How to Set Up DMARC on Cloudflare: Step-by-Step DNS Guide

Cloudflare is one of the most widely used DNS providers, and adding a DMARC record through its dashboard is quick and straightforward. Whether you transferred your entire domain to Cloudflare or just pointed your nameservers there, the process for adding a DMARC TXT record is the same.

This guide walks you through every step, from the prerequisites to verifying your record is live. If you are not sure what DMARC policy to choose, read our how to create a DMARC record guide first.

Before You Start

You need a few things in place before you add your DMARC record in Cloudflare.

SPF and DKIM should already be configured. DMARC builds on these two protocols. Without them, your DMARC record cannot do its job properly. Your SPF record tells receiving mail servers which IP addresses are allowed to send email for your domain. DKIM adds a cryptographic signature to outgoing messages so receivers can verify they were not tampered with. If you need to set these up, use spfcreator.com for SPF and dkimcreator.com for DKIM.

Your domain's nameservers must point to Cloudflare. If your domain is registered at GoDaddy or Namecheap but your nameservers point to Cloudflare, then Cloudflare is where you manage DNS. Adding a DMARC record at your registrar will have no effect if Cloudflare is handling your DNS.

You need your DMARC record value ready. A basic monitoring record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;

Start with p=none so you can collect reports without affecting email delivery. You can tighten the policy later after reviewing your data. For help choosing between none, quarantine, and reject, see our DMARC policy levels guide.

If your DMARC quarantine or reject policy is not enabled and you are seeing warnings in email deliverability tools, starting with p=none is still the right first step. Jumping straight to enforcement without data can break legitimate email.

Step-by-Step: Adding DMARC in Cloudflare

Log in to your Cloudflare dashboard

Go to dash.cloudflare.com and sign in. You will see a list of all domains you have added to Cloudflare. Click on the domain you want to protect with DMARC.

Navigate to DNS Records

In the left sidebar, click DNS and then Records. This opens the DNS management panel where you can see all existing records for your domain, including any A, CNAME, MX, and TXT records already in place.

Click Add Record

Click the Add record button at the top of the records list. A new row will appear with fields for the record type, name, content, and TTL.

Set the record type to TXT

In the Type dropdown, select TXT. DMARC records are always published as TXT records. Do not use CNAME or any other type.

Enter _dmarc as the name

In the Name field, type _dmarc. Cloudflare will automatically append your domain, so the full record will resolve at _dmarc.yourdomain.com. Do not type the full domain name — just _dmarc with the underscore.

Paste your DMARC record as the content

In the Content field, paste your complete DMARC record string. For example: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;. Do not wrap the value in quotes. Cloudflare handles formatting automatically.

Set the TTL

Cloudflare defaults TXT record TTL to Auto, which is usually fine. If you want more control, you can set it to 1 hour (3600 seconds). A shorter TTL makes it faster to update the record later if you need to change your policy.

Save the record

Click Save. The record will appear in your DNS records list as a TXT record with the name _dmarc and your DMARC string as the content. There is no proxy toggle for TXT records — they are always DNS-only, which is exactly what you want.

Cloudflare-Specific Details

Proxy Status Does Not Apply to TXT Records

Cloudflare's orange cloud proxy icon only applies to A and CNAME records that serve web traffic. TXT records like your DMARC record are always served directly through DNS without any proxy. You will not see a proxy toggle when adding a TXT record, and you do not need to worry about it.

Cloudflare Email Routing

Cloudflare offers an Email Routing feature that lets you forward emails from your domain to another inbox without running a mail server. If you use Cloudflare Email Routing, you should still set up DMARC. Email Routing handles inbound mail, while DMARC protects your domain's outbound reputation. The two features work independently.

If Cloudflare Email Routing is the only email service on your domain and you do not send outbound email, you can still publish a DMARC record. In fact, a strict record like v=DMARC1; p=reject; is a good idea for domains that never send email. It prevents anyone from spoofing your domain.

Cloudflare Does Not Manage SPF or DKIM for You

Cloudflare is a DNS provider, not an email service. It hosts your DNS records, but it does not generate SPF or DKIM records for you. You need to get those from your actual email provider (Google Workspace, Microsoft 365, Zoho, etc.) and then add them as TXT records in Cloudflare, just like you added your DMARC record. For a clear breakdown of how these three protocols work together, see SPF vs DKIM vs DMARC.

Verifying Your DMARC Record

After saving the record in Cloudflare, give it a few minutes to propagate. Cloudflare DNS propagation is typically fast — often under five minutes.

Check your record using dmarcrecordchecker.com. Enter your domain and verify that:

The record starts with v=DMARC1
Your chosen policy (p=none, p=quarantine, or p=reject) is present
Your rua address is correct if you included one
There is only one DMARC record (not duplicates)

If the record does not appear after five minutes, double-check that your domain's nameservers actually point to Cloudflare. You can see this in the Overview tab of your domain in the Cloudflare dashboard. If the status shows "Active," your nameservers are correctly configured and the record should propagate shortly.

Troubleshooting Common Issues

Record Not Resolving

If your DMARC record does not show up in a lookup tool, check these things:

Nameserver confirmation. Make sure your domain is active in Cloudflare (not in a pending or moved state). If you recently changed nameservers, it can take up to 24 hours for the change to propagate globally.
Typo in the name field. The name must be exactly _dmarc with the underscore. If you entered dmarc without it, the record is at the wrong location.
Duplicate records. If you have two TXT records at _dmarc, delete the incorrect one. Multiple DMARC records cause validation failures.

Editing Your Record Later

When you are ready to move from p=none to p=quarantine or p=reject, find your existing DMARC record in the Cloudflare DNS panel and click the Edit button. Update the policy value, save, and the change will propagate within minutes.

We recommend a gradual approach: start with p=quarantine; pct=10; to apply quarantine to only ten percent of failing messages. Monitor for a week, increase the percentage, and eventually move to p=reject once you are confident all legitimate email is passing.

Complete your email authentication

DMARC works alongside SPF and DKIM. If you have not set up SPF yet, use spfcreator.com to generate your record. For DKIM key generation, use dkimcreator.com. All three records should be in place for full email authentication.

After Setup: What to Expect

Once your DMARC record is live in Cloudflare, receiving mail servers will start processing it right away. If you included a rua tag, expect your first aggregate reports within 24 to 48 hours. These XML reports show which IP addresses sent email using your domain and whether those messages passed authentication.

Review these reports regularly during the first few weeks. They reveal whether any legitimate email services are failing checks. Fix any issues before tightening your policy. If you use Cloudflare to manage DNS for applications that send email programmatically, our DMARC for developers guide covers authentication patterns for automated sending. For a complete walkthrough of the DMARC implementation process, see our DMARC setup guide.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring