{"id":2914,"date":"2025-12-05T13:08:09","date_gmt":"2025-12-05T10:08:09","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/spf-dkim-and-dmarc-explained-for-cpanel-and-vps-email\/"},"modified":"2025-12-05T13:08:09","modified_gmt":"2025-12-05T10:08:09","slug":"spf-dkim-and-dmarc-explained-for-cpanel-and-vps-email","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/en\/spf-dkim-and-dmarc-explained-for-cpanel-and-vps-email\/","title":{"rendered":"SPF, DKIM and DMARC Explained for cPanel and VPS Email"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><p>If your domain sends any kind of email \u2013 newsletters, order confirmations, password resets or plain corporate mail \u2013 SPF, DKIM and DMARC are no longer optional. They are the minimum you need so that big providers can trust your messages. Without them, you will see a mix of problems: messages going to spam, random bounces, or in the worst case, attackers spoofing your brand and sending phishing emails that look like they came from you.<\/p>\n<p>In this article, we will walk through what SPF, DKIM and DMARC actually do, how they fit together, and then go step\u2011by\u2011step through configuration on both cPanel and <a href=\"https:\/\/www.dchost.com\/vps\">VPS<\/a> servers. 
The goal is simple: by the end, you should be able to look at any domain you manage and confidently say \u201cthis is authenticated correctly\u201d \u2013 and know exactly where to fix things when deliverability is not where it should be.<\/p>\n<div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Why_Email_Authentication_Matters_for_Your_Domain\"><span class=\"toc_number toc_depth_1\">1<\/span> Why Email Authentication Matters for Your Domain<\/a><ul><li><a href=\"#From_8220Sent8221_to_Inbox_Whats_Actually_Happening\"><span class=\"toc_number toc_depth_2\">1.1<\/span> From &#8220;Sent&#8221; to Inbox: What\u2019s Actually Happening<\/a><\/li><li><a href=\"#How_SPF_DKIM_and_DMARC_Work_Together\"><span class=\"toc_number toc_depth_2\">1.2<\/span> How SPF, DKIM and DMARC Work Together<\/a><\/li><\/ul><\/li><li><a href=\"#Key_Concepts_DNS_MX_and_Who_Is_Actually_Sending_Your_Mail\"><span class=\"toc_number toc_depth_1\">2<\/span> Key Concepts: DNS, MX and Who Is Actually Sending Your Mail<\/a><ul><li><a href=\"#DNS_Records_Youll_Touch\"><span class=\"toc_number toc_depth_2\">2.1<\/span> DNS Records You\u2019ll Touch<\/a><\/li><li><a href=\"#Mapping_Your_Real_Senders\"><span class=\"toc_number toc_depth_2\">2.2<\/span> Mapping Your Real Senders<\/a><\/li><\/ul><\/li><li><a href=\"#SPF_Explained_Telling_the_World_Who_Can_Send_for_Your_Domain\"><span class=\"toc_number toc_depth_1\">3<\/span> SPF Explained: Telling the World Who Can Send for Your Domain<\/a><ul><li><a href=\"#What_SPF_Does_and_What_It_Doesnt\"><span class=\"toc_number toc_depth_2\">3.1<\/span> What SPF Does (and What It Doesn\u2019t)<\/a><\/li><li><a href=\"#Example_SPF_Records\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Example SPF Records<\/a><\/li><li><a href=\"#Common_SPF_Pitfalls_and_How_to_Avoid_Them\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Common SPF Pitfalls (and How to Avoid
Them)<\/a><\/li><\/ul><\/li><li><a href=\"#DKIM_Explained_Cryptographic_Signatures_for_Your_Email\"><span class=\"toc_number toc_depth_1\">4<\/span> DKIM Explained: Cryptographic Signatures for Your Email<\/a><ul><li><a href=\"#Selectors_Keys_and_DNS_Records\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Selectors, Keys and DNS Records<\/a><\/li><li><a href=\"#How_DKIM_Alignment_Affects_DMARC\"><span class=\"toc_number toc_depth_2\">4.2<\/span> How DKIM Alignment Affects DMARC<\/a><\/li><\/ul><\/li><li><a href=\"#DMARC_Explained_Policy_Reporting_and_Protection\"><span class=\"toc_number toc_depth_1\">5<\/span> DMARC Explained: Policy, Reporting and Protection<\/a><ul><li><a href=\"#DMARC_Alignment_in_Plain_Language\"><span class=\"toc_number toc_depth_2\">5.1<\/span> DMARC Alignment in Plain Language<\/a><\/li><li><a href=\"#Designing_a_Safe_DMARC_Rollout\"><span class=\"toc_number toc_depth_2\">5.2<\/span> Designing a Safe DMARC Rollout<\/a><\/li><li><a href=\"#Sample_DMARC_Records\"><span class=\"toc_number toc_depth_2\">5.3<\/span> Sample DMARC Records<\/a><\/li><\/ul><\/li><li><a href=\"#Setting_Up_SPF_DKIM_and_DMARC_on_cPanel\"><span class=\"toc_number toc_depth_1\">6<\/span> Setting Up SPF, DKIM and DMARC on cPanel<\/a><ul><li><a href=\"#Step_1_Check_Your_Current_DNS_and_Email_Routing\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Step 1: Check Your Current DNS and Email Routing<\/a><\/li><li><a href=\"#Step_2_Enable_SPF_and_DKIM_in_cPanel\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Step 2: Enable SPF and DKIM in cPanel<\/a><\/li><li><a href=\"#Step_3_Customise_SPF_for_ThirdParty_Senders\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Step 3: Customise SPF for Third\u2011Party Senders<\/a><\/li><li><a href=\"#Step_4_Add_a_DMARC_Record\"><span class=\"toc_number toc_depth_2\">6.4<\/span> Step 4: Add a DMARC Record<\/a><\/li><li><a href=\"#Step_5_Test_and_Monitor_Deliverability\"><span class=\"toc_number toc_depth_2\">6.5<\/span> Step 
5: Test and Monitor Deliverability<\/a><\/li><\/ul><\/li><li><a href=\"#Configuring_SPF_DKIM_and_DMARC_on_a_VPS_PostfixExim\"><span class=\"toc_number toc_depth_1\">7<\/span> Configuring SPF, DKIM and DMARC on a VPS (Postfix\/Exim)<\/a><ul><li><a href=\"#Scenario_1_Your_VPS_Hosts_Both_Website_and_Mail\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Scenario 1: Your VPS Hosts Both Website and Mail<\/a><\/li><li><a href=\"#Scenario_2_Web_on_VPS_Mail_on_External_Provider\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Scenario 2: Web on VPS, Mail on External Provider<\/a><\/li><li><a href=\"#HighLevel_Steps_for_DKIM_on_Postfix\"><span class=\"toc_number toc_depth_2\">7.3<\/span> High\u2011Level Steps for DKIM on Postfix<\/a><\/li><li><a href=\"#HighLevel_Steps_for_DKIM_on_Exim\"><span class=\"toc_number toc_depth_2\">7.4<\/span> High\u2011Level Steps for DKIM on Exim<\/a><\/li><li><a href=\"#Where_to_Put_the_DNS_Records\"><span class=\"toc_number toc_depth_2\">7.5<\/span> Where to Put the DNS Records<\/a><\/li><\/ul><\/li><li><a href=\"#Operational_Tips_Keeping_Email_Deliverability_Healthy\"><span class=\"toc_number toc_depth_1\">8<\/span> Operational Tips: Keeping Email Deliverability Healthy<\/a><ul><li><a href=\"#Forwarding_Mailing_Lists_and_Aliases\"><span class=\"toc_number toc_depth_2\">8.1<\/span> Forwarding, Mailing Lists and Aliases<\/a><\/li><li><a href=\"#IPv6_rDNS_and_Blocklist_Hygiene\"><span class=\"toc_number toc_depth_2\">8.2<\/span> IPv6, rDNS and Blocklist Hygiene<\/a><\/li><li><a href=\"#When_to_Scale_Beyond_Shared_Hosting\"><span class=\"toc_number toc_depth_2\">8.3<\/span> When to Scale Beyond Shared Hosting<\/a><\/li><\/ul><\/li><li><a href=\"#Wrapping_Up_A_Practical_Checklist_You_Can_Reuse\"><span class=\"toc_number toc_depth_1\">9<\/span> Wrapping Up: A Practical Checklist You Can Reuse<\/a><\/li><\/ul><\/div>\n<h2><span id=\"Why_Email_Authentication_Matters_for_Your_Domain\">Why Email Authentication Matters for Your 
Domain<\/span><\/h2>\n<h3><span id=\"From_8220Sent8221_to_Inbox_Whats_Actually_Happening\">From &#8220;Sent&#8221; to Inbox: What\u2019s Actually Happening<\/span><\/h3>\n<p>When you click &#8220;Send&#8221;, your email doesn\u2019t go straight to the recipient\u2019s inbox. It passes through several layers of anti\u2011spam checks, filters, content analysis, and reputation systems. Each major provider (Gmail, Outlook, Yahoo, corporate gateways, etc.) uses its own scoring model based on:<\/p>\n<ul>\n<li>IP and domain reputation<\/li>\n<li>Technical setup (SPF, DKIM, DMARC, rDNS, TLS)<\/li>\n<li>Content and links in the message<\/li>\n<li>User behaviour (opens, clicks, spam complaints)<\/li>\n<\/ul>\n<p>SPF, DKIM and DMARC are the technical foundation that tells receivers \u201cthis email really belongs to this domain, and hasn\u2019t been tampered with\u201d. Without them, even perfectly legitimate content can look suspicious.<\/p>\n<h3><span id=\"How_SPF_DKIM_and_DMARC_Work_Together\">How SPF, DKIM and DMARC Work Together<\/span><\/h3>\n<p>Think of the three as layers:<\/p>\n<ul>\n<li><strong>SPF<\/strong> \u2013 declares which servers are allowed to send mail for your domain (IP and hostname\u2011based).<\/li>\n<li><strong>DKIM<\/strong> \u2013 cryptographically signs messages so receivers can verify they weren\u2019t modified and really came from your domain.<\/li>\n<li><strong>DMARC<\/strong> \u2013 tells receivers how to treat emails that fail SPF and\/or DKIM, and gives you reports so you can see who is sending on your behalf.<\/li>\n<\/ul>\n<p>We have a broader deliverability overview in our guide <a href=\"https:\/\/www.dchost.com\/blog\/en\/spf-dkim-dmarc-ve-rdns-ile-e-posta-teslim-edilebilirligini-nasil-adim-adim-yukseltirsin\/\">\u201cInbox or Spam? A Friendly, Step\u2011by\u2011Step Guide to SPF, DKIM, DMARC and rDNS\u201d<\/a>. 
Here, we will focus on hands\u2011on setup specifically for cPanel and VPS environments.<\/p>\n<h2><span id=\"Key_Concepts_DNS_MX_and_Who_Is_Actually_Sending_Your_Mail\">Key Concepts: DNS, MX and Who Is Actually Sending Your Mail<\/span><\/h2>\n<h3><span id=\"DNS_Records_Youll_Touch\">DNS Records You\u2019ll Touch<\/span><\/h3>\n<p>All three mechanisms rely on DNS \u2013 the &#8220;phone book&#8221; of the internet. For email authentication, you will mainly work with:<\/p>\n<ul>\n<li><strong>MX<\/strong> \u2013 which servers receive your domain\u2019s mail<\/li>\n<li><strong>A \/ AAAA<\/strong> \u2013 the IP addresses of your web and mail servers<\/li>\n<li><strong>TXT<\/strong> \u2013 where SPF and DMARC records live, and where DKIM public keys are published<\/li>\n<\/ul>\n<p>In cPanel, these are managed under DNS Zone Editor (or Email Deliverability in newer versions). On a VPS, you might manage DNS on the same server, at your registrar, or on external DNS \u2013 the principle is the same: publish the right TXT records for SPF, DKIM and DMARC.<\/p>\n<h3><span id=\"Mapping_Your_Real_Senders\">Mapping Your Real Senders<\/span><\/h3>\n<p>Before editing anything, list <strong>every system that sends email using your domain<\/strong>:<\/p>\n<ul>\n<li>Your main hosting\/cPanel server (contact forms, transactional mails, system alerts)<\/li>\n<li>Any VPS or <a href=\"https:\/\/www.dchost.com\/dedicated-server\">dedicated server<\/a> you use for mail<\/li>\n<li>Marketing \/ newsletter platforms<\/li>\n<li>CRM or support tools that send as <code>@yourdomain.com<\/code><\/li>\n<li>Applications that send via SMTP with your domain in the From: address<\/li>\n<\/ul>\n<p>This mapping is critical. Your SPF and DKIM records must include all legitimate senders. 
Anything not on this list should be treated as unauthorized by DMARC.<\/p>\n<h2><span id=\"SPF_Explained_Telling_the_World_Who_Can_Send_for_Your_Domain\">SPF Explained: Telling the World Who Can Send for Your Domain<\/span><\/h2>\n<h3><span id=\"What_SPF_Does_and_What_It_Doesnt\">What SPF Does (and What It Doesn\u2019t)<\/span><\/h3>\n<p><strong>SPF (Sender Policy Framework)<\/strong> is a DNS record (type TXT) that lists the servers allowed to send email using your domain in the envelope sender (the technical return\u2011path). When a mail server receives an email claiming to be from <code>user@yourdomain.com<\/code>, it checks:<\/p>\n<ol>\n<li>Which IP is sending the email?<\/li>\n<li>Is that IP allowed in the SPF record of <code>yourdomain.com<\/code>?<\/li>\n<\/ol>\n<p>Important limitations:<\/p>\n<ul>\n<li>SPF only authenticates the envelope sender (Return\u2011Path), not necessarily the visible From: header.<\/li>\n<li>When email is forwarded, the original SPF often fails, because the forwarder\u2019s IP is not in your SPF.<\/li>\n<li>SPF alone <strong>does not<\/strong> stop spoofing of the From: address \u2013 that\u2019s where DMARC comes in.<\/li>\n<\/ul>\n<h3><span id=\"Example_SPF_Records\">Example SPF Records<\/span><\/h3>\n<p>SPF records are always TXT records on the root of your domain, with content like:<\/p>\n<ul>\n<li><code>v=spf1 a mx -all<\/code> \u2013 allow the IPs of A and MX records, block everything else.<\/li>\n<li><code>v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:_spf.mailprovider.com -all<\/code> \u2013 allow two specific IPs and one external sender; block others.<\/li>\n<\/ul>\n<p>Breaking it down:<\/p>\n<ul>\n<li><code>v=spf1<\/code> \u2013 SPF version<\/li>\n<li><code>a<\/code> \u2013 allow IPs listed in your domain\u2019s A record<\/li>\n<li><code>mx<\/code> \u2013 allow IPs of your MX records<\/li>\n<li><code>ip4:203.0.113.10<\/code> \u2013 allow a specific IPv4 address<\/li>\n<li><code>include:_spf.mailprovider.com<\/code> 
\u2013 reuse another domain\u2019s SPF (for a trusted relay)<\/li>\n<li><code>-all<\/code> \u2013 hard fail for all others (recommended once you are confident)<\/li>\n<\/ul>\n<h3><span id=\"Common_SPF_Pitfalls_and_How_to_Avoid_Them\">Common SPF Pitfalls (and How to Avoid Them)<\/span><\/h3>\n<p>Some frequent mistakes we see in real audits:<\/p>\n<ul>\n<li><strong>Multiple SPF TXT records<\/strong> \u2013 you must have <strong>exactly one<\/strong> SPF record per domain. Merge entries instead of adding a second one.<\/li>\n<li><strong>Exceeding the 10 lookup limit<\/strong> \u2013 mechanisms like <code>include:<\/code>, <code>a<\/code>, <code>mx<\/code>, <code>exists<\/code> trigger DNS lookups. More than 10 makes SPF invalid. If your setup is complex, we cover SPF flattening strategies in detail in our article <a href=\"https:\/\/www.dchost.com\/blog\/en\/spf-flattening-ile-10-lookup-duvarini-nasil-asarsin-ci-cd-ve-workers-ile-yasayan-spf\/\">\u201cBeat the 10 Lookup Wall: Automated SPF Flattening\u201d<\/a>.<\/li>\n<li><strong>Using <code>~all<\/code> forever<\/strong> \u2013 softfail (<code>~all<\/code>) is fine while testing, but long term you want <code>-all<\/code> once DMARC is in place.<\/li>\n<li><strong>Forgetting third\u2011party senders<\/strong> \u2013 if a tool sends as your domain but is not in SPF, those messages will fail SPF and possibly DMARC.<\/li>\n<\/ul>\n<h2><span id=\"DKIM_Explained_Cryptographic_Signatures_for_Your_Email\">DKIM Explained: Cryptographic Signatures for Your Email<\/span><\/h2>\n<h3><span id=\"Selectors_Keys_and_DNS_Records\">Selectors, Keys and DNS Records<\/span><\/h3>\n<p><strong>DKIM (DomainKeys Identified Mail)<\/strong> adds a digital signature to each email. That signature is generated with a private key on your mail server and verified with a public key published in DNS. 
If the contents are changed in transit, the signature fails.<\/p>\n<p>A DKIM setup has three pieces:<\/p>\n<ul>\n<li><strong>Selector<\/strong> \u2013 a short label (e.g. <code>default<\/code> or <code>mail<\/code>) that appears in the DKIM-Signature header, like <code>s=default<\/code>.<\/li>\n<li><strong>Public key in DNS<\/strong> \u2013 a TXT record at <code>selector._domainkey.yourdomain.com<\/code> containing the public key.<\/li>\n<li><strong>Private key on the mail server<\/strong> \u2013 used to sign outgoing emails.<\/li>\n<\/ul>\n<p>A simplified DKIM DNS record looks like:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Host:  default._domainkey.yourdomain.com\nType:  TXT\nValue: v=DKIM1; k=rsa; p=MIIBIjANBgkqh... (long public key)\n<\/code><\/pre>\n<p>On cPanel, keys and records are usually generated automatically; you only need to make sure the TXT record is present and correct.<\/p>\n<h3><span id=\"How_DKIM_Alignment_Affects_DMARC\">How DKIM Alignment Affects DMARC<\/span><\/h3>\n<p>DMARC checks whether SPF and\/or DKIM &#8220;align&#8221; with the visible From: domain:<\/p>\n<ul>\n<li>For <strong>SPF alignment<\/strong>, the envelope sender domain (Return\u2011Path) must match (or be a subdomain of) the From: domain.<\/li>\n<li>For <strong>DKIM alignment<\/strong>, the domain in the DKIM <code>d=<\/code> tag must match (or be a subdomain of) the From: domain.<\/li>\n<\/ul>\n<p>With a good setup, your messages should pass DKIM and DKIM alignment, which is usually more stable than SPF in the presence of forwarding and mailing lists.<\/p>\n<h2><span id=\"DMARC_Explained_Policy_Reporting_and_Protection\">DMARC Explained: Policy, Reporting and Protection<\/span><\/h2>\n<h3><span id=\"DMARC_Alignment_in_Plain_Language\">DMARC Alignment in Plain Language<\/span><\/h3>\n<p><strong>DMARC (Domain\u2011based Message Authentication, Reporting and Conformance)<\/strong> sits on top of SPF and DKIM and answers three key questions for 
receivers:<\/p>\n<ol>\n<li>Did this email pass SPF and\/or DKIM <strong>in alignment<\/strong> with the From: domain?<\/li>\n<li>If not, what should we do with it? (none, quarantine, reject)<\/li>\n<li>Where should we send reports about what we\u2019re seeing for this domain?<\/li>\n<\/ol>\n<p>The DMARC record is a TXT record at <code>_dmarc.yourdomain.com<\/code>. A basic one looks like:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1\n<\/code><\/pre>\n<p>Key tags:<\/p>\n<ul>\n<li><code>p=<\/code> \u2013 policy: <code>none<\/code>, <code>quarantine<\/code> or <code>reject<\/code><\/li>\n<li><code>rua=<\/code> \u2013 where to send aggregate XML reports<\/li>\n<li><code>ruf=<\/code> \u2013 where to send optional forensic (per\u2011message) reports<\/li>\n<li><code>pct=<\/code> \u2013 percentage of messages to which the policy applies<\/li>\n<\/ul>\n<h3><span id=\"Designing_a_Safe_DMARC_Rollout\">Designing a Safe DMARC Rollout<\/span><\/h3>\n<p>A sensible rollout path looks like this:<\/p>\n<ol>\n<li>Publish <code>p=none<\/code> with <code>rua=<\/code> so you can see what is happening without affecting delivery.<\/li>\n<li>Fix SPF and DKIM for all legitimate senders until most of your traffic passes DMARC.<\/li>\n<li>Move to <code>p=quarantine<\/code> with <code>pct=25<\/code>, then 50, then 100.<\/li>\n<li>When comfortable, switch to <code>p=reject<\/code> (optionally with <code>pct=100<\/code>) to actively block spoofed mail.<\/li>\n<\/ol>\n<p>If you want to go beyond basics (RUA\/RUF analysis, subdomain policies, BIMI), we have a deep\u2011dive in <a href=\"https:\/\/www.dchost.com\/blog\/en\/gelismis-dmarc-ve-bimi-rua-ruf-raporlarindan-marka-gostergesine-nasil-yol-alinir\/\">\u201cBeyond p=none: The Friendly Playbook for Advanced DMARC and BIMI\u201d<\/a>.<\/p>\n<h3><span id=\"Sample_DMARC_Records\">Sample DMARC Records<\/span><\/h3>\n<ul>\n<li><strong>Monitoring 
only<\/strong> (good first step):<br \/><code>v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1<\/code><\/li>\n<li><strong>Quarantine, full enforcement<\/strong>:<br \/><code>v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; fo=1<\/code><\/li>\n<li><strong>Reject spoofed mail<\/strong>:<br \/><code>v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; fo=1<\/code><\/li>\n<\/ul>\n<h2><span id=\"Setting_Up_SPF_DKIM_and_DMARC_on_cPanel\">Setting Up SPF, DKIM and DMARC on cPanel<\/span><\/h2>\n<h3><span id=\"Step_1_Check_Your_Current_DNS_and_Email_Routing\">Step 1: Check Your Current DNS and Email Routing<\/span><\/h3>\n<p>Log in to your cPanel account for the domain you want to configure. First, confirm where DNS is being managed:<\/p>\n<ul>\n<li>If your nameservers point to your hosting (for example ns1\/ns2 of your provider), cPanel\u2019s DNS Zone Editor controls your DNS.<\/li>\n<li>If you use external DNS (such as a third\u2011party DNS provider), you\u2019ll read values from cPanel but create TXT records at that external DNS.<\/li>\n<\/ul>\n<p>In cPanel:<\/p>\n<ul>\n<li>Open <strong>Zone Editor<\/strong> and note any existing TXT records for SPF or DMARC.<\/li>\n<li>Open <strong>Email Routing<\/strong> to verify where mail for the domain is actually delivered (Local, Backup, or Remote).<\/li>\n<\/ul>\n<p>Make a quick inventory of what you find \u2013 if older, conflicting SPF\/DMARC records exist, plan to clean them up instead of stacking new ones on top.<\/p>\n<h3><span id=\"Step_2_Enable_SPF_and_DKIM_in_cPanel\">Step 2: Enable SPF and DKIM in cPanel<\/span><\/h3>\n<p>Recent cPanel versions consolidate this under <strong>Email Deliverability<\/strong>:<\/p>\n<ol>\n<li>In cPanel, go to <strong>Email Deliverability<\/strong>.<\/li>\n<li>Find your domain in the list.<\/li>\n<li>Click <strong>Manage<\/strong>.<\/li>\n<\/ol>\n<p>Here you will see:<\/p>\n<ul>\n<li>Current status of SPF and DKIM (valid\/invalid)<\/li>\n<li>Suggested records and 
values<\/li>\n<\/ul>\n<p>If SPF or DKIM show as missing or invalid:<\/p>\n<ul>\n<li>Click <strong>Repair<\/strong> or <strong>Install the Suggested Record<\/strong>.<\/li>\n<li>cPanel will create or update the corresponding TXT records in DNS.<\/li>\n<\/ul>\n<p>After a few minutes, re\u2011check the page; it should show green\/valid. If you manage DNS externally, copy the suggested TXT records from here and paste them into your external DNS dashboard instead.<\/p>\n<h3><span id=\"Step_3_Customise_SPF_for_ThirdParty_Senders\">Step 3: Customise SPF for Third\u2011Party Senders<\/span><\/h3>\n<p>cPanel\u2019s default SPF usually looks something like:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">v=spf1 +a +mx +ip4:YOUR.SERVER.IP ~all\n<\/code><\/pre>\n<p>To support third\u2011party services:<\/p>\n<ol>\n<li>Get the SPF include or IP range from your provider\u2019s documentation (e.g. <code>include:_spf.mailprovider.com<\/code>).<\/li>\n<li>In cPanel, open <strong>Zone Editor<\/strong> \u2192 <strong>Manage<\/strong> \u2192 edit the SPF TXT record.<\/li>\n<li>Add the new mechanism before <code>~all<\/code>, for example:<br \/><code>v=spf1 +a +mx +ip4:YOUR.SERVER.IP include:_spf.mailprovider.com ~all<\/code><\/li>\n<li>Save the record.<\/li>\n<\/ol>\n<p>Once you are sure everything is sending correctly, consider changing <code>~all<\/code> to <code>-all<\/code> for stricter enforcement, especially after DMARC is in place.<\/p>\n<h3><span id=\"Step_4_Add_a_DMARC_Record\">Step 4: Add a DMARC Record<\/span><\/h3>\n<p>cPanel does not always create DMARC for you, but adding it is simple:<\/p>\n<ol>\n<li>Go to <strong>Zone Editor<\/strong> \u2192 <strong>Manage<\/strong>.<\/li>\n<li>Click <strong>+ Add Record<\/strong> and choose <strong>TXT<\/strong>.<\/li>\n<li>Set the name\/host to <code>_dmarc<\/code> (cPanel will append your domain).<\/li>\n<li>Use a monitoring\u2011only value such as:<br \/><code>v=DMARC1; p=none; 
rua=mailto:dmarc@yourdomain.com; fo=1<\/code><\/li>\n<li>Save the record.<\/li>\n<\/ol>\n<p>After 1\u201324 hours, DMARC aggregate reports will start arriving at <code>dmarc@yourdomain.com<\/code>. Review these to understand:<\/p>\n<ul>\n<li>Which IPs and hosts are sending for your domain<\/li>\n<li>Which of them pass\/fail SPF and DKIM<\/li>\n<\/ul>\n<p>As your configuration stabilises, you can update <code>p=<\/code> to <code>quarantine<\/code> and eventually <code>reject<\/code>.<\/p>\n<h3><span id=\"Step_5_Test_and_Monitor_Deliverability\">Step 5: Test and Monitor Deliverability<\/span><\/h3>\n<p>Once SPF, DKIM and DMARC are in place:<\/p>\n<ul>\n<li>Send test mails to several major providers (Gmail, Outlook, a corporate address, etc.).<\/li>\n<li>Inspect the email headers to confirm <strong>SPF: pass<\/strong>, <strong>DKIM: pass<\/strong>, <strong>DMARC: pass<\/strong>.<\/li>\n<li>Watch spam folders for a few days to be sure nothing legitimate is being quarantined.<\/li>\n<\/ul>\n<p>If you use cPanel\u2019s spam filtering, it\u2019s a good moment to review those settings as well. Our guide <a href=\"https:\/\/www.dchost.com\/blog\/en\/cpanelde-e-posta-spam-filtreleme-spamassassin-rbl-kara-liste-ve-karantina-yonetimi\/\">\u201cEmail Spam Filtering on cPanel: SpamAssassin, RBLs and Quarantine Step\u2011By\u2011Step\u201d<\/a> walks through tuning filters so that authenticated mail is treated more kindly while still blocking obvious junk.<\/p>\n<h2><span id=\"Configuring_SPF_DKIM_and_DMARC_on_a_VPS_PostfixExim\">Configuring SPF, DKIM and DMARC on a VPS (Postfix\/Exim)<\/span><\/h2>\n<p>On a VPS without a control panel, you have more flexibility but also more responsibility. 
The concepts stay the same; the main change is that you edit configuration and keys directly instead of using a GUI.<\/p>\n<h3><span id=\"Scenario_1_Your_VPS_Hosts_Both_Website_and_Mail\">Scenario 1: Your VPS Hosts Both Website and Mail<\/span><\/h3>\n<p>If your VPS runs both web and mail (e.g. Postfix + Dovecot or Exim + Dovecot):<\/p>\n<ul>\n<li>Point your domain\u2019s MX record to the VPS hostname (e.g. <code>mail.yourdomain.com<\/code>).<\/li>\n<li>Ensure A and AAAA records for that hostname point to the VPS IPs.<\/li>\n<li>Publish SPF including your VPS IP (or <code>a<\/code> \/ <code>mx<\/code> if the A\/MX records match).<\/li>\n<li>Set up DKIM signing on the mail server and publish the public key in DNS.<\/li>\n<li>Add a DMARC record at <code>_dmarc.yourdomain.com<\/code>.<\/li>\n<\/ul>\n<h3><span id=\"Scenario_2_Web_on_VPS_Mail_on_External_Provider\">Scenario 2: Web on VPS, Mail on External Provider<\/span><\/h3>\n<p>In this more common pattern, web traffic lives on your VPS while mail is handled elsewhere (e.g. hosted email service). In that case:<\/p>\n<ul>\n<li>MX records usually point to the external mail provider.<\/li>\n<li>SPF and DKIM should mostly reflect that provider\u2019s requirements.<\/li>\n<li>Any applications on the VPS sending mail as your domain should relay through the provider\u2019s authenticated SMTP or be explicitly included in SPF and DKIM.<\/li>\n<li>DMARC still sits at the domain level and evaluates both the provider\u2019s and your VPS\u2019s traffic.<\/li>\n<\/ul>\n<p>This is where having a clear sender inventory really pays off.<\/p>\n<h3><span id=\"HighLevel_Steps_for_DKIM_on_Postfix\">High\u2011Level Steps for DKIM on Postfix<\/span><\/h3>\n<p>On a typical Postfix VPS, you use a DKIM signing service such as OpenDKIM or rspamd. At a high level:<\/p>\n<ol>\n<li>Install the DKIM signer (e.g. 
OpenDKIM packages for your distro).<\/li>\n<li>Generate DKIM keys per domain (2048\u2011bit RSA is a good default).<\/li>\n<li>Configure the signer with key paths, selectors and domains.<\/li>\n<li>Integrate it with Postfix via a milter (in <code>main.cf<\/code> and <code>master.cf<\/code>).<\/li>\n<li>Publish the generated public key in DNS at <code>selector._domainkey.yourdomain.com<\/code>.<\/li>\n<li>Reload\/restart Postfix and the DKIM service.<\/li>\n<\/ol>\n<p>We discuss a full stack (Postfix, Dovecot, rspamd) in detail in our article <a href=\"https:\/\/www.dchost.com\/blog\/en\/vpste-e-posta-sunucusu-kurulumu-postfix-dovecot-rspamd-ile-teslim-edilebilirlik-ve-ip-isitma-adim-adim\/\">\u201cI Built a 3\u2011Part Mail Server: Postfix, Dovecot, rspamd, and the Calm Path to Deliverability\u201d<\/a>, including IP warm\u2011up strategies.<\/p>\n<h3><span id=\"HighLevel_Steps_for_DKIM_on_Exim\">High\u2011Level Steps for DKIM on Exim<\/span><\/h3>\n<p>On Exim, DKIM is often built\u2011in or enabled through configuration:<\/p>\n<ol>\n<li>Generate a DKIM key pair per domain.<\/li>\n<li>Place the private key in a secure path on the server.<\/li>\n<li>Configure Exim to sign outgoing messages with that key for the specific domain.<\/li>\n<li>Publish the public key as a TXT record at <code>selector._domainkey.yourdomain.com<\/code>.<\/li>\n<li>Restart Exim and send test messages to confirm DKIM: pass.<\/li>\n<\/ol>\n<p>In both Postfix and Exim setups, the DNS side remains exactly the same as on cPanel \u2013 SPF, DKIM, and DMARC are always just TXT records in DNS.<\/p>\n<h3><span id=\"Where_to_Put_the_DNS_Records\">Where to Put the DNS Records<\/span><\/h3>\n<p>On a VPS, you are free to use:<\/p>\n<ul>\n<li>Your registrar\u2019s DNS<\/li>\n<li>A separate DNS hosting service<\/li>\n<li>DNS servers you manage yourself (for example, on other VPS or dedicated servers)<\/li>\n<\/ul>\n<p>The only hard rule: <strong>the DNS provider that is authoritative for your domain must 
hold the SPF, DKIM and DMARC TXT records<\/strong>. If nameservers at the registry point to one provider and you add TXT records elsewhere, they will simply never be seen.<\/p>\n<p>If you want to build more advanced and resilient DNS architectures for agencies or multi\u2011domain setups, we cover that in <a href=\"https:\/\/www.dchost.com\/blog\/en\/ajanslar-icin-dns-ve-alan-adi-erisimi-yonetimi\/\">\u201cDNS and Domain Access Management for Agencies\u201d<\/a> and our guide to <a href=\"https:\/\/www.dchost.com\/blog\/en\/ozel-ad-sunucusu-ve-glue-record-nasil-kurulur-kendi-dnsine-adim-adim-yolculuk\/\">setting up private nameservers and glue records<\/a>.<\/p>\n<h2><span id=\"Operational_Tips_Keeping_Email_Deliverability_Healthy\">Operational Tips: Keeping Email Deliverability Healthy<\/span><\/h2>\n<h3><span id=\"Forwarding_Mailing_Lists_and_Aliases\">Forwarding, Mailing Lists and Aliases<\/span><\/h3>\n<p>Email forwarding can break SPF because the forwarding server\u2019s IP is not in your original SPF. DMARC may still pass if DKIM survives, but in some cases both can fail. To handle complex forwarding scenarios safely, technologies like SRS (Sender Rewriting Scheme) and ARC (Authenticated Received Chain) help preserve trust chains.<\/p>\n<p>We explain the forwarding problem and the SRS\/ARC solutions in more detail in <a href=\"https:\/\/www.dchost.com\/blog\/en\/e-posta-yonlendirmede-spf-dmarc-neden-kiriliyor-srs-ve-arc-ile-nasil-tatli-tatli-onarirsin\/\">\u201cForwarding Broke Your SPF\/DMARC? Here\u2019s How SRS and ARC Save the Day\u201d<\/a>. 
If you rely heavily on forwards (info@ \u2192 personal mailbox, catch\u2011all addresses, etc.), it is worth understanding how your providers implement these.<\/p>\n<h3><span id=\"IPv6_rDNS_and_Blocklist_Hygiene\">IPv6, rDNS and Blocklist Hygiene<\/span><\/h3>\n<p>If you send mail over IPv6, all the same rules apply: SPF, DKIM and DMARC still operate on domains, but IP reputation and reverse DNS matter for v6 as well. Make sure:<\/p>\n<ul>\n<li>Your mail IP (both IPv4 and IPv6) has a proper PTR record (rDNS) pointing to a sensible hostname.<\/li>\n<li>That hostname has matching A\/AAAA records.<\/li>\n<li>SPF includes both IPv4 and IPv6 where relevant.<\/li>\n<\/ul>\n<p>Our article <a href=\"https:\/\/www.dchost.com\/blog\/en\/ipv6-ile-e-posta-teslimi-nasil-rayina-oturur-ptr-helo-spf-ve-rbllerle-saha-rehberi\/\">\u201cEmail Deliverability over IPv6: PTR, HELO, SPF and Blocklists\u201d<\/a> dives into v6\u2011specific gotchas and how to keep them under control.<\/p>\n<p>On the reputation side, always monitor:<\/p>\n<ul>\n<li>Major blocklists for your sending IPs<\/li>\n<li>Spam complaint rates<\/li>\n<li>DMARC aggregate reports for unknown sources<\/li>\n<\/ul>\n<p>If you end up on a blocklist or see serious reputation damage, follow a structured recovery plan. We share a practical roadmap in <a href=\"https:\/\/www.dchost.com\/blog\/en\/e-posta-itibarini-kurtarma-rehberi-blacklist-delisting-postmaster-araclari-ve-guvenli-ip-isitma-nasil-kurtarici-olur\/\">\u201cStuck on a Blocklist? The Friendly Playbook for Email Sender Reputation Recovery\u201d<\/a>.<\/p>\n<h3><span id=\"When_to_Scale_Beyond_Shared_Hosting\">When to Scale Beyond Shared Hosting<\/span><\/h3>\n<p>For many small sites and businesses, cPanel hosting with properly configured SPF, DKIM and DMARC is more than enough. 
But there are situations where moving part of your stack to a VPS or dedicated server makes sense:<\/p>\n<ul>\n<li>You send a large volume of transactional or marketing email.<\/li>\n<li>You need custom mail routing, filtering or archiving logic.<\/li>\n<li>You want stricter isolation between applications and mail.<\/li>\n<\/ul>\n<p>At dchost.com, we see customers evolve from basic shared hosting mail to separate VPS\u2011based mail gateways as their requirements grow, sometimes combined with external email services for redundancy. Whatever the size of your project, our shared hosting, VPS, dedicated and colocation options give you room to design the email architecture that fits your risk and control requirements.<\/p>\n<h2><span id=\"Wrapping_Up_A_Practical_Checklist_You_Can_Reuse\">Wrapping Up: A Practical Checklist You Can Reuse<\/span><\/h2>\n<p>Getting SPF, DKIM and DMARC right is mostly about being methodical. Here is a checklist you can run through for every domain you manage:<\/p>\n<ul>\n<li>List all systems that send email as your domain (hosting, VPS, tools, platforms).<\/li>\n<li>Confirm who hosts your DNS and that you have access to add TXT records.<\/li>\n<li>On cPanel: enable\/repair SPF and DKIM via Email Deliverability, or configure DKIM on your VPS mail server.<\/li>\n<li>Create a single, consolidated SPF record that includes all legitimate senders; avoid exceeding 10 DNS lookups.<\/li>\n<li>Generate DKIM keys per domain and publish the public key at <code>selector._domainkey.yourdomain.com<\/code>.<\/li>\n<li>Add a DMARC record at <code>_dmarc.yourdomain.com<\/code> starting with <code>p=none<\/code> and <code>rua=<\/code> for monitoring.<\/li>\n<li>Send test emails to multiple providers and verify SPF\/DKIM\/DMARC pass and align.<\/li>\n<li>Review DMARC reports, fix any failing legitimate sources, then gradually move to <code>quarantine<\/code> and <code>reject<\/code>.<\/li>\n<li>Monitor rDNS, blocklists, complaint rates and forwarding behaviour 
over time.<\/li>\n<\/ul>\n<p>If you want help choosing the right infrastructure for your email stack \u2013 from cPanel hosting with solid defaults to VPS or dedicated servers where you control every detail \u2013 our team at dchost.com works with these standards every day. When your DNS, mail servers and authentication are all designed together, your messages stop fighting to reach the inbox and simply arrive where they belong.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>If your domain sends any kind of email \u2013 newsletters, order confirmations, password resets or plain corporate mail \u2013 SPF, DKIM and DMARC are no longer optional. They are the minimum you need so that big providers can trust your messages. Without them, you will see a mix of problems: messages going to spam, random [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2915,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-2914","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts\/2914","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/comments?post=2914"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/posts\/2914\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/media\/2915"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/media?parent=2914
"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/categories?post=2914"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/en\/wp-json\/wp\/v2\/tags?post=2914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}