Defaults.Exposed › Setup › SPF

How to set up SPF on Cloudflare

Add an SPF record in Cloudflare DNS so mailbox providers can tell your real email from forgeries.

Why this matters to your business

SPF (Sender Policy Framework) is a short note in your domain’s DNS that lists which mail servers are allowed to send email using your name. When someone receives a message claiming to be from you, their mail provider checks that list. If the sending server isn’t on it, the message looks suspicious — and either lands in spam or gets blocked.

In plain terms: SPF makes it harder for someone to impersonate your business by email, and it helps your genuine emails reach the inbox instead of the junk folder. It is one record, it is free, and it takes a few minutes.

Before you start: is Cloudflare actually running your DNS?

This is the step most people get wrong. A DNS record only works if Cloudflare is the one answering DNS questions for your domain.

Cloudflare is a DNS host, not a mailbox provider — it answers DNS but it does not run your inboxes. For Cloudflare’s DNS to be live, your domain’s nameservers (set at wherever you registered the domain) must point to the two Cloudflare nameservers shown in your Cloudflare dashboard. In Cloudflare, open your domain and check the Overview page: it will say whether Cloudflare is active for the domain. If your nameservers still point at your registrar or another host, anything you add in Cloudflare does nothing — add the SPF record wherever your DNS actually lives instead.

Find one fact first: who sends your email?

SPF must name every service that sends mail for your domain. Common examples are Google Workspace, Microsoft 365, or whatever provider hosts your mailboxes. Each one publishes a value to put in your SPF record (often something like include:_spf.google.com for Google or include:spf.protection.outlook.com for Microsoft 365). Check your mail provider’s own help pages for the exact value — that’s the part you must get right.

If you use Cloudflare Email Routing to forward mail, note that it adds its own DNS records for forwarding but does not send outbound mail as you — your SPF still needs to list whatever service you actually send from.

Step-by-step on Cloudflare

1. Sign in to Cloudflare and select your domain from the dashboard.
2. In the left-hand menu, go to your DNS settings (look for DNS / Records).
3. Click Add record.
4. Set Type to TXT.
5. In the Name field, enter @ — the @ means “the domain itself”. Do not type your full domain name here.
6. In the Content field, enter your SPF text. A typical record looks like: v=spf1 include:_spf.google.com ~all Replace the include: part with the value(s) your actual mail provider tells you to use.
7. Leave TTL on Auto.
8. Click Save.

Cloudflare quirks people get wrong

• Only one SPF record per domain. You cannot have two v=spf1 TXT records — mail providers will treat that as broken. If you already have one, edit it to add the new service rather than creating a second.
• Don’t wrap it in quotes. Cloudflare handles the quoting itself. Just paste the plain text starting with v=spf1. If you add your own " marks, you can end up with a malformed record.
• Name is @, not your domain. If you type the full domain name, Cloudflare will usually fold it back to the root anyway, but @ is the clear, reliable choice.
• The proxy (orange cloud) doesn’t apply. SPF lives in a TXT record, which is never proxied — there is no orange/grey cloud toggle to worry about on a TXT record.
• ~all vs -all. ~all (softfail) means “anything not listed is suspicious”; -all (hardfail) means “reject anything not listed”. Start with ~all while you confirm everything sends correctly, then tighten to -all once you’re sure your list is complete.
• Changes aren’t instant. DNS updates can take anywhere from a few minutes to a couple of hours to spread.

Verify it worked

Once you’ve saved the record and given it a little time to take effect, verify it with the free check on this site. It will tell you in plain language whether your SPF record is present and correctly formed.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.