Setting Up DMARC Records in Cloudflare

Step-by-step guide to configuring DMARC records in Cloudflare DNS. Includes screenshots, troubleshooting, and best practices.

This guide walks you through configuring DMARC records in Cloudflare's DNS dashboard.

Prerequisites

  • Cloudflare account with your domain added
  • Access to Cloudflare DNS settings
  • Your MailSentinel report address ready
  • SPF and DKIM already configured

Step 1: Get Your MailSentinel Report Address

Before adding the DMARC record, get your report address:

  1. Sign up for MailSentinel - Free 14-day trial
  2. Add your domain to MailSentinel
  3. Go to Settings → DMARC Configuration
  4. Copy your report address: your-org-id@reports.mailsentinel.io

Step 2: Access Cloudflare DNS Settings

  1. Log in to your Cloudflare dashboard
  2. Select your domain from the domain list
  3. Click DNS in the left sidebar
  4. You'll see your current DNS records

Step 3: Check for Existing DMARC Record

Before adding a new DMARC record, check if one already exists:

Look for:

  • TXT records with Name: _dmarc
  • Records containing v=DMARC1

If a DMARC record exists:

  • You need to edit it, not create a new one
  • Only ONE DMARC record is allowed per domain
  • Multiple DMARC records cause unpredictable behavior

Step 4: Create Your DMARC Record

Choose Your Initial Policy

For monitoring (recommended to start):

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

For quarantine (after monitoring):

v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

For full protection:

v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r

Step 5: Add DMARC Record to Cloudflare

  1. Click Add record button
  2. Select TXT as the record type
  3. Configure the record:
    • Type: TXT
    • Name: _dmarc
    • Content: your complete DMARC record (e.g., v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io)
    • TTL: Auto (or set to 3600 for 1 hour)
    • Proxy status: DNS only (gray cloud)

Important:

  • The Proxy status should be DNS only (gray cloud icon)
  • Do NOT enable the proxy (orange cloud) for DMARC records
  • DMARC records must resolve directly, not through Cloudflare's proxy
  4. Click Save

Step 6: Verify DMARC Record

In Cloudflare

  1. Return to DNS records list
  2. Verify your DMARC record appears correctly
  3. Check that Name field shows _dmarc
  4. Verify Content field contains your DMARC record

Using MailSentinel

  1. Go to your domain in MailSentinel
  2. Click Check DNS
  3. Verify DMARC record is detected
  4. Check policy is correct

Using Online Tools

Common DMARC Record Examples

Monitoring Only (Start Here)

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

Cloudflare Configuration:

  • Type: TXT
  • Name: _dmarc
  • Content: v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io
  • Proxy: DNS only

Quarantine Policy

v=DMARC1; p=quarantine; pct=25; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Full Reject Policy

v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r

Troubleshooting Cloudflare DMARC Issues

Issue 1: DMARC Record Not Detected

Symptoms:

  • DMARC checkers don't find your record
  • MailSentinel shows "No DMARC record"

Solutions:

  1. Check Proxy Status

    • Ensure proxy is disabled (gray cloud)
    • DMARC records must resolve directly
    • Orange cloud breaks DMARC validation
  2. Verify Record Location

    • Name field must be exactly _dmarc
    • Not dmarc or _DMARC
    • Check for typos
  3. Wait for Propagation

    • Cloudflare usually propagates quickly (< 5 minutes)
    • Some DNS checkers cache results
    • Try multiple DNS checkers
  4. Check for Typos

    • Verify v=DMARC1 (not v=DMARC or v=dmarc1)
    • Ensure semicolons separate tags
    • Check report address is correct

Issue 2: Multiple DMARC Records

Symptoms:

  • "Multiple DMARC records" warning
  • Unpredictable behavior

Solutions:

  1. Find all DMARC records:

    • Search for all TXT records with Name: _dmarc
    • Check for duplicates
  2. Keep only one:

    • Delete duplicate records
    • Keep the most complete record
    • Merge if needed (rare)

Issue 3: Proxy Enabled (Orange Cloud)

Symptoms:

  • DMARC validation fails
  • DNS lookups time out

Solutions:

  1. Disable Proxy:

    • Click the orange cloud icon
    • Change to gray cloud (DNS only)
    • Wait for propagation
  2. Why This Matters:

    • Cloudflare proxy changes DNS resolution
    • DMARC checks need direct DNS access
    • Proxy breaks DMARC validation

Issue 4: Reports Not Arriving

Symptoms:

  • No DMARC reports in MailSentinel
  • Reports not being sent

Solutions:

  1. Verify Report Address:

    • Check rua= tag is present
    • Verify email address is correct
    • Ensure mailto: prefix is included
  2. Wait for Reports:

    • Reports sent daily (not immediately)
    • First reports arrive within 24-48 hours
    • Some providers send weekly
  3. Check DNS:

    • Verify DMARC record is published
    • Check for DNS errors
    • Verify record format is correct
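The verification in Step 6 and the checks in Issues 1, 2 and 4 above (exactly one record at _dmarc, v=DMARC1 spelled exactly and first, a valid p= policy, the mailto: prefix on rua= and ruf=, pct= in range) can be run mechanically. The checker below is an added example, not MailSentinel or Cloudflare code; it runs on a constructed list of TXT strings standing in for what a resolver returns for _dmarc.<your-domain>.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample: what a resolver would return for the Quarantine Policy record above.
SAMPLE_RECORDS = [
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r",
]


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v; ...' into a dict; keys are lowercased, whitespace stripped."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc_records(records: list[str]) -> list[str]:
    """Return a list of problems found in the TXT records at _dmarc; empty means it looks sound."""
    problems = []
    # Match case-insensitively so a mistyped 'v=dmarc1' is reported rather than silently ignored.
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no record starting with v=DMARC1 at _dmarc (check the Name field and proxy status)"]
    if len(dmarc) > 1:
        problems.append(f"{len(dmarc)} DMARC records found; only one is allowed per domain")
    record = dmarc[0]
    # The version tag must be exactly 'v=DMARC1' and must be the first tag.
    if record.split(";")[0].strip() != "v=DMARC1":
        problems.append("v tag must be exactly 'v=DMARC1' and come first")
    tags = parse_dmarc(record)
    if tags.get("p") not in VALID_POLICIES:
        problems.append(f"p tag missing or invalid: {tags.get('p')!r}")
    if "rua" not in tags:
        problems.append("rua tag missing: no aggregate reports will be sent")
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            if uri_tag in tags and not uri.strip().startswith("mailto:"):
                problems.append(f"{uri_tag} URI lacks the mailto: prefix: {uri.strip()!r}")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append(f"pct must be an integer from 0 to 100: {pct!r}")
    for align in ("adkim", "aspf"):
        if align in tags and tags[align] not in ("r", "s"):
            problems.append(f"{align} must be 'r' or 's': {tags[align]!r}")
    return problems
```

To check a live record, replace SAMPLE_RECORDS with the strings returned by dig +short TXT _dmarc.your-domain (quotes removed).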

Cloudflare-Specific Features

DNS-Only Mode

When to Use:

  • Always use DNS-only for DMARC records
  • Required for email authentication
  • Prevents proxy interference

How to Set:

  • Ensure cloud icon is gray (not orange)
  • Click cloud icon to toggle if needed

Automatic TTL

Cloudflare Default:

  • Auto TTL (usually 300 seconds)
  • Can set custom TTL
  • Lower TTL = faster changes propagate

Recommendation:

  • Use Auto for most cases
  • Set to 3600 if you want explicit control
  • Lower TTL before making changes

DMARC Policy Progression

Week 1-2: Monitoring Phase

Policy: p=none
Goal: Gather data, identify all sending sources

Cloudflare Record:

Name: _dmarc
Type: TXT
Content: v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

Week 3-4: Testing Phase

Policy: p=quarantine; pct=10
Goal: Test enforcement on a small percentage of mail

Cloudflare Record:

Name: _dmarc
Type: TXT
Content: v=DMARC1; p=quarantine; pct=10; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Week 5-6: Gradual Increase

Policy: p=quarantine; pct=50
Goal: Increase enforcement coverage

Cloudflare Record:

Name: _dmarc
Type: TXT
Content: v=DMARC1; p=quarantine; pct=50; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Week 7-8: Full Quarantine

Policy: p=quarantine
Goal: Full quarantine enforcement

Cloudflare Record:

Name: _dmarc
Type: TXT
Content: v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Week 9+: Full Protection

Policy: p=reject
Goal: Maximum protection against spoofing

Cloudflare Record:

Name: _dmarc
Type: TXT
Content: v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r

Best Practices for Cloudflare DMARC

1. Always Use DNS-Only Mode

  • Never enable proxy for DMARC records
  • Gray cloud icon required
  • Prevents validation issues

2. Start with Monitoring

  • Begin with p=none
  • Monitor for 2-4 weeks
  • Identify all sending sources
  • Then move to enforcement

3. Use MailSentinel for Reports

  • Set up DMARC reporting
  • Monitor authentication status
  • Get alerts for issues
  • Track progress toward enforcement

4. Regular Monitoring

  • Review DMARC reports weekly
  • Check pass rates
  • Identify failures
  • Fix authentication issues

5. Progressive Enforcement

  • Don't jump to p=reject immediately
  • Use gradual progression
  • Test at each stage
  • Monitor for issues

Next Steps

After setting up DMARC in Cloudflare:

  1. Monitor DMARC Reports - Track authentication status
  2. Set Up Alerts - Get notified of issues
  3. Review SPF Validation - Check SPF setup
  4. Progressive Enforcement - Move toward p=reject

Additional Resources