On this page
Troubleshooting outbound email delivery problems (bounces, rejections & blacklists)
If your outbound email is bouncing or landing in spam, there is almost always a clear reason - this guide walks you through how to find and fix it.
If your outbound email is bouncing, being rejected by the recipient's server, or landing in spam, there is almost always a clear reason in the error message or your account settings. This guide walks you through the most common causes and how to fix them.
Step 1: read the bounce or rejection message
Every delivery failure generates a Non-Delivery Report (NDR), sometimes called a bounce message. This is an automated reply that lands in the sender's inbox and contains the information you need to diagnose the problem.
You can also find delivery information inside cPanel:
- Log in to cPanel.
- Go to Email and click Track Delivery.
- Search by sender address, recipient address, or time range to find the message in question.
When you find the bounce, look for three things:
- The SMTP error code - a three-digit number such as 550, 421, or 554. Our article on types of email bounces explains what each code means.
- The reason string - a plain-English explanation from the rejecting server, such as "SPF check failed" or "Message rejected due to: IP policy".
- Any blocklist or policy reference - the rejecting server may name a specific blocklist or link to a lookup tool.
The error code and reason string tell you which section of this guide to follow next.
Step 2: check and fix SPF and DKIM
Authentication failures are the most common cause of outbound rejections. SPF and DKIM records prove to receiving mail servers that your domain is authorised to send the message. If either is missing or incorrect, many servers will reject your mail outright or send it to spam.
The good news is that cPanel builds and maintains the correct records for you, so for most people this is a one-click check:
- Log in to cPanel.
- Go to Email and click Email Deliverability.
- Select your domain from the list.
- cPanel shows whether your SPF and DKIM records are valid. If it detects a problem, click Repair to apply the correct records automatically.
This sets up everything needed for mail sent through your hosting account, including the correct SPF entry that routes your outbound mail through our filtering gateway. You do not need to write these records by hand.
We enable DKIM signing at the server level. If the Email Deliverability tool shows a DKIM problem that the Repair button does not resolve, contact our support team and we will investigate at the server level.
Do other services send email as your domain?
This is the most commonly missed cause of authentication failures. Your SPF record must list every service that sends email on behalf of your domain - not just your hosting. The Email Deliverability tool covers your hosting account, but it cannot know about external senders. Think about whether any of these apply to you:
- A newsletter or email marketing platform (Mailchimp, MailMachine, and similar).
- A CRM, helpdesk, or invoicing system that emails your customers as you.
- Microsoft 365 or Google Workspace, if some or all of your mailboxes live there rather than on your hosting.
- An application or website using its own SMTP provider. A WordPress site that sends through the server is already covered, but the moment you install an SMTP plugin pointing at an external service such as SendGrid, Mailgun, or a Gmail account, that service becomes a new sender that must be added to your SPF record - otherwise its mail will fail authentication.
For each external sender, find the SPF include value in that service's documentation and add it to your existing record using the Zone Editor in cPanel.
Always edit the record you already have rather than copying one from this article - a domain can have only one SPF record, so you extend it rather than create a second. Your existing record will look something like the example below (here 203.0.113.10 stands in for your own server's IP, which the Email Deliverability tool added for you).
v=spf1 +a +mx +ip4:203.0.113.10 +include:spf.filteredmx.net ~all
To authorise an additional newsletter platform, you would add its include before the ~all at the end:
v=spf1 +a +mx +ip4:203.0.113.10 +include:spf.filteredmx.net include:servicename.example.com ~all
Leave the ~all at the very end exactly as it is. It tells receiving servers how to treat mail that does not match your record, and changing it can cause legitimate mail to be rejected - our companion guide on understanding SPF records explains why.
Never remove the +include:spf.filteredmx.net entry or the +ip4 entry that the Email Deliverability tool added. These authorise your own hosting to send mail - delete them and your normal outbound email will start failing authentication.
After any DNS change, allow a little time before testing again. Our SPF records use a four-hour TTL, so a change can take up to a few hours to take full effect.
Step 3: verify your mail routing is set to Local
Each domain on your cPanel account has a mail routing setting that tells the server where to deliver mail. If this is set to Remote instead of Local, outbound mail from your account may fail to route correctly, because the server believes your mailboxes live elsewhere.
This setting can flip to Remote if your domain's MX records temporarily pointed to an external provider - for example during a migration - and were not switched back afterwards.
- Log in to cPanel.
- Go to Email and click Email Routing.
- Select your domain from the drop-down if you have more than one.
- If the setting is Remote Mail Exchanger and your mailboxes are hosted with us, change it to Local Mail Exchanger and click Change.
If your mailboxes genuinely live with an external provider such as Google Workspace or Microsoft 365, this setting should stay on Remote. Only change it to Local if your mailboxes are hosted on your Kualo account.
If you have multiple domains, check this setting for each one individually - addon domains each have their own routing configuration. Our article on configuring email routing in cPanel covers this in more detail.
Step 4: check whether you are being blocked by a blocklist
Blocklists (also called blacklists or DNSBLs) are databases that receiving mail servers query to decide whether to accept a message. There are two distinct situations, and they are handled very differently.
The server IP is listed - this is our job
On shared and reseller hosting, your mail is sent from a shared server IP, and your outbound mail is routed through our filtering gateway specifically to keep that IP's sending reputation clean. That keeps listings rare, but no system is completely foolproof.
If a bounce message references the server's IP address being on a blocklist, this is something we handle, not you. Contact our support team with the full bounce message and we will check the IP and submit any delisting request needed.
The domain itself is listed
Less commonly, a blocklist may list a sending domain rather than an IP, usually after a period of spam being sent from it. To check your domain:
- Visit a reputable lookup tool such as MXToolbox.
- Enter your sending domain and run the check.
- If it appears on a list, follow that list's own delisting process, linked from its results.
Before requesting delisting, fix the underlying cause first - for example a compromised mailbox or a spam-sending script - or the domain will simply be listed again.
Step 5: reduce the chance of landing in spam
Even a delivered message can be filtered to the junk folder. What happens inside someone else's spam filter is outside anyone's direct control, but several things improve your odds.
Add a DMARC record
DMARC builds on SPF and DKIM by telling receiving servers what to do when authentication fails, and many modern mail systems now look for it. A basic monitoring-only record looks like this:
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none;"
The p=none policy takes no action on failures - it is a safe starting point that simply signals you have DMARC in place. You can add this with the Zone Editor in cPanel.
DMARC can also send you reports on who is sending mail as your domain, but these arrive as raw XML that is difficult to read by hand. If you want to make use of them, a dedicated DMARC reporting service is a far better option than sending the reports to your own inbox.
Do not auto-forward your mail to Gmail, Outlook, or other large providers
Automatically forwarding your mail to an external mailbox is one of the most common self-inflicted causes of deliverability problems. When spam sent to your address is forwarded onward, the receiving provider sees your server relaying that spam, which harms your sending reputation. How much harm depends on your platform's inbound filtering, so this is worth understanding before you set up any forwarding.
Review your content and sending practices
- Avoid spam-trigger patterns - excessive capitals, phrases like "FREE!!!", or emails that are one large image with little text.
- Keep your sending volume consistent. A sudden spike in outbound volume from a shared account is a common spam signal.
- If you email a list, always include a clear, working unsubscribe link.
Use a dedicated sending service for bulk mail
Shared hosting mail is designed for transactional and personal email, not bulk campaigns. If you send newsletters or marketing email, use a dedicated platform such as MailMachine, Mailchimp, or similar. These maintain their own sending reputation, handle bounces, and manage unsubscribes for you.
When to contact our support team
Some delivery problems are at the server or IP level and cannot be resolved from within your cPanel account. Contact our support team if:
- The bounce message references the server's IP address being on a blocklist.
- The Email Deliverability tool shows a DKIM problem the Repair button does not fix.
- You have worked through the steps above and messages are still being rejected.
When you raise a ticket, include the full bounce message with all headers so we can identify the rejecting server and the exact reason for the failure. You can raise a support ticket through MyKualo at any time.