Cloudflare Email: DKIM, SPF and DMARC Configuration -- Complete Guide
In this tutorial, you will learn how to configure DKIM signing, SPF records, and DMARC policies for your domain in Cloudflare DNS to improve email deliverability, prevent spoofing, and protect your domain reputation.
Why Email Authentication Matters
Email was designed without built-in authentication, so forging the "From" address and sending mail that appears to come from your domain is trivial. Without DKIM, SPF, and DMARC, your domain is open to spoofing attacks that can damage your reputation, trick your customers, and land your legitimate email in spam folders. Cloudflare provides the DNS infrastructure to publish these authentication records, and when combined with Email Routing you can configure sender authentication so that forwarded email passes recipient checks. Mailbox providers such as Gmail and Outlook now require DMARC for bulk senders, and they treat SPF and DKIM failures as signals for spam classification.
Real-world use: A startup sends transactional emails through SendGrid and uses Gmail for team communication. Without SPF and DKIM, recipient servers may reject both types of email or mark them as spam. Configuring SPF with both SendGrid and Google's include statements, DKIM with SendGrid's public key, and a DMARC policy of p=quarantine ensures all legitimate email passes authentication checks.
Email Authentication Flow
```mermaid
flowchart LR
    S[Sender MTA] --> D[DNS Lookup]
    D --> SPF[SPF Record]
    D --> DKIM[DKIM Record]
    D --> DMARC[DMARC Record]
    SPF --> R[Receiving MTA]
    DKIM --> R
    DMARC --> R
    R --> P["Pass/Fail/Quarantine"]
    style D fill:#f90,color:#fff
    style R fill:#f90,color:#fff
```
Configuring SPF Records in Cloudflare DNS
SPF (Sender Policy Framework) declares which mail servers are authorized to send email on behalf of your domain. Without it, anyone can send email claiming to be from your domain.
```bash
# Add a TXT record in Cloudflare DNS:
# Type: TXT
# Name: @
# Value: v=spf1 include:_spf.cloudflare.com include:sendgrid.net ~all
# TTL: Auto
# Proxy status: DNS Only (gray cloud)

# Verify the SPF record with dig
dig TXT yourdomain.com +short | grep "v=spf1"
# Expected output:
# "v=spf1 include:_spf.cloudflare.com include:sendgrid.net ~all"
```
Expected output: The SPF record declares that Cloudflare and SendGrid are authorized senders for your domain. The ~all mechanism tells recipients to softfail (mark as suspicious) messages from unauthorized servers.
Configuring DKIM Signatures
DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing emails. Receiving servers verify this signature by looking up your public key in DNS.
```bash
# Example DKIM record (generated by your email provider):
# Type: TXT
# Name: sendgrid._domainkey
# Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
# TTL: Auto
# Proxy status: DNS Only (gray cloud)

# Verify the DKIM record
dig TXT sendgrid._domainkey.yourdomain.com +short
# Expected output:
# "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
```
Expected output: The DKIM record publishes your public key. When your email provider sends a DKIM-signed message, the recipient can verify the signature against this public key, confirming the email was not tampered with in transit.
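The receiver-side steps described above, as an added example that is not part of the original page: read the selector (s=) and signing domain (d=) from a DKIM-Signature header to build the sendgrid._domainkey.yourdomain.com lookup name, and check the bh= body hash using RFC 6376 "simple" body canonicalization. The message and header are constructed; b= is a placeholder because checking it needs the public key from DNS and an RSA library.

```python
import base64
import hashlib
import re

def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s", "", v)
    return tags

def dkim_dns_name(tags):
    """The TXT record a receiver queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: ignore trailing empty lines, end with one CRLF.
    Assumption: bare LF line endings in a constructed sample are treated as CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"

def body_hash(body):
    """bh= value: base64(SHA-256(canonicalized body)), as used with a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode()).digest()
    return base64.b64encode(digest).decode()

def verify_body_hash(header_value, body):
    """True when bh= matches the body as received, i.e. the body was not altered in transit.
    Verifying b= as well needs the public key fetched from dkim_dns_name(tags)."""
    tags = parse_dkim_signature(header_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # a single value sets the header mode only
    if tags.get("a") != "rsa-sha256" or body_canon != "simple":
        raise ValueError("only a=rsa-sha256 with simple body canonicalization is handled here")
    return tags["bh"] == body_hash(body)

# Constructed sample, not a real message. bh= is computed here the way a signer would;
# b= is a placeholder because no private key is involved in this example.
SAMPLE_BODY = "Your order has shipped.\r\n\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=yourdomain.com; s=sendgrid;\r\n"
                 " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\r\n b=PLACEHOLDER")
```

Trailing empty lines are ignored by simple canonicalization, so a mail relay that appends or strips a blank line does not break the hash, while any change to the text does.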
Configuring DMARC Policies
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM checks fail. It also generates reports so you can monitor authentication failures.
```bash
# Add a DMARC TXT record:
# Type: TXT
# Name: _dmarc
# Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100
# TTL: Auto

# Verify the DMARC record
dig TXT _dmarc.yourdomain.com +short
# Expected output:
# "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100"
```
Expected output: The DMARC policy p=quarantine tells recipients to send failing emails to spam. The rua address receives aggregate reports (XML) about who is sending email from your domain, helping you detect unauthorized use.
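As an added example that is not from the original page, a parser for the aggregate (rua) reports mentioned above, run over a constructed sample in the RFC 7489 report format. It pulls out the sources whose mail failed both DKIM and SPF, which is where spoofing, or a legitimate sender missing from your SPF and DKIM setup, shows up first.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report format (not a real report):
# one authenticated source plus one source that fails both checks.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def parse_aggregate_report(xml_text):
    """Return (published policy dict, list of per-source rows) from one rua report."""
    root = ET.fromstring(xml_text)
    policy = {"domain": root.findtext("policy_published/domain"),
              "p": root.findtext("policy_published/p")}
    rows = []
    for rec in root.findall("record"):
        row, pe = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append({"source_ip": row.findtext("source_ip"),
                     "count": int(row.findtext("count")),
                     "disposition": pe.findtext("disposition"),
                     "dkim": pe.findtext("dkim"), "spf": pe.findtext("spf"),
                     "header_from": rec.findtext("identifiers/header_from")})
    return policy, rows

def unauthenticated_sources(rows):
    """Sources where neither DKIM nor SPF aligned: spoofing, or a sender missing from SPF/DKIM."""
    return [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]

def summarize(xml_text):
    """The totals a defender wants first: how much mail failed and from which IPs."""
    policy, rows = parse_aggregate_report(xml_text)
    bad = unauthenticated_sources(rows)
    return {"domain": policy["domain"], "policy": policy["p"],
            "total": sum(r["count"] for r in rows),
            "failed": sum(r["count"] for r in bad),
            "failing_ips": [r["source_ip"] for r in bad]}
```

Real reports arrive as gzip or zip attachments at the rua address; decompress them and feed the XML to summarize().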
Testing Authentication
After configuring all three records, test your setup using online tools or command-line checks.
```bash
# Comprehensive check with dig for all three records
echo "=== SPF ==="
dig TXT yourdomain.com +short | grep "v=spf1"
echo "=== DKIM ==="
dig TXT sendgrid._domainkey.yourdomain.com +short
echo "=== DMARC ==="
dig TXT _dmarc.yourdomain.com +short
```
Common Errors
| Error | Cause | Fix |
|---|---|---|
| SPF permerror | Multiple SPF records or more than 10 DNS lookups | Merge all includes into one SPF record; use include: sparingly |
| DKIM signature invalid | Public key does not match private key | Regenerate DKIM keys in your email provider and update DNS |
| DMARC parsing error | Invalid syntax in DMARC value | Validate at dmarctester.com; ensure semicolons separate tags |
| DMARC reports not received | RUA address does not accept XML reports | Create a dedicated dmarc@yourdomain.com address; parse XML reports |
| SPF neutral | ?all instead of ~all or -all | Change to ~all (softfail) or -all (hardfail) for stricter policy |
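An added example, not code from the original page, covering both the SPF section and the SPF rows of the table above: an offline linter for the strings that `dig TXT yourdomain.com +short` returns. It flags the conditions the table lists (more than one SPF record, more than 10 lookup-causing terms, a neutral ?all) and uses the page's own record as the clean case. Nested include: targets are not resolved, so the lookup count covers only the top-level record.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookup-causing terms is a permerror

def from_dig_short(output):
    """Turn `dig TXT name +short` output into plain record strings, joining split quoted chunks."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"([^"]*)"', line)
        records.append("".join(chunks) if chunks else line.strip())
    return [r for r in records if r]

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records (the version tag is case-insensitive)."""
    return [r for r in txt_records if r.strip().lower().startswith("v=spf1")]

def count_lookups(record):
    """Count top-level terms that cost a DNS lookup; nested includes are not resolved offline."""
    names = (re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)

def all_qualifier(record):
    """Qualifier on the 'all' mechanism: '+', '-', '~', '?' or None when absent."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None

def lint_spf(txt_records):
    """Findings that map onto the SPF rows of the Common Errors table."""
    spf = spf_records(txt_records)
    if not spf:
        return ["no SPF record published: anyone can claim to send from this domain"]
    issues = []
    if len(spf) > 1:
        issues.append("multiple SPF records: receivers return permerror")
    n = count_lookups(spf[0])
    if n > MAX_LOOKUPS:
        issues.append(f"{n} lookup terms exceed the limit of {MAX_LOOKUPS}: permerror")
    q = all_qualifier(spf[0])
    if q in (None, "+"):
        issues.append("missing 'all' or +all: unauthorized servers still pass")
    elif q == "?":
        issues.append("?all is neutral: change to ~all (softfail) or -all (fail)")
    return issues
```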
Practice Questions
- What three DNS records are required for full email authentication, and what does each do?
- What does a DMARC policy of p=reject tell receiving mail servers to do?
- Why should you use include: mechanisms sparingly in your SPF record?
Summary
Configuring SPF, DKIM, and DMARC in Cloudflare DNS protects your domain from email spoofing, improves deliverability, and gives you visibility into who is sending email on your behalf. SPF authorizes sending servers, DKIM adds cryptographic verification, and DMARC enforces policies while providing reports.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro -- security-first tools for the modern web.