
Cloudflare Email: DKIM, SPF and DMARC Configuration -- Complete Guide

DodaTech Updated 2026-06-23 5 min read

In this tutorial, you will learn how to configure DKIM signing, SPF records, and DMARC policies for your domain in Cloudflare DNS to improve email deliverability, prevent spoofing, and protect your domain reputation.

Why Email Authentication Matters

Email was designed without built-in authentication, so anyone can put your domain in the From header of a message they send. Without SPF, DKIM and DMARC, your domain is open to spoofing that damages your reputation, deceives your customers, and pushes your own legitimate mail into spam folders. Cloudflare provides the DNS where these authentication records are published; if you also use Cloudflare Email Routing, it asks you to publish its own MX and SPF records so that mail it receives and forwards for your domain is accepted by recipients. Mailbox providers such as Gmail, Yahoo and Outlook now require DMARC from bulk senders, and they treat SPF and DKIM failures as spam signals.

Real-world use: A startup sends transactional email through SendGrid and uses Google Workspace (Gmail) for team mail. Without SPF and DKIM, recipient servers may reject or junk both kinds of message. Publishing one SPF record that carries both providers' include statements (include:sendgrid.net and include:_spf.google.com), the DKIM public key each provider issues, and a DMARC policy of p=quarantine ensures all legitimate email passes authentication, while mail from anyone else claiming the domain is quarantined.

Email Authentication Flow

flowchart LR
    S[Sender MTA] -->|SMTP| R[Receiving MTA]
    R --> D["DNS lookups on the sender's domain"]
    D --> SPF[SPF TXT record]
    D --> DKIM[DKIM public key TXT record]
    D --> DMARC[_dmarc TXT record]
    SPF --> V[Alignment check]
    DKIM --> V
    DMARC --> V
    V --> P["Pass / Quarantine / Reject"]
    style D fill:#f90,color:#fff
    style R fill:#f90,color:#fff

Configuring SPF Records in Cloudflare DNS

SPF (Sender Policy Framework) declares which mail servers are authorized to send email on behalf of your domain. Without it, anyone can send email claiming to be from your domain.

# Add a TXT record in Cloudflare DNS (TXT records have no proxy toggle;
# only A/AAAA/CNAME records can be proxied, so no orange/gray cloud applies):
# Type: TXT
# Name: @
# Value: v=spf1 include:_spf.mx.cloudflare.net include:sendgrid.net ~all
# TTL: Auto
# The first include is only needed if you use Cloudflare Email Routing;
# add one include per provider that sends mail for you, in one record.
# Verify SPF record with dig (exactly one v=spf1 record must come back)
dig TXT yourdomain.com +short | grep "v=spf1"
# Expected output:
# "v=spf1 include:_spf.mx.cloudflare.net include:sendgrid.net ~all"

Expected output: The SPF record authorizes Cloudflare Email Routing and SendGrid to send for your domain; any other service you send through must be added to the same record, because a second v=spf1 record causes a permerror. The ~all mechanism tells recipients to softfail (treat as suspicious) mail from servers not listed; -all asks them to fail it outright. Every include: (as well as a, mx, ptr, exists and redirect=) consumes one of the 10 DNS lookups SPF allows, and the lookups inside included records count too.
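The two conditions that produce an SPF permerror, more than one v=spf1 record and more than 10 lookups once includes are expanded, are easy to check offline. The script below is an added example, not code from the page, Cloudflare or SendGrid; FAKE_TXT is a constructed stand-in for DNS answers (the ip4/ip6 ranges inside the include targets are made up), so it never touches the network.

```python
"""Offline SPF sanity check: one v=spf1 record, at most 10 DNS lookups.

Added example; not code from the original page, Cloudflare or SendGrid.
FAKE_TXT stands in for real DNS answers and its contents are constructed
(the IP ranges inside the include targets are made up for the demo).
"""
from typing import Dict, List, Optional, Set, Tuple

FAKE_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mx.cloudflare.net include:sendgrid.net ~all"],
    "_spf.mx.cloudflare.net": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # Two SPF records on one name: receivers return permerror (RFC 7208 s4.5)
    "double.example": ["v=spf1 include:sendgrid.net ~all", "v=spf1 a ~all"],
    # An include chain that bursts the 10-lookup budget (RFC 7208 s4.6.4)
    "bloated.example": ["v=spf1 a mx include:hub.example -all"],
    "hub.example": ["v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(9)) + " -all"],
}
for _i in range(9):
    FAKE_TXT[f"svc{_i}.example"] = ["v=spf1 ip4:192.0.2.0/24 -all"]

# Mechanisms that cost a DNS lookup; ip4, ip6 and all do not.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
ALL_QUALIFIERS = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass", "all": "pass"}


def spf_records(domain: str) -> List[str]:
    """TXT records for `domain` that start with v=spf1 (case-insensitive)."""
    return [r for r in FAKE_TXT.get(domain.lower(), []) if r.lower().startswith("v=spf1")]


def count_lookups(domain: str, seen: Optional[Set[str]] = None) -> int:
    """Count lookup mechanisms, recursing through include: and redirect=."""
    seen = set() if seen is None else seen
    if domain in seen:            # loop guard; a real resolver reports permerror
        return 0
    seen.add(domain)
    recs = spf_records(domain)
    if len(recs) != 1:
        return 0                  # nothing sane to count; check_spf flags this
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        mech, _, target = term.partition(":")
        mech = mech.split("/")[0].lower()          # 'a/24' -> 'a'
        if mech in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include" and target:
                total += count_lookups(target, seen)
        elif mech.startswith("redirect="):
            total += 1 + count_lookups(mech.split("=", 1)[1], seen)
    return total


def check_spf(domain: str) -> Tuple[str, str]:
    """Return (status, detail); status is 'none', 'permerror' or 'ok'."""
    recs = spf_records(domain)
    if not recs:
        return "none", "no v=spf1 TXT record published"
    if len(recs) > 1:
        return "permerror", f"{len(recs)} SPF records published; merge them into one"
    n = count_lookups(domain)
    if n > MAX_LOOKUPS:
        return "permerror", f"{n} DNS lookups (limit {MAX_LOOKUPS}); flatten or drop includes"
    verdict = ALL_QUALIFIERS.get(recs[0].split()[-1].lower(), "no all mechanism")
    return "ok", f"{n} lookups; unauthorized senders get {verdict}"


if __name__ == "__main__":
    for d in ("good.example", "double.example", "bloated.example", "missing.example"):
        print(d, *check_spf(d))
```

To run it against a live zone, replace FAKE_TXT with a resolver call (for example dnspython's `dns.resolver.resolve(name, "TXT")`) and keep the counting logic as is; the recursion is what catches the case where your own record looks short but an included provider's record drags in a dozen lookups.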

Configuring DKIM Signatures

DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing email: the sending server signs a hash of the body and selected headers with a private key, and receiving servers verify it with the public key published in DNS at <selector>._domainkey.<domain>, where the selector (s=) and domain (d=) are read from the message's DKIM-Signature header.

# Example DKIM record (the value is generated by your email provider; the
# selector "sendgrid" is a placeholder, use the one your provider shows):
# Type: TXT
# Name: sendgrid._domainkey
# Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
# TTL: Auto
# Some providers, SendGrid included, hand you CNAME records pointing at their
# own _domainkey hosts instead of a raw key; add exactly what the setup page
# shows. DKIM TXT/CNAME records are never proxied, so no cloud toggle applies.
# Verify DKIM record (dig follows a CNAME and prints the TXT behind it; long
# keys come back as several quoted 255-byte strings that verifiers concatenate)
dig TXT sendgrid._domainkey.yourdomain.com +short
# Expected output:
# "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Expected output: The DKIM record publishes your public key. When your email provider sends a DKIM-signed message, the recipient fetches this key, checks the signature over the listed headers and the body hash, and so confirms both that the message was not altered in transit and that whoever signed it holds the private key for d=. Prefer 2048-bit keys (a 1024-bit key's p= value begins MIGf..., a 2048-bit one begins MIIBIj...) and rotate them when providers or staff change.
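What a receiver actually does with that DNS record is easier to see from the verifier's side. The following added example (not code from the page or from SendGrid) parses a DKIM-Signature header, derives the DNS name to query from s= and d=, applies the body canonicalization named in c=, and checks the body hash bh=. The RSA signature in b= over the headers is the second step and needs the public key from DNS, so it is not performed here; SAMPLE_BODY and the header produced by sample_header() are constructed, and d=example.com / s=sendgrid are placeholders.

```python
"""DKIM-Signature parsing and body-hash (bh=) verification.

Added example; not code from the original page or from SendGrid. Covers
tag parsing, the DNS name a verifier queries, RFC 6376 body
canonicalization (simple and relaxed) and the bh= check. The RSA check of
b= needs the public key from DNS and is out of scope. SAMPLE_BODY and
sample_header() are constructed; d= and s= are placeholders.
"""
import base64
import hashlib
import re
from typing import Dict, Optional


def parse_tags(header_value: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value', removing folding whitespace inside values."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags: Dict[str, str]) -> str:
    """The TXT record a receiver fetches: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 s3.4.3: drop trailing empty lines; the body always ends in CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 s3.4.4: collapse WSP runs, strip trailing WSP per line, drop
    trailing empty lines; a non-empty body ends in CRLF, an empty one stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def canonical_body(body: bytes, canon: str, length: Optional[int] = None) -> bytes:
    data = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return data if length is None else data[:length]   # l= truncates after canonicalization


def body_hash(body: bytes, canon: str = "relaxed", length: Optional[int] = None) -> str:
    digest = hashlib.sha256(canonical_body(body, canon, length)).digest()
    return base64.b64encode(digest).decode()


def verify_body_hash(dkim_header: str, body: bytes) -> bool:
    """True when the message body still matches bh= in the signature."""
    tags = parse_tags(dkim_header)
    # Accept only v=1 with SHA-256; rsa-sha1 is deprecated (RFC 8301).
    if tags.get("v") != "1" or not tags.get("a", "").endswith("-sha256"):
        return False
    _header_canon, _, body_canon = tags.get("c", "simple/simple").partition("/")
    body_canon = body_canon or "simple"        # a lone algorithm means body=simple
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_canon, length) == tags.get("bh")


# Constructed sample: trailing spaces and blank lines are exactly what
# relaxed canonicalization is meant to tolerate.
SAMPLE_BODY = b"Your order has shipped.  \r\nThanks,\r\nExample Corp\r\n\r\n\r\n"


def sample_header(body: bytes = SAMPLE_BODY) -> str:
    """A signer's DKIM-Signature for `body` (constructed). b= is left empty
    because producing it requires the private key."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sendgrid;\r\n"
            " h=from:to:subject:date; bh=" + body_hash(body, "relaxed") + "; b=")


if __name__ == "__main__":
    hdr = sample_header()
    print("query", dkim_dns_name(parse_tags(hdr)))
    print("intact", verify_body_hash(hdr, SAMPLE_BODY))
    print("tampered", verify_body_hash(hdr, SAMPLE_BODY.replace(b"shipped", b"cancelled")))
```

Note the asymmetry the tests below rely on: changing one word in the body breaks bh=, but a mail relay that strips trailing whitespace does not, because the signer chose c=relaxed/relaxed. That is why providers sign with relaxed canonicalization, and why a record published under the wrong selector name ("DKIM signature invalid" in the error table) fails before any of this runs: the query name built by dkim_dns_name() simply returns nothing.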

Configuring DMARC Policies

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM to the From address the user actually sees. A message passes DMARC when at least one of the two passes and the domain that check covered aligns with the From domain (an exact match under strict alignment, the same organizational domain under the default relaxed alignment); when neither does, the published policy (p=none, p=quarantine or p=reject) tells the receiver what to do. DMARC also generates reports so you can monitor who sends mail as your domain and how it fares.

# Add DMARC TXT record (start with p=none while you read the reports, then
# move to p=quarantine and finally p=reject once only authorized mail fails):
# Type: TXT
# Name: _dmarc
# Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com;
#        ruf=mailto:forensic@yourdomain.com; pct=100
# TTL: Auto
# If rua points at a mailbox on another domain, that domain must publish
# yourdomain.com._report._dmarc.otherdomain.com TXT "v=DMARC1" or receivers
# will not send the reports there.
# Verify DMARC record
dig TXT _dmarc.yourdomain.com +short
# Expected output:
# "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100"

Expected output: The DMARC policy p=quarantine asks receivers to treat mail that fails DMARC as suspicious, which in practice means the spam folder; p=reject asks them to refuse it at SMTP time, and p=none only reports. A message fails DMARC when it has neither an aligned SPF pass nor an aligned DKIM pass, so a forwarded message that loses SPF still passes on its DKIM signature. The rua address receives aggregate XML reports listing every source IP that sent mail claiming your domain and how it was evaluated, which is how you find both unauthorized senders and legitimate services you forgot to authorize. ruf (per-message failure reports) is honored by few receivers and can leak message content, so do not rely on it.
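The alignment rule is the part most often misunderstood, so here it is as code. This added example (not from the page) evaluates one message against a DMARC record: it parses the tags, applies strict or relaxed alignment per aspf=/adkim=, and picks p= or sp= for a failing message. Organizational domains are approximated by the last two labels, a stand-in for the Public Suffix List that is wrong for names like example.co.uk; SAMPLE_RECORD and the cases in demo() are constructed, including the SendGrid-style envelope subdomain em123.example.com.

```python
"""DMARC evaluation for one message: alignment first, then policy.

Added example; not code from the original page. DMARC passes when SPF or
DKIM passes AND that identifier aligns with the From domain; otherwise
p= (or sp= for subdomains) is the disposition. org_domain() approximates
the Public Suffix List with the last two labels (wrong for example.co.uk).
SAMPLE_RECORD and the demo cases are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthResult:
    spf_domain: Optional[str]   # envelope (MAIL FROM) domain SPF was checked for
    spf_pass: bool
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified
    dkim_pass: bool


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=...; ...'; reject records missing v= or a valid p=."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    return tags


def org_domain(domain: str) -> str:
    """Approximation: last two labels (assumes a single-label public suffix)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str, auth: AuthResult) -> Dict[str, object]:
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain, tags.get("adkim", "r"))
    result: Dict[str, object] = {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    if spf_ok or dkim_ok:
        return {**result, "dmarc": "pass", "disposition": "none"}
    # Failing message: sp= applies when the From domain is a subdomain of the
    # record's organizational domain. pct= is the share of failing mail the
    # receiver subjects to this policy; the rest gets the next milder one.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {**result, "dmarc": "fail", "disposition": policy, "pct": int(tags.get("pct", "100"))}


SAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; "
                 "rua=mailto:dmarc@example.com; pct=100")


def demo() -> Dict[str, str]:
    """Dispositions for constructed cases against SAMPLE_RECORD."""
    cases = {
        # SendGrid-style: envelope domain is a subdomain, DKIM signed by the org domain
        "sendgrid": ("example.com", AuthResult("em123.example.com", True, "example.com", True)),
        # Forwarded: SPF breaks at the forwarder, DKIM survives
        "forwarded": ("example.com", AuthResult("forwarder.example", False, "example.com", True)),
        # Spoof: attacker's own SPF passes but for the wrong domain, no DKIM
        "spoof": ("example.com", AuthResult("attacker.example", True, None, False)),
        # Spoofed subdomain: sp=reject applies
        "subdomain_spoof": ("news.example.com", AuthResult(None, False, None, False)),
        # adkim=s: a DKIM d= that is only a subdomain does not align
        "strict_dkim_miss": ("example.com", AuthResult(None, False, "mail.example.com", True)),
    }
    return {name: str(evaluate(SAMPLE_RECORD, frm, auth)["disposition"])
            for name, (frm, auth) in cases.items()}


if __name__ == "__main__":
    for name, disposition in demo().items():
        print(f"{name:18} -> {disposition}")
```

The "spoof" case is the point of the whole exercise: the attacker's SPF genuinely passes, for attacker.example, and it is alignment with the From domain, not the raw SPF verdict, that sends the message to quarantine. The "strict_dkim_miss" case shows why adkim=s needs care if a provider signs with a subdomain.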

Testing Authentication

After configuring all three records, test your setup using online tools or command-line checks.

# Comprehensive check with dig for all records
echo "=== SPF ==="
dig TXT yourdomain.com +short | grep "v=spf1"
echo "=== DKIM ==="
dig TXT sendgrid._domainkey.yourdomain.com +short
echo "=== DMARC ==="
dig TXT _dmarc.yourdomain.com +short

Common Errors

| Error | Cause | Fix |
|---|---|---|
| SPF permerror | More than one v=spf1 TXT record on the domain, or more than 10 DNS-lookup mechanisms (include, a, mx, ptr, exists, redirect) once includes are expanded | Merge everything into one record; drop unused includes or flatten them to ip4/ip6 entries |
| DKIM signature invalid | Published public key does not match the signing key, the selector name in DNS differs from s= in the DKIM-Signature header, or the key record was truncated when pasted | Regenerate the key pair in your email provider and republish; confirm the DNS name matches <s>._domainkey.<d> from the header |
| DMARC parsing error | Invalid syntax in the DMARC value | Validate at dmarctester.com; make sure v=DMARC1 comes first and every tag=value pair is separated by a semicolon |
| DMARC reports not received | The rua mailbox does not exist, or it lives on another domain that has not authorized receiving your reports | Create a dedicated dmarc@yourdomain.com address; if reports go to another domain, publish yourdomain.com._report._dmarc.otherdomain.com TXT "v=DMARC1" there; parse the (usually gzipped) XML automatically |
| SPF neutral | ?all instead of ~all or -all | Change to ~all (softfail) or -all (fail) so unauthorized senders are penalized |

Practice Questions

  1. What three DNS records are required for full email authentication, and what does each do?
  2. What does a DMARC policy of p=reject tell receiving mail servers to do?
  3. Why should you use include: mechanisms sparingly in your SPF record?

FAQ

What is the difference between SPF, DKIM, and DMARC?

SPF lists the servers allowed to send for your domain; receivers check the connecting IP against the record of the envelope sender (MAIL FROM) domain. DKIM attaches a cryptographic signature that proves the signed headers and body were not altered and that the signer holds the private key for the domain in d=. DMARC ties both to the From domain the user sees (alignment), tells receivers what to do when neither check passes with alignment, and sends you reports about the results. All three work together to protect your domain.

Do I need all three records?

Yes, for optimal deliverability. SPF alone breaks on forwarded mail, because the forwarder's IP is not in your record. DKIM alone survives forwarding but says nothing about the visible From domain unless DMARC enforces alignment. DMARC with neither SPF nor DKIM fails every message, including your own. Gmail, Outlook and Yahoo evaluate all three and use the combined result for spam classification and DMARC enforcement.

How often should I monitor DMARC reports?

Review aggregate reports at least weekly when first implementing DMARC to identify unauthorized senders and legitimate services you have not yet authorized. After establishing a baseline, monthly review is sufficient. Set up automated parsing of the XML reports (they arrive as compressed attachments) using DMARC analysis tools, or forward them to a service that provides dashboard visualization.
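Automated parsing of the reports, as recommended above and in the "DMARC reports not received" row of the error table, needs only the standard library. The following added example (not code from the page) summarizes one aggregate report: total, passing and failing message counts, and the source IPs that failed DMARC, ordered by volume. SAMPLE_REPORT is a constructed XML in the RFC 7489 Appendix C layout (report_metadata, policy_published, record rows); the reporter name, addresses and counts are made up. Real reports arrive as .xml.gz or .zip attachments, so decompress them before calling summarize().

```python
"""Summarize a DMARC aggregate (rua) report.

Added example; not code from the original page. SAMPLE_REPORT is a
constructed XML in the RFC 7489 Appendix C layout; reporter, IPs and
counts are made up. Real reports arrive gzipped or zipped, so decompress
before passing the text to summarize().
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>2024-06-12-0001</report_id>
    <date_range><begin>1718150400</begin><end>1718236800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>sendgrid</selector><result>pass</result></dkim>
      <spf><domain>em123.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.9</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>sendgrid</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(xml_text: str) -> Dict[str, object]:
    """Aggregate pass/fail counts per source IP from one rua report."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    sources: Dict[str, Dict[str, object]] = {}
    passed = failed = 0
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # policy_evaluated/dkim and /spf are the *aligned* results; DMARC
        # passes when either is pass. auth_results holds the raw verdicts,
        # which is why the spoofer below shows spf=pass for attacker.example.
        dmarc = "pass" if "pass" in (ev.findtext("dkim"), ev.findtext("spf")) else "fail"
        if dmarc == "pass":
            passed += count
        else:
            failed += count
        sources[row.findtext("source_ip")] = {
            "count": count,
            "dmarc": dmarc,
            "disposition": ev.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        }
    failing: List[str] = [ip for ip, s in sources.items() if s["dmarc"] == "fail"]
    failing.sort(key=lambda ip: int(sources[ip]["count"]), reverse=True)
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "total": passed + failed,
        "passed": passed,
        "failed": failed,
        "by_source": sources,
        "unauthorized": failing,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(summary["reporter"], summary["domain"], summary["policy"])
    print("total", summary["total"], "passed", summary["passed"], "failed", summary["failed"])
    for ip in summary["unauthorized"]:
        print("unauthorized sender", ip, summary["by_source"][ip])
```

The third record is the one worth recognizing in real reports: SPF failed but the aligned DKIM pass kept DMARC passing, the usual signature of forwarded mail or a mailing list, not of an attacker.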

Summary

Configuring SPF, DKIM, and DMARC in Cloudflare DNS protects your domain from email spoofing, improves deliverability, and gives you visibility into who is sending email on your behalf. SPF authorizes sending servers, DKIM adds cryptographic verification, and DMARC enforces policies while providing reports.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro -- security-first tools for the modern web.
