Cloudflare is one of the most popular DNS providers, and adding email authentication records is straightforward once you know where everything goes. This guide walks you through adding SPF, DKIM, and DMARC records in the Cloudflare dashboard, step by step.
If you are not sure what SPF, DKIM, and DMARC are or why you need them, read our Email Deliverability Guide first. If you need the actual record values for your email provider (Google Workspace, Microsoft 365, etc.), see our SPF, DKIM, and DMARC setup guide.
Before You Start
You will need:
- Access to your Cloudflare account with the domain you want to configure
- The SPF, DKIM, and DMARC values from your email provider (Google Workspace, Microsoft 365, etc.)
- About 10 minutes
Start by running a free MailScore scan on your domain so you know exactly which records are missing or misconfigured before you begin.
Step 1: Open Your Domain's DNS Settings
- Log in to dash.cloudflare.com
- Select the domain you want to configure from the dashboard
- Click DNS in the left sidebar, then Records
You will see a list of your existing DNS records. All email authentication records are TXT records, which you will add using the Add record button.
Step 2: Add Your SPF Record
SPF tells inbox providers which servers are allowed to send email from your domain.
- Click Add record
- Set Type to
TXT - Set Name to
@(this means your root domain) - Paste your SPF value into the Content field
- Leave TTL as Auto
- Click Save
Example SPF value for Google Workspace:
v=spf1 include:_spf.google.com ~all
Important: You can only have one SPF record per domain. If you already have an SPF record, edit it and add additional include: statements rather than creating a second record. Check our setup guide for the correct include values for each email provider.
Cloudflare SPF Tips
- Cloudflare auto-appends your domain name. If your domain is
example.com, entering@in the Name field creates the record atexample.com. - The proxy toggle (orange cloud) does not apply to TXT records. TXT records are always DNS-only, so you can ignore the proxy setting.
- If you see a warning about an existing SPF record, you need to edit the existing one rather than adding a new one.
Step 3: Add Your DKIM Records
DKIM records verify that emails were not tampered with in transit. Your email provider gives you a specific DNS record to add, which includes a public key.
- Click Add record
- Set Type to
TXT(orCNAMEif your provider specifies a CNAME record) - In the Name field, enter just the selector and
._domainkeypart. For example, if your provider says to create a record atgoogle._domainkey.example.com, entergoogle._domainkey. Cloudflare appends your domain automatically. - Paste the DKIM value into the Content field
- Click Save
Common DKIM Selectors by Provider
| Email Provider | Name Field in Cloudflare |
|---|---|
| Google Workspace | google._domainkey |
| Microsoft 365 | selector1._domainkey and selector2._domainkey (two CNAME records) |
| SendGrid | s1._domainkey and s2._domainkey |
| Amazon SES | Three CNAME records (check your SES console for exact values) |
Microsoft 365 note: Microsoft uses CNAME records for DKIM, not TXT records. Set the Type to CNAME instead of TXT, and make sure the proxy toggle is off (gray cloud / DNS-only). Cloudflare cannot proxy CNAME records used for email authentication.
Step 4: Add Your DMARC Record
DMARC tells inbox providers what to do when SPF and DKIM checks fail, and where to send reports.
- Click Add record
- Set Type to
TXT - Set Name to
_dmarc(Cloudflare appends your domain, creating_dmarc.example.com) - Set Content to:
v=DMARC1; p=none; rua=mailto:dmarc@example.com(replace the email with your own) - Click Save
Start with p=none to monitor without affecting email delivery. After 2-4 weeks of reviewing DMARC reports, tighten to p=quarantine and eventually p=reject. Our deliverability guide explains the progression.
Step 5: Verify Your Setup
DNS changes on Cloudflare typically propagate within a few minutes (much faster than the 24-48 hours you might see with other providers). After saving your records:
- Wait 2-5 minutes for propagation
- Run a free MailScore scan on your domain
- Verify that SPF, DKIM, and DMARC all show as passing
If any check fails, double-check the Name and Content fields in Cloudflare. The most common issue is entering the full domain name instead of just the prefix (for example, typing _dmarc.example.com instead of just _dmarc).
Cloudflare-Specific Tips and Common Mistakes
- Do not proxy email records. CNAME records for DKIM must use DNS-only mode (gray cloud). TXT records are always DNS-only regardless of the toggle.
- Cloudflare email routing can add its own records. If you use Cloudflare Email Routing, it may automatically create SPF and MX records. Make sure your manually added SPF record includes Cloudflare's sending servers if you use this feature:
include:_spf.mx.cloudflare.net. - Do not enter the full domain in the Name field. Cloudflare appends your domain automatically. Entering
_dmarc.example.comwould create a record at_dmarc.example.com.example.com, which is wrong. - Check for conflicting records. If you previously used a different email provider, old SPF or DKIM records may still be in your DNS. Delete or update them before adding new ones.
- DKIM value length: If your DKIM key exceeds 255 characters (common with 2048-bit keys), Cloudflare may automatically split it into multiple quoted strings. This is normal DNS behavior and does not affect functionality. Just paste the full value and Cloudflare handles the formatting.
Keep Your Records Monitored
Email authentication records can break silently when you change email providers, add a new sending service, or let a DKIM key expire. MailScore's monitoring plans (starting at $9/month) scan your domain on a schedule and alert you the moment something breaks.