
SPF, DKIM & DMARC for Google Workspace + cPanel (Complete Guide)


A practical, copy-paste guide for hybrid setups where users send email via Google Workspace and websites/scripts send via cPanel.

 
 

1) Overview

What each record does

SPF: Authorizes which IPs/servers can send for your domain.

DKIM: Cryptographic signature proving message integrity & domain identity.

DMARC: Policy + reporting layer that ties SPF/DKIM to the visible From: domain.

 

Key principle: Alignment

DMARC passes if either SPF or DKIM passes and the authenticated domain aligns with the visible From domain.

 

We recommend strict alignment for strongest protection.

 

Goal for hybrid (Workspace + cPanel): Authorize both systems in SPF, enable DKIM on both, then move DMARC from monitoring to enforcement.
 

2) SPF (Sender Policy Framework)

What to publish: an SPF TXT record at the root (host @).

 

| Directive | Meaning | Why |
|---|---|---|
| include:_spf.google.com | Authorizes Google Workspace MTAs | Required for user mail sent via Gmail/Google |
| ip4:XX.XX.XX.XX | Authorizes your cPanel IPv4 | Required for PHP/Exim mail from your webserver |
| ip6:YYYY:...:ZZZZ (optional) | Authorizes your cPanel IPv6 | Add if mail can originate via IPv6 |
| -all | Hard fail for everyone else | Prevents spoofing from unauthorized IPs |
 
SPF lookup limit: An SPF check allows a maximum of 10 DNS lookups. Avoid stacking too many include: mechanisms or nested providers.
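To see how nested include: mechanisms use up that budget, the added example below (not part of the original article) counts the worst-case lookups for a record. The ZONE data is constructed and stands in for live DNS; all nested record contents are made up.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed TXT data standing in for live DNS. Every record below,
# including the content shown for _spf.google.com, is made up.
ZONE = {
    "yourdomain.tld": "v=spf1 include:_spf.google.com ip4:192.0.2.10 -all",
    "_spf.google.com": "v=spf1 include:nb1.example include:nb2.example "
                       "include:nb3.example ~all",
    "nb1.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nb2.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "nb3.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "crm.example": "v=spf1 include:nb1.example include:nb2.example mx ~all",
    "news.example": "v=spf1 include:nb3.example a:mail.news.example ~all",
    "bloated.example": "v=spf1 include:_spf.google.com include:crm.example "
                       "include:news.example mx a -all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying SPF terms reachable from domain.

    Worst case means no mechanism matches early, so every term is evaluated.
    """
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()      # drop the qualifier
        name, _, arg = term.partition(":")
        if term.startswith("redirect="):
            target = term[len("redirect="):]
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name == "include":
            total += 1 + count_lookups(arg, zone, path + (domain,))
        elif name.split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1                          # ip4/ip6/all cost nothing
    return total

def within_limit(domain, zone=ZONE):
    """True when the record stays inside the 10-lookup budget."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT

if __name__ == "__main__":
    for d in ("yourdomain.tld", "bloated.example"):
        print(d, count_lookups(d, ZONE), "ok" if within_limit(d) else "over limit")
```

A record that goes over the limit is treated by receivers as a permanent SPF error, so the ip4: entry for the webserver stops helping even though it is correct.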
 
 

3) DKIM (DomainKeys Identified Mail)

Publish a TXT record per sender system. Each uses a unique selector (the label before ._domainkey).

 

Google Workspace DKIM

  1. Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email (DKIM)
  2. Generate key: selector google, 2048-bit
  3. Publish TXT: google._domainkey.yourdomain.tld → v=DKIM1; k=rsa; p=…
  4. Click Start authentication after DNS propagates

cPanel DKIM

  1. cPanel → Email Deliverability → Enable DKIM
  2. It creates default._domainkey.yourdomain.tld → v=DKIM1; k=rsa; p=…
  3. Ensure the DKIM d= domain matches your visible From domain for DMARC alignment
 
Why we keep selectors separate: Google and cPanel manage their own keys/rotations. Separate selectors avoid collisions and simplify troubleshooting.
 
 
 

4) DMARC (Policy & Reporting)

Publish a TXT record at _dmarc.yourdomain.tld.

 

| Tag | Options | Recommendation | Why / When not chosen |
|---|---|---|---|
| p | none / quarantine / reject | Start: none → then quarantine → reject | Jumping straight to reject can block legitimate mail during setup |
| sp | same as p | none initially; later reject | Controls subdomains; enforce once you’re confident |
| adkim | r (relaxed) / s (strict) | s (strict) | Relaxed allows subdomain wiggle; strict is cleaner and safer |
| aspf | r / s | s | Strict alignment reduces spoofing |
| rua | mailto:… | Enable | Daily aggregate XML reports show all sources |
| ruf | mailto:… | Optional | Forensic samples may be verbose; enable for debugging only |
| fo | 0, 1, d, s | 1 | Report on any SPF/DKIM failure for better visibility |
| pct | 0–100 | Usually omit | Use only when gradually applying enforcement |

 

 

5) Recommended Rollout Phases

  1. Phase 1 (Monitor): p=none, collect reports for 2–3 weeks
  2. Phase 2 (Caution): p=quarantine, consider sp=reject
  3. Phase 3 (Strict): p=reject (and sp=reject) once all legitimate sources align
Pass condition: If either SPF or DKIM passes and aligns with the visible From domain, DMARC passes.
 
 

6) Ready-to-Paste Examples

6.1 SPF (add your webserver IPs)


v=spf1 include:_spf.google.com ip4:XX.XX.XX.XX -all

 

 

If you also send via IPv6:


v=spf1 include:_spf.google.com ip4:XX.XX.XX.XX ip6:YYYY:YYYY::ZZZZ -all

 

6.2 DKIM (Google Workspace)

| Host | Type | Value |
|---|---|---|
| google._domainkey.yourdomain.tld | TXT | v=DKIM1; k=rsa; p=<Google 2048-bit public key> |

 

6.3 DKIM (cPanel)

| Host | Type | Value |
|---|---|---|
| default._domainkey.yourdomain.tld | TXT | v=DKIM1; k=rsa; p=<cPanel 2048-bit public key> |

 

6.4 DMARC (phased)

Phase 1 – Monitor


v=DMARC1; p=none; sp=none; adkim=s; aspf=s; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

 

Phase 2 – Quarantine


v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected]; fo=1;

 

Phase 3 – Reject


v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected]; fo=1;

 

6.5 DNS UI cheat-sheet

| Record | Host / Name | Type | Value |
|---|---|---|---|
| SPF | @ | TXT | v=spf1 include:_spf.google.com ip4:XX.XX.XX.XX -all |
| DKIM (Google) | google._domainkey | TXT | v=DKIM1; k=rsa; p=… |
| DKIM (cPanel) | default._domainkey | TXT | v=DKIM1; k=rsa; p=… |
| DMARC | _dmarc | TXT | v=DMARC1; p=none; … |

 

6.6 BIND-style zone snippets (optional)


@   3600 IN TXT "v=spf1 include:_spf.google.com ip4:XX.XX.XX.XX -all"
google._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=<GooglePublicKey>"
default._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=<cPanelPublicKey>"
_dmarc 3600 IN TXT "v=DMARC1; p=none; sp=none; adkim=s; aspf=s; rua=mailto:[email protected]; fo=1;"

 

7) Validate & Monitor

Quick checks

  • SPF: MXToolbox SPF
  • DMARC: MXToolbox DMARC
  • Gmail: send a test → message menu → Show original → confirm SPF=PASS, DKIM=PASS, DMARC=PASS

 

Read your reports

Aggregate rua reports arrive daily in XML. Parse with:

 

8) Common Mistakes & FAQ

Don’t forget your webserver in SPF. If PHP/Exim mail isn’t authorized, DMARC may fail even if Google is perfect.
Avoid rushing to p=reject. Monitor first, then enforce once all legitimate sources align.

What is “alignment” exactly?

For SPF: the domain in the MAIL FROM / Return-Path must match (strict) the visible From domain. For DKIM: the d= domain in the signature must match the visible From domain. We recommend aspf=s and adkim=s for clarity and security.

 

Should I use ruf (forensic) reporting?

Optional. It can be noisy and include message samples. Use when actively debugging failures, then remove or keep limited.

 

Forwarding breaks SPF—will DMARC fail?

Forwarding often breaks SPF but DKIM still passes if signatures survive, so DMARC can still pass. That’s why enabling DKIM everywhere is crucial.
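The alignment rule and the forwarding case above, worked through as an added example (not part of the original article). The cases and host names are constructed, and org_domain() assumes a two-label organizational domain where a real evaluator would use the Public Suffix List.

```python
def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator uses the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = exact match; mode 'r' = same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_pass(from_domain, spf, dkim, aspf="s", adkim="s"):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim)
    return spf_ok or dkim_ok

FROM = "yourdomain.tld"
# Constructed cases for the hybrid setup; host names are placeholders.
CASES = {
    # Mail sent through Google Workspace with DKIM enabled.
    "workspace": (("pass", "yourdomain.tld"), [("pass", "yourdomain.tld")]),
    # PHP script on cPanel: SPF passes for the server's own domain only.
    "php_no_dkim": (("pass", "server.host.example"), []),
    # Same script once cPanel DKIM signs with d=yourdomain.tld.
    "php_with_dkim": (("pass", "server.host.example"),
                      [("pass", "yourdomain.tld")]),
    # Forwarded mail: SPF fails at the forwarder, the signature survives.
    "forwarded": (("fail", "yourdomain.tld"), [("pass", "yourdomain.tld")]),
    # Return-Path on a subdomain, no DKIM.
    "bounce_subdomain": (("pass", "bounce.yourdomain.tld"), []),
}

def evaluate(aspf="s", adkim="s"):
    """DMARC outcome for every constructed case under the given modes."""
    return {name: dmarc_pass(FROM, spf, dkim, aspf, adkim)
            for name, (spf, dkim) in CASES.items()}

if __name__ == "__main__":
    print("strict :", evaluate())
    print("relaxed:", evaluate(aspf="r", adkim="r"))
```

Only bounce_subdomain changes between strict and relaxed mode; php_no_dkim fails in both, which is why the webserver needs its own aligned DKIM signature.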


Support: If you’re an IndicHosts.net client, raise a ticket and we’ll verify your DNS, DKIM, and DMARC reports and recommend the right enforcement level for your domain.

