Surprising fact: nearly 30% of sent messages fail authentication checks because DNS records are missing or misconfigured.
You can stop that by using the Email Deliverability tool inside cPanel. The interface appears after your host enables the Feature Manager in WHM. It scans domains, checks SPF and DKIM, and shows status with action buttons.
The tool needs a DNS server authoritative for the domain. If you use third‑party mail like Gmail or Microsoft 365, follow their setup to add SPF and DKIM. Use Repair to auto-fix simple invalid records or Manage to edit Mail HELO, DKIM, SPF, DMARC, and PTR details.
This short guide gives a clear roadmap: what you’ll click, what name/value pairs to copy to external DNS, and when to coordinate with your provider for PTR. By the end, you’ll know how to get to a passing status fast.
Key Takeaways
- Find the Email Deliverability interface after your host enables the WHM Feature Manager.
- The system relies on SPF and DKIM and requires authoritative DNS for the domain.
- Use Repair for quick fixes; open Manage to edit HELO, DKIM, SPF, DMARC, and PTR.
- Copy name/value pairs to external DNS when you host records elsewhere.
- Third‑party services need their own DKIM/SPF steps; follow provider docs for best results.
Why your emails bounce or hit spam today
Receiving hosts inspect published DNS entries to confirm your domain really sent the message. When SPF, DKIM, DMARC, or PTR records are missing or wrong, remote servers may reject or mark your mail as risky.
Common problems include missing includes for third‑party services, a DKIM TXT stored under the wrong name, or a PTR that doesn’t map back to an A record. Misaligned HELO/EHLO names also draw extra checks and reduce trust.
Quick tip: treat authentication as a group. Auditing SPF, DKIM, DMARC, and rDNS together fixes most issues faster than changing subject lines or content.
For more background and practical steps, see this guide: why messages go to spam and what to.
| Failing record | Typical symptom | Quick fix |
|---|---|---|
| SPF (TXT) | Softfail or fail from third‑party sends | Add the provider’s include to the TXT value |
| DKIM (TXT) | Broken signature or unsigned messages | Publish the full key under the correct selector host |
| PTR (rDNS) | Rejected by strict servers | Ask the IP owner to set PTR pointing to a matching A record |
| DMARC (TXT) | No policy or reporting | Install a reporting policy after SPF and DKIM validate |
Accessing the Email Deliverability interface and prerequisites in cPanel and WHM
You’ll see the Email Deliverability entry in cPanel once your host flips the switch in WHM’s Feature Manager. Check WHM » Home » Packages » Feature Manager » Feature Lists to confirm the feature is enabled for your plan.
If the interface is missing, contact support. The system needs to know where DNS is authoritative before it can install TXT records. If your server does not host nameservers for the domain, cPanel will still generate suggested TXT Name and Value pairs that you must paste at your DNS provider.
Third‑party providers and where settings live
When you use Gmail or Microsoft 365, follow the provider documentation and instructions to publish SPF and DKIM in your external DNS. cPanel can show the suggested mail-related dns records, but the authoritative nameservers win.
Understanding the domains table, Status, Repair vs Manage
The table lists each domain, its status, and action buttons. Click Repair to attempt an auto-fix (recheck may take up to five minutes). Use Manage to view HELO, copy suggested TXT records, or customize records manually. The gear icon changes pagination and refreshes the system view.
Set up SPF in cPanel: the foundation for trusted sending
Start by locating the Suggested SPF (TXT) entry in Manage the Domain so you can copy the exact Name and Value to publish. Use the View toggle to show Full or Split formats if your DNS host limits 255 characters.
Click Customize to add Additional Hosts (+a) and Additional MX Servers (+mx). Add any dedicated gateways or marketing systems so the logic matches where you send from.
Under IP Address Settings, enter IPv4 or IPv6 blocks in CIDR form for fixed servers. The system already includes your server’s main IPv4/IPv6 addresses automatically.
Use the Include List (+include) for platforms like Mailchimp so their senders are authorized. Choose ~all while rolling out for flexibility, and switch to -all when you confirm only authorized hosts are listed.
Preview the updated SPF record, then Install if your server is authoritative. If not, paste the suggested Name and Value at your external DNS host. Allow a few minutes for propagation, then recheck the status in the system.
Configure DKIM correctly: keys, TXT format, and provider considerations
If your domain has no DKIM key, generate one in Manage the Domain and copy the Suggested “DKIM” (TXT) Record exactly as shown.
Use the View tool to pick Full if your DNS host auto-splits long strings. Choose Split to paste 255-character chunks when your provider requires separate fields.
Keep the private DKIM key secret. Treat the private dkim key like a password. If it leaks, attackers can sign messages as your domain and harm your reputation.
If DKIM fails for messages sent by PHP apps, check the PHP handler. For DSO without MPM ITK, enable two Exim options in WHM’s Exim Configuration Manager to let the system attribute the sender correctly.
“Create or regenerate your DKIM key pair, copy the suggested TXT Name and Value, and publish where your authoritative nameserver lives.”
| Action | What to copy | When to choose Full vs Split |
|---|---|---|
| Generate Local DKIM Key | Name and Value (Suggested DKIM TXT) | Full if provider auto-splits |
| Publish to authoritative DNS | Exact TXT record value | Split for 255-char limits |
| Handle PHP-sent messages | Adjust Exim options in WHM | After changing PHP handler or enabling trust options |
Quick checklist:
- Copy the TXT Name and Value exactly.
- Publish at the authoritative DNS or paste locally for reference.
- Test after propagation and rotate keys if compromised.
DMARC policy that enforces your SPF and DKIM
A DMARC policy turns authentication results into action and gives you reporting so you can see who sends for your domain.
Prerequisites: make sure valid spf and dkim records are in place and passing for the domain before you enforce a policy. If either fails, DMARC will not effectively protect mail and may not activate enforcement.
Install the Suggested DMARC (TXT) Record
The interface shows a suggested record you can use to start. If the system hosts your zone, click Install the Suggested Record to add the TXT automatically.
If your nameservers are external, copy the Suggested TXT Name and Value exactly and publish them at your DNS provider. Contact your provider if you need help adding the dns record.
- Begin with p=none to collect reports and verify sources.
- Publish rua (aggregate) and ruf (forensic) addresses so you can monitor pass/fail rates.
- Gradually move to quarantine or reject once alignment and pass rates are stable.
- Recheck the system status after propagation; the interface may take a few minutes to update.
“Keep your DMARC record in sync with changes to SPF includes and DKIM selectors so legitimate sends aren’t blocked.”
Reverse DNS (PTR) and HELO alignment: stop rDNS-related rejections
Reverse DNS ties an IP back to a hostname, and it only works if that hostname also resolves forward. A PTR resolves an IP to a name, and that name must have a matching A record for the check to pass.
Who can set PTR: the owner of the IP space — usually your data center or hosting provider. If you cannot edit the PTR yourself, open a support ticket and ask the provider to set the desired mapping.
Tip: make your Mail HELO/EHLO match the PTR/A hostname. When the HELO and the reverse mapping align, receiving servers are much less likely to flag your traffic.
- Check that your sending IP’s PTR maps to a hostname that has a forward A record.
- If PTR is missing or incorrect, contact the IP owner (data center or provider) to update the record.
- Use the system’s Email Deliverability page to see rDNS issues and follow the shown remediation steps.
- Expect PTR changes to take time to propagate; plan a recheck after a few hours.
“Keep PTRs consistent for each dedicated IP and align HELO with the PTR hostname to reduce rejections.”
email deliverability on cpanel: verification, fixes, and edge cases
Use the Manage view to inspect HELO details and copy the exact suggested record Name and Value when the server isn’t authoritative. This panel lists the Mail HELO and shows the Suggested “SPF/DKIM/DMARC” TXT entries you can publish elsewhere.
Use Manage the Domain: HELO info, suggested records, and manual edits
Open Manage to get HELO info and the precise name value strings. Use the View toggle to pick Full or Split so long TXT values match your DNS host limits.
When to click Repair: what it changes and timing of rechecks
Click Repair for straightforward fixes. The system rechecks repaired records within about five minutes.
Note: you cannot update multiple domains that share the same zone at once.
Hostname vs domain in WHM: server-level SPF, DKIM, and DMARC
WHM’s feature covers the server hostname separately from each domain name. Use that server-level area to install SPF, DKIM, and DMARC for the host itself.
Nameservers not controlled by cPanel: copying Name/Value to your DNS host
If the system does not host nameservers for a domain, copy the suggested TXT name and value and paste them at the provider that manages your DNS. Track any problem exists flags and clear SPF and DKIM first, then DMARC and rDNS.
Smart host scenarios and why PTR might not appear
If you relay through a smart host, PTR details may be omitted in the UI. The outbound IP is set by the relay provider, so request PTR changes from them when needed.
“Open Manage, copy the suggested record text exactly, and verify with the gear icon refresh after propagation.”
| Action | What to copy | Timing / Notes |
|---|---|---|
| Open Manage | Suggested TXT Name & Value | Use Full/Split before pasting to nameservers |
| Click Repair | System auto-fixes invalid records | Recheck ~5 minutes; no bulk edits per zone |
| WHM Hostname | Server‑level SPF/DKIM/DMARC records | Separate from each domain name |
| Smart host | Request PTR from provider | PTR may not show if relay controls IP |
Conclusion
,Wrap up the setup by confirming TXT entries are published and propagated for every domain you manage.
Quick checklist: set spf to cover all senders, publish the dkim record correctly, then add dmarc at p=none while you collect reports.
Copy the Suggested Name and Value from the interface when your system is not authoritative. Ask the IP owner to set PTR so HELO and forward A records match.
Protect your private dkim key, rotate when needed, and test by sending to a major provider. Inspect headers for spf=pass, dkim=pass, and dmarc=pass to confirm success.
FAQ
What should you check first if messages bounce or land in spam?
Start by verifying your SPF, DKIM, and DMARC records in DNS. Confirm your server IP has a proper PTR record and that your HELO/EHLO name matches a forward-resolving A record. Also check whether your DNS host is authoritative so suggested TXT records actually publish.
How do you access the Email Deliverability interface and what prerequisites matter?
Open the Email Deliverability section in cPanel or WHM. Ensure the feature is enabled in WHM’s Feature Manager and that the domain uses an authoritative nameserver. If you use Gmail or Microsoft 365, some settings live at those providers instead of your control panel.
What does the interface table show and when should you use Manage vs Repair?
The table lists domains with statuses and suggested records. Click Manage to view name/value pairs and make manual edits. Use Repair to let the system attempt automatic fixes—ideal for common missing or malformed TXT records, but allow time for DNS propagation.
How do you view and copy the suggested SPF TXT record?
In Manage, the suggested SPF shows the TXT record’s Name and Value fields. Copy both exactly, then paste into your DNS host’s TXT entry if cPanel isn’t authoritative. Verify the record with a DNS lookup after propagation.
Can you customize the SPF record for additional hosts or services?
Yes. Add entries like +a for extra hostnames, +mx for extra mail exchangers, or +include: for services such as Mailchimp. Ensure you don’t exceed DNS TXT length limits and choose the right all mechanism (~all for softfail, -all for strict fail) based on your risk tolerance.
How do you add IPs with CIDR notation, and are server IPs included automatically?
Add IPv4 or IPv6 addresses using CIDR (/32, /128, etc.) into the IP Address settings when customizing SPF. cPanel often auto-includes the server’s primary sending IP; verify the final TXT includes any other outbound IPs you use.
How do you generate and install a DKIM key locally?
Use the Email Deliverability or WHM key-generation option to create a local DKIM key. Copy the suggested DKIM TXT name and value into your DNS host or let cPanel install it if authoritative. After publishing, test with a DKIM validator to confirm the public key resolves.
What about long DKIM TXT values—full vs split records?
DNS limits single-string TXT parts to about 255 characters. Some DNS providers automatically split long values; others require you to add quoted fragments. If your host doesn’t auto-split, paste the DKIM value as multiple quoted strings as instructed by the provider.
When might you need the private DKIM key and what are the risks?
You typically don’t share the private key. Only retrieve it if you must migrate signing to another server or for backup. Keep it secure—exposure lets others sign mail as your domain and can destroy reputation.
Are there server-side caveats for PHP scripts that affect signing?
Yes. If PHP runs under certain handlers (DSO, Mod_Ruid2, MPM ITK), scripts might send mail as the system user instead of the domain user. Review Exim Configuration Manager and PHP handler behavior to ensure messages get proper SPF/DKIM alignment.
What must be true before you install a DMARC record?
Ensure valid SPF and DKIM records exist and pass checks. Once those are in place, add the suggested DMARC TXT (policy, aggregate/reporting addresses). Remember that DMARC is enforced only when the receiving system evaluates alignment and the DNS record is authoritative.
Who controls reverse DNS (PTR) and why does it matter?
PTR records map IPs back to hostnames and are controlled by the IP owner—usually your hosting provider or data center. PTR must resolve to an A record and match HELO to avoid rejections from strict receivers.
How do you handle nameservers that aren’t managed in cPanel?
Copy the Name and Value fields from Manage and add them at your DNS provider’s dashboard. If your domain uses third-party DNS, changes made in cPanel won’t publish—use the authoritative host instead.
Why might PTR not appear for smart host setups or relay scenarios?
If you send through a smart host or relay, the sending IP belongs to that relay provider. PTR entries and HELO alignment are then the relay operator’s responsibility, and you must coordinate with them for proper reverse DNS.
When should you click Repair and what happens afterward?
Click Repair when suggested records are missing or malformed and you want cPanel to attempt an automatic fix. The system updates DNS if authoritative; otherwise it provides the records for you to add. Allow time for TTL and DNS propagation before rechecking status.
How do server hostname records differ from domain records in WHM?
The server hostname uses server-level SPF/DKIM/DMARC that affect system-generated mail (cron, notifications). Domain records govern user mail. Keep both consistent to minimize alignment issues and reputation hits.
How can you verify that records have propagated and work correctly?
Use public DNS lookup tools to fetch TXT and PTR records, and online validators for SPF, DKIM, and DMARC. Send test messages to check header authentication results and review bounce or spam reports for clues.
