How to Set Up DMARC for Cloudflare Email Routing

Cloudflare Email Routing allows you to create custom email addresses for your domain and forward them to any destination without running your own mail server. Since Cloudflare manages your DNS, configuring SPF, DKIM, and DMARC records is done directly in the Cloudflare dashboard.

This guide walks you through configuring SPF, DKIM, and DMARC for Cloudflare Email Routing so your emails are fully authenticated and your domain is protected from spoofing. Proper configuration ensures your messages reach the inbox and comply with the requirements of Gmail, Yahoo, and Microsoft Outlook.

SPF Configuration

SPF (Sender Policy Framework) authorizes Cloudflare Email Routing's mail servers to send email on behalf of your domain. Add the following include directive to your existing SPF record:

v=spf1 include:_spf.mx.cloudflare.net ~all

If you already have an SPF record with other include directives, add include:_spf.mx.cloudflare.net before the ~all or -all mechanism. For example:

v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all

Important: You can only have one SPF record per domain. If you have multiple sending services, combine all include directives into a single record. SPF also has a 10 DNS lookup limit - exceeding this will cause SPF to fail. Use our SPF Checker to verify your record stays within limits.

DKIM Configuration

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails, proving they were not altered in transit. For Cloudflare Email Routing, the DKIM selector(s) used are: varies (depends on your upstream sending provider).

DKIM is configured by adding a TXT or CNAME record to your DNS at the selector subdomain (e.g., varies (depends on your upstream sending provider)._domainkey.yourdomain.com). The exact record value is generated by Cloudflare Email Routing in their admin console or dashboard. Follow the provider-specific steps below to generate and publish your DKIM record.

After adding the DKIM record, use our DKIM Checker to verify the record is published correctly and the signature can be validated.

DMARC Record

Once SPF and DKIM are configured for Cloudflare Email Routing, publish a DMARC record to tie everything together. Add the following TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Start with p=none to monitor authentication results without affecting mail delivery. The rua tag specifies where aggregate reports are sent, and fo=1 ensures you receive failure reports for any mechanism failure. After 2-4 weeks of monitoring, gradually move to p=quarantine and then p=reject for full protection.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; fo=1

Step-by-Step Setup

Follow these Cloudflare Email Routing-specific steps to configure email authentication for your domain:

1. Log in to the Cloudflare dashboard at dash.cloudflare.com and select your domain.
2. Navigate to Email > Email Routing to configure your email forwarding rules.
3. Go to DNS > Records to manage your email authentication records.
4. Cloudflare typically auto-adds SPF and MX records when Email Routing is enabled. Verify the SPF record includes 'include:_spf.mx.cloudflare.net'.
5. If you also send outbound email through another provider (e.g., Google Workspace or Fastmail), add their SPF include directive to the same record.
6. For DKIM, configure signing through your outbound email provider and add the DKIM records they provide to Cloudflare DNS.
7. Make sure any DNS records related to email (MX, TXT, CNAME) have the proxy status set to 'DNS only' (grey cloud), as email records cannot be proxied.
8. Publish your DMARC record at _dmarc.yourdomain.com with p=none to begin monitoring.
9. Monitor DMARC aggregate reports to verify all legitimate email sources are authenticated.

Verify Your Setup

After completing the configuration, use our free tools to verify that SPF, DKIM, and DMARC are all correctly configured for your domain:

• DMARC Checker - Validate your DMARC record syntax, policy, and reporting configuration.
• SPF Checker - Verify your SPF record includes all authorized senders and stays within the 10 DNS lookup limit.
• DKIM Checker - Confirm your DKIM public key is published correctly and can validate signatures.

If any of these checks fail, review the steps above and ensure all DNS records have fully propagated. DNS changes can take up to 48 hours, though most propagate within a few hours.

Continuous Monitoring with Inbox Insignia

Setting up DMARC is just the beginning. Email authentication requires ongoing monitoring to catch configuration drift, new sending sources, and authentication failures before they impact deliverability. Inbox Insignia provides automated DMARC monitoring, aggregate report parsing, and compliance scoring for all your domains.

to start monitoring your Cloudflare Email Routing email authentication and receive alerts when your SPF, DKIM, or DMARC configuration needs attention.