Back to tutorials
Tutorial

cPanel SMTP Relay Setup Tutorial (2026): Route Outbound Mail Through a Smart Host for Better Deliverability

cPanel SMTP relay setup tutorial (2026): configure a smart host, secure auth, and verify headers to improve outbound deliverability.

By Anurag Singh
Updated on Jul 06, 2026
Category: Tutorial
Share article
cPanel SMTP Relay Setup Tutorial (2026): Route Outbound Mail Through a Smart Host for Better Deliverability

Outbound email is often the first thing shared hosting gets judged on—and punished for. One compromised contact form, a “noisy” tenant, or a fresh IP range can trigger throttling or straight-to-spam delivery.

This cPanel SMTP relay setup tutorial shows how to route outbound mail from cPanel/WHM through a smart host (SMTP relay). Your web server stays focused on hosting. The mail provider handles reputation, feedback loops, and rate limits.

The goal is simple. Keep local delivery working, but send remote mail through an authenticated relay with consistent headers. You’ll confirm the change using logs, message headers, and queue behavior. Then you’ll add guardrails so webmail, contact forms, and transactional mail keep working.

What you’ll build (and what you won’t)

  • Build: WHM configuration to use a smart host for outbound delivery, with TLS where possible and authenticated SMTP.
  • Keep: Local mailbox delivery for cPanel accounts (Dovecot/IMAP) and inbound mail (MX) if you still receive mail on this server.
  • Verify: Real log entries, header changes, and deliverability basics (SPF alignment and DKIM behavior).
  • Not covered: Running a full dedicated mail stack from scratch. For that, you’ll want separate mail infrastructure and long-term reputation work.

Prerequisites checklist (10 minutes)

Before you touch WHM, collect these details from your SMTP relay provider (smart host):

  • Relay hostname (example: smtp.relayprovider.tld)
  • Port (587 with STARTTLS is common; sometimes 465 for SMTPS)
  • Authentication type (usually username/password)
  • Allowed “From” domains (some providers require domain verification)
  • Any IP allowlisting requirements (some relays prefer you to add the server IP)

On the server side, confirm you have:

  • WHM root access
  • Working DNS control for your domains (SPF record updates)
  • A rollback plan (you’ll capture current settings first)

If mail is already flaky, fix basic connectivity first. A blocked port 587, broken DNS resolver, or firewall rules can look like “spam problems” from the outside.

Use HostMyCode’s firewall troubleshooting tutorial as a baseline.

Step 1: Confirm what’s sending mail (and from where)

On many cPanel servers, most outbound volume comes from PHP scripts and CMS plugins. Before you route anything through a relay, identify the main senders.

Otherwise, you can hide an abuse problem and pay for it twice.

Quick queue snapshot

exim -bpc
exim -bp | head -n 30

Find the authenticated user or script path (common cPanel patterns)

On many cPanel servers, Exim logs live at:

  • /var/log/exim_mainlog
  • /var/log/exim_rejectlog
grep -E "cwd=|A=|U=|authenticated_id=" /var/log/exim_mainlog | tail -n 50

If you spot bursts (hundreds per minute), unfamiliar paths, or accounts you don’t recognize, stop and clean up first. Relaying spam through a paid provider can get your relay account suspended fast.

If you need a cleanup runbook, use the cPanel malware scan tutorial.

Step 2: Take a safe “before” backup of your mail config

cPanel updates can regenerate parts of Exim configuration. Copy the current files now. That keeps rollback straightforward.

mkdir -p /root/mail-relay-backup
cp -a /etc/exim.conf /root/mail-relay-backup/ 2>/dev/null || true
cp -a /var/cpanel/templates /root/mail-relay-backup/templates-$(date +%F) 2>/dev/null || true
cp -a /etc/mail /root/mail-relay-backup/etc-mail-$(date +%F) 2>/dev/null || true

If you’re on a VPS and you can snapshot, take one. It’s the quickest escape hatch if a change goes sideways.

HostMyCode customers on HostMyCode VPS often combine snapshots with offsite backups.

Pair that with a restore test using the VPS backup verification tutorial.

Step 3: Set the smart host in WHM (the clean way)

The most maintainable approach is to use WHM’s built-in Exim settings. Labels can vary slightly by cPanel build, but the path is consistent.

  1. Log in to WHM as root.
  2. Go to Service ConfigurationExim Configuration Manager.
  3. Open the Basic Editor.
  4. Find Smarthost support (or “Send mail through a smarthost”). Enable it.
  5. Set the Smarthost value to your relay host, usually with port, for example:
    smtp.relayprovider.tld::587

Port format notes: Many cPanel/Exim builds use a double-colon port format. If your UI shows a different format, follow the hint text.

After saving, confirm behavior with logs rather than assumptions.

Choose “route all domains” vs “selected domains”

If the server hosts multiple sites, you may not want to relay everything. Some providers reject mail from unverified domains.

That can turn a “deliverability improvement” into a support queue.

  • Route all outbound mail through relay: simplest, but can break edge cases (some providers reject unverified domains).
  • Route only specific sender domains: safer for multi-tenant hosting and resellers.

On reseller-style servers, start with only the domains you control. It’s usually the lowest-risk approach.

Step 4: Add SMTP authentication for the relay

Most relays require AUTH. In WHM, you’ll typically see fields like:

  • Smarthost username
  • Smarthost password
  • Use TLS / Require TLS

Use the credentials from your relay provider. If the “password” is an API key, treat it like production credentials.

Limit access and don’t paste it into random notes.

Force TLS where it’s realistic

If your relay supports STARTTLS on 587, enable TLS. If you force TLS and the relay can’t negotiate correctly, mail will fail.

That’s why you test immediately afterward.

If you run into TLS negotiation issues, don’t leave encryption off as a “fix.” Find the real cause. Common causes include a bad CA bundle, an SNI mismatch, or the wrong port.

The step-by-step checks in SMTP TLS troubleshooting tutorial cover the usual culprits.

Step 5: Rebuild and restart Exim cleanly

After saving changes in Exim Configuration Manager, cPanel usually rebuilds the config and prompts for a restart. If you need to do it yourself:

/scripts/buildeximconf
/scripts/restartsrv_exim

Then confirm Exim is up and behaving normally:

systemctl status exim --no-pager
exim -bV | head

Step 6: Send a controlled test message and read the logs

Start with a low-risk test address you control (Gmail/Outlook is fine). Send from one hosted domain.

Don’t blast a production newsletter as your first test.

Send a test from the command line

echo -e "Subject: relay test\n\nThis is a relay test." | /usr/sbin/sendmail -v you@example.net

Watch Exim logs while you send

tail -f /var/log/exim_mainlog

You want proof that Exim handed the message to the relay. Common signs include:

  • A transport showing a remote SMTP handoff to your smart host
  • AUTH success (depending on logging level)
  • TLS negotiation lines (if enabled)

Verify headers at the receiving mailbox

Open the received message headers and check:

  • Return-Path aligns with your domain policy
  • Received: chain includes the relay provider (expected)
  • DKIM: either your domain’s DKIM signature survives, or the relay rewrites it (some do)

If you enforce DMARC strictly, alignment is not optional. If you’re unsure what “good” looks like, follow the domain-level steps in Email authentication setup tutorial (SPF/DKIM/DMARC).

Then re-test with fresh headers.

Step 7: Update SPF so the relay is allowed to send for your domain

SPF is the detail that bites later. If your SPF record doesn’t include the relay, receivers can score your mail poorly.

You can also fail DMARC, depending on how the relay handles Return-Path and signing.

Find your current SPF record

dig +short TXT yourdomain.tld | tr '"' ' ' | sed 's/  */ /g' | head

A typical SPF record starts with v=spf1. Add whatever your relay provider documents. That’s often an include: mechanism.

Example SPF update

Before:

v=spf1 a mx ip4:203.0.113.10 -all

After (example):

v=spf1 a mx ip4:203.0.113.10 include:spf.relayprovider.tld -all

Rules that prevent self-inflicted outages:

  • Keep one SPF record per domain. Multiple records cause SPF permerror.
  • Watch the 10 DNS lookup limit (includes, mx, a, redirects). Too many lookups can cause SPF failures.
  • If you use both the server IP and a relay, keep both allowed until you fully cut over.

Step 8: Decide what happens to webmail and “Send mail from PHP”

Most hosting setups have three outbound paths. They should behave consistently:

  • PHP mail() / CMS forms (WordPress contact forms)
  • SMTP-authenticated users (mail clients using IMAP/SMTP)
  • Webmail (Roundcube/Horde if enabled)

Relaying at the Exim level typically affects all outbound mail. That’s fine until someone sends from a domain that isn’t verified with your relay provider.

It can also fail if the provider enforces stricter policies than your server did.

Practical approach for multi-tenant cPanel servers

  • Start by relaying only your own business domains (if WHM supports per-domain routing).
  • If you must relay everything, pick a relay provider that supports multi-domain verification and clear policy controls.
  • Limit abuse at the account level (rate limits, SMTP restrictions, and malware scanning).

Step 9: Add guardrails: rate limits, abuse signals, and queue visibility

A relay doesn’t stop spam. It changes where you see it.

Add monitoring so you catch abuse and delivery issues early. That helps before the queue explodes or the relay account gets flagged.

Queue health checks

  • Queue count: exim -bpc
  • Oldest message age: exim -bp | head (look at timestamps)
  • Top sender domains in logs (simple grep sampling)

Basic alerting idea (cron + threshold)

#!/bin/bash
# /usr/local/sbin/check-exim-queue
THRESHOLD=500
COUNT=$(exim -bpc)
if [ "$COUNT" -gt "$THRESHOLD" ]; then
  echo "Exim queue high: $COUNT" | mail -s "ALERT: Exim queue" admin@yourdomain.tld
fi

If you need to work through backlogs without making deliverability worse, use the runbook in Mail queue troubleshooting tutorial as a model.

The diagnostic approach is still useful even if you’re running Exim.

Step 10: Common failure modes (and fast fixes)

Mail sends, but the relay rejects “From” domain

  • Cause: Relay requires domain verification or enforces strict alignment.
  • Fix: Verify the domain in the relay dashboard, then re-test. If you host many customer domains, don’t force a global relay without a process.

Everything stops after enabling “Require TLS”

  • Cause: Wrong port, blocked port, or TLS negotiation/cert chain issue.
  • Fix: Test connectivity: openssl s_client -starttls smtp -connect smtp.relayprovider.tld:587. Then use the SMTP TLS troubleshooting tutorial steps.

Some messages still go direct from the server IP

  • Cause: Not all transports are relayed (domain routing rules, local domains, or custom Exim config).
  • Fix: Confirm the WHM smart host settings apply globally, then search logs for a sample message ID to see the transport used.

Web forms work, but customer mail clients fail

  • Cause: Users sending via SMTP auth may be routed differently than PHP/Exim system mail, depending on your configuration and policies.
  • Fix: Decide on a supported workflow: either clients use the relay (submission) or use local SMTP with proper authentication. Document it for customers.

Step 11: Keep routing changes safe during migrations

Relays also help during server moves. They reduce the “new IP, new reputation” shock.

If you’re migrating accounts between WHM servers, use a predictable order:

  1. Set up relay on the new server first (but don’t cut DNS yet).
  2. Migrate accounts.
  3. Cut DNS for websites/mail as planned.
  4. Watch mail logs and relay stats for 24–48 hours.

If you’re doing a WHM-to-WHM move, follow the process in cPanel Transfer Tool tutorial.

It pairs well with relay-based outbound mail because your sending path stays consistent while the server IP changes.

Operational checklist (print this)

  • Collected relay host/port/auth details
  • Backed up current Exim/cPanel template settings
  • Enabled smart host in WHM and entered correct port format
  • Enabled TLS (tested with openssl)
  • Sent test mail and confirmed relay in logs
  • Updated SPF to include relay provider
  • Validated headers (Return-Path, DKIM results, Received chain)
  • Set queue alert threshold and checked for abusive senders
  • Documented supported customer sending method (webmail/client SMTP)

Where HostMyCode fits (and why it matters)

SMTP relaying goes smoothly when the server underneath is boring—in a good way. You want consistent outbound connectivity, reliable DNS resolution, and enough CPU/disk headroom.

That keeps Exim from fighting PHP and I/O spikes.

For cPanel workloads, a properly sized VPS with clean networking makes mail routing changes easier to manage and troubleshoot. If you’re rebuilding or migrating, managed VPS hosting from HostMyCode is a practical option.

It helps when you want support with WHM service health, security baselines, and safer change windows—not just a box with root access.

If you’re relaying outbound mail because your current server IP reputation is unreliable, consider moving the sites to a clean, well-sized VPS and keeping the relay as your deliverability layer. HostMyCode offers HostMyCode VPS plans for cPanel-style hosting and managed VPS hosting if you want hands-on help with mail routing, DNS, and hardening.

FAQ: cPanel smart host outbound mail

Will an SMTP relay fix spam if an account is compromised?

No. A relay can reduce IP reputation damage, but you’ll still send spam—just through someone else’s infrastructure. Clean the source first and add account-level controls.

Do I need to change MX records to use a relay?

Not for outbound-only relaying. MX records control inbound mail. You can keep inbound local (or remote) and still route outbound via a smart host.

Can I relay only one domain on a server with many cPanel accounts?

Often yes, depending on your WHM/Exim routing options and any custom transport rules. If your relay provider requires domain verification, per-domain routing is usually the safer choice.

What’s the minimum DNS change I should make after switching to a relay?

Update SPF to include the relay provider. Then verify your DKIM/DMARC behavior with real message headers and your provider’s guidance.

How do I roll back quickly if mail stops sending?

Disable smart host in WHM and restart Exim. If you made template changes, restore your backup copy under /root/mail-relay-backup/, rebuild Exim config, and re-test.

Summary

A smart host is a practical way to stabilize outbound mail from a cPanel server in 2026. This is especially true on multi-tenant hosting, where one account can sink an IP.

Set the relay in WHM, enable TLS, update SPF, and verify everything with logs and headers. Keep monitoring in place so the relay doesn’t hide abuse.

If you want a cleaner base for cPanel sites and predictable outbound connectivity for relays, start with a stable server platform. HostMyCode’s VPS hosting gives you the control to tune mail flow properly.

You can pair it with structured migrations and change management as your hosting footprint grows.