How to Set Up DMARC Records in Cloudflare: Step-by-Step Guide

Complete guide to configuring DMARC records in Cloudflare DNS. Learn how to protect your domain from email spoofing with proper DMARC setup.

MailSentinel Team

Author

January 16, 2024, 5 min read

DMARC (Domain-based Message Authentication, Reporting & Conformance) is essential for protecting your domain from email spoofing and phishing attacks. If you're using Cloudflare for DNS management, this guide will walk you through setting up DMARC records.

Why DMARC Matters

DMARC tells receiving mail servers:

  • How to authenticate emails from your domain
  • What to do with emails that fail authentication
  • Where to send authentication reports

Benefits:

  • Protects your domain from spoofing
  • Improves email deliverability
  • Required by Google, Yahoo, and Microsoft
  • Provides visibility into who's sending as your domain

Prerequisites

Before you begin, make sure you have:

  • Cloudflare account with your domain added
  • Access to Cloudflare DNS settings
  • SPF and DKIM already configured
  • MailSentinel account for DMARC monitoring (recommended)

Step 1: Get Your MailSentinel Report Address

Before adding the DMARC record, you'll need a report address to receive DMARC reports:

  1. Sign up for MailSentinel - Free 14-day trial
  2. Add your domain to MailSentinel
  3. Go to Settings > DMARC Configuration
  4. Copy your report address: your-org-id@reports.mailsentinel.io

Why MailSentinel?

  • Parses complex XML reports
  • Provides easy-to-understand dashboards
  • Sends alerts for authentication failures
  • Tracks your progress toward enforcement

Step 2: Access Cloudflare DNS Settings

  1. Log in to your Cloudflare dashboard
  2. Select your domain from the domain list
  3. Click DNS in the left sidebar
  4. You'll see your current DNS records

Step 3: Check for Existing DMARC Record

Important: Only ONE DMARC record is allowed per domain.

Before adding a new record, check if one already exists:

Look for:

  • TXT records with Name: _dmarc
  • Records containing v=DMARC1

If a DMARC record exists:

  • You need to edit it, not create a new one
  • Click Edit next to the existing record

Step 4: Choose Your DMARC Policy

Policy: p=none
Purpose: Gather data without affecting email delivery

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

After Monitoring: Quarantine

Policy: p=quarantine
Purpose: Send failures to spam folder

v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Full Protection: Reject

Policy: p=reject
Purpose: Block failures completely

v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r

⚠️ Warning: Never start with p=reject. Always begin with p=none to avoid blocking legitimate emails.

Step 5: Add DMARC Record to Cloudflare

  1. Click Add record button
  2. Select TXT as the record type
  3. Configure the record:
      Field        | Value
      Type         | TXT
      Name         | _dmarc
      Content      | Your complete DMARC record
      TTL          | Auto (or set to 3600 for 1 hour)
      Proxy status | DNS only (gray cloud) ⚠️

Critical: The Proxy status must be DNS only (gray cloud icon). Do NOT enable the proxy (orange cloud) for DMARC records.

  4. Click Save

Step 6: Verify DMARC Record

In Cloudflare

  1. Return to DNS records list
  2. Verify your DMARC record appears correctly
  3. Check that Name field shows _dmarc
  4. Verify Content field contains your DMARC record
  5. Ensure Proxy status is gray (DNS only)

Using MailSentinel

  1. Go to your domain in MailSentinel
  2. Click Check DNS
  3. Verify DMARC record is detected
  4. Check policy is correct

Using Online Tools

Common Issues and Solutions

Issue 1: DMARC Record Not Detected

Symptoms:

  • DMARC checkers don't find your record
  • MailSentinel shows "No DMARC record"

Solutions:

  1. Check Proxy Status

    • Ensure proxy is disabled (gray cloud)
    • DMARC records must resolve directly
    • Orange cloud breaks DMARC validation
  2. Verify Record Location

    • Name field must be exactly _dmarc
    • Not dmarc or _DMARC
    • Check for typos
  3. Wait for Propagation

    • Cloudflare usually propagates quickly (< 5 minutes)
    • Some DNS checkers cache results
    • Try multiple DNS checkers

Issue 2: Proxy Enabled (Orange Cloud)

Symptoms:

  • DMARC validation fails
  • DNS lookups time out

Solutions:

  1. Disable Proxy:

    • Click the orange cloud icon
    • Change to gray cloud (DNS only)
    • Wait for propagation
  2. Why This Matters:

    • Cloudflare proxy changes DNS resolution
    • DMARC checks need direct DNS access
    • Proxy breaks DMARC validation

Issue 3: Reports Not Arriving

Symptoms:

  • No DMARC reports in MailSentinel
  • Reports not being sent

Solutions:

  1. Verify Report Address:

    • Check rua= tag is present
    • Verify email address is correct
    • Ensure mailto: prefix is included
  2. Wait for Reports:

    • Reports are sent daily (not immediately)
    • First reports arrive within 24-48 hours
    • Some providers send weekly
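
The checks from Step 3 (only one record), Step 4 (policy tags) and Issue 3 (rua= with a mailto: prefix) can be applied to the TXT strings published at _dmarc before saving them. This is an added example, not MailSentinel or Cloudflare code; the function names and the sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt_records):
    """Return a list of problems for the TXT strings published at _dmarc.<domain>."""
    # Only strings whose first tag is v=DMARC1 count as DMARC records.
    dmarc = [r for r in txt_records if parse_tags(r)[:1] == [("v", "DMARC1")]]
    if not dmarc:
        return ["no TXT record starting with v=DMARC1"]
    if len(dmarc) > 1:
        return [f"{len(dmarc)} DMARC records found; only one is allowed"]
    tags = dict(parse_tags(dmarc[0]))
    problems = []
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= tag, so no aggregate reports will arrive")
    for key in ("rua", "ruf"):
        for uri in tags.get(key, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{key}= address {uri.strip()} lacks the mailto: prefix")
    for key in ("adkim", "aspf"):
        if tags.get(key, "r").lower() not in ("r", "s"):
            problems.append(f"{key}= must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and int(pct) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    return problems

# Constructed sample inputs, based on the records shown in Step 4.
REPORT = "your-org-id@reports.mailsentinel.io"
GOOD = [f"v=DMARC1; p=quarantine; rua=mailto:{REPORT}; adkim=r; aspf=r; pct=10"]
DUPLICATE = GOOD + [f"v=DMARC1; p=none; rua=mailto:{REPORT}"]
NO_MAILTO = [f"v=DMARC1; p=none; rua={REPORT}"]

if __name__ == "__main__":
    for name, records in (("good", GOOD), ("duplicate", DUPLICATE), ("no mailto", NO_MAILTO)):
        print(name, "->", check_dmarc(records) or "OK")
```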

DMARC Policy Progression Timeline

Week 1-2: Monitoring Phase

Policy: p=none
Goal: Gather data, identify all sending sources

Monitor reports daily to:

  • Identify all legitimate senders
  • Find authentication issues
  • Document all sources

Week 3-4: Testing Phase

Policy: p=quarantine; pct=10
Goal: Test enforcement on small percentage

Start with 10% quarantine to:

  • Test enforcement without major impact
  • Verify legitimate emails still deliver
  • Fix any problems

Week 5-6: Gradual Increase

Policy: p=quarantine; pct=50
Goal: Increase enforcement coverage

Gradually increase to:

  • 50% quarantine
  • Monitor for issues
  • Ensure all sources authenticated

Week 7-8: Full Quarantine

Policy: p=quarantine
Goal: Full quarantine enforcement

Remove percentage to:

  • Quarantine all failures
  • Monitor closely for first week
  • Prepare for reject policy

Week 9+: Full Protection

Policy: p=reject
Goal: Maximum protection against spoofing

Final step:

  • Block all failures
  • Maximum security
  • Ongoing monitoring

Best Practices

1. Always Use DNS-Only Mode

  • Never enable proxy for DMARC records
  • Gray cloud icon required
  • Prevents validation issues

2. Start with Monitoring

  • Begin with p=none
  • Monitor for 2-4 weeks
  • Identify all sending sources
  • Then move to enforcement

3. Use MailSentinel for Reports

  • Set up DMARC reporting
  • Monitor authentication status
  • Get alerts for issues
  • Track progress toward enforcement

4. Progressive Enforcement

  • Don't jump to p=reject immediately
  • Use gradual progression
  • Test at each stage
  • Monitor for issues

Next Steps

After setting up DMARC in Cloudflare:

  1. Monitor DMARC Reports - Track authentication status
  2. Set Up Alerts - Get notified of issues
  3. Review SPF Validation - Check SPF setup
  4. Progressive Enforcement - Move toward p=reject

Additional Resources

Need help? Contact MailSentinel Support or check our documentation.
