How to Configure Email Authentication in WHM (SPF, DKIM, and DMARC)

May 30, 2026 WHM Guides
Summarize this article with:
Last update: May 30, 2026 8 min read

Overview

Email authentication tells receiving mail servers that you’re actually authorised to send email from your domain. Without it, your messages look suspicious — because from the internet’s perspective, anyone can claim to be sending from your domain. WHM SPF, DKIM, and DMARC records are the three layers that fix this.

You’ll need this article if your emails are bouncing, landing in spam folders, or if you’re setting up a new server and want to get deliverability right from day one. It’s also relevant if you’re managing multiple client accounts — for example, if you’re on a Reseller Hosting plan and need to configure authentication across several domains at once.

WHM gives you server-level controls to enable DKIM and SPF globally, but DMARC is a DNS-only record you’ll add per domain. This guide covers all three in the correct order — because the order actually matters.

Prerequisites

  • Root or reseller access to WHM (version 11.102 or later recommended)
  • Access to your domain’s DNS zone — either through WHM’s Zone Editor or an external DNS provider like Cloudflare
  • At least one domain with active email hosting on the server
  • Basic understanding that DNS changes can take up to 48 hours to propagate, though usually under an hour with TTLs set correctly
  • If you’re using an external DNS provider, you’ll need to copy records manually — WHM won’t push them automatically

Step 1: Enable DKIM Globally in WHM

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. The receiving server checks that signature against a public key in your DNS. If they match, the email is verified as legitimate.

  1. Log in to WHM at https://yourserver.example.com:2087
  2. In the left sidebar, search for Email Authentication and click it. The full path is Home > Email > Email Authentication.
  3. Under the DKIM section, make sure the toggle is set to On.
  4. Click Save.

This enables DKIM for all existing and future cPanel accounts on the server. WHM automatically generates a 2048-bit RSA key pair per domain and adds the public key to each domain’s DNS zone (if DNS is managed locally).

📝 Note: WHM generates DKIM keys at 2048 bits by default as of cPanel version 11.90+. If you’re on an older installation that generated 1024-bit keys, I’d recommend regenerating them. You can do that per-account inside cPanel under Email > Email Deliverability.

Step 2: Enable SPF Globally in WHM

SPF (Sender Policy Framework) tells receiving servers which IP addresses are allowed to send email for your domain. Without it, anyone can spoof your domain in the “From” address.

  1. Still in Home > Email > Email Authentication, scroll to the SPF section.
  2. Enable the SPF toggle if it isn’t already on.
  3. Click Save.

WHM will generate a default SPF record that includes your server’s IP and the mx mechanism. For most setups, this is fine. The generated record looks roughly like this:

v=spf1 +a +mx +ip4:YOUR.SERVER.IP ~all

⚠ Warning: If your domain sends email through third-party services like Mailchimp, SendGrid, or Postmark, you need to add their sending infrastructure to your SPF record too. The default WHM-generated record won’t include them, and their emails will fail SPF checks. You’d modify the record to something like:

v=spf1 +a +mx +ip4:YOUR.SERVER.IP include:sendgrid.net include:servers.mcsv.net ~all

Keep SPF records under 10 DNS lookups total. Each include:, a, and mx mechanism counts as a lookup. Exceeding 10 causes a “permerror” and breaks SPF entirely — this trips up a lot of people who add too many third-party includes over time.

Step 3: Verify DNS Records Are in Place

After enabling both in WHM, confirm the DNS records actually exist before moving to DMARC. If DNS is managed locally by WHM, the records should be there. If you’re using an external DNS provider, you’ll need to add them manually.

To check, log in to cPanel for the domain (or use the root WHM account) and go to Email > Email Deliverability. This tool shows you which records are present and flags anything missing or misconfigured.

You can also verify from the command line on your server:

# Check SPF record
dig TXT yourdomain.com +short

# Check DKIM record (replace 'default' with your selector if different)
dig TXT default._domainkey.yourdomain.com +short

If the DKIM lookup returns the public key starting with v=DKIM1; k=rsa; p=..., you’re good. If it returns nothing, the record isn’t there yet — either it hasn’t propagated, or it wasn’t written to an external DNS provider.

Step 4: Add a DMARC Record

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It tells receiving servers what to do when an email fails those checks — and optionally sends you reports about failures.

WHM doesn’t add DMARC records automatically. You add it as a TXT record in DNS yourself.

  1. In WHM, go to DNS Functions > Edit DNS Zone and select your domain.
  2. Add a new TXT record with the following details:
    • Name: _dmarc.yourdomain.com. (note the trailing dot if your DNS editor requires it)
    • Type: TXT
    • Value: see below

Start with a monitoring-only policy. This is the safest approach — it collects reports without rejecting or quarantining any mail:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1

Once you’ve reviewed reports for a week or two and confirmed your legitimate mail is passing, tighten the policy:

# Quarantine (sends failures to spam)
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com

# Reject (blocks failures outright — use only when confident)
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com

📝 Note: The rua address receives aggregate reports (daily digests). The ruf address receives forensic reports per failed message. Many mail providers have started limiting ruf delivery for privacy reasons, so don’t be surprised if forensic reports are sparse or absent.

⚠ Warning: Don’t jump straight to p=reject on a domain that’s been sending mail for a while. If any legitimate mail source isn’t covered by SPF or signed with DKIM, it’ll get blocked immediately. Start with p=none, always.

Common Issues and Troubleshooting

DKIM DNS Record Not Found After Enabling in WHM

This usually means the domain’s DNS is hosted externally (Cloudflare, Route 53, etc.) rather than on the WHM server. WHM writes DKIM records to its local BIND zone files, but if the domain’s nameservers point elsewhere, those records never go live. Go to Email > Email Deliverability in cPanel, click Repair on the DKIM row, and then manually copy the displayed TXT record into your external DNS provider’s dashboard.

Emails Still Landing in Spam After Adding All Three Records

Authentication passing doesn’t guarantee inbox placement — it just removes one major spam signal. Other factors like sender reputation, blacklisted IPs, or spammy content still apply. Run your server IP through MXToolbox Blacklist Check and check your mail logs at /var/log/exim_mainlog for delivery details. If your IP is blacklisted, that’s a separate remediation process.

SPF “permerror” — Too Many DNS Lookups

This error is annoyingly common and the official docs aren’t great on it. Each mechanism in your SPF record that requires a DNS lookup counts toward the limit of 10. Use a tool like MXToolbox SPF Checker or dmarcian’s SPF Surveyor to count your current lookups. The fix is usually flattening includes — replacing include:sendgrid.net with the actual IP ranges it resolves to, so they become ip4: mechanisms instead of counted lookups.

DMARC Reports Show Legitimate Emails Failing

This typically means a sending service isn’t covered by SPF, not signing with your DKIM key, or both. Common culprits: CRM tools, helpdesk platforms, or automated alerting systems that send from your domain using their own mail infrastructure. Either add them to your SPF record, configure them to use your DKIM key, or set up a subdomain specifically for their sending so it doesn’t affect your main domain’s DMARC policy.

“DMARC Policy Not Enabled” Warning in WHM Email Deliverability Tool

WHM’s Email Deliverability tool checks for a DMARC record but doesn’t create one for you. It’s expected to show this warning on a fresh setup. Add the TXT record manually as shown in Step 4. The warning will clear once DNS propagates.

FAQ

Frequently Asked Questions

Do I need to configure SPF, DKIM, and DMARC separately for every domain on my WHM server?

DKIM and SPF are enabled server-wide through WHM’s Email Authentication page, so they apply to all domains automatically. DMARC is different — it’s a DNS record you add individually per domain, because the policy and reporting email address are specific to each domain. If you manage dozens of domains, you’ll need to add DMARC records for each one separately.

How long does it take for SPF and DKIM to start working after I enable them?

If WHM manages your DNS locally, the records are usually active within minutes. If your DNS is at an external provider like Cloudflare and you’ve just added the records manually, allow up to an hour for most resolvers to see them — though the TTL on the record controls how fast changes propagate. Standard TTL is 3600 seconds (1 hour), but Cloudflare’s proxy cache can sometimes extend this.

What's the difference between SPF softfail (~all) and hardfail (-all)?

Softfail (~all) marks unauthorised mail as suspicious but still delivers it — most receiving servers will route it to spam rather than reject it outright. Hardfail (-all) instructs receiving servers to reject the message entirely. I’d recommend starting with softfail until you’re confident all your legitimate sending sources are covered, then switching to hardfail. Getting this wrong with hardfail will block real email immediately.

Can I use WHM email authentication settings if my DNS is managed through Cloudflare?

You can still use WHM to generate the DKIM keys and SPF values, but you’ll need to manually copy those records into Cloudflare’s DNS dashboard. WHM only writes to its local BIND zone files. Use the Email Deliverability tool in cPanel to see the exact record values, then paste them into Cloudflare as TXT records. Make sure DKIM records in Cloudflare are set to DNS-only (grey cloud), not proxied.

Will enabling DMARC with p=reject break any of my existing email?

Potentially yes, if any legitimate sending source isn’t passing SPF or DKIM alignment. That’s why you should always start with p=none, collect and review DMARC aggregate reports for at least two weeks, then move to p=quarantine, and only reach p=reject once you’re certain all legitimate mail is authenticated. Skipping straight to reject is one of the most common ways people accidentally block their own transactional or marketing email.

Related Articles

How to Handle Email Delivery Failures and Bounces in WHM Troubleshooting the WHM LiteSpeed Plugin: Common Errors and Fixes How to Configure PHP Settings in WHM Using EasyApache 4

SHARE THIS ARTICLE

Need help with your hosting?

Host & Tech provides 24/7 support for all VPS, dedicated, and shared hosting customers.

Contact Support View Plans
Scroll to Top