TL;DR: DKIM proves sender authenticity, and DMARC tells receivers what to do with mail that fails authentication. In 2025, plain p=none does not protect your brand or deliverability. Use at least p=quarantine, or preferably p=reject, together with appropriate adkim and aspf settings.


cPanel quick start

  1. Open Email Deliverability -> fix DKIM/SPF (Repair / Install the suggested record(s)).
  2. Ensure DNS has default._domainkey.<domain> (DKIM) and a correct SPF.
  3. Add DMARC in Zone Editor for name _dmarc (TXT). Start with quarantine:

    v=DMARC1; p=quarantine; aspf=r; adkim=r

    Move to reject when all senders align:

    v=DMARC1; p=reject; aspf=s; adkim=s
  4. (Recommended) Add aggregate reporting later: rua=mailto:dmarc-rua@example.com.

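Same settings as full DNS lines (BIND)

Publish only one of these records at a time: a receiver that finds more than one DMARC record at _dmarc.<domain> applies no DMARC policy at all.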

_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; aspf=r; adkim=r"
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s"

What are SPF, DKIM and DMARC?

  • SPF: lists permitted sending hosts for your domain (DNS TXT v=spf1 ...). Protects the envelope/Return‑Path, not the visible From.
  • DKIM: cryptographic signature; the receiver fetches the public key from DNS (selector._domainkey.example.com -> v=DKIM1; k=rsa; p=...).
  • DMARC: ties the visible From domain to SPF/DKIM results and sets policy (none/quarantine/reject) and reporting.

Alignment: the visible From domain must match DKIM’s d= domain or SPF’s MailFrom/Return‑Path domain. adkim=r / aspf=r allows subdomains; adkim=s / aspf=s requires exact match.


Why p=none is no longer enough

  1. No enforcement: failures aren’t quarantined or rejected -> spoofing continues.
  2. Deliverability signal: major receivers use DMARC policy as a signal; without enforcement, even legit mail can suffer.
  3. Visibility ≠ protection: reports alone don’t stop abuse – quarantine/reject shapes behavior.

Conclusion: start with p=quarantine (relaxed) and move to p=reject (strict) once all mail aligns.


Relaxed (r) vs Strict (s)

  • Relaxed (aspf=r; adkim=r): many senders/subdomains -> easier rollout.
  • Strict (aspf=s; adkim=s): you fully control sending -> strongest anti‑spoofing.
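
The alignment rule and the relaxed/strict modes described above, as an added example that is not part of the original page: a simplified DMARC evaluation in Python. It assumes the organizational domain is the last two labels (real receivers use the Public Suffix List) and ignores sp and pct; the function names and sample domains are constructed for illustration.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; adkim/aspf default to relaxed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, dkim=None, spf=None):
    """dkim and spf are (result, domain) tuples: the DKIM d= domain and the
    SPF MailFrom domain. Returns (dmarc_result, disposition)."""
    tags = parse_dmarc(record)
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"      # one aligned pass is enough; no action requested
    return "fail", tags["p"]       # on failure the published policy is the disposition

RELAXED = "v=DMARC1; p=quarantine; aspf=r; adkim=r"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"
MONITOR = "v=DMARC1; p=none; aspf=r; adkim=r"

if __name__ == "__main__":
    # Constructed case: a legitimate sender signs with a subdomain and uses
    # a third-party bounce domain for the Return-Path.
    case = dict(from_domain="example.com",
                dkim=("pass", "mail.example.com"), spf=("pass", "bounce.esp.test"))
    for name, record in (("relaxed", RELAXED), ("strict", STRICT)):
        print(name, evaluate(record, **case))
    # Constructed spoof: SPF passes, but for an unrelated domain, so it does not align.
    print("p=none", evaluate(MONITOR, "example.com", spf=("pass", "unrelated.test")))
```

The strict result shows why the move to adkim=s / aspf=s waits until every sender signs with the exact From domain, and the p=none result shows a failing message getting the same disposition as a passing one.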

DKIM – practical tips

  1. 2048‑bit keys (or stronger); rotate every 6–12 months.
  2. Selector strategy: e.g., s2025q4; keep two selectors active during rotations.
  3. Sign at least: From, Date, Subject, Message‑ID (often To as well).
  4. Canonicalization: c=relaxed/relaxed is resilient to transit changes.
  5. cPanel/DNS: default selector is default -> public key at default._domainkey.<domain>.
  6. Testing: check Authentication‑Results for dkim=pass, spf=pass, dmarc=pass.

DKIM DNS example (cPanel default):

default._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."

Signature snippet:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s2025q4;
    h=from:date:subject:message-id:to:mime-version:content-type;
    bh=...; b=...

DMARC – policies

Monitoring (short-term only)

_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; aspf=r; adkim=r; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1; ri=86400"

Transition (recommended minimum)

_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; aspf=r; adkim=r; pct=100; sp=quarantine; rua=mailto:dmarc-rua@example.com; fo=1; ri=86400"

Full enforcement

_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; sp=quarantine; rua=mailto:dmarc-rua@example.com; fo=1; ri=86400"

Minimal (no reporting)

Value only (paste one of these into cPanel TXT):

v=DMARC1; p=quarantine; aspf=r; adkim=r
v=DMARC1; p=reject; aspf=s; adkim=s

Full DNS line (BIND):

_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; aspf=r; adkim=r"
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s"

Reporting

_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:dmarc-rua@example.com!10m,mailto:dmarc-ops@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1; ri=86400"

Rollout playbook

  1. Inventory senders (CRM, marketing, ticketing, invoicing…).
  2. Fix SPF; avoid +all and long include chains.
  3. Enable DKIM everywhere (2048‑bit, per‑system selectors).
  4. Publish DMARC p=none with RUA for 1–4 weeks; fix issues.
  5. Raise to p=quarantine (relaxed); monitor.
  6. Move to p=reject (strict) when all mail aligns.

Radicenter 2025