Email: How to Setup DKIM SPF and DMARC if you use CPANEL

If your website runs on a virtual server, you might have experienced some false positive spam problems when sending an outgoing email. A practical example is when you send an email to a gmail address and the recipient will see an image beside the sender email, in the form of a question mark like this one below:

when hovering on it you can read “Gmail couldn’t verity that actually sent this message“. This is very common and it is almost related with missing or misconfiguration with your DMARC, DKIM and SPF. Your email could end up into the spam folder.

There are various servers and different set up so I wouldn’t be able to cover all the cases. What I can write you is what I did in my case. Also, I take for granted that you have already the DKIM Key on your server, usually it is generated by default so hopefully you don’t need to set up one.

I am using CPANEL

I manage a domain that is hosted in a virtual server I purchased on Altus Host (more info on this company here) which uses CPANEL. I set up the email account like [email protected] and I got the pop and smtp configuration for the mail client. I did a test sending one email to Mail Tester website. This is a free online tool that analyzes your email, telling if it is spam or not. The result was absolutely horrible: 2.9/10 that means I was considered a spammer 🙂 As you can see now from the header image above, after fixing this, I got a 9.2/10 which is perfect.

Using this tool you get also the report of all the issues you can fix such as:

  • SPF: Sender Policy Framework (SPF) designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses;
  • DKIM: DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message to claim some responsibility for the message. It uses a private and a public key to match the autenticity of the message sent by you. This is the official site for the DKIM organization
  • DMARC: it is a policy that allows a sender to indicate that their emails are protected by SPF and DKIM, and give instruction if neither of those authentication methods passes. More information about this policy can be found on the official website

These above are the main areas where you can be flagged as spammer. Therefore you need to fix it.

What access you need to fix this

  • DNS settings page, in my case I use Cloudflare. It is free and it works great. You might have the DNS settings with your domain registrar, so you need to log in to your registrar (eg. Register365, GoDaddy, etc) and go to the DNS setting section (dns management);
  • CPANEL page: you need to be the administrator;

On the CPANEL scroll down to EMAIL section and click on “Email Deliverability

mail section cpanel

Once the new page has loaded, you will see something like the following image. If you have more than one domain, you will see first a list of domains. Clicking on the interested domain it will load this page:

DKIM configuration

As you see above, you have 2 fields, one is the Name and other is the Value. On your DNS you have to add a new TXT record default._domainkey (in the image above advice but you can just omit the and assign the value which is the string of the public DKIM record. In this case it starts with v=DKIM1…etc. Save the record.

SPF configuration

Scrolling down the same page you will see a similar image below. In my case, as I took this screenshot after configuring, it tells me that it is properly configured. In your case will show a message that is not configured (such as the other image above).

Again, you have to go to your DNS settings and create a new TXT record with the name equals your domain address and copy the value provided into your Cpanel. As you can see, the value in this case starts with v=spf1 +mx +a etc. Save the record. A complete and official documentation about SPF can be found here.

DMARC configuration

This is a policy that you need to create regarding the DKIM & SPF. You can find this info on the Spam Testing Result page of the tool Usually you need to create a new TXT in the DNS record called _dmarc and assign the value of v=DMARC1; p=none


I don’t have a DKIM key? What should I do? There are websites on the Internet that offers a free Key generator, such as Socket Labs. If you need others who do the same service, please let me know in the comments. The case that you need a DKIM key it is pretty rare because if you run a virtual server usually it is included into the service and generated automatically once you start the set up as above.

After I added the new records to DNS I still see errors. Why? If you set up properly, wait at least 12 hours for the DNS propagation, then test it again.

If you have further questions please leave it in the comments.


Leave a Reply

Your email address will not be published. Required fields are marked *