Email Deliverability: How to Keep Your Emails Out of Spam (SPF, DKIM, DMARC)

For business emails to arrive reliably, receiving mail servers must be able to verify that your messages really come from your domain. SPF, DKIM and DMARC help protect your domain from abuse and improve the deliverability of your emails.

Email deliverability is much more demanding today than it used to be. Major mailbox providers such as Google, Microsoft, Yahoo and others inspect incoming messages very carefully. It is no longer enough for an email to be technically sent. The receiving system also checks whether the sender is trustworthy, whether the domain is properly authenticated and whether the message looks like spam, phishing or spoofing.

This is especially important for businesses: if quotes, invoices, support replies, contact form messages or order confirmations land in spam, it looks unprofessional and can directly cost revenue. The most important technical foundations for clean email authentication are SPF, DKIM and DMARC.

Important:

SPF, DKIM and DMARC improve the technical trustworthiness of your email. However, they do not guarantee that every message will land in the inbox. Content, sending behavior, recipient reactions, blocklists, reputation and complaint rates also matter.

Why Do Emails Land in Spam?

An email can land in the spam folder or be rejected for many reasons. Common causes include missing or incorrect DNS records, a badly configured mail server, suspicious content, too many recipient complaints or sending through unauthorized systems.

It becomes especially critical when a mail server cannot verify that a message really comes from the stated domain. Spammers and fraudsters often try to abuse other domains as senders. This is exactly where SPF, DKIM and DMARC help.

The Three Most Important Protection Mechanisms

1. SPF

Sender Policy Framework defines which servers are allowed to send email on behalf of your domain. Receiving mail servers can check whether the sending server is authorized.

2. DKIM

DomainKeys Identified Mail adds a digital signature to outgoing emails. This helps verify that the message was not altered and was sent with authorization.

3. DMARC

Domain-based Message Authentication, Reporting and Conformance defines how receiving servers should handle messages that fail SPF or DKIM checks.

SPF: Who Is Allowed to Send for Your Domain?

SPF is a DNS TXT record that defines which servers are allowed to send emails on behalf of your domain. For example, if your domain sends emails through CURIAWEB, the CURIAWEB mail server must be allowed in the SPF record. If external services such as newsletter tools, CRM systems or accounting software also send email using your domain, those services must be included as well.

From the receiving mail server’s perspective, an SPF record answers the question: “Is this server allowed to send email for this domain?” If the answer is no or the SPF record is faulty, the message may be considered suspicious.

Important for SPF:

A domain should usually have only one SPF record. Multiple separate SPF TXT records for the same domain can cause errors. If several sending services are used, they must be combined into one shared SPF record.

DKIM: The Digital Signature of Your Email

DKIM complements SPF with a digital signature. The sending mail server signs outgoing messages cryptographically. The public key needed to verify this signature is published as a DNS record. The receiving mail server can use it to check whether the message was changed after sending and whether the signature matches the domain.

DKIM is especially valuable because it does not only look at the sending server but signs the message itself. This improves the technical trustworthiness of your emails and is an important part of authentication for modern mailbox providers.

DMARC: Rules for Failed Authentication

DMARC builds on SPF and DKIM. It defines what receiving mail servers should do when an email fails authentication or does not align with the visible sender domain. DMARC can also enable reports that show which systems are sending email on behalf of your domain.

DMARC can be operated with different policies:

DMARC policy Meaning Typical use
p=none Monitor only, no direct rejection enforced Initial setup and analysis
p=quarantine Failed messages should usually go to spam or quarantine Advanced protection phase
p=reject Failed messages should be rejected Strict protection after clean setup

Recommendation

Start carefully with DMARC, especially if you use multiple sending services. A policy that is too strict can block legitimate emails if SPF or DKIM are not yet fully configured correctly.

Check Email Deliverability in cPanel

cPanel provides the Email Deliverability function to check the key authentication data for your domain. cPanel shows whether problems exist, which records are recommended and whether SPF, DKIM or DMARC can be installed.

Step by Step: Check SPF, DKIM and DMARC in cPanel

  1. Log in to your cPanel account.
  2. In the Email section, open Email Deliverability.
  3. Find the required domain in the list.
  4. If cPanel reports problems, click Manage.
  5. Review the suggested records for SPF, DKIM and DMARC.
  6. If cPanel manages the DNS zone, you can usually install the suggested records directly.
  7. If the DNS zone is managed externally, copy the suggested values and add them at the external DNS provider.
  8. Wait for DNS propagation and then check the domain again.
Important for external DNS:

If your domain uses external nameservers, cPanel may not be able to set DNS records automatically. In that case, SPF, DKIM and DMARC must be added where the authoritative DNS zone of your domain is managed.

Add External Sending Services Correctly

Many businesses do not send email only through the normal hosting mailbox. Additional services are often used, such as newsletter tools, CRM systems, support software, accounting systems, shop systems or booking platforms.

Typical external services include:

  • newsletter tools such as Mailchimp or Brevo,
  • CRM and sales systems,
  • helpdesk or ticket systems,
  • shop and invoicing software,
  • Microsoft 365 or Google Workspace,
  • transactional mail providers for automated system emails.

If such services send emails using your domain as the sender, they must be properly included in SPF, DKIM and, if applicable, DMARC. Otherwise, these legitimate messages may be treated as unauthorized.

Practical tip:

Never add external sending services blindly. Always use the official DNS instructions from the provider and check whether SPF records must be combined or whether DKIM is configured through separate CNAME or TXT records.

Common SPF, DKIM and DMARC Mistakes

1. Multiple SPF records for the same domain

Multiple SPF records are a common mistake. Instead of creating several TXT records with v=spf1, all authorized sending sources must be combined into one single SPF record.

2. External mail services missing from SPF

If a newsletter tool or CRM sends email using your domain but is not included in the SPF record, authentication may fail.

3. DKIM not enabled

Without DKIM, an important signature check is missing. Many receiving mail servers treat signed messages as more trustworthy than unsigned messages.

4. DMARC configured too strictly

A direct policy such as p=reject can be problematic if not all legitimate sending sources are correctly authenticated yet. In complex setups, start with monitoring and only tighten the policy after review.

5. DNS changed in the wrong place

If your domain uses external nameservers, changes in the cPanel Zone Editor may have no effect. The authoritative DNS zone is always what matters.

6. Sender domain and sending service do not align

If the visible sender address, technical sending path and authenticated domain do not match, DMARC can fail. Make sure domain alignment is clean.

How to Test Your Email Deliverability

After changing SPF, DKIM or DMARC, you should test the configuration. First use the Email Deliverability function in cPanel. External test services can also be helpful because they analyze a test email and provide hints about DNS, authentication, spam factors and reputation.

However, external test tools only provide a snapshot. A good score in one tool does not automatically mean that every email will reach every inbox. Likewise, a warning does not always mean that your entire email configuration is broken. The results must be interpreted correctly.

Good Technical Deliverability Is Only Part of the Solution

Besides SPF, DKIM and DMARC, many other factors influence whether emails reach the inbox:

  • clean recipient lists,
  • no purchased or unverified address lists,
  • realistic sending volumes,
  • low complaint rates,
  • clear sender identity,
  • professional subject and content,
  • working reply address,
  • proper unsubscribe option for newsletters,
  • no suspicious attachments or links.

DNS authentication is therefore the technical foundation. Good email practice remains necessary.

Frequently Asked Questions About SPF, DKIM and DMARC

Does every domain need SPF, DKIM and DMARC?
For domains that send email, proper authentication is strongly recommended. Even domains that do not actively send email can be better protected against abuse with DMARC.

Can cPanel set SPF, DKIM and DMARC automatically?
Yes, if the DNS zone is managed by the cPanel server. If the domain uses external nameservers, the records must be added at the external DNS provider.

Why does cPanel still show problems?
Possible causes include DNS propagation, external nameservers, incorrectly copied records, multiple SPF records or missing DKIM/DMARC records.

What happens if I use external services such as Mailchimp?
These services must be authenticated correctly. Use the DNS instructions provided by the service and combine SPF records properly.

Can CURIAWEB check my email deliverability?
Yes, CURIAWEB Support can review the technical DNS basics. For external services, their exact DNS instructions are often required.

Register a New Domain

Clean email deliverability starts with a professionally managed domain. With CURIAWEB, you can check and register your desired domain directly online and then use it for your website and email.

Register your domain with CURIAWEB

Was this answer helpful? 0 Users Found This Useful (0 Votes)