every service that sends email using your domain:
- Your cPanel/hosting mail server
- Google Workspace, Microsoft 365, or other email providers
- Transactional email services (SendGrid, Mailgun, Postmark, SES)
- Marketing platforms (Mailchimp, Klaviyo, Constant Contact)
- CRMs, helpdesks, or other SaaS tools that send on your behalf
Step 2: Set Up SPF
Build your SPF record including all identified senders and set it to ~all (softfail) initially. Add it to your DNS zone as a TXT record at your root domain (@).
Step 3: Enable DKIM
Use cPanel's Email Deliverability tool to install the server-generated DKIM key. For any third-party senders identified in Step 1, follow their documentation to add their DKIM CNAME or TXT records to your DNS.
Step 4: Add DMARC in Monitor Mode
Add a DMARC record with p=none and a rua reporting address. Give this 2–4 weeks to collect data.
Step 5: Review Reports and Fix Issues
Use a DMARC report viewer to check what's failing. Common issues at this stage:
- A newsletter service that wasn't included in SPF
- A forgotten automated system sending alerts from your domain
- Forwarded email (mail forwarding inherently breaks SPF; DKIM alignment typically passes)
Step 6: Tighten Your Policy
Once you're confident all legitimate mail is passing:
- Change SPF
~allto-all - Increase DMARC
pfromnonetoquarantine(start atpct=10, increase over weeks) - Finally, move to
p=reject
Verifying Your Records
After adding or modifying your records, verify them using these tools:
- MXToolbox (mxtoolbox.com/SuperTool.aspx) — paste your domain and check SPF, DKIM, and DMARC individually
- Mail Tester (mail-tester.com) — send a test email and get a full authentication score
- Google Admin Toolbox (toolbox.googleapps.com/apps/checkmx/) — excellent for checking MX, SPF, and DKIM
- cPanel Email Deliverability — the built-in tool compares your current DNS records to what cPanel expects and flags any mismatches
Common Issues and Fixes
"My SPF record has too many lookups." — You've hit the 10-lookup limit. Use an SPF flattening service, or remove include mechanisms for services you're no longer using.
"My DKIM signature isn't validating." — The most common cause is a DNS propagation delay — wait up to 24 hours after adding the record. Also check that the record was added at exactly the right subdomain (e.g., default._domainkey not default._domainkey.yourdomain.com if your registrar appends the domain automatically).
"My DMARC reports show failures from legitimate email." — This is why you start with p=none. Identify the failing service, add it to SPF and/or ensure it has DKIM configured, then confirm it appears in reports as passing before moving to a stricter policy.
"Email forwarding is breaking SPF." — This is a known limitation of SPF. When email is forwarded, the sending IP changes and SPF fails. However, DKIM usually survives forwarding intact, and DMARC can pass on DKIM alignment alone. This is why having DKIM configured is especially important.
Email Authentication at Lone Star Hosting
All Lone Star Hosting accounts include:
- Automatic DKIM key generation — your private/public key pair is created when your account is set up
- SPF record suggestions — cPanel's Email Deliverability tool generates a baseline SPF record based on your server's IP
- DMARC record support — add your DMARC policy through the built-in Zone Editor The Email Deliverability tool in your cPanel dashboard is your best first stop — it scans your current DNS and flags any authentication gaps with one-click fix options for records hosted on our nameservers.
If you have questions about configuring email authentication for a custom setup — especially if you use multiple third-party senders — our support team is here to help at support@lstarhosting.com.
Ready to complete your email authentication setup? Log in to your cPanel account and head to Email → Email Deliverability to get started.