Configure DMARC using cPanel

by | Apr 12, 2025

Authenticate outgoing email with DMARC

Configure DMARC (Domain-based Message Authentication, Reporting, and Conformance) to help protect your domain name from being used for email spoofing. Unless you configure DMARC, email that you send can be dropped by a receiver’s email server before reaching that user’s Inbox.

dmarc txt record using cpanel

Click on the headers below to follow our guide to obtain a DMARC record using cPanel WHM and then configure your DMARC record in your domain name’s zone record at your domain registrar. Click on images to see in full resolution.

How to prepare

DMARC is already enabled on your web server. DMARC builds on DKIM and SPF, so before implementing DMARC, be sure to implement DKIM first.

Before you configure DMARC in your domain name’s zone record, you will need to understand where your domain name is managed. If your domain name is held at a domain name supplier using their nameservers, you will need to configure DMARC records in your domain name’s zone record at your supplier. If you own the domain, but we hold it in our management portfolio, then you might only need to make amendments in cPanel which will make things easier.

Therefore, before you start, prepare as follows:

  1. if in doubt, check with us where your records need modifying
  2. find your cPanel login credentials from your server information sheet
  3. (optionally) find the login credentials for your domain name supplier

We recommend you add a DMARC record to your domain name’s zone record which initially operates DMARC in test mode. Our workflow therefore is designed to accomplish this preliminary objective.

Making adjustments to your domain name’s zone record requires exacting language and sytax. A missing character can cause a web site to cease functioning and disable your email. Nor can you test it – changes made have effect in real time. Be sure to copy records before overwriting “last known working” states.

We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services – ask for help.

Step-by-step instructions

Follow these instructions caefully to configure DMARC and activate the service. Each step is important. Missing characters like colons, semi-colons, and spelling mistakes can cause a lot of work.

1. Log in to cPanel:

  • open your web browser
  • enter your cPanel URL (e.g., https://yourdomain.com:2083)
  • log in with your cPanel credentials

2. Navigate to <Zone Editor>

  • in cPanel dashboard, scroll to <Domains> section
  • find and click open <Zone Editor>

3. Look for a DMARC Record:

  • in Zone Editor, find the domain you want to check
  • click <Manage> next to the domain
  • look for a TXT record with the name: _dmarc.yourdomain.com
  • if you do not see one, you will need to create it

4. Create or Modify a DMARC Record:

  • if you need to create a new DMARC record, click <Add Record>
  • choose <TXT Record> from the <+Add> dropdown list
  • in the <Name> field, enter: _dmarc
  • in the <TTL> field, leave the default value
  • in the <Type> field, select: TXT
  • in the <Record field>, enter your DMARC policy. For now, use:
    • v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; pct=100
  • for <mailto:> substitute your preferred email address• see notes below
  • select and copy the record field to clipboard or notepad. You will need this later

5. Save the DMARC Record:

  • Click <Save Record> to apply the changes

6. Log in to Your Domain Registrar:

  • in a new browser window, go to your domain registrar’s website
  • log in with your credentials

7. Access DNS Management:

  • find the DNS management or zone file settings
  • this section allows you to add or edit DNS records

8. Add the DMARC Record you created in steps 4 and 5 above:

  • Add a new TXT record
  • in the <Name> field, enter: _dmarc
  • in the <Value> field, paste the DMARC policy you created and copied earlier in cPanel
  • Save the changes

9. Verify the new DMARC record:

  • Use online tools like MXToolbox to verify your DMARC record
  • Check for typos like missing colons or spaces, or inaccurate spelling

Notes:

DMARC is a technology that operates on a few levels. The record we gave an example for you to use above is for a DMARC policy that shows DMARC is enabled, but not reactive (p=0). The record can be modified to p=quarantine and p=reject which cause emails that fail a test to be either quarantined or rejected by a receiver. In some circumstances like emails sent to a mailing list, values for sp and pct can also affect how your outgoing email is received.

By using policy p=0 and establishing the email address of the person you want to receive DMARC reports, you have a minium valid record. Once this tests positive, consider upgrading the policy to p=quarantine.

Summary

DMARC builds upon existing protocols like SPF and DKIM to help domain name owners specify how their organisation’s emails should be treate by receiving email servers that fail authentication checks. This is important because it helps to prevent a malicious party from attempting to use your email addresses to purport to be you using spoofing and phishing attacks. Consequently, you can configure DMARC a few ways.

Making adjustments to your domain name’s zone record requires exacting language and syntax. A missing character can cause a web site to cease functioning and disable your organisation’s email. Nor can you test a modification first – changes made have effect in real time.

Expert help available

We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services. We can turn modifications in minimal time at reasonable cost while saving you from risk of web site and email disruption – please ask for help if in doubt.

Why Authoritative Nameservers Matter for Your Web Hosting Setup

by | Feb 8, 2025

Introduction

Use this article to understand how a domain name relies on authoritative namservers to connect web site viewers and email users to your web server. This article is intended for Comstat.uk clients who have bought domain names elsewhere who intend to maintain the domain names in their own portfolios. This requires more client input and can delay restoration of services in the event of outages.

If you maintain your domain names within ComStat.uk’s management portfolios we can provide streamlined support because we can access your domain names’ zone records 24/7 without recourse to clients. This means we can fix authoritative nameservers without reverting to you.

For instance, in the event of an outage while you are away on holiday, or you cannot access your domain name control panel because you have no phone signal to handle 2FA, your web site service could be disrupted until someone can get to your domain name control panel to resolve problems. So, it is important to understand how your authoritative nameservers operate and who is repsonsible for the dashboard that manages them.

Click on the headers below to find out about how to decide where to locate your authoritative nameservers. Click on images to view at full-sized resolution.

What are Authoritative Nameservers?

Authoritative nameservers hold the definitive records for a domain name that operate your email, website availability, and other services. Conventionally, two or more authoritative nameserves are in operation in case one server fails. Authoritative nameservers answer queries about domain names with the most accurate and up-to-date information about your web site, email server, and more.

For instance, if you want to send an email, your computer has to find your authoritative nameserver to find out how to send your outgoing email. Also, it has to find where to send the email. Lastly, the receipient’s email server has to verify that email is legitimate, so it is critically important that your authoritative nameservers are operational and capable of demonstrating a good “score”. If your authoritative nameservers are not recognised and do not achieve adequate safety metrics, your emails will be dropped or sent to spam.

Authoritative nameservers work behind the scenes to translates domain names (like comstat.uk) into IP addresses (like 192.0.2.1). To read this article, your computer had to find where the web server was that hosts the page you are reading. Often, a web site operates from one server, and email from another. Authoritative nameservers define where your services are established. 

Using a domain name supplier's Authoritative Nameservers

When you buy a domain name your domain name supplier will provide standard authotitative nameservers which point to your domain name’s “zone record” – a phone book – which describes where your web site is, and where your email server is. Also, it provides room for you to define records to help prove that your email is legitimate and many more things. It is important that it is secure, and safe from malicious hijack. 

 

Pros:

  •  Reliability – good security, robust global availability

Cons:

  • Limited control – limited customization options
  • Dependency – you rely on the registrar for DNS management
  • Manual entries – records have to be transcribed from your cPanel zone record (e.g. webmail.domainname.com)
  • Complexity – different suppliers adopt differing methodologies for scripting records
  • Resolution – some suppliers take up to 72 hours to resolve DNS
Using your web server for Authoritative Nameservers

When you use your web server as your authoritative nameservers, you modify records at your domain name supplier so that your web server become your authoritative nameservers. This is easy to do: you replace the standard nameservers in your domain name’s control panel with your web server’s nameservers which we will establish for you. For instance, we use nameservers like ns1.namesfirst.net and ns2.namesfirst.net. Once the nameservers are modified, all records dealing with your web site, email, webdisk, etc., are handled via cPanel.

 

Pros:

  • Control – you/we can make changes instantly
  • Integration – seamless integration with your email, web site, etc.
  • Customization – you can tailor DNS to specialized needs
  • SSL – cPanel can automatically align SSL certificates with your web server

Cons:

  • Security – teh onus is on the web server owner to protect against intrusion
Summary - which one?

Entry level web hosting services do not do much more than provide a web site, and email is usually bought as a separate service. As businesses outgrow entry level web hosting, the realities that larger business face become more evident.

If you operate a web site via cPanel which includes email, and you intend to use services like Webdisk and automated SSL, it is probably less effort to use your web server as an authoritative web server.

If you want to provide extra security against a malicious person hacking your authoritative nameserver, consider managing things at your domain name supplier. This will mean copying records from cPanel however, and may limit how your SSL certificate works. Also, our ability to restore services in the event of authoritative nameservers depend on us being able to reach you.

In some cases, we also manage authoritative nameservers for clients at Cloudflare and Microsoft 365. Both provide Enterprise grade suecurity and resiliency. How your email and website are organised influences how we need to deal with your authoritative nameservers.

Without a working authoritative namserver, web sites, email, and more cease to work. So, at some point businesses have to develop in-house skills or outsource help to manage this critical Internet technology.

To discuss how best to manage your domain name and how best to establish your authoritative nameservers, contact us using the WhatsApp link or arrange a convenient time for us tr contact you via our contact page.