Cloudflare's Speed Doesn't Secure Your Email
You've routed your site through Cloudflare for performance and DDoS protection. Great. But here's what their dashboard won't tell you: Cloudflare does nothing for your email security by default.
Your domain can have a perfect A+ on SSL Labs and still have emails rejected by Gmail because you're missing SPF, DKIM, or DMARC records.
This guide walks you through adding all three—correctly. There's one critical Cloudflare-specific trap that catches most people. We'll cover that first.
⚠️ The Orange Cloud Trap (Read This First)
Critical Warning: DNS records for email authentication (SPF, DKIM, DMARC) must be set to "DNS Only" (grey cloud), NOT "Proxied" (orange cloud).
Why This Matters
When you enable Cloudflare's proxy (orange cloud) on a record, Cloudflare routes traffic through their servers and may modify DNS responses. This works great for websites but breaks email authentication:
| What Happens | Result |
|---|---|
| SPF lookups resolve to Cloudflare IPs | SPF fails (wrong server IPs) |
| DKIM CNAME records get flattened | DKIM signature validation fails |
| TXT records may be cached/modified | Unpredictable authentication failures |
The Rule
For ALL email-related DNS records:
- SPF records → Grey cloud (DNS Only)
- DKIM records → Grey cloud (DNS Only)
- DMARC records → Grey cloud (DNS Only)
- MX records → Grey cloud (DNS Only)
Keep the orange cloud only on the A and AAAA records pointing to your web server.
Prerequisites
Before you start, confirm you have:
- Cloudflare account access with DNS edit permissions for your domain
- Your domain's DNS is managed through Cloudflare (nameservers pointed to Cloudflare)
- List of services that send email for your domain (Google Workspace, SendGrid, Postmark, etc.)
- Their SPF include statements (from their documentation)
- DKIM keys from each email provider
Step 1: Set Up SPF (Sender Policy Framework)
SPF declares which mail servers are authorized to send email for your domain.
1.1 Navigate to DNS Settings
1. Log into your Cloudflare Dashboard
2. Select your domain
3. Click DNS → Records in the left sidebar
4. Click Add record
1.2 Create the SPF Record
Configure the record with these values:
| Field | Value |
|---|---|
| Type | TXT |
| Name | @ |
| Content | (see below) |
| Proxy status | DNS only (grey cloud) |
| TTL | Auto |
Your SPF record value depends on your email providers. Use this template:
```
v=spf1 include:_spf.google.com include:sendgrid.net ~all
```
1.3 Common SPF Includes
| Provider | Include Statement |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp/Mandrill | include:servers.mcsv.net |
| Amazon SES | include:amazonses.com |
| Postmark | include:spf.mtasv.net |
| Mailgun | include:mailgun.org |
1.4 Example: Google Workspace + Postmark
If you use Google Workspace for team email and Postmark for transactional:
```
v=spf1 include:_spf.google.com include:spf.mtasv.net ~all
```
Warning: SPF has a hard limit of 10 DNS lookups. Exceeding this causes SPF to fail entirely—not just for the extra entries, but for everything. Verify your lookup count after saving.
Click Save when done.
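The 10-lookup limit is easy to exceed once a provider's include chains through further includes, so it is worth counting before saving. The script below is an added example (not the guide's own code) that applies RFC 7208's counting rules to a constructed, offline map of TXT records standing in for real `dig` answers; all domain names and addresses in it are illustrative.

```python
"""Count the DNS-querying terms of an SPF record, following include: chains.

Added example, not code from the original guide. RFC 7208 allows at most 10
lookup-triggering terms per evaluation (include, a, mx, ptr, exists and the
redirect= modifier); ip4, ip6 and all are free. The resolver is a constructed
in-memory map standing in for `dig TXT`, so this runs offline.
"""
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT data for an imaginary domain with two providers, one of which
# chains through further includes and a redirect. Names/addresses are illustrative.
FAKE_TXT = {
    "yourdomain.example": "v=spf1 include:_spf.mail.example include:spf.bulk.example ~all",
    "_spf.mail.example": "v=spf1 include:_net1.mail.example include:_net2.mail.example ~all",
    "_net1.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_net2.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.bulk.example": "v=spf1 a mx include:relay.bulk.example -all",
    "relay.bulk.example": "v=spf1 ip4:198.51.100.0/24 redirect=legacy.bulk.example",
    "legacy.bulk.example": "v=spf1 exists:%{i}.check.bulk.example ~all",
}

def count_spf_lookups(domain, resolve, path=()):
    """Return how many DNS lookups evaluating `domain`'s SPF record would make.

    `resolve(name)` returns the TXT string or None. A domain that recurs in its
    own include chain raises ValueError (a permerror in real evaluation).
    """
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = resolve(domain)
    if record is None:
        return 0  # the include itself was already counted by the caller
    terms = [t.lstrip("+-~?") for t in record.split()[1:]]  # drop "v=spf1"
    count = 0
    for term in terms:
        if term.startswith("redirect="):
            if "all" not in terms:  # redirect is ignored when an all term exists
                count += 1 + count_spf_lookups(term[9:], resolve, path + (domain,))
            continue
        mech, _, target = term.partition(":")
        if mech.split("/")[0] in LOOKUP_MECHANISMS:  # "a/24" still means "a"
            count += 1
            if mech == "include":
                count += count_spf_lookups(target, resolve, path + (domain,))
    return count

if __name__ == "__main__":
    n = count_spf_lookups("yourdomain.example", FAKE_TXT.get)
    print(f"yourdomain.example: {n} lookups ({'OK' if n <= 10 else 'PERMERROR'})")
```

Swap `FAKE_TXT.get` for a function that queries your real resolver to check a live domain; the sample data comes to 9 lookups, one short of the limit.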
Step 2: Set Up DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails. Receiving servers verify this signature using a public key in your DNS.
2.1 Get Your DKIM Keys
Each email provider gives you a DKIM record to add. The format is typically:
- Selector: a unique name (e.g., google, sendgrid, pm)
- Record name: selector._domainkey (e.g., google._domainkey)
- Record type: TXT or CNAME (provider-specific)
- Record value: the public key or CNAME target
| Provider | Location |
|---|---|
| Google Workspace | Admin Console → Apps → Gmail → Authenticate email |
| SendGrid | Settings → Sender Authentication → Domain Authentication |
| Postmark | Sender Signatures → DNS Settings |
| Mailgun | Sending → Domain Settings → DNS Records |
2.2 Add the DKIM Record in Cloudflare
Click Add record and configure:
| Field | Value |
|---|---|
| Type | TXT (or CNAME, per your provider) |
| Name | selector._domainkey (e.g., google._domainkey) |
| Content | (the key from your provider) |
| Proxy status | DNS only ⚠️ |
| TTL | Auto |
Critical: If your provider gives you a CNAME record for DKIM, you MUST set it to DNS Only (grey cloud). Proxied CNAMEs will break DKIM verification.
Example DKIM TXT record value:
```
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2K4P5...
```
2.3 Multiple DKIM Records
If you use multiple email providers, add a separate DKIM record for each:
| Name | Type | Content |
|---|---|---|
| google._domainkey | TXT | (Google's key) |
| pm._domainkey | CNAME | (Postmark's target) |
| s1._domainkey | TXT | (SendGrid's key) |
Each provider uses a different selector, so there's no conflict.
Step 3: Set Up DMARC
DMARC defines the policy for emails that fail SPF or DKIM checks. It also tells receiving servers where to send authentication reports.
3.1 Start in Monitor Mode
Warning: Do NOT start with p=reject. Begin with p=none to collect data and identify all legitimate email sources before enforcing a policy.
3.2 Create the DMARC Record
Click Add record in Cloudflare:
| Field | Value |
|---|---|
| Type | TXT |
| Name | _dmarc |
| Content | (see below) |
| Proxy status | DNS only |
| TTL | Auto |
Starter DMARC record (monitoring mode):
```
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
```
Replace dmarc-reports@yourdomain.com with your reporting email.
3.3 DMARC Tag Reference
| Tag | Purpose | Example |
|---|---|---|
| v=DMARC1 | Version identifier (required) | v=DMARC1 |
| p= | Policy: none / quarantine / reject | p=none |
| rua= | Aggregate report destination | rua=mailto:reports@example.com |
| ruf= | Forensic report destination | ruf=mailto:forensic@example.com |
| pct= | Percentage of emails to apply policy | pct=100 |
| adkim= | DKIM alignment: strict (s) / relaxed (r) | adkim=r |
| aspf= | SPF alignment: strict (s) / relaxed (r) | aspf=r |
Production DMARC record (after 2-4 weeks of monitoring):
```
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100; adkim=r; aspf=r
```
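To see what the tags in the reference table and the production record actually do at the receiving end, here is an added example (not the guide's own code) that parses a DMARC record, rejects malformed ones, and applies the adkim/aspf alignment modes to decide whether a message passes or gets the p= policy. It simplifies the organizational domain to the last two labels; real receivers consult the Public Suffix List.

```python
"""Parse a DMARC record and evaluate identifier alignment against it.

Added example, not code from the original guide. strict (s) alignment needs
the authenticated domain to equal the From domain; relaxed (r) accepts any
subdomain of the same organizational domain, which is simplified here to the
last two labels (real implementations consult the Public Suffix List).
"""
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Return the record's tags as a dict, with alignment defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without value: {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    tags.setdefault("adkim", "r")  # relaxed is the default for both modes
    tags.setdefault("aspf", "r")
    return tags

def aligned(from_domain, auth_domain, mode):
    """True if auth_domain aligns with from_domain under mode 's' or 'r'."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return f.split(".")[-2:] == a.split(".")[-2:]  # simplified org domain

def dmarc_result(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass', or the p= policy the receiver would apply.

    Pass spf_domain (the MAIL FROM domain) only if SPF passed, and dkim_domain
    (the signature's d=) only if the signature verified; one aligned pass suffices.
    """
    tags = parse_dmarc(record)
    if spf_domain and aligned(from_domain, spf_domain, tags["aspf"]):
        return "pass"
    if dkim_domain and aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    return tags["p"]
```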
Step 4: Verify Your Configuration
Cloudflare propagates DNS changes almost instantly (usually under 5 minutes). However, some ISPs and resolvers cache records, so allow up to 1 hour for global propagation.
4.1 Check with DmarcBeacon
Cloudflare propagates changes instantly. Check your DMARC status now with DmarcBeacon to see if you're protected.
The scanner shows:
- ✅ SPF record validity and lookup count
- ✅ DKIM configuration status
- ✅ DMARC policy and reporting setup
- ✅ Overall email security score
4.2 Manual Verification via Command Line
Check SPF:
```
dig TXT yourdomain.com +short
```
Check DKIM:
```
dig TXT google._domainkey.yourdomain.com +short
```
Check DMARC:
```
dig TXT _dmarc.yourdomain.com +short
```
4.3 Send a Test Email
Send an email to a Gmail account, then:
1. Open the email in Gmail
2. Click the three dots (⋮) → Show original
3. Look for the authentication results:
```
SPF: PASS
DKIM: PASS
DMARC: PASS
```
Common Cloudflare-Specific Issues
| Problem | Cause | Solution |
|---|---|---|
| SPF fails intermittently | Record is proxied (orange cloud) | Switch to DNS Only (grey cloud) |
| DKIM CNAME not resolving | CNAME is proxied | Switch to DNS Only |
| "No DMARC record found" | TTL cache or typo in _dmarc | Verify exact name is _dmarc |
| SPF permerror | Exceeded 10 DNS lookups | Flatten or remove includes |
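The first two rows of this table can be caught before they bite by auditing the zone's records for the proxied flag. The script below is an added example, not the guide's or Cloudflare's own code; it assumes the JSON shape returned by Cloudflare's DNS records API (each record with type, name, content and a boolean proxied) and runs against a constructed sample zone.

```python
"""Flag email-related Cloudflare DNS records still behind the proxy (orange cloud).

Added example, not code from the original guide. Input is the JSON shape
returned by Cloudflare's DNS records API (GET /zones/{zone_id}/dns_records):
each record has "type", "name", "content" and a boolean "proxied". The
sample zone below is constructed.
"""
import json

EMAIL_TXT_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1")

def find_proxied_email_records(records):
    """Return (name, type, reason) for each proxied record that email depends on.

    Besides SPF/DKIM/DMARC/MX records, the A/AAAA record of an in-zone MX
    target is checked: a mail host behind the proxy cannot accept SMTP.
    """
    mx_targets = {r["content"].rstrip(".").lower() for r in records if r["type"] == "MX"}
    findings = []
    for r in records:
        name, rtype = r["name"].lower(), r["type"].upper()
        content = r.get("content", "").lower()
        if "._domainkey" in name:
            reason = "DKIM record"
        elif rtype == "MX":
            reason = "MX record"
        elif rtype == "TXT" and content.startswith(EMAIL_TXT_PREFIXES):
            reason = "SPF/DMARC TXT record"
        elif rtype in ("A", "AAAA") and name in mx_targets:
            reason = "A/AAAA record of an MX target"
        else:
            continue  # ordinary web records may stay proxied
        if r.get("proxied"):
            findings.append((name, rtype, reason))
    return findings

# Constructed sample: web root correctly proxied, but a DKIM CNAME and the
# mail host's A record were left on the orange cloud (target name is a placeholder).
SAMPLE_API_RESPONSE = json.dumps({"result": [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.25", "proxied": True},
    {"type": "CNAME", "name": "pm._domainkey.example.com", "content": "dkim.provider.example", "proxied": True},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 include:_spf.google.com include:spf.mtasv.net ~all", "proxied": False},
    {"type": "TXT", "name": "_dmarc.example.com", "content": "v=DMARC1; p=none", "proxied": False},
]})

def audit(api_response_json):
    return find_proxied_email_records(json.loads(api_response_json)["result"])

if __name__ == "__main__":
    for name, rtype, reason in audit(SAMPLE_API_RESPONSE):
        print(f"FIX: {rtype} {name} is proxied ({reason}) -> set to DNS only")
```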
DMARC Rollout Timeline
| Week | Policy | What to Monitor |
|---|---|---|
| 1-2 | p=none | Identify all legitimate senders in reports |
| 3-4 | p=quarantine; pct=25 | Watch for deliverability complaints |
| 5-6 | p=quarantine; pct=100 | Confirm no legitimate mail is quarantined |
| 7+ | p=reject | Full protection—unauthorized emails blocked |
Quick Reference: Final DNS Records
When properly configured, your Cloudflare DNS should include:
| Type | Name | Content | Proxy |
|---|---|---|---|
| TXT | @ | v=spf1 include:_spf.google.com ~all | DNS only |
| TXT | google._domainkey | v=DKIM1; k=rsa; p=MII... | DNS only |
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:... | DNS only |
Next Steps
1. Verify immediately with DmarcBeacon—Cloudflare propagates fast
2. Wait 2-4 weeks before enforcing a strict DMARC policy to ensure all legitimate email sources are properly configured
3. Gradually enforce policy from none → quarantine → reject
4. Re-scan periodically with DmarcBeacon to catch configuration drift