Adding DMARC, SPF, and DKIM records in Cloudflare

Cloudflare is one of the cleaner DNS editors to work in, and the orange-cloud proxy that worries people never touches your email records. Here is the path, the one Email Routing clash to watch for, and how to confirm the record took.

Before you start: confirm Cloudflare answers your DNS

When you add a domain to Cloudflare on the standard (full) setup, Cloudflare assigns two nameservers of the form name.ns.cloudflare.com (a pair of short first names, for example bob and lola, picked at random and unique to your zone) and you switch your registrar to them. Confirm your domain is on them:

dig +short NS yourdomain.com

If the answers end in ns.cloudflare.com, you are in the right place.

Step 1: Open the DNS editor

  1. Log in to the Cloudflare dashboard and select your domain.
  2. Go to DNS, then Records.
  3. Select Add record and set Type to TXT.

The orange cloud does not apply here. Only A, AAAA, and CNAME records can be proxied through Cloudflare; TXT records (and MX) are always DNS-only. So there is no proxy setting to worry about for any of your DMARC, SPF, DKIM, or MTA-STS records.

Step 2: Add the record

Cloudflare's TXT editor has a Name field, a Content field (the value), and a TTL you can leave on Auto. Use @ in Name for the root domain, or a prefix for everything else.

DMARC

Type:    TXT
Name:    _dmarc
Content: v=DMARC1; p=none; rua=mailto:you@yourdomain.com
TTL:     Auto

Start at p=none, then move past p=none once your reports are clean. If you turn on Cloudflare's built-in DMARC Management, it adds a Cloudflare rua= address to this record so it can read your reports. That is expected, not tampering.

SPF

Type:    TXT
Name:    @
Content: v=spf1 include:_spf.yourprovider.com ~all
TTL:     Auto

Publish only one v=spf1 record. This matters more than usual on Cloudflare: see the Email Routing note below.

DKIM

Type:    TXT
Name:    selector._domainkey
Content: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG... (your full public key)
TTL:     Auto

Paste the whole key as one value. Cloudflare handles internally the 255-character string segmentation that DNS requires, so you never split the key or add quotes yourself.

MTA-STS pointer

Type:    TXT
Name:    _mta-sts
Content: v=STSv1; id=20260623000000
TTL:     Auto

Pointer only. The policy file is served over HTTPS at mta-sts.yourdomain.com, which trustyourinbox can host. TLS-RPT (_smtp._tls) is the same shape. Select Save.

Cloudflare quirks that bite

  • Email Routing's SPF record. If you use Cloudflare Email Routing, it automatically adds an SPF record of v=spf1 include:_spf.mx.cloudflare.net ~all. If you also send through an ESP, do not add a second SPF record. Merge them into one, for example v=spf1 include:_spf.mx.cloudflare.net include:_spf.yourprovider.com ~all.
  • DNSSEC during the move. If you are switching to Cloudflare, turn DNSSEC off at your old registrar before changing nameservers, then re-enable it in Cloudflare afterward. DNSSEC itself does not interfere with email authentication.
  • Two SPF records. Cloudflare will let you create a second one. Keep a single v=spf1 record at the apex.

Step 3: Verify it published

dig +short TXT _dmarc.yourdomain.com
dig +short TXT yourdomain.com | grep spf1
dig +short TXT selector._domainkey.yourdomain.com

Or paste the hostname into dns.google with type TXT. Cloudflare changes propagate fast, usually within a minute or two.
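As an added example (not trustyourinbox's or Cloudflare's code), the small Python checker below takes the text the dig commands above print, joins the quoted segments a long DKIM key comes back in, and flags the two-SPF-record clash from the Email Routing note, proposing the merged record. The record values are constructed samples; the "first record's all qualifier wins" rule in merge_spf is an assumption.

```python
import re

# One quoted segment as dig +short TXT prints it; dig escapes embedded quotes as \"
SEGMENT = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_dig_txt(output):
    """Join the quoted segments of each line of dig output into one TXT string.
    A DKIM key longer than 255 characters arrives as several such segments."""
    return ["".join(SEGMENT.findall(line)).replace('\\"', '"')
            for line in output.splitlines() if line.strip()]

def merge_spf(spf):
    """Fold several v=spf1 records into the single record the apex should hold:
    terms keep their order, duplicates drop, one 'all' term goes last (assumption:
    the first record's 'all' qualifier is kept when they differ)."""
    terms, all_term = [], None
    for rec in spf:
        for term in rec.split()[1:]:
            if term.lower().endswith("all"):
                all_term = all_term or term
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, all_term or "~all"])

def audit_apex(output):
    """Return (ok, detail) for the apex TXT set: exactly one v=spf1 record wanted."""
    spf = [r for r in parse_dig_txt(output) if r.lower().startswith("v=spf1")]
    if len(spf) == 1:
        return True, spf[0]
    if not spf:
        return False, "no v=spf1 record at the apex"
    return False, "multiple SPF records; merge into: " + merge_spf(spf)

def dkim_public_key(output):
    """Return the p= value of the first DKIM1 record, with its segments joined."""
    for rec in parse_dig_txt(output):
        tags = {}
        for tag in rec.split(";"):
            if "=" in tag:
                key, value = tag.split("=", 1)
                tags[key.strip()] = value.strip()
        if tags.get("v") == "DKIM1" and tags.get("p"):
            return tags["p"]
    return None

# Constructed samples in dig +short TXT form: the Email Routing SPF record next to
# an ESP one (the clash described above), and a DKIM key split into two segments.
APEX_OUTPUT = ('"v=spf1 include:_spf.mx.cloudflare.net ~all"\n'
               '"v=spf1 include:_spf.yourprovider.com ~all"\n'
               '"example-site-verification=constructed-sample"\n')
DKIM_OUTPUT = '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG" "9w0BAQEFAAOCAQ8A"\n'
```

Running audit_apex(APEX_OUTPUT) reports the duplicate and prints the same merged record the Email Routing note recommends.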

Tell trustyourinbox to recheck

Each per-domain protocol tab has a Recheck button next to the current record. Click it once the change resolves; we re-run the lookup and refresh the dashboard.

Last verified 2026-06-23 against the official Cloudflare documentation.