Email authentication methods

Enable email authentication via SPF, DKIM, and DMARC DNS records when Cloudflare acts as the authoritative DNS provider (Full setup). 


Overview

Cloudflare supports the use of DNS TXT records to authenticate and/or validate emails. By using one or more email authentication methods, the sender identity can be verified by the recipient email services.

The instructions on this page are available to all customers.


Cloudflare supported authentication methods

Cloudflare supports all DNS TXT record based email authentication methods, which include SPF, DKIM, and DMARC.

Cloudflare also supports the dedicated SPF record type, but note that this record type (as opposed to a TXT record holding the SPF string) has been deprecated by the DNS RFC.

Although most DNS providers (Cloudflare included) support the dedicated SPF record type, some DNS clients prefer the TXT record instead. To ensure backward compatibility, Cloudflare recommends setting up an SPF record and a TXT record on your domain.


How do I add an SPF record?

A Sender Policy Framework (SPF) record specifies the list of approved hostnames (or IP addresses) from which email is allowed to originate for a particular domain.

To set up an SPF record:
  1. Log into your Cloudflare Account.
  2. From the drop-down on the top left, select your domain.
  3. Click the DNS app at the top of the page.
  4. Under DNS Records, complete the fields for your TXT record, including your SPF values record (see image below).
  5. Choose TXT. Enter the Name of the record and its corresponding value.
  6. (Optional) Add the same SPF string as a record of the SPF type under the value section and click Add Record. Because the SPF record type has been deprecated by the DNS RFC, you should always keep the TXT record definition present, even if you also use the SPF type.

More information on SPF record syntax and formatting is found below. 

The mechanisms can be prefixed with one of four qualifiers:

Prefix   Qualifier
+        Pass
-        Fail
~        Soft Fail
?        Neutral

Evaluation of an SPF record can return any of these results:

Result      Explanation                                                                                   Intended action
Pass        The SPF record designates the host to be allowed to send.                                     Accept
Fail        The SPF record has designated the host as NOT being allowed to send.                          Reject
SoftFail    The SPF record has designated the host as NOT being allowed to send but is in transition.    Accept but mark
Neutral     The SPF record specifies explicitly that nothing can be said about the validity.             Accept
None        The domain does not have an SPF record or the SPF record does not evaluate to a result.      Accept
PermError   A permanent error has occurred (e.g. a badly formatted SPF record).                           Unspecified
TempError   A transient error has occurred.                                                               Accept or reject
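The qualifier and result tables above, worked through as an added example (not part of the original article): a small offline SPF evaluator that parses a record's terms, applies the qualifier prefix to the ip4/ip6/all mechanisms, and returns the result names from the table. Mechanisms that need DNS lookups (a, mx, include, ...) are recognised but skipped, which is an assumption made to keep the example self-contained; the sample records and addresses are constructed.

```python
import ipaddress
import re

# Qualifier prefix -> SPF result, as in the table above ("+" is implied).
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
# Terms that need DNS lookups; skipped in this offline example (assumption).
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect", "exp"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:[:=/](.+))?$", re.I)


def parse_spf(txt):
    """Split an SPF TXT string into (qualifier, mechanism, argument) tuples.

    Raises ValueError for anything a receiver would treat as PermError.
    """
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed term {term!r}")
        qual, mech, arg = m.groups()
        parsed.append((qual or "+", mech.lower(), arg))
    return parsed


def evaluate_spf(txt, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of a record against the sending IP.

    txt is the TXT value (None if the domain publishes no record).
    Returns Pass, Fail, SoftFail, Neutral, None or PermError.
    """
    if txt is None:
        return "None"
    ip = ipaddress.ip_address(client_ip)
    try:
        for qual, mech, arg in parse_spf(txt):
            if mech == "all":
                return QUALIFIERS[qual]
            if mech in ("ip4", "ip6"):
                net = ipaddress.ip_network(arg or "", strict=False)
                if net.version != (4 if mech == "ip4" else 6):
                    raise ValueError(f"{mech} with wrong address family")
                if ip.version == net.version and ip in net:
                    return QUALIFIERS[qual]
            elif mech not in DNS_TERMS:
                raise ValueError(f"unknown mechanism {mech!r}")
    except ValueError:
        return "PermError"  # badly formatted record
    return "Neutral"  # ran off the end with no match and no 'all'
```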

For more information about SPF record syntax, see the Open SPF project's syntax page.

If you're unsure, double check what the value should be with your mail service provider.

Read more about Cloudflare's DNS services.


How do I add a DKIM record?

DomainKeys Identified Mail (DKIM) allows the receiver to verify the email sender's identity. The verification is done using the signer's (sender's) public key, which is published in DNS.

To add a TXT DKIM record:

  1. Log into your Cloudflare Account.
  2. From the drop-down on the top left, select your domain.
  3. Click the DNS app at the top of the page.
  4. Under DNS Records, complete the fields for your TXT record, including your DKIM values record (see image below).
  5. Click Add Record.  

Some services require additional CNAME records for DKIM verification. CNAME DKIM records should be gray-clouded; otherwise, the record value won't be available and verification will fail.

DKIM records can often exceed the 255-character limit for TXT records. Most DNS providers, including Cloudflare, will automatically split these into multiple records at the same domain name, producing a record that looks like this in dig/nslookup:

default._domainkey.example.com. 299 IN TXT "v=DKIM1; k=rsa; p=<encoded public key>" "<rest of public key>;"
You should remove the quotation marks and the spaces between them when adding DKIM records to your zone.

You do not need to escape semicolons for your DKIM records on Cloudflare.
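The splitting and joining described in the three paragraphs above, as an added example (not code from the original article): it parses a dig-style TXT answer line into its quoted chunks, joins them with the quotes and spaces removed, splits a long value back into 255-byte chunks the way a DNS server presents it, and reads the resulting tag=value pairs without any semicolon escaping. The sample record and key are constructed and not real.

```python
import re

# Maximum length of a single quoted string inside a TXT record.
TXT_CHUNK = 255


def parse_dig_txt(line):
    """Parse one dig/nslookup TXT answer line into (name, ttl, [chunks]).

    Expects presentation format:  name. 299 IN TXT "chunk one" "chunk two"
    """
    m = re.match(r"^(\S+)\s+(\d+)\s+IN\s+TXT\s+(.*)$", line.strip())
    if not m:
        raise ValueError("not a TXT answer line")
    name, ttl, rdata = m.groups()
    # Each chunk is a double-quoted string; \" and \\ are escaped inside it.
    chunks = [c.replace('\\"', '"').replace("\\\\", "\\")
              for c in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)]
    return name, int(ttl), chunks


def join_dkim_value(chunks):
    """Concatenate chunks with no separator: the quotes and the spaces
    between them are presentation only and must not be typed into the zone."""
    return "".join(chunks)


def split_txt_value(value):
    """Split a long value into <=255-byte chunks, as a DNS server does."""
    return [value[i:i + TXT_CHUNK] for i in range(0, len(value), TXT_CHUNK)]


def dkim_tags(value):
    """Parse 'tag=value; tag=value' into a dict; semicolons need no escaping."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


# Constructed sample: not a real key, just long enough to need splitting.
FAKE_KEY = "MIIBIjANBgkq" + "A" * 380
SAMPLE_VALUE = f"v=DKIM1; k=rsa; p={FAKE_KEY}"
SAMPLE_LINE = ("default._domainkey.example.com. 299 IN TXT "
               + " ".join(f'"{c}"' for c in split_txt_value(SAMPLE_VALUE)))
```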

If you still encounter issues when copy-pasting the DKIM record values, you can also try importing a zone file and then removing the " and \ characters.

To test DKIM records, several validation tools are available online, but keep in mind that these tools are often incorrect. One tool (DKIM check tools) seems to be better, both in the validity of its results and in the additional information it provides for troubleshooting.

However, the recommended way to test is to look up the records using a dig command. To learn more, see How to fetch DKIM records from DNS.


How do I add a DMARC record?

Domain-based Message Authentication, Reporting & Conformance (DMARC) allows the receiver to know whether the email is protected by SPF and/or DKIM, and how to proceed if neither of those authentication methods passes.

To add a TXT DMARC record:

  1. Log into your Cloudflare Account.
  2. From the drop-down on the top left, select your domain.
  3. Click the DNS app at the top of the page.
  4. Under DNS Records, complete the fields for your TXT record, including your DMARC values record (see image below). 
  5. Click Add Record.

To learn more about DMARC records, visit DMARC project.

