cPanel simplifies email security by providing built-in tools to manage these records. Follow this step-by-step guide to harden your domain against spoofing directly from your hosting dashboard.
Step 1: Enable SPF and DKIM
In cPanel, these two protocols are managed under the same interface.
-
Log in to your cPanel account.
-
Navigate to the Email section and click on Email Deliverability.
-
Locate the domain you want to secure. If you see a "Problems Exist" warning, click Manage.
-
For DKIM: Look for the DKIM section. If it is disabled, click Install/Enable. cPanel will automatically generate the private and public keys.
-
For SPF: cPanel will provide a suggested SPF record.
-
Customizing SPF: If you use third-party services (like Mailchimp or Zendesk), click Customize. Under the Include section, add the domain of your service (e.g.,
servers.mcsv.net). -
Click Install-Record to save.
-
Step 2: Create a DMARC Record
cPanel does not have a dedicated "toggle" for DMARC, so you must add it manually as a DNS record.
-
Go back to the cPanel home screen and open Zone Editor (under the Domains section).
-
Click Manage next to your domain.
-
Click the arrow next to the Add Record button and select Add "TXT" Record.
-
Fill in the following details:
-
Name:
_dmarc.yourdomain.com.(Replace with your actual domain; ensure the dot is at the end if cPanel requires it). -
TTL:
3600 -
Type:
TXT -
Record: Use a starting policy like this:
v=DMARC1; p=none; rua=mailto:admin@yourdomain.com
-
Note: The
p=nonepolicy is essential for the first few weeks. It ensures no emails are blocked while you verify that your SPF and DKIM are configured correctly.
Step 3: Verify Your Configuration
After saving your records, you should verify they are live and syntax-correct.
| Tool Type | Purpose |
| DNS Checker | Confirms the records are visible to the public internet. |
| DMARC Inspector | Validates that your DMARC tag syntax is correct. |
| Mail Tester | Allows you to send a test email to see if your signatures are passing in "real-time." |
Moving to Enforcement
Once you have monitored your DMARC reports (sent to the email in your rua tag) and confirmed that your legitimate emails are passing authentication, return to the Zone Editor to update your policy:
-
Quarantine: Change
p=nonetop=quarantine. This sends suspicious mail to the recipient's spam folder. -
Reject: Eventually, change the record to
p=reject. This instructs servers to drop spoofed emails entirely.
Common Troubleshooting:
-
Too many SPF lookups: Ensure your SPF record doesn't have more than 10 "include" statements.
-
Duplicate SPF records: You should only have one TXT record starting with
v=spf1. If you have two, merge them into one.
