Securing Email

There are a few things which can be done on the server level to secure email. This will help with not only making sure that your messages arrive correctly but also that your domain is protected from being blacklisted.

SPF Records

An SPF record is a Sender Policy Framework record. It’s used to indicate to mail exchanges (servers) which hosts are authorized to send mail for a domain. These records are defined using the TXT record type. There’s also an SPF record type, but it’s no longer used.


By Ale2006-from-en - Own work, CC BY-SA 3.0,

We have a separate guide - How to Create an SPF Record in cPanel - which goes into detail on how to create SPF records and configure them in your DNS.


DKIM (DomainKeys Identified Mail) is an email security standard designed to make sure messages aren’t altered in transit between the sending and recipient servers. It uses public-key cryptography to sign email with a private key as it leaves a sending server. Recipient servers then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message hasn’t changed during transit. Once the signature is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.

While DKIM isn't required, having emails that are signed with DKIM appear more legitimate to your recipients and are less likely to go to Junk or Spam folders. Spoofing email from trusted domains is a popular technique for malicious spam and phishing campaigns, and DKIM makes it harder to spoof email from domains that use it.

DKIM uses two actions to verify your messages. The first action takes place on a server sending DKIM signed emails, while the second happens on a recipient server checking DKIM signatures on incoming messages. The entire process is made possible by a private/public key pair. Your private key is kept secret and safe, either on your own server or with your ESP, and the public key is added to the DNS records for your domain to broadcast it to the world to help verify your messages. Let’s dive a little deeper into how DKIM works on servers that are sending and receiving email.


By Ale2006-from-en - Own work, CC BY-SA 3.0,

DKIM can be generated and installed under the Email Deliverability section in cPanel. It's important to note that to correctly install a DKIM record, your server must be the authoritative nameserver.

  1. Log in to your cPanel account.
  2. Click the Email Deliverability icon, located in the Email section.
  3. Click the Manage button, next to the domain you wish to verify.
  4. You'll be able to install the record directly from this area by clicking the Install The Suggested Record button.

SSL on Mail Subdomain

When issuing SSL Certificates for your domain it's important to also cover the mail subdomains. Typically these are in the format of Luckily this is easily handled by either the cPanel AutoSSL mechanism or Let's Encrypt.

AutoSSL certificates can be issued through the SSL/TLS Status section in cPanel. You just need to make sure that your mail subdomains are selected for the certificate to be issued.

The same is true with Let's Encrypt. There will be an area listing the corresponding subdomains under Issue a new Certificate once you click on the Let's Encrypt™ SSL section in cPanel. All that's needed is to click + Issue and a certificate will be installed onto the subdomain.

Once an AutoSSL or Let's Encrypt certificate has been installed onto your mail subdomain you can feel confident that it's more secure.

Was this article helpful?
0 out of 1 found this helpful

Articles in this section

See more
Reclaim Hosting Support Hours
8:00 am - 5:00 pm ET, Monday through Friday
Submit a Ticket
Get a quick and helpful response from the pros.
Need Extra Support?
No problem, we're here to help! Talk to us about Professional Services or custom Service Level Agreements.