How To Protect Your cPanel Email From Spam

Let's dive in.

But before anything else, ensure that the cPanel account has completed the recommended barest steps:

1. DKIM:

DKIM as part of the holy trio of SPF, DKIM, and DMARC uses digital signatures to verify a message with its host to prevent email spoofing.

DKIM allows an email system to prove that spammers didn't alter an incoming message while it was in transit.

First, verify that your DKIM records are working as intended.

The simplest way to do this via cPanel is to use the Email Deliverability interface at cPanel >> Email section.

With this, you can identify problems with any of your domain's DKIM, SPF, and PTR records.

Note that the system modifies the DKIM and SPF records if the authoritative nameservers for the customer's domain DNS record exist on the server.

If it does not, then the system will not add the records, and it will report the problem/s that it identified.

You can view this via the command line with ("default._domainkey" is the default DKIM selector in cPanel):

dig +short TXT default._domainkey.$domain.com

You can view your DKIM record via the cPanel API with:

uapi --user=$user EmailAuth validate_current_dkims domain='$domain.com'

or:

uapi --user=$user EmailAuth validate_current_dkims domain='$domain.com' | grep expected | cut -c 17- whmapi1 validate_current_dkims domain='$domain.com'

The maximum permissible string length that DNS servers allow is 255 characters.

If a DNS record is more than 254, you need to split it into double-quoted strings.

This is important to note if you need to configure DKIM at an external DNS provider that doesn't allow the key to be split or does not allow characters to be more than 255.

Or if you notice that cPanel is unable to sign the domain's outbound email with a DKIM signature, thus triggering a DKIM failure, check to see if this is configured correctly.

cPanel permits both Full and Split.

If you need to split your DKIM record, visit "Email Deliverability" and then click on the "Suggested "DKIM" (TXT) Record".

Next, click split under the value row, copy, and then paste where needed.

You can also use a tool such as Mailhardener DNS record splitter

Note that if you are using a third-party email service, such as Google Workspace/Gmail™ or Microsoft Outlook 365®, etc, then you also need to refer to the right documentation for instructions on configuring DKIM, DMARC, and SPF.

WARNING: For your safety, do not share your private DKIM key as that is a security risk.

If you share your private DKIM key with someone, it is possible that in the hands of a malicious action sign emails and impersonate you as a sender.

2. SPF

Along with DKIM and DMARC, the Sender Policy Framework Record (SPF) helps with your email deliverability and reduces the possibility of email forgery.

SPF achieves this by providing remote mail hosts with a way of verifying whether the sending host is actually authorized to send mail from your domain or not.

The easiest way to check this in cPanel is to use the Email Deliverability feature in the Email section.

You can copy the Name and Value records that the system provides in the Suggested "SPF" (TXT) Record section.

Or modify the suggested SPF record before copying.

If you need to modify this record:

Access Email Deliverability.

Select the domain to modify, and click on "Manage".

Locate the SPF record on the page.

Click on the Customize pencil icon for the record.

When the "Customize an SPF record" page loads, add or remove the values as desired.

Once completed, click on the "Install a customize SPF record" button.

If you receive "this system does not control DNS for the .....", it is because the domain is not using cPanel as the nameserver for your domain.

1. Either switch to our name servers:
   • ns1.mydnsnode.com
   • ns2.mydnsnode.com
   • ns3.mydnsnode.com
   • ns4.mydnsnode.com

   or:

2. Replicate the SPF and DKIM records shown in the Email Deliverability interface at your third-party DNS provider.

You can run either of these commands below to see if an SPF record is accessible: dig $domain.com TXT dig $domain.com TXT | grep -i SPF dig +short $domain.com TXT

You can also send an email, then view the Received-SPF: value in the email headers.

You can use this method to verify the authenticity of the sender.

For an introduction and quick overview of SPF mechanism syntax, visit SPF Record Syntax

3. DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance and the newest member of the holy trio) is a technical specification to help reduce the potential for email-based abuse.

It is an extension to the existing SPF and DKIM standards which you can use as a policy, to control the rejection settings for messages that do not pass SPF and DKIM sent using your domain name.

A DMARC policy uses DNS to confirm that an email message uses a valid DKIM and SPF record and that the From: header matches those records.

Most email networks require that you use a DMARC policy to help protect their users from spam emails.

To check your domain's DMARC record, run this command below:

dig _dmarc.$domain.com txt +short

If you are unable to see an output, then you need to create a DMARC record.

To create a DMARC record, log in to your cPanel account, access the Domains section and click on Zone Editor, then Manage.

You may want to visit Web Hosting Magic documentation to learn more.

Adjust SpamAssassin Rule

If you are receiving spam emails, you can fine-tune the spam filtering settings in SpamAssassin to suit your requirements.

In fact, you can configure the sensitivity level and define rules for handling spam emails at any time.

SpamAssassin is the tool used by a mail server to check if a message is spam or not.

Apache SpamAssassin™ scans each message and checks it against hundreds of rules.

Each rule is assigned a "score" (also known as the rule's "weight").

The score tells SpamAssassin how important that rule is.

Sometimes the default scores fail to provide the correct results.

SpamAssassin may assign a "spam" result to a non-spam (ham) message, or vice-versa if the default rules are not appropriate for a user.

"Ham" is an e-mail that is not Spam and is considered a shorter, snappier synonym for "non-spam".

On our systems, we already have included Apache SpamAssassin™ with your cPanel account.

But customers can adjust the weight of each rule for themselves via their cPanel account.

Those changes affect all the email accounts associated with that cPanel account.

WARNING: Before editing the spam testing scores, please make sure that you understand what you are doing. If this is misconfigured, it will create unintended consequences including stopping all emails from reaching your inbox.

If you must adjust the weight of a SpamAssassin rule, then first, review the documentation at Writing Rules for SpamAssassin.

While some part of it is for root users, the latter part works for cPanel.

• Log in to your cPanel.
• Scroll to the Email section and click on Spam Filters.
• Click "Show Additional Configurations" that you see at the bottom of the page.
• Click on the link that says "Configure Calculated Spam Score Settings".
• When the new interface appears, you will see instructions and a link to the 'Add a new "scores" item'.

Select a test from the scores menu.

There will be a drop-down list with a list of the hundreds of rules that SpamAssassin consults. Use the search box and the name of the rule you want to change.

The list will narrow down until there is only one rule left so that you can click on it.

• Use the arrow keys to adjust the score, or type a new value into the box. You can set the score value to 0 to disable a test.
• Click the "Update Scoring Options" button at the bottom of the page.
• To disable the test, enter "0" as the score value.

cPanel API CLI

You can also use the cPanel API CLI (may require "sudo" access) to set the spam score threshold value.

First, return the email account Apache SpamAssassin settings:

uapi --output=jsonpretty --user=$username Email get_spam_settings

To enable (if needed) Apache SpamAssassin™ for the account, use:

uapi --output=jsonpretty --user=$username Email enable_spam_assassin

To list the Apache SpamAssassin™ settings for the account:

uapi --output=jsonpretty --user=$username SpamAssassin get_user_preferences

To set a new minimum Apache SpamAssassin™ spam score threshold value, use:

uapi --output=jsonpretty --user=$username Email add_spam_filter required_score=3

Remember that the lower the spam score, the more likely that Apache SpamAssassin will label messages as spam and delete them.

The default value always tends to be 5 which in itself is an aggressive spam score.

For a more lenient spam score (if you are losing emails due to an aggressive spam score), use a more permissive score of 8 or 10.

Again, confirm with:

uapi --output=jsonpretty --user=$username Email get_spam_settings

Create a Spam Email Filter

An email spam filter detects/identify and sort or delete unsolicited email (spam) and prevents them from reaching your inbox.

Spam filters look for certain characteristics present inside the incoming mail (e.g. sender, subject line, header) and make a judgment whether a certain email passes the criteria set for spam.

To create a spam filter, perform the following steps:

1. Visit cPanel » Home » Email » Spam Filters.
2. Visually confirm if Apache SpamAssassin is enabled on the server. If it is not, click Enable Apache SpamAssassin.
3. Scroll to Email » Global Email Filters, then click Create a New Filter.
4. Enter the name of the filter you are creating in the Filter Name text box.
5. Select Spam Bar from the first menu in the Rules section.
6. Select contains from the second menu in the Rules section.
7. Enter the spam score in the text box. Represent the desired spam score with plus (+) characters.

   To filter all of the mail to which Apache SpamAssassin has assigned a spam score of five or higher, enter +++++ in the text box.

   Apache SpamAssassin examines every email message for spam characteristics and then assigns it an overall score based on the number of spam-related traits found within the message.

   The lower the spam score, the more aggressive the spam filter will be.

   ISPs often use a higher score. But for a single user, a spam score of five (+++++) is more than enough.

8. Select Deliver to folder from the menu in the Actions section.
9. Now enter the name of the folder to which you wish to send your spam email.
10. Click Browse to see a list of your folders.
11. Click Create to create, save, and activate the spam filter.

You can also do this with the cPanel API:

To enable spam box filtering for a cPanel account so that the system sends messages marked as spam to a spam folder, use:

uapi --output=jsonpretty --user=username Email enable_spam_box

To clear the spam box of all its contents for all email accounts, use:

uapi --output=jsonpretty --user=username SpamAssassin clear_spam_box

If the cPanel account starts losing emails, then consider disabling the Apache SpamAssassin™ auto-delete spam feature with:

uapi --output=jsonpretty --user=username Email disable_spam_autodelete

And should you ever want to disable spam box filtering for the cPanel account so that the system sends all messages to the account's inbox, use:

uapi --output=jsonpretty --user=username Email disable_spam_box

Use BoxTrapper

One of the most easily implemented and effective methods for preventing spam from arriving in your inbox is to enable BoxTrapper.

BoxTrapper filters spam from your inbox through challenge-response verification.

When an account with BoxTrapper enabled receives an email from an unknown source, BoxTrapper automatically sends a verification email in response.

This verification process can easily be completed by a real human within a few seconds and only has to be done once.

Spambots, however, have a much more difficult time completing this verification process.

As a result, BoxTrapper greatly reduces the amount of spam that reaches your inbox while introducing minimal friction to communication with the people that actually need to communicate with you.

To enable BoxTrapper via Webmail

1. Log in to your webmail account with your email address and email password.
2. In the sidebar on the left side, click the orange cP icon that says "Webmail Home".
3. On the page load, scroll down to the "Fight Spam" section and click on the " Box Trapper" icon.
4. Look near the top of the page where it says " Current Status". On our systems, this is enabled by default. But if it says "Disabled" click the button next to it to enable BoxTrapper.
5. Review the list of links on that page and make any customizations if you want to alter the default functionality.

To enable BoxTrapper via cPanel

1. Log in to cPanel with the cPanel username and password that owns the email address that you would like to enable this feature.
2. Under the Email section, click on the BoxTrapper icon.
3. The table on that page will display the status of Boxtrapper for all email accounts. For an account that has a disabled status, click on the "Manage" link.
4. Click on the "Enable" button, and then explore the other available options to customize the configuration if you would like to change the default options.

To enable BoxTrapper via cPanel API

First, return your account BoxTrapper allowlist rules:

uapi --output=jsonpretty --user=username BoxTrapper get_allowlist email='user@example.com'

Check the account's BoxTrapper blocklist rules:

uapi --output=jsonpretty --user=username BoxTrapper get_blocklist email='user@example.com'

To return the account BoxTrapper blocklist rules:

uapi --output=jsonpretty --user=username BoxTrapper get_blocklist email='user@example.com'

To add an email address to BoxTrapper blocked senders:

uapi --output=jsonpretty --user=username BoxTrapper blacklist_messages email='user@example.com' queuefile='file1'

BoxTrapper will delete messages that match these rules and send a notification to the sender.

To add an email address to BoxTrapper-allowed senders, use:

uapi --output=jsonpretty --user=username BoxTrapper whitelist_messages queuefile='example.msg'

To add an email account to Exim ignore list, use:

uapi --output=jsonpretty --user=username BoxTrapper ignore_messages email='user@example.com' queuefile='example.msg'

How To Configure BoxTrapper Behavior

By default, BoxTrapper automatically responds to emails with messages that the system builds from the following templates:

• verify — BoxTrapper responds with this message when an address that does not exist on the whitelist or blacklist sends an email. This message requests a response to confirm that the sender is legitimate.
• verifyreleased — BoxTrapper responds with this message when a person responds to the verify message with an email or a click on the verification link.
• returnverify — BoxTrapper responds with this message when the verification process fails.
• blacklist — BoxTrapper responds with this message when a blacklisted address sends an email.

Edit BoxTrapper confirmation messages

You can edit these to customize them to your liking.

Click Edit to customize the verification and blacklist message templates.

These templates use the following variables:

• %email% — The sender’s email address.
• %fromname% — The recipient’s name.
• %subject% — The subject of the sender’s email.
• %acct% — The recipient’s username.
• %msgid% — The message ID of the sender’s email.
• %headers% — The heading information of the sender’s email.
• %if can_verify_web% and %endif% — These tags enclose a section that allows BoxTrapper to verify senders through a web link.

Warning: Do not alter verify#%msgid% in the subject line of the verify message template. BoxTrapper requires that specific code to function properly.

To restore the default message templates, click Reset to Default.

Editing BoxTrapper whitelists, blacklists, and ignore lists

To edit lists, perform the following steps:

1. Click Edit White/Black/Ignore lists.
2. Select the list that you want to modify.
3. Enter any messages, subjects, or email addresses for which you wish to filter.
4. Click Save.

BoxTrapper Lists

The system compares every new message that you receive against the following three lists:

• Whitelist — The system delivers messages directly to your inbox.
• Ignore list — The system deletes messages without notification.
• Blacklist — The system deletes messages, and the sender receives a reply that indicates that the system blocked the message.

Forwarding BoxTrapper List

Click Forward List to update the account’s forward list. Enter email addresses that you wish to add to the forward list, and click Save. The system will automatically forward whitelisted emails to these addresses.

Reviewing BoxTrapper Log

The system organizes this log by day and displays any activity for an email address that uses BoxTrapper. Use this log, for example, to isolate problems with email delivery.

How To Review BoxTrapper Queue

Click Review Queue to view any unverified BoxTrapper mail.

To deliver or delete emails, perform the following steps:

1. Select the checkbox for the desired day.
2. Select Delete or Whitelist and Deliver.
3. Click Submit.

To see the contents of a message, perform the following steps:

1. Click the email's sender, subject, or date to see the entire message, headers, and more delivery options. For example, you can ignore or blacklist a sender.
2. Select the option for which you wish to filter.
3. Click Go.

How To Use Roundcube AI To Manage Spam

Roundcube 1.5 came with a tool that can help you manage the spam messages you receive.

For each email account you create, the system creates both the Junk and spam system directories.

Roundcube uses the spam system directory for spam messages.

But displays them in the Junk folder with the flame icon ().

To locate the Junk/Not Junk button, look at the upper-right section of the top menu bar and train SpamAssassin™ to recognize spam and ham.

You can use these to train the system to recognize spam.

When you select a message in a non-Junk folder to mark as spam, the Junk button () becomes active.

When you select a message in the Junk folder to mark as ham, the Not Junk button () becomes active.

To mark a message as spam, select the message in any folder other than the Junk folder. Click Junk to mark the message as spam and move it to the Junk folder.

To mark a message as no-spam, select the message in the Junk folder. Click Not Junk to mark the message as ham and move it out of the Junk folder.

By regularly reviewing your spam folder and marking any false positives or missed spam emails, you help train the spam filters to improve their accuracy over time.

Another option would be limiting the places you use your true email address.

For example, you can avoid displaying your email address publicly on websites or forums, as this can attract spam.

Instead, use contact forms or alternate methods of communication to prevent email harvesting by spammers.

How To Use Plus (+) Addressing

You can use plus addressing to track potential email abuse easily.

How To Use External Anti-Spam Solutions To Fight Spam

One of the easiest ways to say goodbye to spam, virus, and malware threats is to integrate external anti-spam solutions, such as third-party email filtering services at https://dashboard.webhostingmagic.com/store/email-security-services

You can also use OX App Suite at https://dashboard.webhostingmagic.com/store/professional-email to keep your inbox safe from spam, viruses, malware, and phishing attacks.

These services give our cPanel users one-click access to a wide range of anti-spam solutions that don't require configurations that potentially can impact your email delivery.

If you want a simpler way to fight spam, we recommend that you go with either of these options.

To create custom, secure, ad-free addresses with 99.9% guaranteed uptime for your business, take a look at our Email Hosting plans.

We'll help you get it configured and protected to the specifications you need.