When you enable SPF either globally or on an indvidual cPanel account the default record uses a soft fail switch (~all) and this is not the best setting for prevent spam being sent from or on behalf of your server.
cPanel offers no options in WHM to change this default action, but there is a well known workaround which does seem to have official support and that is to alter the 'standard' Zone template.
If you do not know the syntax this will become a difficult thing to set up. So to make things easier below you will see the 'standard' Zone Template taken from cPanel v82.0.9 with the correct line added at the bottom for a 'Hard Fail' SPF record.
; cPanel %cpversion% ; Zone file for %domain% $TTL %ttl% @ %nsttl% IN SOA %nameserver%. %rpemail%. ( %serial% ; serial, todays date+todays 3600 ; refresh, seconds 1800 ; retry, seconds 1209600 ; expire, seconds 86400 ) ; minimum, seconds %domain%. %nsttl% IN NS %nameserver%. %domain%. %nsttl% IN NS %nameserver2%. %domain%. %nsttl% IN NS %nameserver3%. %domain%. %nsttl% IN NS %nameserver4%. %nameserverentry%. IN A %nameservera% %nameserverentry2%. IN A %nameservera2% %nameserverentry3%. IN A %nameservera3% %nameserverentry4%. IN A %nameservera4% %domain%. IN A %ip% %domain%. IN AAAA %ipv6% %domain%. IN MX 0 %domain%. mail IN CNAME %domain%. www IN CNAME %domain%. ftp IN CNAME %domain%. %domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:%ip% -all"
This will generate a SPF record as follows:
v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx -all
Other Examples
%domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx +include:relaydns.com -all" %domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:xxx.xxx.xxx.xxx +include:%domain% -all" %domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:%ip% +include:%domain% -all" %domain%. %ttl% IN TXT "v=spf1 +a +mx +ip4:%ip% -all"
NB: Replace xxx.xxx.xxx.xxx with a real IPv4 IP
Notes