Defaults.Exposed › Setup › DMARC

How to set up DMARC on Cloudflare

Add a DMARC record in Cloudflare to tell mail providers what to do with email that fails your checks.

Why this matters to your business

DMARC ties SPF and DKIM together and adds the missing instruction: what should a receiving mail provider do when an email claiming to be from you fails the checks? Without DMARC, each provider guesses. With it, you decide — and you can ask them to send you reports showing who is sending mail in your name.

In plain terms: DMARC is what actually stops criminals from spoofing your domain to scam your customers or staff. It’s the policy on top of the locks SPF and DKIM provide — free, and well worth the few minutes.

Set up SPF and DKIM first

DMARC works by checking the results of SPF and DKIM. If you haven’t added those yet, do them first — a DMARC policy with nothing underneath it has nothing to enforce.

Confirm Cloudflare runs your DNS

As with any DNS record, this only works if Cloudflare is answering DNS for your domain. Cloudflare is your DNS host, not your mailbox provider, and its DNS is only live when your domain’s nameservers point to the Cloudflare nameservers shown in your dashboard. Open your domain in Cloudflare and check the Overview page to confirm Cloudflare is active. If your nameservers point elsewhere, add the DMARC record at whichever provider runs your DNS instead.

Step-by-step on Cloudflare

1. Sign in to Cloudflare and select your domain.
2. In the left-hand menu, go to your DNS settings (look for DNS / Records).
3. Click Add record.
4. Set Type to TXT.
5. In the Name field, enter exactly: _dmarc Do not type your domain name after it — Cloudflare appends the domain for you.
6. In the Content field, start gently with a monitoring-only policy: v=DMARC1; p=none; rua=mailto:[email protected] Replace the address with a mailbox you actually read. This asks providers to email you summary reports without changing how any mail is treated yet.
7. Leave TTL on Auto.
8. Click Save.

Choosing your policy (the p= part)

• p=none — monitor only. Nothing is blocked; you just receive reports. Start here.
• p=quarantine — send failing mail to spam/junk.
• p=reject — refuse failing mail outright (the strongest protection).

Run p=none for a few weeks, read the reports to confirm all your legitimate mail passes, then move up to quarantine and finally reject. Jumping straight to reject before you’ve checked the reports risks blocking your own genuine email.

Cloudflare quirks people get wrong

• Name is _dmarc, with the underscore. A common mistake is leaving the underscore off, or typing _dmarc.yourdomain.com — in Cloudflare you enter just _dmarc. The leading underscore is required; don’t drop it.
• Don’t add your own quotes. Paste the plain value beginning v=DMARC1;. Cloudflare adds the quoting itself; manual " marks can break the record.
• One DMARC record only. Like SPF, there must be a single DMARC TXT record. If one exists, edit it rather than adding a second.
• No proxy on a TXT record. DMARC lives in a TXT record, which is never proxied — there is no orange/grey cloud toggle to worry about here.
• Use a real reporting mailbox. The address after rua=mailto: should be one you genuinely check, or the reports are wasted. It can be on the same domain or a different one.
• Give it time. DNS changes can take a few minutes up to a couple of hours to take effect.

Verify it worked

Once saved and propagated, run the free check on this site. It will tell you in plain language whether your DMARC record is in place and what policy you’ve set.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.