Setting Up SPF Records in Cloudflare

Step-by-step guide to configuring SPF records in Cloudflare DNS. Includes screenshots, troubleshooting, and best practices.

Cloudflare is one of the most popular DNS providers. This guide walks you through configuring SPF records in Cloudflare's DNS dashboard.

Prerequisites

  • Cloudflare account with your domain added
  • Access to Cloudflare DNS settings
  • Your SPF record ready to publish

Step 1: Access Cloudflare DNS Settings

  1. Log in to your Cloudflare dashboard
  2. Select your domain from the domain list
  3. Click DNS in the left sidebar
  4. You'll see your current DNS records

Step 2: Check for Existing SPF Record

Before adding a new SPF record, check if one already exists:

Look for:

  • TXT records at the root domain (@)
  • Records containing v=spf1

If an SPF record exists:

  • You need to edit it, not create a new one
  • Only ONE SPF record is allowed per domain
  • Multiple SPF records cause validation errors

Step 3: Add or Edit SPF Record

Option A: Adding New SPF Record

  1. Click the Add record button
  2. Select TXT as the record type
  3. Configure the record:
    • Type: TXT
    • Name: @ (or leave blank for root domain)
    • Content: Your complete SPF record (e.g., v=spf1 include:_spf.google.com -all)
    • TTL: Auto (or set to 3600 for 1 hour)
    • Proxy status: DNS only (gray cloud)

Important:

  • The Proxy status should be DNS only (gray cloud icon)
  • Do NOT enable the proxy (orange cloud) for SPF records
  • SPF records must resolve directly, not through Cloudflare's proxy
  4. Click Save

Option B: Editing Existing SPF Record

  1. Find your existing SPF TXT record
  2. Click the Edit icon (pencil) next to the record
  3. Update the Content field with your new SPF record
  4. Ensure Proxy status is DNS only (gray cloud)
  5. Click Save

Step 4: Verify SPF Record

In Cloudflare

  1. Return to the DNS records list
  2. Verify your SPF record appears correctly
  3. Check that it's at the root domain (@)

Using MailSentinel

  1. Add your domain to MailSentinel
  2. Run a DNS scan
  3. Verify SPF record is detected
  4. Check validation status

Using Online Tools

Common SPF Record Examples

Google Workspace Only

v=spf1 include:_spf.google.com -all

Cloudflare Configuration:

  • Type: TXT
  • Name: @
  • Content: v=spf1 include:_spf.google.com -all
  • Proxy: DNS only

Microsoft 365 Only

v=spf1 include:spf.protection.outlook.com -all

Multiple Services

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all

Troubleshooting Cloudflare SPF Issues

Issue 1: SPF Record Not Detected

Symptoms:

  • SPF checkers don't find your record
  • MailSentinel shows "No SPF record"

Solutions:

  1. Check Proxy Status

    • Ensure proxy is disabled (gray cloud)
    • SPF records must resolve directly
    • Orange cloud breaks SPF validation
  2. Verify Record Location

    • Record must be at root domain (@)
    • Not on a subdomain
    • Check Name field is @ or blank
  3. Wait for Propagation

    • Cloudflare usually propagates quickly (< 5 minutes)
    • Some DNS checkers cache results
    • Try multiple DNS checkers
  4. Check for Typos

    • Verify v=spf1 (not v=spf or v=spf2)
    • Ensure no extra spaces
    • Check include statements are correct

Issue 2: Multiple SPF Records

Symptoms:

  • "Multiple SPF records" error
  • SPF validation fails

Solutions:

  1. Find all SPF records:

    • Look for all TXT records with v=spf1
    • Check both root and subdomains
  2. Merge records:

    • Combine all includes into one record
    • Keep only one SPF record
  3. Delete duplicates:

    • Remove extra SPF records
    • Keep only the merged record
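
The find, merge and delete steps above, sketched in Python as an added example (not part of the original guide or any Cloudflare tooling). The TXT values are constructed sample data, and keeping the strictest "all" qualifier is this example's own policy choice; review the merged record before publishing it.

```python
# Constructed sample: every TXT value found at the root (@) of one zone.
SAMPLE_ROOT_TXT = [
    '"v=spf1 include:_spf.google.com ~all"',
    '"google-site-verification=constructed-sample-token"',
    '"v=spf1 include:sendgrid.net include:_spf.google.com -all"',
]
# Strictness ranking used to pick the merged "all" qualifier (example policy).
STRENGTH = {"+": 0, "?": 1, "~": 2, "-": 3}


def spf_values(txt_values):
    """Return only the TXT values that are SPF records (start with v=spf1)."""
    cleaned = (v.strip().strip('"') for v in txt_values)
    return [v for v in cleaned if v.lower().split()[:1] == ["v=spf1"]]


def merge_spf(txt_values):
    """Combine all SPF records at one hostname into a single record."""
    terms, seen, all_q = [], set(), None
    for record in spf_values(txt_values):
        for term in record.split()[1:]:
            bare = term.lstrip("+-~?").lower()
            if bare.startswith("redirect="):
                raise ValueError("redirect= needs a manual decision, not a merge")
            if bare == "all":
                q = term[0] if term[0] in STRENGTH else "+"
                if all_q is None or STRENGTH[q] > STRENGTH[all_q]:
                    all_q = q
            elif term.lower() not in seen:  # drop duplicate mechanisms
                seen.add(term.lower())
                terms.append(term)
    tail = [f"{all_q}all"] if all_q is not None else []
    return " ".join(["v=spf1", *terms, *tail])


if __name__ == "__main__":
    print(len(spf_values(SAMPLE_ROOT_TXT)), "SPF records found")
    print("merged:", merge_spf(SAMPLE_ROOT_TXT))
```
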

Issue 3: Proxy Enabled (Orange Cloud)

Symptoms:

  • SPF validation fails
  • DNS lookups time out

Solutions:

  1. Disable Proxy:

    • Click the orange cloud icon
    • Change to gray cloud (DNS only)
    • Wait for propagation
  2. Why This Matters:

    • Cloudflare proxy changes DNS resolution
    • SPF checks need direct DNS access
    • Proxy breaks SPF validation

Issue 4: DNS Lookup Limit Exceeded

Symptoms:

  • "Too many DNS lookups" error
  • SPF validation fails

Solutions:

  1. Count Your Lookups:

    • Each include: counts as 1+ lookups
    • Each a: or mx: counts as 1 lookup
    • Maximum is 10 lookups total
  2. Reduce Lookups:

    • Remove unused includes
    • Flatten includes to IP ranges (if possible)
    • Use subdomains for some services
  3. Check Included Records:

    • Some includes expand to many lookups
    • Use SPF checker to see breakdown
    • Optimize included services
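
To see how nested includes add up against the limit of 10, the following added example (not from the original guide) walks an SPF record recursively. The hostnames and TXT values are constructed and held in an in-memory map so it runs offline. It goes slightly beyond the list above by also counting ptr, exists and redirect=, which RFC 7208 counts toward the same limit.

```python
# Constructed sample data: TXT values keyed by hostname (not real DNS answers).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.mail.example include:_spf.crm.example mx -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a:out.crm.example exists:%{i}.rbl.crm.example ~all"],
}
LOOKUP_LIMIT = 10
# Terms that make the receiver issue a DNS query while evaluating SPF.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_record(domain, txt):
    """Return the one SPF record published at domain; raise if none or several."""
    found = [v for v in txt.get(domain, []) if v.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]


def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Count lookup-causing terms, descending into include: and redirect=."""
    if domain in path:
        raise ValueError(f"SPF loop through {domain}")
    total = 0
    for term in spf_record(domain, txt).split()[1:]:
        term = term.lstrip("+-~?")
        sep = "=" if term.lower().startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, txt, path + (domain,))
    return total


def within_limit(domain, txt=SAMPLE_TXT):
    """True when the whole include tree stays at or under 10 lookups."""
    return count_lookups(domain, txt) <= LOOKUP_LIMIT


if __name__ == "__main__":
    print("example.com lookups:", count_lookups("example.com"))
```

The root record lists only three lookup terms, but the tree they expand to costs more, which is why a record that looks short can still exceed the limit.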

Cloudflare-Specific Features

DNS-Only Mode

When to Use:

  • Always use DNS-only for SPF records
  • Required for email authentication
  • Prevents proxy interference

How to Set:

  • Ensure cloud icon is gray (not orange)
  • Click cloud icon to toggle if needed

Automatic TTL

Cloudflare Default:

  • Auto TTL (usually 300 seconds)
  • Can set custom TTL
  • Lower TTL = changes propagate faster

Recommendation:

  • Use Auto for most cases
  • Set to 3600 if you want explicit control
  • Lower TTL before making changes

DNS Record Management

Best Practices:

  • Use Cloudflare's comment feature to document records
  • Tag records for easier management
  • Keep records organized

Best Practices for Cloudflare SPF

1. Always Use DNS-Only Mode

  • Never enable proxy for SPF records
  • Gray cloud icon required
  • Prevents validation issues

2. Document Your Records

  • Use Cloudflare's comment feature
  • Note why each include is needed
  • Document when records were added

3. Regular Audits

  • Review SPF records quarterly
  • Remove unused includes
  • Check lookup count
  • Verify all services still needed

4. Test Before Production

  • Use test subdomain first
  • Verify SPF validation
  • Check lookup count
  • Then apply to production

5. Monitor Changes

  • Use MailSentinel to monitor SPF
  • Set up alerts for changes
  • Track validation status
  • Review DMARC reports

Advanced Cloudflare SPF Configuration

Using Cloudflare Workers (Advanced)

For complex SPF management, you can use Cloudflare Workers, but this is rarely necessary. Standard DNS records are sufficient for most use cases.

Cloudflare Email Routing

If using Cloudflare Email Routing:

  • Add Cloudflare's SPF include if needed
  • Check Cloudflare documentation for current include
  • May need: include:_spf.mx.cloudflare.net

Next Steps

After setting up SPF in Cloudflare:

  1. Configure DKIM - Set up DKIM signing
  2. Set Up DMARC - Configure DMARC policy
  3. Monitor SPF - Track validation status
  4. Set Up Alerts - Get notified of issues
