← Back to Learn Hub

How to Set Up DMARC on Cloudflare

There are two ways to set up DMARC on Cloudflare: use Cloudflare's built-in DMARC Management tool, which adds the record and processes your reports for you, or add a DMARC record by hand in your DNS. This guide covers both, plus how to move to enforcement safely.

DMARC tells providers what to do with mail that fails authentication, and it reports who is sending as your domain. Without it, anyone can send email that appears to come from you.

Option A: Cloudflare DMARC Management (easiest)

Cloudflare's DMARC Management tool sets up the record and processes your aggregate reports so you can read them in the dashboard. It works on apex domains (example.com, not blog.example.com).

  • In the Cloudflare dashboard, select your domain and go to Email, then DMARC Management.
  • Select Enable DMARC Management. Cloudflare scans your zone for an existing DMARC record.
  • If you have no record, Cloudflare offers to add one for you, then select Add. If you already have one, Cloudflare adds its reporting address (rua) so it can process your reports.
  • You can then edit the policy and view reports from the dashboard.

Option B: Add the record manually

To control the record yourself, add it as a TXT record in Cloudflare's DNS.

  • Go to your domain, then DNS, then Records, and select Add record.
  • Type: TXT
  • Name: _dmarc
  • Content: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  • Save. Starting at p=none monitors without blocking anything yet.

Set up SPF and DKIM first

DMARC relies on SPF and DKIM, so make sure those are in place before you tighten DMARC. Cloudflare hosts your DNS, but your DKIM key comes from whatever service sends your mail (Microsoft 365, Google Workspace, and so on).

Our guide to DMARC explains how the three records work together.

Move to enforcement

p=none only watches. Once your reports confirm your real senders pass, move from p=none to p=quarantine (failing mail to spam), then p=reject (failing mail blocked). Reject is the goal, but only once you've confirmed your legitimate mail passes. Moving too fast can block your own email.

How to check it worked

Confirm your record any time with our free DMARC checker. It reads your published record and shows your policy in plain English.

Common problems

Most Cloudflare DMARC issues come from a few causes.

  • DMARC Management won't enable: it only works on apex domains, not subdomains.
  • Record at the wrong name: the TXT record's name must be _dmarc.
  • Policy stuck at p=none: the record exists but isn't blocking anything yet.
  • Mail failing after enforcement: a real sender isn't covered by SPF or DKIM. Fix that before tightening further.

Check your domain now

Enter your domain to see your current email security status.

Frequently Asked Questions

Where do I add DMARC in Cloudflare?

Two places: Email then DMARC Management, which sets up the record and reads your reports for you; or DNS then Records, where you add a TXT record named _dmarc manually. The managed tool is quicker; the manual record gives you full control.

Is Cloudflare DMARC Management free?

Yes. DMARC Management is included with Cloudflare's DNS at no extra cost. It adds or updates your DMARC record and processes your aggregate reports so you can read them in the dashboard, rather than parsing raw report files yourself.

Does Cloudflare set up DMARC automatically?

Not on its own, but its DMARC Management tool will offer to add a starter record when you enable it, and will process your reports. You still choose the policy and move it to enforcement yourself. Cloudflare doesn't tighten it for you.

Do I need SPF and DKIM before DMARC on Cloudflare?

Yes. DMARC checks the results of SPF and DKIM and whether they align with your From address, so set those up first. Cloudflare hosts the DNS records, but your DKIM key is generated by whatever service sends your email.

Setting up DMARC on Cloudflare is quick, whether through DMARC Management or a manual TXT record. The risky part is what comes next: reaching enforcement without blocking your own email.

One wrong move at p=reject can stop your legitimate mail, and a policy left at p=none protects nobody. readyDMARC configures DMARC and rolls it out safely, monitoring the reports so spoofing is blocked without disrupting your real email.

Related Articles

What Is DMARC? How It Protects Your Email

Learn what DMARC is, how it stops email spoofing and phishing, and why every domain needs a DMARC po...

Read more →

How to Set Up DMARC for Office 365 (Microsoft 365)

Set up DMARC for Office 365: why there's no DMARC toggle in Microsoft 365, how to publish the DNS re...

Read more →

How to Set Up DMARC for Google Workspace (Gmail)

Set up DMARC for Google Workspace (Gmail): publish the _dmarc DNS record, pick a policy, and move to...

Read more →

Misconfiguring this is easy, and costly

One wrong record can let attackers send email as your domain, or block your own legitimate mail once you turn on enforcement. Getting from a published record to real protection, without breaking delivery, is where most teams get stuck. Our specialists set up SPF, DKIM, and DMARC for you and roll it out safely, checking at every stage.

Book a call with our team