Shared-hosting email auth fix

Fix SPF, DKIM, and DMARC on shared hosting.

Use this when cPanel, WordPress, SMTP plugins, or marketing senders all send for one domain and authentication records need to agree instead of fighting each other.

When to use this fix

  • Mail sends but lands in spam or fails authentication.
  • SPF, DKIM, or DMARC is mentioned in a bounce or provider warning.
  • WordPress uses a different SMTP provider than the mailbox provider.
  • The domain has multiple senders: cPanel, Google, Microsoft, Brevo, Mailgun, Postmark, or WooCommerce notices.

Correction order

  1. Decide which services are allowed to send for the domain.
  2. Merge all required SPF includes into one SPF record.
  3. Enable DKIM for each active sender that supports it.
  4. Start DMARC in monitoring mode while alignment is verified.
  5. Tighten DMARC only after legitimate senders pass.

Before and after authentication stack

Before

SPF: two separate v=spf1 records
DKIM: old provider selector only
DMARC: p=reject
WordPress From: mysite@gmail.com

After

SPF: one record with active sender includes
DKIM: active provider selectors
DMARC: p=none during verification
WordPress From: no-reply@example.com

Common false positives

  • SPF passes for the envelope sender but DMARC fails because visible From does not align.
  • Google Workspace mail passes, but WordPress SMTP fails because it sends through another provider.
  • DKIM exists in DNS, but it belongs to a provider no longer used.
  • DMARC rejects real mail because policy was tightened before all senders were known.

Provider-specific sender map

SenderSPF clueDKIM clueCommon trap
cPanel/local mailHost-provided SPFcPanel Email Deliverability DKIMLeaving routing Remote when cPanel hosts mail.
Google Workspaceinclude:_spf.google.comGoogle Admin DKIM selectorUsing Google MX but sending WordPress through another SMTP.
Microsoft 365include:spf.protection.outlook.comMicrosoft selector CNAMEsAssuming old cPanel DKIM covers Microsoft mail.
Transactional SMTPProvider includeProvider-generated selectorUsing a free-mail From address that cannot align.

Do NOT do this

  • Do not create separate SPF records for each sender.
  • Do not enable strict DMARC before every legitimate sender is mapped.
  • Do not assume mailbox DNS and WordPress SMTP DNS are the same sender path.
  • Do not copy provider examples without replacing them with domain-specific values.

Success looks like this

Authentication-Results:
spf=pass
dkim=pass
dmarc=pass

From domain:
matches the authenticated sender domain

Pattern to verify in your environment. Exact headers differ by receiver.

Related errors and fixes

SPF issue DKIM issue DMARC issue Run debugger