Purpose: A and AAAA Records direct browser requests to an origin web server (A for IPv4 addresses and AAAA for IPv6 addresses).

Fields:

• Name: A subdomain or the root domain, which must:
  • Be 63 characters or less
  • Start with a letter and end with a letter or digit
  • Only contain letters, digits, or hyphens (underscores are allowed but discouraged in A and CNAME records)
• IPv4/IPv6 address: Your origin web server address (cannot be a Cloudflare IP)
• TTL: Time to live (only available if traffic is not proxied through Cloudflare)
• Proxy status: Select the cloud icon to change proxy status. If your record is proxied, that means that Cloudflare is:
  • Hiding the origin IP address from attackers
  • Caching
  • Storing an HTTPS certificate on its edge servers
  • Providing support for Page Rules, Caching, Firewall, and more

Notes:

If you want to sustainably spread traffic across multiple domains, check out Cloudflare Load Balancing.

Though you could spread traffic with multiple A or AAAA records — because Cloudflare alternates requests based on each record — this approach might send your traffic to unreachable IP addresses. Load balancing provides a much more reliable solution.

Purpose:

CNAME records direct browser requests to an origin web server, but — unlike an A or AAA record — do so via a hostname like www.example.com instead of an IP address.

Fields:

• Name: A subdomain or the root domain, which must:
  • Be 63 characters or less
  • Start with a letter and end with a letter or digit
  • Only contain letters, digits, or hyphens (underscores allowed but discouraged)
• Target: The hostname where traffic should be directed
• TTL: Time to live (only available if traffic is not proxied through Cloudflare)
• Proxy status: Select the cloud icon to change proxy status. If your record is proxied, that means that Cloudflare is:
  • Hiding the origin IP address from attackers
  • Caching
  • Storing an HTTPS certificate on its edge servers
  • Providing support for Page Rules, Caching, Firewall, and more

Notes:

You can use CNAME records to point to other CNAME records (www.example2.com --> www.example1.com --> www.example.com), but the final record must point to a hostname with a valid IP address (and therefore a valid A or AAAA record).

Purpose: TXT records are commonly used for mail authentication. Review the SPF and DKIM sections of this guide for examples.

Important fields:

• Name: A subdomain or the root domain, which must:
  • Be 63 characters or less
  • Start with a letter and end with a letter or digit
  • Only contain letters, digits, or hyphens
• Content: Must be 2048 characters or less.

Purpose: MX records are necessary for delivery of email to a mail server. Any MX record Server name requires a corresponding A record that lists the IP address of the mail server.

How to:

Since Cloudflare does not proxy SMTP traffic, you need to:

1. Create a DNS-only (gray-clouded) A record for a mail subdomain (mail.example.com) that points to the IP address of your mail server.

2. Create a DNS-only (gray-clouded) MX record that points to that subdomain (mail.example.com handles mail for example.com).

Notes: The name of a typical MX record is the root domain such as example.com. However, contact your email hosting provider to confirm the MX Name and Mail server.

Purpose: DKIM records are a type of TXT record that associate email messages with domain names.

Important fields:

• Name: A subdomain or the root domain, which must:
  • Be 63 characters or less
  • Start with a letter and end with a letter or digit
  • Only contain letters, digits, or hyphens

Notes:

DKIM records can often exceed the 255-character limit for TXT records. Therefore, Cloudflare will automatically split these into multiple records at the same domain name, producing a record with a format similar to the following when queried:

default._domainkey.example.com. 299 IN TXT "v=DKIM1; k=rsa; p=<encoded public key>" "<rest of public key>;"

Remove quotation marks and spaces when adding DKIM records to your domain. Also, you do not need to prefix (escape) semicolons with a "\" character for DKIM records added to Cloudflare.

Some services require additional CNAME records for DKIM verification. Verification will fail for CNAME records used to verify DKIM unless there is a grey-cloud icon beside the CNAME record in the DNS app.

The SPF record type was deprecated in RFC 7208. Instead of an SPF record, use a TXT record.

Cloudflare is also slowly phasing out SPF support.

Purpose: DMARC records are a type of TXT record that allows an email recipient to know if the email is protected by SPF and/or DKIM.

Important fields:

• Name: A subdomain or the root domain, which must:
  • Be 63 characters or less
  • Start with a letter and end with a letter or digit
  • Only contain letters, digits, or hyphens

Notes:

DMARC also describes how the email recipient should process the email if neither of those authentication methods passes.

To learn more about DMARC records, visit the DMARC project.

Refer to our support guide dedicated to configuring CAA records.

Purpose: A DNS service record (SRV) specifies a host and port for specific services like voice over IP (VOIP), instant messaging, and more.

Fields:

• Name: A subdomain or the root domain, which must:
  • Be 63 characters or less
  • Start with a letter and end with a letter or digit
  • Only contain letters, digits, or hyphens
• For more details about other SRV fields, see SRV records.

Purpose: A PTR record links a domain name to an IP address. Cloudflare only allows PTR records for Forward DNS resolution.

Important fields:

• Name: A subdomain or the root domain, which must:
  • Be 63 characters or less
  • Start with a letter and end with a letter or digit
  • Only contain letters, digits, or hyphens

Notes:

Because of how Cloudflare works — responding to DNS queries with its own dynamic IP addresses — PTR records cannot be added to most Cloudflare accounts or for reverse DNS lookups:

• If you are a customer with an Enterprise domain and using the DNS Firewall, contact customer support for assistance.
• To set up a PTR record for email messages, contact the provider of your mail server's IP address

If you are using Cloudflare as your authoritative DNS, you do not need to configure an SOA record.

Cloudflare automatically creates your SOA record when you migrate your domain to Cloudflare.

SVCB (Service Binding) is a multi-purposed DNS record. Its main advantage is that it provides a client with information about how it should communicate with an origin server/endpoint/service. Its other advantage is that it allows you to have an alias (like a CNAME) at the apex, or if needed, multiple aliases. 

The SVCB Record has two forms: an alias form and a service form.

 An alias form allows the SVCB record to alias to another name, or to multiple names. Meanwhile, the service form provides connection information for a service endpoint.  

The alias form serves the same purpose as a CNAME record, but it also allows zone owners to have an alias record at the apex, without it being a CNAME at the apex (not allowed, per https://tools.ietf.org/html/rfc1912). SVCB records also support multiple aliases, which is important because it allows you to build origin pools with different configurations. For example, you can have these records:

example.com HTTPS 0 quic.example.com

example.com HTTPS 0 failover.cdn.net

which indicates different HTTPS configurations for two origins on the same record. This is useful in case one origin supports HTTP/2 and the other supports HTTP/3. Another use case for this are multi-CDN setups. By having multiple aliases on one record, you can say "communicate to Cloudflare over this protocol and communicate to this_cdn over this protocol".

The current format of the service form only defines a few keys like ALPN and client hello config, but you could in theory extend it to configure a load balancing on the pool with keys like "lb-strategy=roundrobin" or stuff like that, that the client or proxy could use.

HTTPS (HTTPS Service) record is a type of SVCB record specific to the HTTP protocol. SVCB has exactly the same format as HTTPS, but HTTPS is a separate type because it tells the client that the protocol for an origin is HTTPS regardless of the port used. If you want to use this for non-HTTP traffic, like Spectrum, the SVCB record is a better fit.