If your emails are landing in spam folders or being rejected outright, the cause is almost always one of three things: missing or misconfigured DNS records (SPF, DKIM, DMARC), a damaged sender reputation, or your domain being on a blacklist. This guide walks through fixing all three, in the order that matters.
Set these up correctly once and you’ll spend the rest of your hosting life with email that just works.
The three pillars of deliverability
Email authentication is built on three DNS records that work together. They prove to the receiving server that the email is genuinely from your domain and hasn’t been tampered with.
- SPF (Sender Policy Framework) — tells the world which servers are authorized to send mail for your domain.
- DKIM (DomainKeys Identified Mail) — cryptographically signs each email, proving it wasn’t modified in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — tells receiving servers what to do when SPF or DKIM fail, and (optionally) sends you reports about who’s sending mail using your domain.
Without all three, modern mail providers (Gmail, Microsoft 365, Yahoo) increasingly treat your domain as suspicious. As of 2024, Google and Yahoo both require SPF + DKIM + DMARC for any domain sending more than 5,000 emails per day, and they’re tightening that threshold over time.
Step 1 — Set up SPF
SPF is a single TXT record in your DNS. On iWebVault cPanel hosting with the default mail server, the record value is:
v=spf1 +a +mx +ip4:[your-server-ip] include:iwebvault.com ~allReplace [your-server-ip] with the IP from your welcome email. To add it:
- In cPanel, open Email → Email Deliverability.
- Find your domain. SPF status will probably show as “Problems Detected”.
- Click Manage, then under SPF click Install the Suggested Record.
- cPanel adds the record automatically if your nameservers are
ns1/ns2.iwebvault.com. If they’re hosted elsewhere (Cloudflare, your registrar), copy the suggested record and add it manually to your external DNS.
Critical rule: you can only have one SPF record per domain. If you use a third-party service like Mailchimp, Brevo, or Google Workspace alongside your hosting, merge their include: directives into a single record — don’t add a second SPF line. Multiple SPF records cause silent failures.
Step 2 — Enable DKIM
DKIM is a public/private key pair. The private key lives on the mail server; the public key goes in your DNS as a TXT record. When a server receives your email, it looks up the public key, uses it to verify the signature, and decides whether to trust the message.
- In cPanel → Email Deliverability, find your domain.
- Under DKIM, click Manage, then Install the Suggested Record.
- If your DNS is on iWebVault nameservers, cPanel handles everything in one click. If not, cPanel shows you the record to add manually — copy the entire long string (it’ll start with
v=DKIM1; k=rsa; p=...) and add it as a TXT record on the hostdefault._domainkeyat your external DNS provider.
DKIM records can take 1–24 hours to fully propagate. You can check progress with MXToolbox’s DKIM Lookup.
Step 3 — Configure DMARC
DMARC ties SPF and DKIM together and tells receiving servers how strict to be. It’s added as a TXT record on the hostname _dmarc.yourdomain.com.
Start in monitoring mode (no action taken on failures, just reporting):
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.comAdd via cPanel Zone Editor (Domains → Zone Editor → Manage → Add Record → TXT) or your external DNS provider. After 1–2 weeks of monitoring, if reports show everything legitimate is passing, tighten to quarantine:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100After another 2 weeks of clean operation, go to p=reject — the strictest policy, where unauthorized email using your domain is dropped entirely.
Skipping monitoring mode and going straight to p=reject is a common mistake. If anything’s misconfigured, your legitimate email vanishes silently. Start with p=none and read the reports before tightening.
Step 4 — Test with mail-tester.com
Mail-tester.com is the standard tool for end-to-end deliverability checks, and it’s free for casual use.
- Visit mail-tester.com. It generates a unique test address.
- Send an email from your domain (use your real sending setup — WordPress, Outlook, whatever) to that address.
- Click Then check your score on mail-tester.
A score of 10/10 means everything is perfect. 8 or 9 is acceptable for most use cases. Anything below 8 has fixable issues — the report tells you exactly which records are missing or misconfigured.
Step 5 — Set up reverse DNS (VPS/dedicated only)
If you’re on a VPS or dedicated server (not shared hosting), reverse DNS (PTR record) is critical and often overlooked. It maps your server’s IP back to a hostname. Mail receivers reject email from servers with missing or generic PTR records.
To check yours, run on the server: dig -x [your-ip] +short. The output should be a real hostname like mail.yourdomain.com, not something generic like 185-123-45-67.iwebvault.com.
If it’s generic, open a ticket requesting a custom PTR record for your IP. Provide the hostname you want — usually mail.yourdomain.com if you’ve added a corresponding A record. PTR changes take 1–4 hours to propagate.
Step 6 — Maintain sender reputation
Once authentication is set up, your ongoing job is to not blow your reputation. Mail providers track per-domain reputation scores, and a domain that hits “spam” 20% of the time gets demoted quickly.
- Never buy email lists. Even if 90% are valid, the other 10% are spam traps and you’ll torch your domain’s reputation overnight.
- Honor unsubscribes within 24 hours. Required by CAN-SPAM and GDPR, and ignoring it generates spam complaints fast.
- Keep bounce rates under 5%. If you’re routinely above this, you’re sending to stale lists. Use double opt-in and prune inactive subscribers.
- Warm up new IPs gradually. If you’ve just moved hosting, don’t send 10,000 emails on day one. Ramp up: 100 the first day, 500 the next, double each day after.
- Match the From address to the domain. Sending from
noreply@gmail.comwhile your servers are onyourdomain.comis one of the easiest spam-filter triggers. Always send frominfo@yourdomain.comor similar.
Step 7 — If your domain is already blacklisted
If you’re being rejected outright (not just spam-foldered), check the blacklists:
- MXToolbox Blacklist Check — tests against 100+ blacklists at once.
- If listed, click the blacklist name to see their delisting page. Most have automated forms. Major lists (Spamhaus, SORBS) usually delist within 24–48 hours of a clean request.
Get blacklisted often? You have a deeper problem — either compromised email accounts on your domain, a script being abused on your site, or you’re sending to old lists. Fix the cause before requesting delisting; otherwise you’ll be back on the list within days.
Common mistakes
Two SPF records. Even one is too many — must be combined. If MXToolbox SPF check shows “multiple records”, that’s the #1 priority to fix.
DKIM key not propagated yet. Allow 24 hours after enabling. If it’s been 48 and still failing, your DNS isn’t pointing to iWebVault nameservers, or the cPanel-generated record didn’t sync.
DMARC too aggressive too soon. Set to p=none for at least 2 weeks before tightening.
Sending from a different domain than the From address. If your WordPress sends as wordpress@yourdomain.com but your mail server is configured for yourdomain.com only, the SPF check fails. Use a plugin like WP Mail SMTP to send through your actual SMTP server.
What’s next
- Configuring email on devices? See our setup guides for iPhone, Android, Outlook, and Gmail.
- Setting up email accounts in cPanel? Step-by-step here.
- Need to handle high-volume transactional email? Consider a dedicated mail relay like Mailgun, Postmark, or Brevo — they specialize in deliverability at scale.
If your deliverability problem persists after all five steps, open a ticket. Include a mail-tester.com link to your latest test — we can pinpoint the issue from the report in one reply.
Was this helpful?
Thanks for your feedback!
