SPF, DKIM, & DMARC Configuration
Authentication protocols help prove your emails are legitimate. Cloudflare makes setting these up straightforward.
Understanding the protocols
When you send an email, receiving providers (like Gmail and Outlook) run checks to confirm your identity.
- SPF (Sender Policy Framework): A list of servers allowed to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail): A signature attached to your email proving it hasn't been altered in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Instructions telling the receiver what to do if an email fails SPF or DKIM.
Setting up SPF for Cloudflare
When you enable Cloudflare Email Routing, Cloudflare generally adds this TXT record automatically. To verify, go to your DNS settings in Cloudflare and look for a TXT record on your root domain (@) that looks like this:
v=spf1 include:_spf.mx.cloudflare.net ~all
If you already have an SPF record for another service (like Google Workspace), do not create a second SPF record. You are only allowed one SPF record per domain. Instead, merge them:
v=spf1 include:_spf.google.com include:_spf.mx.cloudflare.net ~all
Setting up DKIM
WPFlareMail routes emails via Cloudflare Workers. As long as Email Routing is active, Cloudflare automatically signs your outgoing emails using internal DKIM keys.
Setting up DMARC
DMARC is enforced by providers like Gmail and Yahoo. If you do not have it, your emails will likely bounce.
- Go to your Cloudflare DNS settings.
- Click Add Record.
- Type: TXT
- Name: _dmarc
- Content: v=DMARC1; p=none;
Setting p=none is the safest starting point because it monitors traffic without dropping emails. Once you know everything is authenticated, you can change it to p=quarantine or p=reject.
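The one-SPF-record rule and the starting DMARC policy described above can be checked mechanically against the TXT strings in your zone. The Python below is an added example, not code from WPFlareMail or Cloudflare; the function names, the sample TXT strings, and the choice to keep the strictest "all" qualifier when merging are assumptions made for illustration.

```python
STRICTNESS = {"+": 0, "?": 1, "~": 2, "-": 3}  # "all" qualifiers, weakest to strictest

def is_spf(txt):
    return txt.lower().split()[:1] == ["v=spf1"]

def merge_spf(records):
    """Combine several SPF TXT strings into the single record a domain may publish."""
    mechanisms, qualifier = [], None
    for rec in records:
        for term in rec.split()[1:]:  # skip the leading v=spf1
            if term.lstrip("+-~?").lower() == "all":
                q = term[0] if term[0] in STRICTNESS else "+"  # bare "all" means "+all"
                if qualifier is None or STRICTNESS[q] > STRICTNESS[qualifier]:
                    qualifier = q  # assumption: keep the strictest qualifier seen
            elif term not in mechanisms:
                mechanisms.append(term)  # de-duplicate, keep first-seen order
    tail = [qualifier + "all"] if qualifier else []
    return " ".join(["v=spf1"] + mechanisms + tail)

def dmarc_policy(txt):
    """Return the p= value of a DMARC record, or None if txt is not one."""
    pairs = (part.partition("=") for part in txt.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
    return tags.get("p") if tags.get("v") == "DMARC1" else None

def audit(root_txt, dmarc_txt):
    """Return findings for the TXT strings published at @ and at _dmarc."""
    findings = []
    spf = [t for t in root_txt if is_spf(t)]
    if not spf:
        findings.append("no SPF record at @")
    elif len(spf) > 1:
        findings.append("multiple SPF records, publish one: " + merge_spf(spf))
    policies = [p for p in map(dmarc_policy, dmarc_txt) if p]
    if not policies:
        findings.append("no DMARC record at _dmarc")
    elif policies[0] == "none":
        findings.append("DMARC p=none: monitoring only")
    return findings

# Constructed sample: a second SPF record was added instead of being merged.
ROOT_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:_spf.mx.cloudflare.net ~all",
    "google-site-verification=EXAMPLE",
]
DMARC_TXT = ["v=DMARC1; p=none;"]

if __name__ == "__main__":
    print("\n".join(audit(ROOT_TXT, DMARC_TXT)))
```

The merge only combines top-level terms; it does not resolve the included records, so review the result before publishing it.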
Deliverability Tips
Authentication does not mean you can spam. Only send transactional emails like receipts, order notifications, and password resets.