One commonly overlooked area in cPanel is email authentication. Maybe it’s one of those things that you never bothered checking out, or maybe it just looked a little intimidating.
Regardless of whether you know it is there or what it does you may want to look at it when you get a moment of spare time. It can potentially reduce the spam mail that you receive as well as increase the chance that the mail you send out arrives in someone’s inbox instead of a junk/spam folder. You do want your messages delivered to someone’s inbox don’t you?
cPanel email authentication allows you to enable DKIM keys, and SPF records for your domain very easy.
Here is a little more information about each:
DKIM (DomainKeys Identified Mail) – is used to verify that an inbound email message is actually from the stated sender, and that the message has not been altered or tampered with. If you enable DKIM, messages are digitally signed using a private key. The message recipient uses DNS to retrieve the sender’s public key in order to verify the message’s signature. If the signature is invalid, then the message is assumed to be forged and spam.
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
http://www.dkim.org/
SPF (Sender Policy Framework) – specifies which mail servers are permitted to send mail on behalf of your domain. Some mail servers don’t accept incoming messages if it comes from a domain that doesn’t have an SPF record. Without an SPF record a message may end up in the receivers spam/junk folder, or it may be rejected completely.
http://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.openspf.org/
Enabling DKIM and SPF can help reduce the amount of spam you receive, and increase the likelihood that the messages you send out will arrive in the receivers inbox rather than in their spam/junk folder. There are obviously no guarantees, and this assumes that your host has set up the mail server and records properly to begin with. It also assumes that the IP address that your website happens to be on or using isn’t blacklisted for some reason.
Before enabling either of these, make sure you have a good understanding of what they do. Adding a SPF record is a little more confusing in cPanel than DKIM. If you are not sure about the process, then you may want to ask your host for help.
After adding/enabling one or both you should allow 24-48 hours (usually less) for the DNS records to propagate.
If for some reason you added a custom SPF record in the past you would want to combine them rather than have two separate records.
How To Enable DKIM And SPF In cPanel
Login to your cPanel account.
Locate the Mail section/area.
Select Email Authentication.
Scroll down to DKIM and click the Enable button.
Come back to the SPF section and click the Enable button for SPF.
After enabling them you should see something like this:
If you need to customize the SPF record you can do so in the Advanced Settings area underneath the Enable button.
The options are:
- Additional Hosts that send mail for your domains (A)
- Additional MX servers for your domains (MX)
- Additional Ip blocks for your domains (IP4)
- Include List (INCLUDE)
- All Entry (ALL)
- Overwrite Existing Entries
You can come back here at any time and update/change these settings if needed.
If your host has the Advanced DNS Zone Editor available in cPanel in the Domains section/area you can go there and see that a TXT record for SPF is automatically added for your domain.
How To Disable DKIM And SPF In cPanel
To turn off/disable DKIM or SPF you can return to Email Authentication and simply click on the Disable buttons.
Manually adding SPF
It is also possible to manually add an SPF record by adding a TXT record using the Advanced DNS Zone Editor. (The Simple DNS Zone Editor won’t allow you to add TXT records.)
Example:
Name: yourdomain.com.
TTL: 14400
Type: TXT
TXT Data: your actual SPF record
And, click the Add Record button.
It will then show up in the Zone File Records section at the bottom.
For those of you that want to explore manually adding one you can check out the page below for help, but be careful and make sure you know what you are doing.
Sender ID Framework SPF Record Wizard by Microsoft
Testing – Results
When I send a message to Hotmail/Outlook from a domain before enabling DKIM or SPF I can check the message source headers and see that there are none, or they don’t exist.
After enabling both DKIM and SPF in cPanel, and waiting for propagation when I send another email to Hotmail/Outlook I can see they are present in the headers now.
If I send a message to a Gmail address from a domain with DKIM and SPF enabled and I check the message source headers I can see that they say: pass, and the DKIM-Signature is present.
Note:
This would be for sending mail from your domain (email address) with the cPanel webmail feature (horde, roundcube, or SquirrelMail), or with an email client program like Mozilla Thunderbird, Outlook, etc.
If you are using a PHP Script like WordPress to send out replies to comments for example, and you are using the default PHP mail function you will want to check the email source headers for these as well. If you don’t see DKIM keys and SPF pass, then consider using an SMTP plugin instead of the PHP mail function. Doing so will allow WordPress to connect and send mail through your hosting SMTP (send mail transfer protocol) with DKIM keys, and SPF records attached.
7 comments
Hey Ray,
I almost didn’t stop by here thinking that whatever you were sharing was going to be too technical but boy am I glad I did.
Neither one of these settings were enabled so I did both of them. So the additional one that you’ve got here is that something that we definitely need to do?
I have my main email for my blog set up of course on my server and I have it directed to Outlook but dang, I get a LOT of spam and even though I tell it to block it that’s a joke. I’m hoping that this will really help cut down on a lot of that. It sends nothing to the spam or junk folder at all.
I don’t want to mess with anything else only because I’m not exactly sure if that’s needed or not. Thank you though for help with this. Cool!
~Adrienne
Adrienne recently posted..Does The World Really Need Another…
Hi Adrienne,
I don’t believe cPanel does a perfect job with the DKIM part, but better than none at all. I would send a message to yourself or another email box you have and check the email message source just to make sure you see DKIM and SPF in the headers like my screen shots.
I am not sure what you are referring to when you say the additional one? As long as DKIM and SPF is enabled, and you don’t see any errors then that should be it.
If you get a lot of spam mail for your domain email another thing you can look into in cPanel is the Mail section called “Apache SpamAssassin”. It is very popular, and available with most setups. It is most likely disabled by default, but you can enable that with a click of a button in cPanel as well.
You can configure a threshold/hits level there and whether or not you want to auto-delete spam. The default setting threshold/hits is 5. You have the option of setting 1 to 10. 1 being the highest (most aggressive) and 10 being the lowest (least restrictive/aggressive).
Setting it above 5 will mark more messages as spam and you may end up blocking legit messages that you didn’t intend to. Setting it too low may not help at all. So it can be difficult to find the perfect setting or number.
There is also a “Configure Apache SpamAssassin” button on the bottom of that page that will allow you to customize it with whitelists, blacklists, and threshold/scores.
You can use SpamAssassin to really cut down on spam messages. It’s just a matter of the right settings.
Something to at least take a peek at.
I updated the original reply about SpamAssassin. It should have said a setting of 1 is the most aggressive spam blocking, and 10 is the lowest. If one were to enable it a less aggressive setting would probably be the place to start such as a 9 or 10 setting.
Hi Ray, This is very cool. I had no idea about this stuff. I would love to activate this on Bluehost and figured out where to do it. I have a question though. Will activating this prevent emails from my domain going into spam folders? Often Google puts my emails and subscription notices into my spam folder. Not liking that.
If that is the case, then I definitely want to activate this. But I don’t get much spam so if all this does is prevent spam arriving to my email address then it’s not what I need now.
Carolyn Nicander Mohr recently posted..SumAll — Your Social Media Report Card!
Hello Carolyn,
Enabling these will primarily effect your outgoing email (anything @ yourdomain . com). When you enable DKIM and SPF in cPanel it adds them to the headers of the mail you send out. When they arrive at the receivers provider (Gmail, Hotmail/Outlook, Yahoo Mail, or any other provider) the message is inspected. If it has DKIM and SPF attached to it, then it is more likely to be accepted as a non-spam message.
By adding them it basically says you are who you say you are, and that you take responsibility for sending it. Without them there is little or no responsibility, and a lot of provider’s can’t determine if it is legit or not, so they put it in the spam/junk folder.
Gmail has one of the most strict checks, and it will be difficult to pass it even with these enabled. However, it certainly helps, and you would pass a lot of other email providers checks with DKIM and SPF enabled.
I did receive your reply to my comment that I left on your site. It did arrive in my inbox at Hotmail. I checked the message source and I can see DKIM pass and signature. SPF says none though.
Your host may have DKIM enabled at the server level already.
One thing to keep in mind though is that with WordPress (and other CMS systems) it uses the generic PHP Mail Function by default to send mail for subscriptions, reply to comments, etc. Usually DKIM and SPF won’t get attached to outgoing messages when they are sent this way. In order to attach them an SMTP plugin may be required, which would be configured to connect to your real mail server and sent out. Sounds confusing, but it’s fairly simple.
I know you don’t want additional incoming spam protection, but to prevent incoming spam messages you would want to look in the cPanel Mail section for SpamAssassin.
Hi,
Any idea how to authenticate outgoing mail with domain keys in cpanel. I have added domain keys, but email headers show domain key: No signature.
Thanks
You should see a DKIM-Signature in your email headers after enabling it in cPanel. However, last time I checked it does not add a DomainKey-Signature, which is kind of a bummer.
I have read up on some suggestions about how to get a DomainKey-Signature with cPanel, but all of the ones I looked into either didn’t work, or they were not very clear and specific.