How to Add a DMARC Record in Cloudflare (Step-by-Step)

Learn how to add a DMARC record in Cloudflare DNS step by step. Includes example records, common mistakes, and verification with free tools.

March 2, 2026

Adding a DMARC record in Cloudflare is one of the most effective steps you can take to protect your domain from email spoofing and phishing. If your domain's DNS is managed by Cloudflare, this guide will walk you through the entire process in under 10 minutes.

Prerequisites

Before you begin, make sure you have:

  • A Cloudflare account with your domain added
  • DNS management access for your domain in Cloudflare
  • An existing SPF record (recommended)
  • An existing DKIM setup with your email provider (recommended)

If you haven't set up SPF yet, use our SPF Generator to create one before proceeding.

Step 1: Navigate to DNS Settings in Cloudflare

  1. Log in to your Cloudflare dashboard
  2. Select the domain you want to protect
  3. Click DNS in the left sidebar, then Records
  4. You'll see your existing DNS records listed here

Step 2: Add a TXT Record for DMARC

Click the Add record button and fill in the following fields:

Field          Value
Type           TXT
Name           _dmarc
Content        v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
TTL            Auto
Proxy status   DNS only (grey cloud)

Here's what each part of the DMARC record means:

v=DMARC1          → DMARC version (always DMARC1)
p=none             → Policy: monitor only (no action on failures)
rua=mailto:...     → Where to send aggregate reports
pct=100            → Apply the policy to 100% of failing emails

Choosing Your Policy

  • p=none — Start here. Monitors email without affecting delivery. Lets you collect data first.
  • p=quarantine — Sends failing emails to spam. Use after reviewing reports.
  • p=reject — Blocks failing emails entirely. The strongest protection.

We recommend starting with p=none and upgrading gradually. Use our DMARC Policy Generator to create the exact record you need.

Step 3: Verify Your DMARC Record

After saving the record in Cloudflare, verify it's published correctly:

  1. Go to our DMARC Checker tool
  2. Enter your domain name
  3. Click Check DMARC

The tool will show you the parsed DMARC record and flag any issues. DNS propagation usually takes a few minutes with Cloudflare, but can take up to 24 hours in rare cases.

Step 4: Verify Your SPF Record

DMARC works best when paired with SPF. Check your SPF record using the SPF Checker.

A basic SPF record for common email providers looks like:

v=spf1 include:_spf.google.com ~all

If you don't have one, use the SPF Generator to create it and add it as another TXT record in Cloudflare (with Name set to @).

Step 5: Monitor Your Reports

Once your DMARC record is live, you'll start receiving XML reports from email providers like Google and Yahoo. These reports show:

  • Which IPs are sending email on behalf of your domain
  • Whether those emails pass SPF and DKIM checks
  • Whether they align with your DMARC policy

Manually reading XML reports is tedious. DMARC Examiner automates the entire process — parsing reports, identifying unauthorized senders, and alerting you to problems.

Common Mistakes to Avoid

1. Enabling Cloudflare Proxy on the TXT Record

Cloudflare's proxy (orange cloud) is for HTTP traffic only. TXT records must always use "DNS only" (grey cloud). If proxy is enabled, the DMARC record won't be visible to email servers.

2. Wrong Record Name

The name must be exactly _dmarc — not _dmarc.yourdomain.com (Cloudflare appends the domain automatically) and not dmarc without the underscore.

3. Multiple DMARC Records

You should have exactly one DMARC TXT record. If you have duplicates, email providers may ignore both. Check for existing records before adding a new one.

4. Missing SPF or DKIM

DMARC validates email by checking SPF and DKIM alignment. Without at least one of these in place, all emails will fail DMARC checks. Set up both for the best protection.

5. Jumping Straight to p=reject

Moving to p=reject without first monitoring with p=none can block legitimate emails from services like your CRM, newsletter platform, or transactional email provider. Always review your reports first.
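The record-level mistakes above (duplicate records, malformed content) can be caught locally by checking the TXT strings returned for _dmarc.yourdomain.com, the same check Step 3 performs. The following Python is an added example, not code from this guide or from any DMARC tool; the function names and sample strings are constructed for illustration.

```python
# Added example: validate the TXT strings published at _dmarc.<domain>.
# Record values used here are constructed samples, not real DNS answers.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split one DMARC TXT value into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records):
    """Return a list of problems for the TXT records found at _dmarc.<domain>."""
    # Simplification: only records that begin exactly with v=DMARC1 count.
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return ["no DMARC record found"]
    if len(dmarc) > 1:
        return [f"{len(dmarc)} DMARC records published; receivers may ignore all of them"]
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append(f"invalid or missing p= value: {tags.get('p')!r}")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append(f"pct must be an integer 0-100, got {pct!r}")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua= address: aggregate reports will not be sent")
    for uri in rua:
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua URI is not mailto: {uri!r}")
    return problems

if __name__ == "__main__":
    good = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100"
    for records in ([good], [good, "v=DMARC1; p=reject"]):
        print(check_dmarc(records) or "OK")
```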

Upgrading Your Policy Over Time

A safe DMARC deployment follows this progression:

  1. Week 1–4: p=none — Collect reports and identify all legitimate senders
  2. Week 5–8: p=quarantine; pct=25 — Quarantine 25% of failing emails
  3. Week 9–12: p=quarantine; pct=100 — Quarantine all failing emails
  4. Week 13+: p=reject — Full protection

Use the DMARC Policy Generator to create the right record for each stage.

Run a Full Compliance Check

Want to see how your domain stacks up across all email authentication standards? Run a complete audit.

Monitor with DMARC Examiner

Setting up a DMARC record is just the beginning. To actually protect your domain, you need to monitor your reports continuously, identify unauthorized senders, and respond to issues before they affect deliverability.

DMARC Examiner does all of this automatically: parsing your aggregate reports, visualizing sending patterns, and alerting you when something goes wrong.

