Configure SPF, rDNS, DKIM, and DMARC for email
Introduction
Sending and receiving email should be straightforward, but a lot of background checks happen before your organization’s email is delivered reliably and securely. Use this article to activate SPF, rDNS, DKIM, and DMARC to make sure your email reaches recipients, and protects your email server from crippling outcomes like dropped email and public blacklisting.
What cost a lost email that you never know a recipient has not seen?
Click open the headers below to understand more and learn how to configure your email server for minimum business standards. Please read through this entire article before starting to engage modifications to your email server. Changes you make are done so at your risk so be sure to contact us for general advice if you are in doubt. Click on images to view at full-sized resolution.
Why do these protocols matter?
If you do not put a stamp on a letter, it probably will not reach its destination, and without a return address you will certainly never know what happened to the letter.
Similarly, without SPF, rDNS, DKIM, and DMARC, email that you send will be erratic and unpredictable. You may think “it has never been a problem before”. Partly this is because when email does not reach a recipient, you know you sent it but the recipient does not know it was supposed to be received.
Perhaps this is not so noticeable in casual or individual usage. In an organisation, eventually patterns start emerging. Either way, everyone has sent an email that has never reached its target. These protocols are why most failures happen, and in business communications…. it matters. The protocols enable your supplier and customer email servers to “trust” your email and its “brand”.
“Postage stamps” for email
The one question we are posed by clients in 25 years of IT support is the plaintive “why aren’t my emails getting through?”. Hopefully, it is only because of a badly spelled email address. Often, though, the answer is that the client’s service is not sending adequately “stamped” emails with return addresses.
Protecting your identity – “trust”
Protocols like SPF, rDNS, DKIM, and DMARC are email’s answer to postage stamps. They enable receiving email servers to measure and “trust” the authenticity of your communication. Put another way, you need these protocols to protect your email from being measured as spam or malicious email.
Self serve guides for implementing email protocols
Your web server is optimised for delivering your web pages. If email is included in your package, we have made sure that an email server is enabled with necessary email tools. However, like flat pack furniture, your email server is minimally configured and the protocols need to be aligned with your domain name.
These domain name modifications can only be manually configured by you or your agent. If we look after your domain name, we would configure these modification within your ongoing support. If we do not have admin privileges in your domain name, and you have elected against support, then you need to configure these tools.
If you do not have expert in-house IT skills, consider our email configuration service and ongoing support plans. We are glad to quote on request.
Configuration guides
Use the “self-serve” guides linked below to implement SPF, rDNS, DKIM, and DMARC. There are a few ways to deal with these modifications, and it really depends on how your domain name and authoritative nameservers are configured, so these articles might not be exactly on point. Implement the protocols in the order listed:
- How to configure SPF
- How to configure rDNS
- How to configure DKIM
- How to configure DMARC
Tips and tricks
- some protocols may take up to 24 hours to resolve
- read through each guide before starting
- monitor email for a week or so before enabling the next protocol
- document what you do with screen shots
Bear in mind that changes made to domain names happen in real time, and errors can cause web site and email outages that could take up to 72 hours to restore. If in doubt, contact us first.
Summary
Email is vulnerable to malicious attacks that pose risks to your online identity, reputation, and hijack. Implementing SPF, rDNS, DKIM, and DMARC helps to ensure that your outgoing email reaches recipients.
Implementing these kinds of services is challenging without experience. If you do not have expert in-house IT skills, consider our email configuration service and ongoing support plans. We are glad to quote on request.
Create a new email address with cPanel
Set up a new email account
Set up email accounts using cPanel’s email module. You can create new email accounts and manage multiple users with cPanel’s extensive utililties.
See our other articles about email to plan email storage quotas, ongoing management, and security implementation like SPF, rDNS, DKIM, and DMARC. For advice, we can help you design policies and procedures.
Click on the headers below to learn how to create an email account. Click on images to view at full resolution.
Create a new email account
Log into your cPanel web server home page
- open your web browser
- navigate to the URL in your web server info sheet
- enter your credentials and click <Enter>
Navigate to cPanel’s Email module
- look for the <Email> section on the cPanel home page
- click on <Email Accounts>
cPanel’s email module features tools for implementing your email policies.
Create your new email account
- In your Email Account menu, click <Create> to add a new account
Important Note: when your server is built, it is programmed with a system account. This is for admin use and should not be used for daily email activity. For instance, your System email account is necessary for establishing a centralised address book, shared calendar, and system functions.
Fill in the following fields:
- Username: Enter the part of the email address before the @ symbol (e.g. info for info@your-domain.com)
- Domain: Select the domain for the email address if you have multiple domains
- Password: Enter a strong password or use the “Generate” button to create one
- Storage Space: Set the mailbox quota (default is 1GB)
- Click <Create> to set up the email account
Using a new email account
cPanel provides a fully featured Webmail utility called Horde. Access Horde Webmail by pointing their web browsers to the URL detailed in your web server info sheet. Click here to find out more about Horde Webmail/calender.
Your web server provides utilities to auto-configure devices to user’s email accounts. Users should configure email using IMAP to permit multi-device access.
Your web server provides email auto-configuration files for popular email clients. Users can download the files to execute from their Webmail preference pages.
Summary
cPanel provides a complete suite of tools to create email accounts and a webmail service for users to manage their email with.Also, the system email account can be used to create a centralised contact list which is an important GDPR consideration. The system account can create shared calendars too.
Email does not look after itself and ever changing threats require ongoing attention to protect you from email storage overruns and risks like blacklisting which could prevent you and your users sending email.
Read this article for more guidance on email management
For expert help about email policies and fully supported management, please contact us for help.
How to use cPanel Web Disk
cPanel Webdisk
Use cPanel Web Disk as a Cloud storage facility for managing and sharing your documents and files. Create Web Disk accounts in cPanel and save connections in your devices as network drives to provide access on your local devices.
Click on the headers below to find out how to use cPanel’s Web Disk module. Click on images to see in full resolution.
Plan a Web Disk folder structure
Web disk is a useful resource for saving files for access from computers and mobile devices that have been configured to connect to Web Disk user profile. Some organizations use the utility for off-site file backup.
Create a folder structure with user accounts
First, plan a folder structure (directory in Linux parlance) that can scale as your needs grow and change. For instance, you might create a user account for Accounting, and a user account for Marketing. This way, you can control how staff connect to the right files. Web Disk may be a useful mechanism for backing up local files, too.
Next, create a “sandbox” account to test account creation and connectivity. Then, you ca establish user accounts in cPanel and download connection scripts which can be installed on desired devices.
Your server can generate cconnection scripts that you can install on devices to create a permanent connection to files from computers and mobile devices.
Secure data transfer
Connections between your web server and connected devices leverage your web server’s SSL certificate. This means that your connected computer can connect to a Web Disk drive so that the Web Disk location appears in Windows File Explorer or Mac OS Finder. If you need to connect to multiple Web Disk accounts, download a script for each account you have privileges to connect to.
File sharing
Modern approaches to file sharing reduce the risk of duplication and version problems that have plagued workgroups in the past. Solutions like Microsoft 365 provide GDPR-compliant utilities to control versions and multi-user editing in real time. Web Disk does not include these kinds of tools.
There are third party add-on solutions that expand file sharing options for Web Disk to emulate Microsoft 365’s capabilities. Be aware that Web Disk may not be a suitable for you if your organization relies on version control and simultaneous multi user editing.
Create a new Web Disk account
Only the web site owner can create Web Disk Accounts. Log into cPanel using the data sheet we have provided you with and navigate to Files > Web Disk. Click open the utility.
Leave your primary user account alone
When you open Web Disk, you will see that a user account is already established. Leave this primary account alone. Your primary Web Disk account has access to all directories on your web server, including your web site pages and database. Sharing credentials for the primary accounts which poses a catastrophic risks if shared.
Instead, adding accounts makes it is easier to manage and revoke access for individual users without affecting the primary account. Also, creating a hierarcy of accounts helps you track/change/remove users and privileges.
Add an account
- Scroll down the Web Disk page and click open Create an Additional Web Disk Account
- Fill in the fields, including user name and permissions
- Use the recomended directory location
- Enable <Digest Authentication> (for Windows users)
- Review the account privileges and click <Create>
Edit new and existing accounts under the <Manage Additional Web Disk Accounts> heading
Download and install connection script
Once your account is created you can edit properties, change passwords, and download connection scripts for that account. Distribute connection scripts to users or devices that need connecting to the account.
To install the installation script, click on the downloaded file and follow the prompts. When you enter your login credentials you will need to enter the full syntax for the account (e.g. marketing@my-server-name, not “marketing”). This will connect you to your web disk account on your web server. In future, you will find a link to your Web Disk account in File Manager or Finder.
Your server can generate connection scripts that you can install on devices to create a permanent connection to files from computers and mobile devices.
If you are connecting to multiple folders, download a script for each account. Also, if you are the web site owner, you have automatic privileges to all directories on your server.
Create file links for email
Today, organizations send file attachments using links. Email file attachment links:
- reduces email storage costs
- reduces bandwidth usage
- helps control file version problems
- reduces the risk of emails being rejected by recipients who restrict file attachment sizes.
As email users and storage increase over time, organizations of all sizes have to deal with bloat. So it is important to establish a policy to address this looming problem. There are options to do this with Webdisk and add-on software.
Enable file sharing permissions individually
To grant an email recipient access to a linked file, access Webdisk using cPanel File manager, right clicking on a file and changing permissions to 644 and finally right clicking on the file to get a direct link to paste into your email. This is less tricky than it sounds. However, making files publicly accessible over time poses problems over time and may not be suitable for GDPR compliance.
Enable file-sharing permissions at directory level
Files for email attachment can also be stored in a public directory which can be created with 755 permissions. This kind of directory could be called “email attachments” or “shared with everyone. Since sharing permissions are already established, it only remains for a user to get the file link to include in an email. Also, directory contents can be reviewed over time to deal with compliance issues.
Third party add-ons and Webdisk customization
You can use third party apps like Cyberduck to extend Webdisk’s finctionality to include more streamlined file links and more. Also, link expiration policies can be set at server level to control data loss or leakage. Please contact us for help with Webdisk customizations.
Summary
Web Disk provides a simple centralised file management system. Using Linux “user” privileges, you can create a directory hierarchy to manage user or device access to “departmental” files.
Web Disk does not natively provide multi-user real time editing or document version options. You can use add-on software to improve functionality. You may need to develop an in-house system to notify workgroup users when a file they may want to edit is already being edited by another user. As files become more widely shared and/or users need to collaboratively edit documents, consider Microsoft 365 to address workgroup needs.
Web disk might be a good way to back up files stored on premises. However, if Web Disk is your primary file location, be aware that backup remains your responsibility and you should implement a workflow within your GDPR documentation to manage backups.
For expert help about Webdisk, and fully supported management please contact us.
How to back up your web server with cPanel
Backup vs Backup Wizard
Use our cPanel utilities to backup and restore web site data content, databases, and other data on your web server.
cPanel backup utility provides workflows for backing up and restoring web site and email content
Using cPanel’s Backup utility, you can select from data sets we have already backed up and download the files to your local drives for safekeeping.
Using cPanel’s Backup Wizard utility, you can design your own backups. You can backup some or all or your content. Also, you can backup incremental backups which are useful when you only need to backup minor changes since your last full backup. You can store your files locally, restore them to your server, and you can use the content when migrating to a new server.
Click on the headers below to find out how to use cPanel Backup and Backup Wizard. Click on images to view full size.
Download Backups using cPanel Backup
og into your web server’s control panel – we call it cPanel. You can find how to log into your services from the web server data sheet we have provided you with.
At your cPanel dashboard, either search for Backup or scroll to the section called Files and click on the optin called Backup.
About cPanel Backup
cPanel BAckup lists backups that are already made and stored on your web server. These are available in a pulldown list, including full and partial backups, that you can download. The list includes backups that we have executed as we deal with daily mantenance. You can download these backups,
Export backup from server
We recommend that you download backups to your local drives, and you can find help for copying backups at datacneter speeds to Google Drive, OneDrive, Dropbox, etc. Also, to conserve space and improve web page delivery speeds, not that we rotate backups so that (at time of writing we only maintain the two latest backups.
About Restore
In cPanel Backup, there is an option to restore backups. If you are resroting full and partial backups, be aware that you should restore data sets in date order, starting with the earliest date stamp.
Create backups and restore with Backup Wizard
Use cPanel Backup Wizard to create and download backups. Also, you can restore backups using this option.
Backup Wizard – more options
Backup Wizard offiers more granularity, giving you the option to select individual data sets, like your WordPress site, or your MySQL database which attaches to your WordPress site, or your email. Also, you can execute partial backups if changes that you have made to your web site are minimal.
Using Backup Wizard you can create your own backup profile. Downloading files that we have created may limit what you are able to do.
Summary
cPanel’s backup utilities have proven to be reliable, however a lot of things can go wrong with backups. Your server might backup files accurately, but the data could be corrupted as it is saved because of a power brownout. Or, data might be damaged in transit as the data set is transferred elsewhere. So, although we take “snapshots” of your web site, they are not guaranteed, and we only keep update that are current over the last 2-4 weeks.
Therefore, you should only rely on our working backups as part of your risk management. Professionals use an array of tools to provide duplication and/or availability. In some case, professionals mirror two or more geographically remote servers to cover a primary server failure. In some cases, this is economical and we can implement these kinds of services.
You can protect against a single point of failure failure by developing a strategy which covers two or more methods to secure data. For instance, your web designer may keep backups. Usually these conserve work in progress so that there is a “last known working state”. You might need to maintain a longer history of backups.
Your web designer will be glad to discuss backup strategies with you because you might mutually and economically share utilities and avoid extra cost. Also, we are always glad to help if you do not have a professional developer but need advise about strategy and products.
Microsoft Outlook Categories
Microsoft Outlook's "Categories" Feature
Use Microsoft 365 Categories to organize and manage your Outlook email, calendar, contacts, and tasks.
Tag your Outlook content with Categories to visually distinguish projects and priorities with colour-coded tags to visually differentiate content at-a-glance.
Find things fast with Categories
Categories help you visually target important content in your ever-growing email folders, calendars, and more. Also, you can search across Outlook for emails, events, and tasks that are tagged with the same category. Used in a well planned scheme, you can use categories to filter an Inbox to create virtual folders on demand. This avoids duplicated content in unwieldy folder structures which leads to broken email threads and lost attachments.
Click on the headers below to find out how to create and customize your categories. Click or tap on images to see in full screen.
What are categories for?
Outlook Categories help you organize and manage email, contacts, calendar events, and tasks. For instance, instead of moving or copying emails to folders, you can keep emails in your Inbox and tag emails with categories. This way, you can filter your Inbox on demand to show one or more categories.
Categories reduce confusion
In situations where an email is saved in two folders which might lead to multiple email threads for the same message, it is more efficient to keep the original email in your Inbox and assign two categories to that email.
Using tags you can:
- create category names and colours
- tag and group related emails
- organize your calendar events by type, such as meetings, personal appointments, or deadlines
- group your contacts as family, friends, colleagues, or clients
- organize your tasks by project, priority, or status
Enter the name of a category you want to filter in “search” and turn your Inbox into a dynamically generated folder which lists activty associated with the tag. e.g all items tagged with “Brian” in this screenshot.
Categories are usually used at an individual level. However A shared email account would rely on categories established for that account. Uniform categories can be established at an organizational level. This requires adminstrator-level knowledge.
How to create and manage tags
Use this workflow to start creating and customizing your tags:
- create a new email in Outlook
- click open the <Categories> dropdown list.
Outlook always lists a few categories. These are intended as a starting point. In the illustration below notice that there are user-defined categories instead of the defaults. This means Outlook’s original categories have been customized, and new categories added to the user’s library. Notice towards towards the bottom of the list the options for creating, edit, and showing categories. Click on <New category> to create a new category.
Use <all categories> to view categories. You can use the <search> field at the top of the dropdown box to pinpoint categories. Once you create a category, the same tag can be used in Email, Calendar, Contacts, and Tasks.
Editing and managing categories
You can edit existing tags to change names and colours. In any email composition and calendar event windows, pull down the <categories> dropdown menu and click open <Manage categories>. Her you can “fave” categories, and you can click on the pencil icon to edit category properties. In the image below, clicking on the pencil in the DNS/web row would open the properties for that category.
Planning Categories
Exit strategies matter. Plan a structure for your categories to avoid duplication and confusion. Unchecked, category libraries can become so large that users forget what categories they already have.
For instance, if you are tagging customers, it might makes sense to have a category for “customer”, but also a drill-down or sub-heading category called “customer”-“customer surname-initials”. For example, a <heading>-<sub-heading> category might look like:
- customer-smith-a
This way “customer” is a global header, and the other fields are sub heading. Organising a strategy for categories helps you manage your list as it grows. This can be likened to departments, which is a common feature in charts of accounts.
Summary
Outlook Categories add a flexible and visual way to keep your Outlook items organized, making it easier to manage and search your communications and schedules as your database grows.
Categories are intended for individual use, but organizations might opt to have individual users follow a common colour-coding theme and defined list defined by a manager to adopt in their own instance of Outlook. Categories can be established at organizational level. This requires administrator level implementation.
How to backup your Microsoft 365 Authenticator credentials
Backup Microsoft Authenticator settings
Backup and restore your Microsoft 365 multi-factor authentication (MFA) credentials to restore access to 365 dashboards in the event of a lost or stolen mobile phone.
This option is especially useful for 365 tenancy owners/global administrators. For example, if you are a 365 tenancy owner/Global Administrator (global Admin) then you cannot turn to a higher authority to re-establish credentials if your credentials are lost.
Click on the headers below to find out how to backup Microsoft Authenticator on Apple and Android mobile phones.
Why backup has to be configured
Microsoft Authenticator data is not included in iCloud and Android mobile phone backups because the security keys are critically sensitive. Instead, you can organize Authenticator data backups in Microsoft Authenticator app settings. Authenticator backups can then be saved to Google Drive/iCloud, however you have to be verify identity against a Microsoft account to validate your identity when restoring credentials.
Microsoft Account vs Microsoft 365 account
You need a Microsoft account to backup and restore Microsoft Authenticator credentials. A Microsoft account and a Microsoft 365 account are two different entities. Without a Microsoft account you cannot back up your 365 credentials.
If you have a Microsoft account, but you have fogotten your credentials, you may need to establish a new Microsoft account. Do not lose the credentials to your Microsoft account. If you forget these credentials, you will not be able to connect Microsoft Authenticator on a new mobile phone to restore your settings. This would be catastrophic, so be sure to document your Microsoft Account credentials.
How to backup Microsoft Authenticator
Use the steps below to configure backup in Microsoft Authenticator settings. The process may vary from notes here because Microsoft updates its processes periodically. Also, the process might vary depending on your mobile phone hardware and operating system. Either way, prompts are not difficult to follow. These tips will steer you in the right direction:
- Open Microsoft Authenticator on your mobile phone
- Access Settings: Tap the three vertical dots at the top right corner and select <Settings>
- Enable <Backup>*
- Depending on your hardware, provide your Microsoft Account credentials if/when asked**
* Apple users will need to be sure Authenticator is logged in to iCloud.
** In some cases, users may already be logged in to existing Microsoft Accounts, however the backup process will direct you to provide credentials as necessary.
Recovery & Summary
To recover your credentials, install Microsoft Authenticator on your new mobile phone. Usually, the <Welcome> screen offers an option to <Begin Recovery>. This option depends on your hardware and software versions. The process is a little different for Apple and Android users, and is easily executed provided you have the credentials for iCloud/Google account, and your Microsoft Account.
You should periodically check Authenticator backup settings to verify backups are current. Authenticator app settings will confirm when your credentials were last backed up.
Authenticator offers options in settings to override Android or Apple screen-lock defaults. Also, some Apple and Android versions may need Authenticator enabling to run in the background. This can be checked in Authenticator settings.
Summary
Tenancy owners and global admins do not have scope to resort to a higher authority to restore access to a 365 dashboard if their mobile phone is lost or destroyed. Therefore it is crucial to your organization’s IT continuity to protect your access settings to 365 Admin. Microsoft Authenticator enables you to restore existing credentials which cannot otherwise be found in Android and Apple backups.
For help, contact us using WhatsApp via our web site, or by phone.
Configure DMARC using cPanel
Authenticate outgoing email with DMARC
Use DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an important tool that business email users need to help protect your domain name from being used for email spoofing. Without DMARC, email that you send can be dropped by a receiver’s email server before reaching that user’s Inbox.
Click on the headers below to follow our guide to obtain a DMARC record using cPanel WHM and then post your DMARC record in your domain name’s zone record at your domain registrar. Click on images to see in full resolution.
How to prepare
DMARC is already enabled on your web server. DMARC builds on DKIM and SPF, so before implementing DMARC, be sure to implement DKIM first.
Before starting, you will need to understand where your domain name is managed. If your domain name is held at a domain name supplier using their nameservers, you will need to create DMARC records in the zone record at your supplier. If you own the domain, but we hold it in our management portfolio, then you might only need to make amendments in cPanel which will make things easier.
Therefore, before you proceed, prepare as follows:
- if in doubt, check with us where your records need modifying
- find your cPanel login credentials from our server information sheet
- (optionally) find the login credentials for your domain name supplier
We recommend you add a DMARC record to your domain name’s zone record which initially operating DMARC in test mode. Our workflow is therefore set out to accomplish this preliminary objective.
Making adjustments to your domain name’s zone record requires exacting language and sytax. A missing character can cause a web site to cease functioning and disable your email. Nor can you test it – changes made have effect in real time. Be sure to copy records before overwriting “last known working” states.
We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services – ask for help.
Step-by-step instructions
Follow these instructions caefully. Each step is important. Missing characters like colons, semi-colons, and spelling mistakes can cause a lot of work.
1. Log in to cPanel:
- open your web browser
- enter your cPanel URL (e.g., https://yourdomain.com:2083)
- log in with your cPanel credentials
2. Navigate to <Zone Editor>
- in cPanel dashboard, scroll to <Domains> section
- find and click open <Zone Editor>
3. Look for a DMARC Record:
- in Zone Editor, find the domain you want to check
- click <Manage> next to the domain
- look for a TXT record with the name: _dmarc.yourdomain.com
- if you do not see one, you will need to create it
4. Create or Modify a DMARC Record:
- if you need to create a new DMARC record, click <Add Record>
- choose <TXT Record> from the <+Add> dropdown list
- in the <Name> field, enter: _dmarc
- in the <TTL> field, leave the default value
- in the <Type> field, select: TXT
- in the <Record field>, enter your DMARC policy. For now, use:
• v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; pct=100 - for <mailto:> substitute your preferred email address• see notes below
- select and copy the record field to clipboard or notepad. You will need this later
5. Save the DMARC Record:
- Click <Save Record> to apply the changes
6. Log in to Your Domain Registrar:
- in a new browser window, go to your domain registrar’s website
- log in with your credentials
7. Access DNS Management:
- find the DNS management or zone file settings
- this section allows you to add or edit DNS records
8. Add the DMARC Record you created in steps 4 and 5 above:
- Add a new TXT record
- in the <Name> field, enter: _dmarc
- in the <Value> field, paste the DMARC policy you created and copied earlier in cPanel
- Save the changes
9. Verify the new DMARC record:
- Use online tools like MXToolbox to verify your DMARC record
- Check for typos like missing colons or spaces, or inaccurate spelling
Notes:
DMARC is a technology that operates on a few levels. The record we gave an example for you to use above is for a DMARC policy that shows DMARC is enabled, but not reactive (p=0). The record can be modified to p=quarantine and p=reject which cause emails that fail a test to be either quarantined or rejected by a receiver. In some circumstances like emails sent to a mailing list, values for sp and pct can also affect how your outgoing email is received.
By using policy p=0 and establishing the email address of the person you want to receive DMARC reports, you have a minium valid record. Once this tests positive, consider upgrading the policy to p=quarantine.
Summary
DMARC builds upon existing protocols like SPF and DKIM to help domain name owners specify how their organisation’s emails should be treate by receiving email servers that fail authentication checks. This is important because it helps to prevent a malicious party from attempting to use your email addresses to purport to be you using spoofing and phishing attacks. Consequently, DMARC can be configured a number of ways.
Making adjustments to your domain name’s zone record requires exacting language and syntax. A missing character can cause a web site to cease functioning and disable your organisation’s email. Nor can you test a modification first – changes made have effect in real time.
Expert help available
We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services. We can turn modifications in minimal time at reasonable cost while saving you from risk of web site and email disruption – please ask for help if in doubt.
cPanel email account considerations
cPanel and email accounts
cPanel’s standard web server configuration includes a Webmail and integrated calendar calendar system. This utility is provided as-is. Email is a problematic technology. Support may be subject to charges for problems like disk space overruns, IP blacklisting, and other disruptions if you have not arranged for ongoing support.
Your web server has primarily been optimized for WordPress and supporting MySQL database functionality. Be aware that problems with email may affect your server’s ability to deliver web pages. If you intend to operate more than two or three email addresses you should really use a platform like Microsoft 365 which copes with business needs better than this service can.
Lastly, there are some technologies that you need to activate within cPanel to condition your service for commercial operation. This article explains some things you can do to improve “trust” and meet standards that your suppliers require.
Click on the headers below to read more about important email considerations.
Email is a complex technology
Email is a problem for organizations of all sizes. Email consumes ever-increasing storage. Also extra security features are necessary to pass scrutiny of email gateways at banks and other important suppliers. Without these utilities in place there is a risk that important emails might not reach their destination.
As businesses grow, increasing in-house management means it becomes cost-effective to migrate email to a platform like Microsoft 365. This way, email services are constantly improved behind the scenes by the people who help dictate the conditions for email logistics worldwide.
Organizations that need to cater for multiple email accounts should consider Microsoft 365, whose “out-of-the-box” platform (Exchange) is the overwhelming solution of choice for commerce, public sector, and military. Microsoft 365 scales to the needs of global enterprises, whereas cPanel does not scale well. Also, 365’s nominal cost obviates unknown costs that organizations might incur with “self-serve” solutions.
Planning - email storage
Your web server is designed to deliver web pages promptly. As your historical email volume grows over time on your web server, resources will be increasoingly re-directed to manage email. This is one reason why most businesses use different equipment to manage web and email services.
Storage – how much?
Microsoft 365 provides 50GB expandable mailbox limits for individual accounts. This is not realistic for a web server that is designed for web page delivery. Without hardware upgrades, we recommend that email accounts should be limited to 3GB -5GB.
Attachments – links save disk space
Even at Microsoft’s larger scale, file attachment are limited to 15MB by default. This is because large files cause network congestion and rapidly increasing mailbox sizes. Organizations have learned to use file distribution via email with permission-enabled links to files stored elsewhere. This leaves large files out of the equation for email disk space and it is GDPR-compliant. We recommed that you adopt a similar approach to conserve mailbox space. cPanel can be configured to limit file attachment sizes, but this requires intervention by us to configure your hardware. Please contact us for help.
Long term storage – archiving
Archiving is not available in cPanel email accounts. Microsoft 365 is capable of compressing email that is archived. Also, Microsoft enables network admins to prevent accidental or malicious deletion of email which is not possible in cPanel.
Email validation - configuration
Modern email gateways perform a number of tests and scores to validate every email intended for receipients within its network. The principal security tests are SPF, Reverse DNS, DKIM, and DMARC. These tests are important because they help build a picture for receipients that verify that you are a legitimate sender and that the content in the message you have sent has not been altered or replaced between end-points.
cPanel can diagnose and recommend patchs to improve your email validation tools.
Without these four services, there is a risk that email can be rejected by organizations like banks, suppliers, and customers. Click on the links to find out more about each technology/protocol.
SPF
SPF is enabled by default in cPanel. You do not need to update your server.
Reverse DNS
Reverse DNS technology is installed in cPanel by default, however its functionality depends on where your domain name’s authoritative zone record is stored. If the zone record is established on your web server, the protocol’s record is determinative in that zone record. If your domain name’s zone record is managed at a domain name registrar, you will need to review and probably edit your record. The syntax for this record, including the correct IP address, is available in cPanel email configuration. Reverse DNS is important. because other technologies like DKIM and DMARC depend on Reverse DNS.
DKIM
DKIM was introduced worldwide in early 2025. The technology is installed on your server, but your domain name’s zone record needs to be modified for the protocol to work. This cannot be performed automatically, and therefore your domain name’s authoritative zone record has to be modified. cPanel provides the record that you need to add, however domain name zone records are notoriously fragile. Accidental corruption of a domain name’s zone record can crash your web site and associated services for up 72 hours. So, you should contact us for help.
DMARC
DMARC is another technology that is enabled in cPanel but requires implementation in your domain name’s authoritative zone record. Also, the security can be incremented in steps according to your zone record’s syntax. So, DMARC needs manually configuring. We recommend using DMARC in “test” mode initially.
Email is an evolving technology and industry standards change over time to respond to threat. cPanel email is provided as-is, so it is your responsibility to configure email services unless we provide support for your email environment. Please contact us for help with implementation.
Shared address book/calendar
You can centralize contacts in a centralized address book which can be accessed by all email account users. This is referred to as a system managed address book and it is equivalent to Microsoft 365’s Global Address Book. This is a GDPR compliant feature and is encouraged because it provides all users with a single point of contact for internal and external organizational contacts. Also, it reduces the risk of data leakage because it enables you to ringfence business contacts from employees’ personal address books.
To add or edit contacts, login to your webmail account, open contacts, and look for the address book called cPanelCardDav. Each email accont holder will see this address book in their contacts page.
Similarly, a shared calendar is available in Webmail calendar as cPanel CalDav Calendar.
IP blacklisting and email blocks
When sufficient emails from an email account in your organization fails a security tests as it transits the Internet, public authorities like Symantec can blacklist your server’s IP address and cause email associated with your domain name to be dropped before email reaches its destination. This is catastrophic. It can take hours to understand the nature of the problem, and it can take 72-96+ hours to purge your blacklisting. Meanwhile, you cannot send email.
Microsoft 365 and Google Workspace measure outgoing email forensically before it is released in public domain, and customers’ email servers are programmed “out-of-the-box” with toolsets that allow suspicious activity to be reconciled before corrupt email hits the public domain.
Be aware that if you are using cPanel email without support,restoring services in the event of blacklisting is not subject to an SLA and may incur charges. Also, blacklistings may compromise web site performance and SEO rankings.
Summary
cPanel email accounts can be configured with protocols like those listed above to help secure email efficacy. Also, cPanel’s email module supports calendar sharing and shared address books. A centralised address book is a fundamental GDPR component.
There are several issues like data leakage and malicious deletion which are beyond the scope of this article that cPanel does not natively provide for. If you are considering using cPanel email accounts at an organizational level, bear in mind that Microsoft 365 and Google Workspace assume these obligations for minimal cost and save you from managing this complex technology yourself. This saves an organization a lot of effort and trouble.
Lastly, by separating email and web servers, the risk of losing both services simultaneously in the event of one component failing is minimized.
Configure DKIM in cPanel
Verify outgoing email with DKIM
Use DKIM (DomainKeys Identified Mail) to reduce the chance of your users’ outgoing emails ending up in customer/supplier Spam or Junk folders.
Click on the headers below to follow our guide to configure DKIM using cPanel WHM and post your DKIM records in your domain name’s zone record at your domain registrar. Click on images to see in full resolution.
How to prepare
DKIM is already enabled on your web server. However, the service needs to be implemented. This is because the verification process requires checking a unique DKIM record which only you can add to your domain name’s “phone book” – we call the phone book a zone record. If we have ongoing access to your domain name, we would take care of this as part of the support we provide.
Before starting, you will need to understand where your domain name is managed. If your domain name is held at a domain name supplier using their nameservers, you will need to create DKIM records in the zone record at your supplier. If you own the domain, but we hold it in our management portfolio, then you might only need to make amendments in cPanel which will make things easier.
Therefore, before you proceed, prepare as follows:
- if in doubt, check with us where your records need modifying
- find your cPanel login credentials from our server information sheet
- (optionally) find the login credentials for your domain name supplier
We are able to manage domain names on behalf of clients. Domain name management is a critical function and unwitting errors can cause email and web site failure. If you are nervous about dealing with this technology, we can provide admin support – ask for help. For instance, if you do not have in-house expertise, we can take administrative custody of your domain to manage these kinds of jobs.
Step-by-Step instructions
1. Log in to WHM:
- Open your web browser.
- Enter your WHM URL (e.g., https://your-server-ip:2087).
- Log in with your root credentials.
2. Access the DKIM Settings:
- In the WHM dashboard, search for <Email>.
- Click on <Email Deliverability>.
3. Select the Domain:
- Choose the domain you want to configure DKIM for.
- Click <Manage> next to the domain.
4. Enable DKIM:
- In the DKIM section, click <Install the Suggested Record>.
- WHM will automatically generate the DKIM record.
5. Copy the DKIM Record:
- After generating the DKIM record, you will see a TXT record.
- Copy the entire TXT record, including the v=DKIM1; part.
6. Log in to Your Domain Registrar:
- Open your domain registrar’s website.
- Log in with your credentials.
7. Access DNS Management:
- Find the DNS management or zone file settings.
- This section allows you to add or edit DNS records.
8. Add the DKIM Record:
- Add a new TXT record.
- In the Name field, enter the selector and domain (e.g., default._domainkey.yourdomain.com).
- In the Value field, paste the DKIM record you copied from WHM.
- Save the changes.
9. Verify the DKIM Record:
- Go back to WHM.
- In the <Email Deliverability> section, click <Manage> next to your domain.
- Click <Check> to verify the DKIM record.
10. Test Your DKIM Setup:
- Send a test email to ensure DKIM is working.
- Use online tools like DKIMValidator to check if your email passes DKIM checks.
Tips for Non-IT Users
- Take Your Time: Follow each step carefully.
- Ask for Help: If you get stuck, don’t hesitate to ask your registrar’s support team.
- Double-Check Entries: Ensure there are no typos in the DKIM record.
Summary
Business users do not have a lot of patience when it comes to email, and not a lot of people check Spam or Junk occasionally if at all. Email that is lost in this way costs business so DKIM, along with SPF (automatically configured for you already, DMARC, and Reverse DNS are necessary utilities for providing resilient email delivery.
Making adjustments to your domain name’s zone record requires exacting language and syntax. A missing character can cause a web site to cease functioning and disable your organisation’s email. Nor can you test a modification first – changes made have effect in real time.
Expert help available
We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services – we can turn modifications in minimal time at reasonable cost and while saving you from risk of web site and email disruption – please ask for help if in doubt.
Configure Reverse DNS (RDNS)
Reverse DNS
Reverse DNS, also called rDNS, is used by email servers to verify that email has arrived from a valid server before allowing incoming email into a network. point. rDNS is crucial for email deliverability and server reputation. For instance, web site contact forms often fail because Reverse DNS is not configured properly and emails are dropped before reaching a web site owner’s Inbox. This is why SPF, rDNS, DKIM, and DMARC are so important in business email.
Folder colours help you pick out important locations in long lists. Also, you can colour-code folders to distinguish between content.
Click on the headers below to follow our guide to record a Reverse DNS/PTR record in your domain name’s zone record at your domain registrar. Click on images to see in full resolution.
How to prepare
If your DNS is managed using nameservers at a domain name registrar, you will need to create a Reverse DNS/PTR record in the zone record where you keep your domain name. If your domain name operates using our nameservers (i.e. ns1.namesfirst.net) you only need to check your zone record in cPanel by pointing to Domains > Zone Editor to determine if a record needs establishing.
Therefore, before you proceed, prepare as follows:
- if in doubt, check with us where your records need modifying
- find your cPanel login credentials from our server information sheet
- (optionally) find the login credentials for your domain name supplier
If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services – ask for help.
Step-by-step instructions
This workflow assumes that your domain name is managed at the domain name registrar where you manage and renew your domain name. If you are unsure where your DNS zone is managed, contact us.
1. Understand Reverse DNS:
- rDNS maps an IP address to a domain name
- It’s the opposite of the usual DNS lookup
2. Find out your web server’s IP address:
- your server’s IP address in displayed in your cPanel home page (usually towards upper right)
- make a note of the address
3. Log in to your domain name supplier:
- raise a support ticket asking for rDNS and providing the following:
- the IP address you noted in 2 above
- the PTR value for the PTR field – usually, this would be mail.yourdomain.com
- if your supplier asks for more information – there are a few ways to create this record
- expect up to 24 hours for the record to work
4. Verify rDNS:
- use a resource like MXToolbox to verify your IP address resolves to mail.yourdomain.com
- if necessary, follow up with your ISP
Summary
Reverse DNS is an important tool that remail servers rely on to verify that email you send is recognized as valid. Without this validation, you may send email that is rejected or dropped before it reaches a recipient’s Inbox.
Making adjustments to your domain name’s zone record requires exacting language and syntax. A missing character can cause a web site to cease functioning and disable your organisation’s email. Nor can you test a modification first – changes made have effect in real time.
Expert help available
We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services. We can turn modifications in minimal time at reasonable cost while saving you from risk of web site and email disruption – please ask for help if in doubt.