--- title: "A Complete Guide to Configuring Cloudflare DMARC, SPF & DKIM | AutoSPF" description: "Learn how to configure Cloudflare DMARC, SPF, and DKIM records to strengthen email authentication, prevent spoofing, and improve email deliverability." image: "https://autospf.com/og/blog/a-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim.png" canonical: "https://autospf.com/blog/a-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim/" --- Quick Answer To configure Cloudflare DMARC, SPF, and DKIM, add the correct DNS records in your Cloudflare dashboard. These email authentication protocols help prevent spoofing, improve deliverability, and protect your domain from phishing and unauthorized email use. ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fa-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=A%20Complete%20Guide%20to%20Configuring%20Cloudflare%20DMARC%2C%20SPF%20%26%20DKIM&url=https%3A%2F%2Fautospf.com%2Fblog%2Fa-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fa-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fa-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim%2F&title=A%20Complete%20Guide%20to%20Configuring%20Cloudflare%20DMARC%2C%20SPF%20%26%20DKIM "Share on Reddit") [ ](mailto:?subject=A%20Complete%20Guide%20to%20Configuring%20Cloudflare%20DMARC%2C%20SPF%20%26%20DKIM&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fa-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim%2F "Share via Email") ![Configuring Cloudflare DMARC](https://media.mailhop.org/autospf/spf-record-checker-5228-1781520687399.jpg) Domains managed in Cloudflare are often protected at the network and application layers, but email security requires its own set of security records. DMARC, SPF, and DKIM are the core email authentication methods that help receiving mail systems decide whether a message claiming to come from your domain is legitimate. Together, they reduce spoofing, brand impersonation, and the likelihood that attackers can use your domain in a [phishing attack](https://autospf.com/blog/what-is-executive-phishing-attack-how-to-prevent-it-now/). SPF, or Sender Policy Framework, tells receiving mail systems which email server or third-party service is allowed to send mail for your domain. DKIM, or DomainKeys Identified Mail, adds a [cryptographic signature](https://chainscorelabs.com/glossary/metaverse-standards-and-virtual-assets/content-provenance-and-licensing/cryptographic-signature) to messages so the receiver can verify that the message was not altered and that it was authorized by the sending domain. DMARC, short for Domain-based Message Authentication Reporting and Conformance, builds on SPF checks and DKIM checks by defining what should happen when **message authentication fails**. For a domain administrator using Cloudflare DNS, these controls are published as DNS TXT record entries. A properly configured SPF record, DKIM record, and DMARC record improve email delivery while giving mailbox providers a clear machine-readable command about how to handle unauthorized sender activity. A DMARC policy can start in monitoring mode with a none policy, then move toward quarantine or reject as confidence improves. ![The Email Security Triad](https://media.mailhop.org/autospf/spf-record-syntax-8294-1781520822194.jpg) _Cloudflare DMARC Management and the Email Security DNS Wizard can simplify record setup by helping identify missing or misconfigured email authentication records_. The **Cloudflare DMARC Management** docs in Cloudflare Docs are especially useful for understanding policy enforcement, reporting, and domain-specific policies across larger environments. ## Preparing Your Cloudflare DNS Zone for Email Authentication Setup Before publishing any DNS TXT record in Cloudflare DNS, inventory every authorized sender that sends mail on behalf of your domain. This includes your primary email server, [marketing platform](https://www.indeed.com/career-advice/career-development/what-is-a-marketing-platform), CRM, billing system, support desk, and any third-party service that sends messages such as password resets, invoices, or newsletters. If you miss a legitimate provider, SPF checks or DKIM checks may fail and affect email delivery. For example, if example.com uses [Google Workspace](https://nethunt.com/blog/what-is-google-workspace/), a transactional email platform and a help desk tool, each service must be accounted for in the Sender Policy Framework configuration and DKIM setup. The domain administrator should confirm the exact [DNS record](https://www.ibm.com/think/topics/dns-records) values supplied by each provider, because **DKIM selectors and SPF include** mechanisms that vary by vendor. In Cloudflare DNS, email authentication records are usually added as TXT records. SPF is normally published at the root domain, while DKIM is commonly published at a selector-based hostname such as `selector1._domainkey.example.com`. A DMARC record is published at `_dmarc.example.com`. ### Audit Existing DNS and Security Records Start by reviewing existing DNS entries in Cloudflare DNS. Look for duplicate SPF records, outdated DKIM selectors, or a previous DMARC record that no longer reflects your current [email security](https://autospf.com/) strategy. A domain should have only one SPF DNS TXT record at the same hostname; multiple SPF records can cause **SPF validation errors**. Also, check whether old services are still listed as authorized sender sources. _If a provider is no longer used, remove it from the Sender Policy Framework record to reduce exposure_. This minimizes the chance that an unauthorized sender or compromised third-party service can exploit legacy permissions. ![Pre-Setup Readiness Checklist](https://media.mailhop.org/autospf/spf-tester-7335-1781521038494.jpg) Cloudflare resources such as the Help Center, Community forum, Cloudflare blog, Cloudflare API, System Status page, and Cloudflare Docs can help teams manage DNS at scale. Broader Cloudflare ecosystem references—including Cloudflare One, Cloudflare Radar, Cloudflare Labs, Certificate Transparency, Cloudflare Research, GitHub, Sponsorships, Open Source, Privacy Policy, GDPR, and Compliance materials—may also **support internal governance** and [compliance workflows](https://www.hyperbots.com/glossary/compliance-workflow). ## How to Configure SPF and DKIM Records in Cloudflare SPF configuration begins with identifying all legitimate sending sources. In Cloudflare DNS, create or edit a DNS TXT record at the root of the domain. A basic SPF record might look like this: `v=spf1 include:_spf.google.com include:sendgrid.net -all` This Sender Policy Framework example authorizes Google and SendGrid to send mail for the domain. The `-all` mechanism indicates a **stricter failure posture** than `~all`, but you should only use it once you are confident all authorized sender sources are included. During early deployment, some teams use a softer mechanism while monitoring SPF checks and [email delivery](https://autospf.com/generative-ai-and-phishing-threats/spf-record-generator/). DKIM configuration depends on your email provider. DomainKeys Identified Mail uses public-private key cryptography: the sending platform signs outbound messages with a private key, and the [public key](https://www.coursera.org/in/articles/public-key) is published in Cloudflare DNS as a DNS TXT record. A DKIM DNS TXT record may resemble:`Name: _dmarc Type: TXT Value: v=DMARC1; p=none; rua=mailto:third-party-example@example.com; adkim=r; aspf=r`When a recipient receives the message, DKIM **checks verify the signature** using the public key. If DomainKeys Identified Mail passes, the receiver has stronger confidence that the message was authorized and not modified in transit. ### Use the Email Security DNS Wizard Cloudflare’s Email Security DNS Wizard can help identify whether SPF, DKIM, and DMARC are present for a domain in Cloudflare DNS. _It is especially helpful for teams that are new to email authentication or managing many zones_. The wizard can surface missing security records, malformed DNS TXT record values, or gaps in message authentication. ![DMARC Policy Progression](https://media.mailhop.org/autospf/spf-record-example-5293-1781520964004.jpg) Cloudflare DMARC Management can then provide visibility into how your DMARC policy is performing. While the Email Security DNS Wizard helps with record setup, DMARC Management is useful for ongoing monitoring, **policy failure analysis**, and reporting. ## How to Create and Publish a DMARC Record in Cloudflare A DMARC record is a DNS TXT record published at the `_dmarc hostname`. DMARC aligns SPF and DKIM results with the visible From domain, then applies a domain-based policy. Under RFC 7489, the receiving mail system evaluates whether SPF or DKIM passes and whether the authenticated identifier aligns with the From domain. A starter DMARC record for example.com might look like this:`Name: _dmarc Type: TXT Value: v=DMARC1; p=none; rua=mailto:third-party-example@example.com; adkim=r; aspf=r`In this example, the DMARC policy is a none policy, meaning receivers should not quarantine or reject messages solely because of DMARC failure. The rua tag specifies the aggregate report destination for DMARC reporting. This lets the **domain administrator review** which services are passing or failing SPF, DKIM, and DMARC. The adkim and aspf policy attributes define alignment mode. Relaxed alignment allows subdomains to align with the organizational domain, while strict alignment requires an exact domain match. For many organizations, relaxed alignment is easier during early deployment; strict alignment may be preferable for high-security domains with tightly controlled senders. ### Move from Monitoring to Enforcement After reviewing **DMARC Management reports**, you can strengthen the DMARC policy. A typical progression is:`p=none p=quarantine p=reject`A quarantine policy tells receivers to place failing mail into spam or another [suspicious-mail](https://www.newstimes.com/news/article/danbury-plumtrees-army-recruiting-mail-hazmat-22073074.php) area. A reject policy instructs receivers to **reject failing mail** during SMTP evaluation when supported. This policy enforcement process is central to reducing phishing, spoofing, and [brand impersonation](https://www.cybersecuritydive.com/news/ai-executive-impersonation-outtake-survey/822235/). For example: ``` v=DMARC1; p=quarantine; rua=mailto:third-party-example@example.com; adkim=s; aspf=s ``` This DMARC record uses quarantine and strict alignment for both DomainKeys Identified Mail and Sender Policy Framework alignment. _Before moving to reject, verify that every authorized sender passes SPF checks or DKIM checks and aligns with the visible From domain_. Cloudflare DMARC Management, Cloudflare DMARC Management docs, and Cloudflare Docs can help interpret report data and **fine-tune domain-specific policies**. For larger organizations, DMARC Management also supports a more structured approach to policy enforcement and email inbox protection. ![Optimizing Email Security: The Cloudflare DMARC Setup Guide](https://media.mailhop.org/autospf/spf-flattening-7589-1781521346446.jpg) ## Testing, Monitoring, and Troubleshooting Cloudflare DMARC, SPF, and DKIM Once records are published in Cloudflare DNS, allow time for [DNS propagation](https://www.digicert.com/faq/dns/what-is-dns-propagation). Then test SPF, DKIM, and the DMARC record by sending mail to major mailbox providers and inspecting message headers. Look for SPF pass, DKIM pass, and DMARC pass results. If message authentication fails, determine whether the problem is authorization, alignment, or record syntax. Common issues include: - Multiple SPF DNS TXT record entries at the same hostname - Missing third-party service includes in the Sender Policy Framework record - Incorrect DKIM selector names for DomainKeys Identified Mail - Broken public keys caused by copied line breaks or **extra quotation marks** - DMARC record syntax errors, especially malformed rua tag values - A DMARC policy that is too strict before all senders are authenticated Cloudflare DMARC Management is valuable because aggregate reporting reveals which [email server](https://www.mailgenius.com/what-is-email-server/) or platform is sending on behalf of your domain. If a source appears legitimate but fails SPF or DKIM, update the [DNS TXT record](https://www.cloudflare.com/learning/dns/dns-records/dns-txt-record/) or enable DKIM in the vendor’s admin console. If a source is unknown, treat it as a potential unauthorized sender and investigate before allowing it. _When troubleshooting email delivery, remember that DMARC requires either SPF or DKIM to pass and align_. SPF can fail when messages are forwarded, while DKIM often survives forwarding if the message body and signed headers are not changed. This is why enabling both **SPF and DKIM provides stronger** email authentication than relying on one method alone. For operational monitoring, review DMARC Management data regularly, especially after adding a new third-party service, changing email infrastructure, or migrating providers. Keep Cloudflare DNS records current, document every authorized sender, and adjust the DMARC policy gradually from none policy to a quarantine policy and eventually reject when reporting confirms stable compliance. ![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Ready to get started? Try AutoSPF free — no credit card required. [ Book a Demo ](/book-a-demo/) ## Related Articles [ Intermediate 6m 10 Reasons Why DIY-ing SPF isn’t a Good Choice for Companies Apr 4, 2024 ](/blog/10-reasons-diy-ing-spf-isnt-good-choice-for-companies/)[ Intermediate 5m The 12.4 billion shield for your email communications: Why DMARC software is the unsung hero in the war against phishing actors! Nov 19, 2025 ](/blog/12-4-billion-dmarc-software-shield-protecting-email-from-phishing-actors/)[ Intermediate 3m 3 points to consider before setting your SPF record to -all (HardFail) May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[ Intermediate 3m 5 key contributors to the development of the Sender Policy Framework Nov 12, 2024 ](/blog/5-key-contributors-to-sender-policy-framework-development/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"A Complete Guide to Configuring Cloudflare DMARC, SPF & DKIM","description":"Learn how to configure Cloudflare DMARC, SPF, and DKIM records to strengthen email authentication, prevent spoofing, and improve email deliverability.","url":"https://autospf.com/blog/a-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim/","datePublished":"2026-06-15T00:00:00.000Z","dateModified":"2026-06-15T00:00:00.000Z","dateCreated":"2026-06-15T00:00:00.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/a-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim/"},"articleSection":"intermediate","keywords":"","image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/spf-record-checker-5228-1781520687399.jpg","caption":"Configuring Cloudflare DMARC"},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"A Complete Guide to Configuring Cloudflare DMARC, SPF & DKIM","item":"https://autospf.com/blog/a-complete-guide-to-configuring-cloudflare-dmarc-spf-dkim/"}]} ```