Email Authentication Tool in cPanel – SPF Records

E-mail Authentication is an effective set of anti-spam tools available in cPanel. It consists of two major components – SPF record and DKIM record.




SPF record

Nowadays the vast majority of spam emails have fake data in the «From» field. Spammers and fraudsters use special tools to send their mail on behalf of a real owner of the e-mail address.

SPF record (acronym for Sender Policy Framework) is an effective and simple method which lets you avoid such issues. If your domain name has correct SPF record then you can be sure nobody is able to send fake e-mails on behalf of your domain name.

The main idea of SPF record is that an owner of domain name publishes the information about IP addresses that are authorized to send mail from this domain name. The receiving server compares the information in the envelope sender address with the information published by domain name owner. If these details match then e-mail is delivered.




In order to enable SPF record for your domain name which uses email services provided in your cPanel you need to go to E-mail Authentication icon in cPanel. Click on Enable and the record will be added to your DNS zone automatically. You can find the record that was added in Advanced DNS Zone Editor.




Here is an example of correct SPF record in Advanced DNS Zone Editor of cPanel:

v=spf1 +a +mx +ip4:205.251.130.241 ~all

SPF record has its own specific syntax. It is strongly recommended to get familiar with it here if you are going to customize this record manually.

v=spf1 – the current version of SPF.

At the moment it is version 1.

+a – here you can specify an authorized domain or subdomain. All the IP addresses for the specified domain are compared with client IP address. If no domain is specified, then the current sender’s domain is taken. In our example no domains are specified therefore example.com is an authorized one.

+mx – a domain name with specific MX records can be configured. If one of domain MX records resolves to client IP address, then it is considered to be authorized.

+ip4: 205.251.130.241 – IP address which is authorized so send e-mails from that domain name. It is possible to set several IP addresses as well as restrict specific IPs using «-» instead of «+».

~all – mail from all other senders goes to spam folder. It is possible to change «~» on «-» to reject all e-mails which are sent from not authorized IP addresses.

Also a convenient interface is available in the menu ‘Email Authentication’. It will allow you to easily customize your SPF record. It becomes active once SPF record is enabled.




Additional Hosts that send mail for your domains (A) – this function works as +a. It is a user-friendly interface of adding authorized domain name. If you click Add you will see a window with one single field where an authorized domain name can be added. By clicking Remove you can simply delete the item from the list of the authorized domain names.

Additional MX servers for your domains (MX) – this function works as +mx.

Additional IP blocks for your domains (IP4) – the name of this function could seem to be confusing. It works as +ip4. Here you can add authorized IP addresses.

Include List (INCLUDE) –allows adding some other hosts if you are going to use several mail services.

All Entry (ALL) – lets you modify all. If this parameter is checked then it will exclude all senders which are not specified in your SPF record (-all). If it’s not checked it will be ?all.

Overwrite Existing Entries – if checked then all SPF records which exist for your account at the moment will be overwritten by this SPF record.

In some instances some services require you to add TXT record for your domain to verify your domain name ownership. In such cases it is not recommended to add another TXT record if you already have SPF record. It is possible to add the required text value to your SPF record.

DKIM Record

DKIM (DomainKeys Identified Mail) is another way of e-mail authentication. This method uses information about domain which is published by the domain owner. That information allows receiving server to verify if the e-mail message was sent by legal owner of that domain name.

Once TXT record which contains DKIM has been added to DNS zone a special code is added to the headers of outgoing e-mails. Receiving servers compare these headers with the information in DNS zone and if it matches then the e-mail is delivered.

To enable DKIM you need to access your cPanel >> E-mail Authentication and click on Enable next to DKIM Record section.




These simple actions will let you be sure that no one is able to send spam on your behalf and your e-mail will not be delivered to spam folders.