Why These Records Matter in 2026
- SPF (Sender Policy Framework): Specifies which servers/IPs are allowed to send email from your domain.
- DKIM (DomainKeys Identified Mail): Adds a cryptographic signature so receivers can verify the email wasn’t altered.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receivers what to do if SPF/DKIM fails (quarantine, reject) and sends you reports.
Without them, your emails may land in spam, get blocked outright, or expose your domain to impersonation attacks.
Important note: The actual values for SPF and DKIM come from your email service provider (Google Workspace, Microsoft 365, Zoho, Resend, SendGrid, etc.). DMARC is more flexible and you can create it yourself.
Option 1: Use Cloudflare’s Built-in Email Security Wizard (Recommended for Most Users)
Cloudflare has streamlined this in recent years via the DMARC Management section.
- Log in to your Cloudflare dashboard.
- Select your account → your domain.
- Go to Email > DMARC Management.
- In the Email record overview section, click View records.
- You’ll see options to set up or edit:
  - SPF
  - DKIM
  - DMARC
- Follow the on-screen prompts:
  - For SPF and DKIM, you’ll typically paste values provided by your email host.
  - For DMARC, Cloudflare offers a simple policy builder (start with p=quarantine or p=reject once tested).
- Cloudflare automatically handles duplicates (e.g., merging rua= reporting addresses if a DMARC record already exists).
- Save and wait 5–60 minutes for propagation.
This wizard detects existing records, prevents syntax errors, and is the easiest path in 2026.
If you prefer full control or the wizard doesn’t cover your exact use case, add them directly in DNS.
- Log in to Cloudflare → select your domain → go to DNS > Records.
- Click Add record.
A. Adding SPF (almost always a TXT record at the root)
- Type: TXT
- Name: @ (or leave blank — Cloudflare uses @ for the root domain)
- Content: Your SPF string from your email provider.
  Example (Google Workspace + one newsletter tool):
  v=spf1 include:_spf.google.com include:sendgrid.net ~all
- TTL: Auto
- Proxy status: DNS only (orange cloud off — email records should not be proxied)
Never have more than one SPF record — if you already have one, edit it instead of adding another.
B. Adding DKIM
DKIM almost always uses a TXT record (some providers use CNAME for easier setup).
- Type: TXT (or CNAME if your provider instructs)
- Name: The selector + ._domainkey
  Examples:
  google._domainkey
  selector1._domainkey
  k1._domainkey
- Content: The full value from your email provider.
  Typical format:
  v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA…
- TTL: Auto
C. Adding DMARC
- Type: TXT
- Name: _dmarc
- Content: A policy you define. Start conservative:
  Basic safe starter (reports only, no strict enforcement):
  v=DMARC1; p=none; rua=mailto:[email protected];
  Recommended after testing (most common in 2026):
  v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected];
  Strict (after 1–3 months of monitoring):
  v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; fo=1;
- TTL: Auto
Quick Reference Table: Record Examples
| Protocol | Record Type | Name / Host | Example Content (partial) |
|---|---|---|---|
| SPF | TXT | @ | v=spf1 include:_spf.google.com include:mail.zendesk.com ~all |
| DKIM | TXT | selector._domainkey | v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC… |
| DMARC | TXT | _dmarc | v=DMARC1; p=quarantine; rua=mailto:[email protected]; |
After Adding Records: Verification & Best Practices
- Wait 5–60 minutes, then verify:
  - Use tools like MX Toolbox, DKIM Validator, or PowerDMARC Checker
  - Send test emails and check headers in Gmail/Outlook
- Monitor DMARC reports (rua= address) for 2–4 weeks before tightening policy to reject.
- Keep SPF under 10 DNS lookups (flatten if needed).
- Renew DKIM keys before expiration (most providers notify you).
- Never proxy email-related TXT records (keep them DNS-only).
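As an added example (not part of the original guide or of Cloudflare's tooling), the sketch below lints a zone's TXT records offline for the mistakes called out above: more than one SPF record, too many SPF lookup terms, a monitor-only DMARC policy, and an empty DKIM key. The function names, the SAMPLE zone and the reports@example.com address are hypothetical, and nested includes are not expanded because that would need live DNS.

```python
# Added example; every record value in SAMPLE is constructed, not a real key or address.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # SPF terms that cost a DNS lookup
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

def spf_lookups(spf):
    """Count lookup-causing terms in one SPF string (nested includes are not expanded)."""
    count = 0
    for term in spf.split()[1:]:
        term = term.lstrip("+-~?").lower()
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHS or term.startswith("redirect="):
            count += 1
    return count

def parse_tags(record):
    """Split a DKIM/DMARC 'tag=value; tag=value' string into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_zone(txt):  # txt maps a record name ('@', '_dmarc', 'k1._domainkey') to TXT strings
    findings = []
    spf = [r for r in txt.get("@", []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record at root, found {len(spf)}")
    for r in spf:
        if spf_lookups(r) > SPF_LOOKUP_LIMIT:
            findings.append(f"SPF: {spf_lookups(r)} lookup terms, limit is {SPF_LOOKUP_LIMIT}")
    dmarc = [parse_tags(r) for r in txt.get("_dmarc", []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record at _dmarc, found {len(dmarc)}")
    for tags in dmarc:
        policy = tags.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append(f"DMARC: missing or invalid p= ({policy!r})")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors, nothing is enforced yet")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, aggregate reports go nowhere")
    for name, records in txt.items():
        if name.endswith("._domainkey") and not all(parse_tags(r).get("p") for r in records):
            findings.append(f"DKIM {name}: empty or missing p= (public key)")
    return findings

SAMPLE = {  # constructed zone with three deliberate mistakes
    "@": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all", "v=spf1 mx -all"],
    "_dmarc": ["v=DMARC1; p=none; rua=mailto:reports@example.com;"],
    "k1._domainkey": ["v=DKIM1; k=rsa; p="],
}
print("\n".join(lint_zone(SAMPLE)))
```

Feed it the TXT values exported from DNS > Records; an empty list means none of these checks fired, not that mail will authenticate end to end.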
Setting up SPF, DKIM, and DMARC in Cloudflare takes 10–20 minutes but dramatically improves deliverability and security. If you’re using a specific email provider (Google, Microsoft, Resend, etc.), check their docs for the exact values — then plug them into Cloudflare.
