You can protect your domain from email spoofing and phishing by publishing DMARC, DKIM, and SPF records.

Let’s see how this plays out in practice. Imagine you’re sending an email from yourdomain.com to recipient.com.

  1. SPF (Sender Policy Framework): When recipient.com’s mail server receives your email, it checks your domain’s SPF record. This record, published as a TXT record in your DNS, lists the IP addresses of mail servers authorized to send email on behalf of yourdomain.com. If the sending IP isn’t on the list, the email might be marked as spam or rejected.

    Example TXT record in Cloudflare DNS:

        v=spf1 include:_spf.google.com ~all

    This means: "This is an SPF record. Emails from Google’s SPF servers are allowed. All other emails should be treated as 'softfail' (marked as suspicious but not necessarily rejected)."

  2. DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your emails. Your mail server generates a private key, and a corresponding public key is published in your DNS as a TXT record. When an email is sent, the server signs the email’s header and body with the private key. The receiving server uses the public key from your DNS to verify the signature. If the signature is valid, it proves the email hasn’t been tampered with in transit and that it originated from a server authorized by your domain.

    Example TXT record for DKIM in Cloudflare DNS (generated by your email provider, e.g., Google Workspace, Microsoft 365):

        k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy...

    This record contains the public key. The p= part is the public key itself.

  3. DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC builds on SPF and DKIM. It tells receiving servers what to do if SPF or DKIM checks fail, and where to send reports about these checks. DMARC is also published as a TXT record.

    Example TXT record for DMARC in Cloudflare DNS (published at the name _dmarc.yourdomain.com):

        v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com;

    This means: "This is a DMARC record. If SPF or DKIM checks fail, quarantine the email (send it to spam). Send aggregate reports to dmarc-reports@yourdomain.com."

Cloudflare Email Security Integration:

Cloudflare doesn’t directly send email for your domain, so it doesn’t generate SPF or DKIM records itself. Instead, Cloudflare acts as your DNS provider where you publish the SPF, DKIM, and DMARC records that are generated by your actual email sending service (like Google Workspace, Microsoft 365, SendGrid, Mailgun, etc.).

Here’s how you’d set it up in Cloudflare:

  1. Get Records from Your Email Provider:

    • SPF: Your email provider will tell you what include or ip4 mechanisms to add to your SPF record. For example, Google Workspace often uses include:_spf.google.com.
    • DKIM: Your email provider will generate a unique DKIM selector and provide you with the TXT record containing the public key. This is usually a long string starting with k=rsa; p=....
    • DMARC: You’ll create your own DMARC record, often starting with v=DMARC1; p=....
  2. Add Records in Cloudflare DNS:

    • Log in to your Cloudflare account.
    • Select your domain.
    • Go to the "DNS" tab.
    • Click "Add record".

    • For SPF:

      • Type: TXT
      • Name: @ (This represents your root domain, yourdomain.com)
      • Content: v=spf1 include:_spf.google.com ~all (Replace _spf.google.com with your provider’s specific include, and adjust ~all as needed. A common mistake is having multiple SPF records; you should only have one.)
      • TTL: Auto
    • For DKIM:

      • Type: TXT
      • Name: The DKIM selector provided by your email host (e.g., google._domainkey)
      • Content: The DKIM public key string (e.g., k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy...)
      • TTL: Auto
    • For DMARC:

      • Type: TXT
      • Name: _dmarc
      • Content: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; (Adjust p and rua as per your policy.)
      • TTL: Auto
  3. Verification:

    • After adding the records, it can take a few minutes to a few hours for DNS changes to propagate.
    • You can use online tools like MXToolbox, DMARC Analyzer, or the "Email Security" section within Cloudflare’s dashboard (if you’re using Cloudflare Email Routing or similar services) to check if your records are correctly published and resolving.
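Before reaching for an online checker, it helps to know what "correctly published" means for each of the three records. The following script is an added example (not Cloudflare's or any provider's code) that runs the checks a verification tool performs over a constructed set of TXT records: exactly one SPF record with a terminal all mechanism, a DKIM key with a non-empty p= tag at the selector name, and a DMARC record at _dmarc with a valid p= and a mailto: rua=. The sample records and the `abc123` verification string are constructed, and `audit` takes a dict in place of a real DNS lookup.

```python
import re

# Constructed sample TXT records for yourdomain.com; not a live DNS lookup.
SAMPLE_TXT = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123"],
    "google._domainkey.yourdomain.com": ["k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy"],
    "_dmarc.yourdomain.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com;"],
}

def parse_tags(record):
    """Turn a 'tag=value; tag=value' DKIM/DMARC record into a dict."""
    return {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}

def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]   # other TXT records are ignored
    if not spf:
        return ["no SPF record at the root name"]
    if len(spf) > 1:
        return ["multiple SPF records; receivers return permerror, keep exactly one"]
    if "redirect=" not in spf[0] and not re.search(r"\s[-~?+]?all$", spf[0].rstrip()):
        return ["SPF record has no terminal 'all' mechanism"]
    return []

def check_dkim(records):
    keys = [parse_tags(r) for r in records if "p=" in r]
    if not keys:
        return ["no DKIM key record at the selector name"]
    if not keys[0].get("p"):
        return ["empty p= tag; an empty key revokes the selector"]
    return []

def check_dmarc(records):
    dmarc = [parse_tags(r) for r in records if r.startswith("v=DMARC1")]
    if not dmarc:
        return ["no DMARC record at _dmarc"]
    problems = []
    if dmarc[0].get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not dmarc[0].get("rua", "").startswith("mailto:"):
        problems.append("rua= missing; you will receive no aggregate reports")
    return problems

def audit(txt, domain, selector):
    """Run all three checks; returns {record_type: [problems]} (empty lists mean OK)."""
    return {"spf": check_spf(txt.get(domain, [])),
            "dkim": check_dkim(txt.get(f"{selector}._domainkey.{domain}", [])),
            "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", []))}
```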

The "Why" Behind Cloudflare:

Cloudflare’s role here is purely as the authoritative DNS provider. It doesn’t inherently "do" email security for your domain unless you’re using specific Cloudflare services like Email Routing. For standard DMARC, DKIM, and SPF, Cloudflare ensures that the records your email provider tells you to publish are accessible to the internet’s mail servers.

The most surprising truth about DMARC is that its primary enforcement mechanism isn’t about rejecting emails; it’s about reporting. The p= tag (none, quarantine, reject) is what tells receivers what to do, but the real power comes from the rua= (reporting URI, aggregate) and ruf= (reporting URI, forensic) tags, which feed you data about who is sending email using your domain, and whether it’s passing or failing these checks.

Let’s say you’ve configured your SPF for Google Workspace, your DKIM from Microsoft 365, and your DMARC. Your Cloudflare DNS will hold these records. When an email arrives at recipient.com, their server queries Cloudflare for the relevant TXT records: the SPF record at yourdomain.com, the DKIM public key at the selector name under _domainkey.yourdomain.com, and the policy at _dmarc.yourdomain.com. It then checks the sending IP against SPF and verifies the DKIM signature with the public key from the DKIM record. Finally, it consults your DMARC policy to decide how to handle the email.
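The receiver-side decision just described, as an added example that is not part of the original article: given the SPF and DKIM results and the domains each one authenticated, apply the DMARC record to decide what happens to a message claiming to be From: yourdomain.com. DMARC passes when either check passes and is aligned with the From: domain, which is why a forwarded message can survive on DKIM alone and why a bulk sender that passes SPF on its own bounce domain still fails. The four scenarios and the domain bounces.esp-example.net are constructed, and the alignment check is a simplification (real receivers compare organizational domains using the Public Suffix List).

```python
# Constructed DMARC record for yourdomain.com, as published at _dmarc.yourdomain.com above.
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com;"

def parse_dmarc(record):
    """'v=DMARC1; p=quarantine; ...' -> {'v': 'DMARC1', 'p': 'quarantine', ...}"""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') also
    accepts a parent/subdomain relationship. Assumption: real receivers compare
    organizational domains via the Public Suffix List; this simplification treats
    any subdomain relationship as the same organization."""
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if auth == frm:
        return True
    return mode == "r" and (auth.endswith("." + frm) or frm.endswith("." + auth))

ACTIONS = {"none": "deliver, report only", "quarantine": "spam folder", "reject": "reject"}

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf = (result, envelope-from domain); dkim = (result, d= domain of the signature).
    Returns (dmarc_result, receiver_action). One aligned pass is enough to pass."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS.get(tags.get("p", "none"), "deliver, report only")

# Constructed messages, all with From: user@yourdomain.com
SCENARIOS = {
    # sent via the authorized provider: SPF passes on its IP, DKIM signed with your key
    "legit":     (("pass", "yourdomain.com"), ("pass", "yourdomain.com")),
    # forwarded by a mailing list: SPF breaks on the forwarder's IP, DKIM signature survives
    "forwarded": (("fail", "yourdomain.com"), ("pass", "yourdomain.com")),
    # bulk sender without DKIM set up: SPF passes, but only on the sender's own bounce domain
    "bulk":      (("pass", "bounces.esp-example.net"), ("none", "")),
    # message from an unauthorized server with no signature at all
    "spoofed":   (("fail", "yourdomain.com"), ("none", "")),
}

def evaluate_all(record=DMARC_RECORD, from_domain="yourdomain.com"):
    return {name: dmarc_disposition(record, from_domain, spf, dkim)
            for name, (spf, dkim) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (result, action) in evaluate_all().items():
        print(f"{name:10} DMARC={result:4} -> {action}")
```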

The next thing you’ll need to understand is how to interpret the DMARC aggregate reports (.zip files containing XML data) to refine your policies and identify legitimate sending sources you might have missed.
