Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.

How do I manage cPanel Email Authentication – SPF and DKIM Records?


When Email services is unauthenticated you may face the following issues,
Emails you send are delivered to the Spam or Junk folder.
Emails that are sent bounce with "SPF Record Failure" error.
Your Inbox gets many "Failed delivery" bounce backs of the emails you never sent.

In the first case, recipient Email Server will look up SPF records for your Domain Name and if it is not added or does not match actual outgoing server IP address, such a mail delivery will fail. Such checking mechanism is done in order to make sure email comes from a legitimate sender and a verified sender.

Second situation takes place when there is no SPF - DKIM records configured for your domain name or they are configured incorrectly, which lets unauthorized party to forge emails using @yourdomain.com mailbox. Such cases are called Email Spoofing.


Email Authentication is a effective set of anti-spoofing and anti-spamming tools that are available in cPanel



Log into cPanel, then under the Email Section > Click on Authentication icon.


Consisting of two major components, SPF and DKIM records setup
In order to enable follow these instructions

Click on Enable and the records will be added to the DNS zone of all hosted domains automatically:


Right after enabling you may see a warning about authoritative Name Servers

It may take some time for the records to propagate and refresh the page afterwards. The warnings will eventually go away and DNS checks will be passed.

SPF record




The vast majority of spam emails have fake "Spoofed" data in the "From" field. Spammers and fraudsters use special tools to send their mail on behalf of a real owner of the e-mail address

SPF record "Sender Policy Framework" is a very effective and simple method which lets you avoid these issues. If your domain name has correct SPF record then it will be very difficult to send fake Emails on behalf of your Domain

The main concept of SPF records is that an owner of a Domain Name publishes the information about IP addresses that are authorized to send mail from that Domain. The receiving Email Server compares the information in the envelope sender address with the information published by the Domain Name owner. If these details match then e-mail is then delivered


NOTE 1
SPF records has its own specific syntax. It is strongly recommended to familiarize yourself SPF record syntax documentation if you are going to customize the records manually.

NOTE 2

SPF records are added to your Domain Name DNS zone as TXT record. There are cases when you need to add a second TXT record to verify your domain name ownership for some Services. It is not recommended to modify existing SPF records, it is better to add a new one instead

DKIM Record

DKIM (DomainKeys Identified Mail) is another way of Email Authentication. This method uses information about Domain Names which is published by the Domain owner. This information allows receiving email Servers to verify if the Email was sent by a legal owner of that Domain

Once TXT record which contains DKIM has been added to the DNS zone file a special code is added to the headers of outgoing Emails. Receiving email Servers compare these headers with the information in DNS zone files and if it matches then the Email is delivered

DomainKeys(DK) and DomainKeys Identified Mail (DKIM) are different Records

DomainKeys(DK) are not available on our shared servers as DK implementation was converted to DKIM and extended in a number of ways as of cPanel 11.32 and later releases

Some of the differences between DomainKeys and DKIM include
Multiple signature algorithms (as opposed to just one available with DomainKeys)
More options with regard to canonicalization that can validates both header and body
Ability to delegate signing to third parties
Ability for DKIM to self-sign the DKIM-Signature header field and to protect against its being modified
Ability for wildcard option on some parameters
Ability to support signature timeouts in DNS

These simple actions will let you be sure that no one is able to send spam on your behalf and your e-mail will not be delivered to spam folders

Search Help Topics