How can I add a DMARC record in Cloudflare?

Adding a DMARC record to Cloudflare protects your domain from email spoofing and improves deliverability. Follow these simple steps to configure the TXT record in the Cloudflare DNS dashboard.

Quick Takeaways

• DMARC is added as a TXT record under the _dmarc host.
• Start with p=none to monitor email traffic before enforcing policies.
• Use Palisade’s DMARC generator to create a compliant record instantly.
• Cloudflare’s DNS UI lets you add, edit, or delete TXT records in seconds.
• Verify the record with Palisade’s Check your DMARC score tool.
• Combine DMARC with BIMI for brand visibility.
• Ensure SPF and DKIM are also configured – Generate SPF records and Validate DKIM setup.

Frequently Asked Questions (12)

What is DMARC and why should I add it to Cloudflare?

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving mail servers how to handle unauthenticated emails. Adding it in Cloudflare prevents spoofed messages from your domain, boosts inbox placement, and gives you visibility through aggregate reports.

How do I generate a DMARC record for my domain?

Use Palisade’s DMARC Record Generator – simply enter your domain, select a policy (none, quarantine, reject), and copy the generated TXT string.

Which DNS record type does Cloudflare require for DMARC?

Choose TXT as the record type. The host name must be _dmarc and the value is the full DMARC string you generated.

Where in Cloudflare do I add the new TXT record?

Log into Cloudflare, select your domain, go to the DNS tab, click Add record, then fill in Type = TXT, Name = _dmarc, and paste the DMARC string into the Content field.

Do I need to remove an existing DMARC record before adding a new one?

If a DMARC record already exists, edit it instead of creating a duplicate. Having multiple DMARC TXT records can cause validation failures.

What does the p=none policy mean?

p=none tells receivers to monitor email traffic without rejecting or quarantining messages. It’s the safest starting point to collect reports and fine‑tune your SPF/DKIM alignment.

How can I move from p=none to p=quarantine or p=reject?

After a few weeks of monitoring, review the aggregate reports in Palisade’s dashboard. When you’re confident legitimate sources are authenticated, update the p tag to quarantine or reject to enforce stricter handling.

What are the rua and ruf tags?

rua specifies an email address for aggregate reports, while ruf requests forensic (failure) reports. Palisade can forward both to your inbox or a SIEM for analysis.

How do I verify that Cloudflare has published my DMARC record?

Use Palisade’s DMARC lookup tool or run a DNS query like dig TXT _dmarc.example.com. The response should match the string you entered.

Can I add DMARC to a subdomain?

Yes. Create a separate TXT record for _dmarc.subdomain.example.com. This lets you enforce different policies per sub‑domain if needed.

What if I use multiple email services (e.g., G Suite and SendGrid)?

List all legitimate sending sources in your SPF record and ensure each service signs outgoing mail with DKIM. DMARC will then align both SPF and DKIM to pass authentication.

Will adding DMARC affect my existing email flow?

With p=none, there is no impact on delivery. Only after you switch to quarantine or reject will unauthenticated messages be blocked or sent to spam.

Additional FAQs (5)

Do I need to update my SPF record after adding DMARC?

SPF is a separate mechanism, but DMARC relies on SPF alignment. Ensure your SPF includes all authorized sending IPs; you can generate one with Palisade’s SPF tool.

How does DKIM complement DMARC?

DKIM adds a cryptographic signature to each email. DMARC checks that the DKIM signature aligns with the From domain. Use Palisade’s DKIM validator to confirm proper setup.

What is BIMI and should I enable it alongside DMARC?

BIMI (Brand Indicators for Message Identification) displays your logo in supporting inboxes, increasing brand trust. It requires a DMARC policy of p=quarantine or p=reject. Learn more at Palisade’s BIMI guide.

How often should I review my DMARC reports?

Check the aggregate reports weekly during the monitoring phase, then monthly once you’re in enforcement mode. Palisade’s dashboard can send you automated summaries.

Can I test DMARC changes without affecting live email?

Yes. Use a subdomain for testing, apply the DMARC record there, and send test messages. Once verified, copy the record to the primary domain.

For personalized assistance, reach out to Palisade’s support team or explore our suite of email security tools.