How to Set Up DKIM, SPF, DMARC, MTA-STS, TLS-RPT, and BIMI in cPanel

How to Set Up DKIM, SPF, DMARC, MTA-STS, TLS-RPT, and BIMI in cPanel

Securing your email domain and ensuring proper email authentication is essential to prevent spoofing and improve email deliverability. This guide walks you through setting up DKIM, SPF, DMARC, MTA-STS, TLS-RPT, and BIMI in cPanel.

Step 1: Set Up DKIM and SPF

1. Log in to cPanel:

   • Access your cPanel dashboard through your hosting provider.

2. Navigate to Email Deliverability:

   • Under the Email section, click Email Deliverability.

3. Enable DKIM and SPF:

   • Locate your domain in the list and click Manage.

   • If DKIM or SPF is disabled, click Repair or Generate Suggested Record to enable them.

   • cPanel will automatically generate the necessary DNS records.

4. Verify the Records:

   • Use a DNS lookup tool like MXToolbox to confirm active DKIM and SPF records.

Step 2: Set Up DMARC

1. Access Zone Editor:

   • In cPanel, go to Domains and select Zone Editor.

2. Add a DMARC Record:

   • Click Manage next to your domain.

   • Add a new TXT record with the following details:

     • Name: _dmarc.yourdomain.com

     • Type: TXT

     • Value:

       v=DMARC1; p=quarantine; rua=mailto:reports@yourdomain.com; ruf=mailto:alerts@yourdomain.com

     • Replace reports@yourdomain.com with the email address to receive aggregate reports.

3. Save the Record:

   • Allow up to 48 hours for DNS propagation.

4. Verify DMARC Configuration:

   • Use DMARC Analyzer or similar tools to check your setup.

Step 3: Set Up MTA-STS

1. Create the Policy File:

   • Open a text editor and create a file named mta-sts.txt.

   • Add the following content:

     version: STSv1
     mode: enforce
     mx: mail.yourdomain.com
     max_age: 86400

     • Replace mail.yourdomain.com with your mail server hostname.

2. Host the Policy File:

   • Log in to cPanel and navigate to File Manager.

   • Create the directory structure:

     public_html/mta-sts/.well-known/

   • Upload the mta-sts.txt file into the .well-known folder.

3. Set Up a Subdomain:

   • In cPanel, go to Subdomains and create mta-sts.yourdomain.com.

4. Add the MTA-STS DNS Record:

   • In Zone Editor, add a TXT record:

     • Name: _mta-sts.yourdomain.com

     • Type: TXT

     • Value: v=STSv1; id=YYYYMMDD (Replace YYYYMMDD with today’s date.)

5. Secure with SSL:

   • Use AutoSSL or manually install an SSL certificate for mta-sts.yourdomain.com.

Step 4: Set Up TLS-RPT

1. Add the TLS-RPT DNS Record:

   • In Zone Editor, add a TXT record:

     • Name: _smtp._tls.yourdomain.com

     • Type: TXT

     • Value: v=TLSRPTv1; rua=mailto:reports@yourdomain.com

2. Monitor Reports:

   • Ensure the rua email address is valid and monitored. Reports will be sent in JSON format.

Step 5: Set Up BIMI

1. Prepare Your BIMI Logo:

   • Convert your company logo to SVG Tiny 1.2 format.

   • Validate the SVG file using BIMI SVG Validator.

2. Host the Logo:

   • Upload the SVG logo to your public_html directory or a subdirectory, e.g., https://yourdomain.com/logo.svg.

3. Add a BIMI DNS Record:

   • In Zone Editor, add a TXT record:

     • Name: default._bimi.yourdomain.com

     • Type: TXT

     • Value: v=BIMI1; l=https://yourdomain.com/logo.svg; (Include a=https://yourdomain.com/vmc.pem; if using a Verified Mark Certificate.)

4. Verify DMARC Policy:

   • Ensure your DMARC record has p=quarantine or p=reject, as BIMI requires a strict DMARC policy.

5. Test BIMI:

   • Use BIMI Inspector to validate your BIMI setup.

Step 6: Verify the Configuration

1. Test DNS Records:

   • Use tools like MXToolbox to validate the DNS entries for SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI.

2. Send Test Emails:

   • Send test emails to verify email authentication and ensure logos are displayed correctly in BIMI-supported email clients.

3. Monitor Reports:

   • Regularly review DMARC and TLS-RPT reports for insights into your email traffic and potential issues.