Cloudflare Email Authentication Setup

Cloudflare is a DNS and security provider that offers Email Routing for custom domains. This guide covers the complete email authentication stack for Cloudflare: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.

How to Set Up SPF for Cloudflare Email Routing

Configure SPF for domains using Cloudflare Email Routing to ensure forwarded and routed email passes authentication.

Quick Answer — The Record You Need

Type: TXT
Host / Name: @
Value: v=spf1 include:_spf.mx.cloudflare.net ~all

This SPF include is for Cloudflare Email Routing. Cloudflare itself is not an email sender -- it routes email to your actual mailbox provider.

Step-by-Step Setup

1. Log in to Cloudflare

Go to dash.cloudflare.com and sign in.

2. Select your domain

Choose the domain where you want to set up Email Routing.

3. Enable Email Routing

Go to Email > Email Routing. Follow the setup wizard to configure routing rules.

4. Add the SPF record

Cloudflare may auto-add DNS records during Email Routing setup. If not, add the SPF include manually.

v=spf1 include:_spf.mx.cloudflare.net ~all

5. Verify configuration

Send a test email to your routed address and confirm delivery and SPF pass.

Before & After

Before
v=spf1 include:_spf.google.com ~all
After
v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all
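
The Before/After merge above, as an added Python example (not code from this guide or from Cloudflare). It goes beyond the single case shown by also applying two general RFC 7208 rules: one SPF record per name, and at most 10 DNS-lookup terms. The function names and the sample TXT values are assumptions made for illustration.

```python
# Added example (not from the original page): merge the Cloudflare Email Routing
# include into whatever SPF record the zone apex already publishes.
CF_INCLUDE = "_spf.mx.cloudflare.net"   # include target taken from the guide
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_terms(record):
    """Split a 'v=spf1 ...' TXT value into its terms, without the version tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return parts[1:]

def term_name(term):
    """Mechanism or modifier name, without qualifier, argument or CIDR length."""
    bare = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        bare = bare.split(sep, 1)[0]
    return bare

def top_level_lookups(terms):
    """Terms in this record that each cost one DNS lookup. RFC 7208 caps the
    total at 10; lookups nested inside included records are not counted here."""
    return sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)

def add_include(record, domain=CF_INCLUDE):
    """Return the record with include:domain placed before the 'all' mechanism."""
    terms = spf_terms(record)
    wanted = "include:" + domain.lower()
    if any(t.lstrip("+").lower() == wanted for t in terms):
        return record                      # already authorized, nothing to change
    pos = next((i for i, t in enumerate(terms) if term_name(t) == "all"), len(terms))
    terms.insert(pos, "include:" + domain)
    if top_level_lookups(terms) > 10:
        raise ValueError("more than 10 DNS-lookup terms; receivers return permerror")
    return " ".join(["v=spf1"] + terms)

def merged_apex_spf(txt_values, domain=CF_INCLUDE):
    """Given every TXT value at the apex, return the single SPF record to publish."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("multiple SPF records on one name; merge them into one")
    if not spf:
        return "v=spf1 include:%s ~all" % domain
    return add_include(spf[0], domain)

if __name__ == "__main__":
    # Constructed sample: the guide's "Before" record plus an unrelated TXT value.
    apex = ["v=spf1 include:_spf.google.com ~all", "site-verification=example"]
    print(merged_apex_spf(apex))
```

Run it against the TXT values you see in DNS > Records before saving the change; a second `v=spf1` record added alongside an existing one makes SPF evaluation fail for the whole domain.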

SPF Gotchas

  • Cloudflare is not an email sender. The include:_spf.mx.cloudflare.net is only needed if you use Cloudflare Email Routing.
  • If you use Cloudflare only for DNS (not Email Routing), you do not need this SPF include. Add the includes for your actual email provider instead.
  • Cloudflare Email Routing forwards email. The SPF record authorizes Cloudflare's routing servers, not your final mailbox provider.

SPF FAQ

Do I need an SPF record for Cloudflare?

Only if you use Cloudflare Email Routing. If Cloudflare is just your DNS provider, add SPF records for your actual email service instead.

What is Cloudflare Email Routing?

Cloudflare Email Routing lets you create email addresses on your domain and forward them to existing mailboxes (like Gmail). It does not host mailboxes.

Can I use Cloudflare Email Routing with Google Workspace SPF?

Yes. Combine both: v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all.

How to Set Up DKIM for Cloudflare Email Routing

Understand DKIM configuration when using Cloudflare Email Routing or Cloudflare as your DNS provider.

Quick Answer — The Record You Need

Type: CNAME
Host / Name: Depends on your email provider
Value: Depends on your email provider

Cloudflare Email Routing does not require its own DKIM record. Add DKIM records for your actual email sending provider. Cloudflare DNS is where you manage all DKIM records.

Step-by-Step Setup

1. Understand Cloudflare's role

Cloudflare is typically your DNS provider, not your email sender. DKIM records for your email provider (Google Workspace, Microsoft 365, etc.) are added through Cloudflare's DNS dashboard.

2. Log in to Cloudflare

Go to dash.cloudflare.com and select your domain.

3. Navigate to DNS records

Go to DNS > Records.

4. Add your email provider's DKIM records

Add the DKIM TXT or CNAME records provided by your email service. Cloudflare DNS supports both record types.

# Example for Google Workspace:
google._domainkey  TXT  "v=DKIM1; k=rsa; p=YOUR_KEY"

# Example for Microsoft 365:
selector1._domainkey  CNAME  selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

5. Verify with your email provider

After adding DKIM records in Cloudflare DNS, verify them in your email provider's dashboard.

DKIM Gotchas

  • Cloudflare Email Routing does not add its own DKIM signature. DKIM signing comes from your email sending provider.
  • When adding DKIM CNAME records in Cloudflare, make sure the proxy toggle (orange cloud) is OFF. DNS-only (gray cloud) is required for email records.
  • If Cloudflare auto-flattens CNAME records, DKIM CNAME records may not resolve correctly. Ensure the proxy is disabled for all _domainkey records.

DKIM FAQ

Does Cloudflare Email Routing need its own DKIM record?

No. Cloudflare Email Routing forwards email and does not add its own DKIM signature. DKIM signing is handled by your email sending provider.

How do I add DKIM records in Cloudflare DNS?

Go to DNS > Records in your Cloudflare dashboard. Add the TXT or CNAME records provided by your email service. Ensure the proxy is set to DNS-only (gray cloud).

Why must Cloudflare proxy be off for DKIM records?

Email DNS records (MX, TXT for SPF/DKIM, CNAME for DKIM) must resolve directly, not through Cloudflare's HTTP proxy. The orange cloud proxy is only for web traffic.

How to Set Up DMARC with Cloudflare DNS

Add a DMARC record to your domain through Cloudflare DNS to protect against email spoofing.

Quick Answer — The Record You Need

Type: TXT
Host / Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Cloudflare provides a DMARC management tool in the dashboard under Email > DMARC Management.

Step-by-Step Setup

1. Log in to Cloudflare

Go to dash.cloudflare.com and select your domain.

2. Check for DMARC Management

Cloudflare offers a DMARC Management feature under Email > DMARC Management. This provides a guided setup and report visualization.

3. Create the DMARC record

Use Cloudflare DMARC Management or manually add a TXT record via DNS > Records.

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"

4. Monitor with Cloudflare DMARC Management

Cloudflare DMARC Management can parse and display your DMARC reports, showing which senders pass or fail.

5. Enforce gradually

Use the insights from Cloudflare DMARC Management to identify all legitimate senders, then move to p=quarantine and p=reject.
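
What the monitoring and enforcement steps rely on, as an added Python example (not Cloudflare's code and not part of this guide): a per-source pass/fail summary of a DMARC aggregate (rua) report. Element names follow the RFC 7489 report schema; the sample report, its IP addresses and counts are constructed, and the function names are assumptions.

```python
# Added example (not from the original page): per-source summary of a DMARC
# aggregate (rua) report. Element names follow the RFC 7489 report schema;
# the report is assumed to carry no XML namespace.
import xml.etree.ElementTree as ET
from collections import defaultdict

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}}, counted in messages."""
    # Reports arrive from third parties: refuse DTDs and entity definitions.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD found in report, refusing to parse")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "fail").strip().lower()
        spf = row.findtext("policy_evaluated/spf", "fail").strip().lower()
        # DMARC passes when aligned DKIM or aligned SPF passed.
        result = "pass" if "pass" in (dkim, spf) else "fail"
        totals[ip][result] += count
    return dict(totals)

def failing_sources(summary):
    """(ip, failing message count) pairs, largest volume first, for review."""
    bad = [(ip, c["fail"]) for ip, c in summary.items() if c["fail"]]
    return sorted(bad, key=lambda pair: pair[1], reverse=True)

# Constructed sample report: documentation-range IPs, invented counts.
_ROW = ("<record><row><source_ip>%s</source_ip><count>%d</count>"
        "<policy_evaluated><disposition>none</disposition>"
        "<dkim>%s</dkim><spf>%s</spf></policy_evaluated></row></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>yourdomain.com</domain><p>none</p>"
    "</policy_published>%s</feedback>" % "".join(_ROW % r for r in [
        ("192.0.2.10", 40, "pass", "pass"),     # mailbox provider, fully aligned
        ("198.51.100.7", 12, "pass", "fail"),   # forwarded: DKIM survives, SPF breaks
        ("203.0.113.5", 3, "fail", "fail"),
        ("203.0.113.99", 25, "fail", "fail"),
    ]))

if __name__ == "__main__":
    for ip, n in failing_sources(summarize(SAMPLE_REPORT)):
        print("%-15s %d messages failed DMARC" % (ip, n))
```

Each failing source still needs a human decision: either it is a legitimate sender whose SPF or DKIM must be fixed before moving past p=none, or it is unauthorized mail that enforcement is meant to stop.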

DMARC Gotchas

  • Cloudflare DMARC Management is a free tool that helps visualize DMARC reports. It can auto-create the DMARC record with their rua address.
  • If you use Cloudflare DMARC Management, it adds its own rua address for report collection. You can add your own rua address alongside it.
  • DMARC applies to all email from your domain, not just Cloudflare Email Routing. Ensure all email providers are authenticated before enforcing.

DMARC FAQ

Does Cloudflare have a DMARC tool?

Yes. Cloudflare offers a free DMARC Management tool under Email > DMARC Management that helps set up and monitor DMARC.

Can Cloudflare analyze my DMARC reports?

Yes. Cloudflare DMARC Management collects and visualizes aggregate DMARC reports, showing you which senders pass or fail authentication.

Is Cloudflare DMARC Management free?

Yes. Cloudflare DMARC Management is available on all plans including the free tier.

Verify Your Cloudflare Setup

Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.
