When email “doesn’t work” — a customer claims they didn’t get a confirmation, a contact form submission never arrives, an automated email vanishes into the void — the answer is in the mail logs. cPanel exposes detailed delivery records for every message sent and received. This guide shows you how to read them, what bounce codes mean, and how to fix the most common delivery problems.
Accessing the mail logs
cPanel offers two views:
- Track Delivery (cPanel → Email → Track Delivery) — searchable interface for individual messages. The right tool for “did this specific email arrive?”
- Email Logs / Delivery Reports (varies by plan) — broader log access showing all mail in/out for a time range.
For most diagnostic work, Track Delivery is what you want.
Using Track Delivery
- Open Track Delivery.
- Enter the recipient’s email address in the search box (or sender, or message ID).
- Click Show All.
- Filter by date range if needed.
Results show, for each message:
- Date/Time — when our server tried to deliver.
- Result — Success (green check), Deferred (yellow clock), Failure (red X).
- Sender / Recipient — the addresses involved.
- Action / Result — what the receiving server said.
Click any row to expand for full SMTP transaction details — the exact dialog between our server and the recipient’s server.
The three message states
Success ✓
The receiving server accepted the message. From our side, delivery is complete. Caveat: “accepted” doesn’t always mean “in the inbox”. Spam-foldered messages were also accepted. If a customer claims they didn’t get it but the log shows success, check their spam folder — and read our deliverability guide.
Deferred ⏱
Temporary failure — receiving server is busy, has a temporary glitch, or has greylisted us. The mail server retries automatically every few minutes for up to 5 days before giving up. Deferred messages usually deliver eventually; ignore unless they’re sticking around for hours.
Failure ✗ (Bounce)
Permanent failure — the receiving server rejected the message and won’t accept it on retry. The sender (if internal) gets a bounce message. Reasons vary; the SMTP response code in the log row tells you why.
Reading SMTP response codes
| Code | Means | Common cause |
|---|---|---|
| 2xx | Success | Mail accepted |
| 4xx | Temporary failure (soft bounce) | Receiver busy, greylist, mailbox temporarily full |
| 5xx | Permanent failure (hard bounce) | Mailbox doesn’t exist, blocked, refused |
| 550 | Rejected — common | “User unknown”, blocklisted, content rejected |
| 552 | Size limit | Message exceeded receiver’s max |
| 553 | Bad address | Sender address rejected (syntax error) |
| 554 | Generic refusal | SpamAssassin score too high, IP blocklist, content rules |
The five most common bounce reasons
1. “User unknown” / “No such user”
The recipient address doesn’t exist. Typo, ex-employee gone, or just wrong. Fix: get the right address, retry.
2. “Sender IP blocklisted”
Your server’s IP is on a blocklist (Spamhaus, Barracuda, etc.). Usually because a previous compromised account on the IP sent spam. iWebVault monitors and addresses these; if you encounter this and it persists, open a ticket — we’ll investigate.
Quick check: mxtoolbox.com/blacklists.aspx — enter your IP, see if any major lists have it flagged.
3. “SPF/DKIM authentication failed”
Your authentication isn’t set up correctly. See our SPF/DKIM/DMARC guide. Most major receivers (Gmail, Outlook) now reject mail with failed authentication outright in 2026.
4. “Mailbox full”
Recipient’s inbox is over quota. Wait for them to clean up, or contact them via another channel.
5. “Message content rejected”
Receiving server’s spam filter flagged the content. Common triggers: phrases like “click here to claim”, excessive ALL CAPS, lots of exclamation points!!!, URL shorteners, attachments with executable extensions. Rewrite, retry.
Bounce processing for senders
When mail bounces, the sender (your mailbox or your application) typically gets a bounce notification email. The notification includes:
- The original recipient.
- The reason for failure (the receiving server’s exact response).
- A copy of the original message (sometimes).
For automated senders (newsletter platforms, transactional emails), implement bounce handling:
- Hard bounces (5xx codes) — remove from your list immediately. Repeated sends to a hard-bouncing address hurt your reputation with the receiver.
- Soft bounces (4xx) — retry. After 3-5 soft bounces over a few days, treat as hard bounce.
- Suppression lists — most marketing platforms maintain these automatically.
Doing this manually for transactional mail from your own app: read your incoming mail at the from-address, parse bounce notifications, update your database.
Diagnosing “this email never arrived”
Workflow when a customer reports a missing email:
- Track Delivery for that recipient.
- If Success — they have it; ask them to check spam.
- If Deferred — wait, it may still arrive. After 24 hours assume failure.
- If Failure — read the SMTP response. Determine cause from the bounce reasons above. Fix and retry.
- If no records at all — the email wasn’t actually sent. The originating app (WordPress contact form, app code) failed locally. Look at the app’s own logs, not our mail logs.
Common log questions
“Logs only go back a few days.” Mail logs are retained for the recent past — usually 7-14 days. For older delivery records, contact support with the specific date range you need; we may have server-level logs going back further.
“Track Delivery shows success but recipient swears they didn’t get it.” 95% of these are spam folder issues. The remaining 5% are usually corporate-firewall blocks at the receiver that accept-then-discard. Have the recipient check spam, then check with their IT team if you’ve ruled that out.
“Lots of deferred messages — am I doing something wrong?” Greylisting is normal. Deferred-then-success pattern within 5-30 minutes is the standard greylisting workflow. Only worry if messages stay deferred for hours.
“Receiving very high bounce volume.” Either your list is dirty (full of dead addresses — usually buying email lists), or your domain is being spoofed and bounces are coming back to you. DMARC reports help diagnose the second case.
What’s next
- Authentication setup (prevents most bounce issues): SPF/DKIM/DMARC guide.
- Spam folder issues: Deliverability guide.
- Catch-all and filtering: Email filters and catch-alls.
Mail logs answer most “why didn’t they get my email” questions in under a minute. The pattern: search recipient, read result, act accordingly. After your first three diagnostic sessions, the workflow becomes second nature.
Was this helpful?
Thanks for your feedback!
