Configure DMARC using cPanel

by | Apr 12, 2025

Authenticate outgoing email with DMARC

Use DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an important tool that business email users need to help protect your domain name from being used for email spoofing. Without DMARC, email that you send can be dropped by a receiver’s email server before reaching that user’s Inbox.

dmarc txt record using cpanel

Click on the headers below to follow our guide to obtain a DMARC record using cPanel WHM and then post your DMARC record in your domain name’s zone record at your domain registrar. Click on images to see in full resolution.

How to prepare

DMARC is already enabled on your web server. DMARC builds on DKIM and SPF, so before implementing DMARC, be sure to implement DKIM first.

Before starting, you will need to understand where your domain name is managed. If your domain name is held at a domain name supplier using their nameservers, you will need to create DMARC records in the zone record at your supplier. If you own the domain, but we hold it in our management portfolio, then you might only need to make amendments in cPanel which will make things easier.

Therefore, before you proceed, prepare as follows:

  1. if in doubt, check with us where your records need modifying
  2. find your cPanel login credentials from our server information sheet
  3. (optionally) find the login credentials for your domain name supplier

We recommend you add a DMARC record to your domain name’s zone record which initially operating DMARC in test mode. Our workflow is therefore set out to accomplish this preliminary objective.

Making adjustments to your domain name’s zone record requires exacting language and sytax. A missing character can cause a web site to cease functioning and disable your email. Nor can you test it – changes made have effect in real time. Be sure to copy records before overwriting “last known working” states.

We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services – ask for help.

Step-by-step instructions

 Follow these instructions caefully. Each step is important. Missing characters like colons, semi-colons, and spelling mistakes can cause a lot of work.

1. Log in to cPanel:

  • open your web browser
  • enter your cPanel URL (e.g., https://yourdomain.com:2083)
  • log in with your cPanel credentials

2. Navigate to <Zone Editor>

  • in cPanel dashboard, scroll to <Domains> section
  • find and click open <Zone Editor>

3. Look for a DMARC Record:

  • in Zone Editor, find the domain you want to check
  • click <Manage> next to the domain
  • look for a TXT record with the name: _dmarc.yourdomain.com
  • if you do not see one, you will need to create it

4. Create or Modify a DMARC Record:

  • if you need to create a new DMARC record, click <Add Record>
  • choose <TXT Record> from the <+Add> dropdown list
  • in the <Name> field, enter: _dmarc
  • in the <TTL> field, leave the default value
  • in the <Type> field, select: TXT
  • in the <Record field>, enter your DMARC policy. For now, use:
    • v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; sp=none; pct=100
  • for <mailto:> substitute your preferred email address• see notes below
  • select and copy the record field to clipboard or notepad. You will need this later

5. Save the DMARC Record:

  • Click <Save Record> to apply the changes

6. Log in to Your Domain Registrar:

  • in a new browser window, go to your domain registrar’s website
  • log in with your credentials

7. Access DNS Management:

  • find the DNS management or zone file settings
  • this section allows you to add or edit DNS records

8. Add the DMARC Record you created in steps 4 and 5 above:

  • Add a new TXT record
  • in the <Name> field, enter: _dmarc
  • in the <Value> field, paste the DMARC policy you created and copied earlier in cPanel
  • Save the changes

9. Verify the new DMARC record:

  • Use online tools like MXToolbox to verify your DMARC record
  • Check for typos like missing colons or spaces, or inaccurate spelling

Notes:

DMARC is a technology that operates on a few levels. The record we gave an example for you to use above is for a DMARC policy that shows DMARC is enabled, but not reactive (p=0). The record can be modified to p=quarantine and p=reject which cause emails that fail a test to be either quarantined or rejected by a receiver. In some circumstances like emails sent to a mailing list, values for sp and pct can also affect how your outgoing email is received. 

By using policy p=0 and establishing the email address of the person you want to receive DMARC reports, you have a minium valid record. Once this tests positive, consider upgrading the policy to p=quarantine. 

Summary

DMARC builds upon existing protocols like SPF and DKIM to help domain name owners specify how their organisation’s emails should be treate by receiving email servers that fail authentication checks. This is important because it helps to prevent a malicious party from attempting to use your email addresses to purport to be you using spoofing and phishing attacks. Consequently, DMARC can be configured a number of ways.

Making adjustments to your domain name’s zone record requires exacting language and syntax. A missing character can cause a web site to cease functioning and disable your organisation’s email. Nor can you test a modification first – changes made have effect in real time.

Expert help available

We have decades of experience managing domain names on behalf of clients. If you are nervous about dealing with this technology, we can provide admin support for domain names and ongoing services. We can turn modifications in minimal time at reasonable cost while saving you from risk of web site and email disruption – please ask for help if in doubt. 

Using Authoritative Nameservers for your web server

by | Feb 8, 2025

Introduction

Use this article to understand how a domain name relies on an “authoritative namserver” to connect web site viewers and email users to your web server. This article is intended for Comstat clients so this guidance is aimed at cPanel users who have moved up from entry level retail services.

Click on the headers below to find out about how to decide where to locate your authoritative nameserver. Click on inmages to view at full-sized resolution.

What is an Authoritative Nameserver?

An authoritative nameserver holds the definitive records for a domain name. It answers queries about domain names with the most accurate and up-to-date information about your web site, email server, and more. For instance, if you want to send an email, your computer has to find your authoritative nameserver to find out how to send your outgoing email and verify that the email legitimate.

To do this, an authoritative nameserver translates domain names (like comstat.uk) into IP addresses (like 192.0.2.1). To read this article, your computer had to find where the web server was that hosts the page you are reading.This way, you can operate email from one server, and email from another.

Using a domain name supplier's Authoritative Nameserver

When you buy a domain name your domain name supplier will provide a standard authotitative nameserver which points to your domain name’s “zone record” – a phone book – which describes where your web site is, and where your email server is. Also, it provides room for you to define records to help prove that your email is legitimate and many more things. It is important that it is safe from malicious hijack.

Pros:

  •  Reliability – good security, robust global availability

Cons:

  • Limited control – limited customization options
  • Dependency – you rely on the registrar for DNS management
  • Manual entries – records have to be transcribed from cPanel (e.g. webmail.domainname.com)
  • Complexity – different suppliers adopt differing methodologies for scripting records
  • Resolution – some suppliers take up to 72 hours to resolve DNS
Using your web server as an Authoritative Nameserver

When you use your web server as your Authoritative nameserver, you modify records at your domain name supplier so that your web server becomes the Authoritative nameserver. This is easy to do. It is a simple matter of overwriting the default nameservers with your web server’s nameservers. For instance, we use nameservers like ns1.namesfirst.net and ns2.namesfirst.net. Once the nameservers are modified, all records dealing with your web site, email, webdisk, etc., are handled via cPanel.

Pros:

  • Control – you can make changes instantly
  • Integration – seamless integration with your email, web site, etc.
  • Customization – you can tailor DNS to specialized needs
  • SSL – cPanel can automatically align SSL certificates with your web server

Cons:

  • Security – greater onus on web server owner to protect against intrusion
Summary - which one?

Entry level web hosting services do not do much more that provide a web site, and email is usually bought as a separate service. As businesses outgrow entry level web hosting, the realities that larger business face become more evident.

If you operate a web site via cPanel which includes email, and you intend to use services like Webdisk and automated SSL, it is probably less effort to use your web server as an authoritative web server.

If you want to provide extra security against a malicious person hacking your authoritative nameserver, consider managing things at your domain name supplier. This will mean copying records from cPanel however, and may limit how your SSL certificate works.

In some case, we manage authoritative nameservers for clients at Cloudflare and Microsoft 365. Both provide Enterprise grade suecurity and resiliency.

Without a working authoritative namserver, web sites, email, and more cease to work. So, at some point businesses have to develop in-house skill or outsource help to manage this critical Internet technology.