How to Add a DMARC Record in Cloudflare: Step-by-Step DNS Guide
Quick Answer
To add a DMARC record in Cloudflare, log into your Cloudflare dashboard, select your domain, navigate to DNS, click Add Record, choose TXT as the type, enter _dmarc as the name, and paste your DMARC policy string as the content. Save the record and verify it propagates using a DMARC checker tool.
Adding a DMARC record to your domain through Cloudflare DNS is a straightforward process that takes less than five minutes once you know the exact steps. DMARC (Domain-based Message Authentication, Reporting and Conformance) is published entirely in DNS: you add a single TXT record at the _dmarc label of your domain’s zone. Cloudflare pushes zone changes to its global anycast nameservers within seconds, so receiving mail servers that query your authoritative servers see the new record almost immediately. The one delay you cannot control is a recursive resolver that looked up _dmarc.yourdomain.com before you saved and cached the empty answer; it will keep returning that cached result until its negative-cache TTL expires. Whether you are setting up DMARC for the first time or migrating your DNS to Cloudflare from another provider, this guide walks you through every step from login to verification.
Quick Steps
The entire process consists of five actions: log into Cloudflare, select your domain, open the DNS settings page, create a new TXT record with the name _dmarc and your policy string as the value, and then verify the record is live. The rest of this guide breaks each step down in detail and explains the decisions you need to make about policy level and reporting configuration along the way.
As of 2025, DMARC appears in multiple compliance regimes. CISA BOD 18-01 has required p=reject on US federal executive-branch domains since 2018. PCI DSS v4.0 requirement 5.4.1, mandatory since 31 March 2025, requires anti-phishing controls and names DMARC (with SPF and DKIM) among the mechanisms that satisfy it. Google and Yahoo have required a DMARC record from bulk senders (5,000+ messages per day) since February 2024, and Microsoft applied the same threshold to Outlook.com in May 2025, initially routing non-compliant mail to Junk. UK, Australian and Canadian government guidance (NCSC, ASD and CCCS respectively) requires or strongly recommends DMARC on government domains. Cyber insurers increasingly ask about DMARC enforcement as an underwriting condition.
What Are the Prerequisites?
Before you begin, you need an active Cloudflare account with your domain added and its nameservers pointed to Cloudflare. You also need to know your current SPF and DKIM status, because a DMARC pass requires at least one of the two to pass with an aligned domain: either the SPF-checked domain (the envelope sender, MAIL FROM) or the DKIM d= domain must match the domain in the visible From header. If you have not yet configured SPF and DKIM for your domain, do that first; a DMARC record published over unauthenticated mail produces reports full of failures and, once you move to enforcement, blocks your own email. You should also decide on a mailbox for DMARC aggregate reports, commonly something like dmarc-reports@yourdomain.com or a dedicated address provided by a reporting service such as DMARC Report. Under Google’s 2024 bulk sender requirements, any domain sending more than 5,000 messages per day to Gmail must publish at least a p=none DMARC record.
How Do You Add the DMARC Record Step by Step?
Log into the Cloudflare dashboard and select the domain you want to protect. From the left sidebar, click on “DNS” and then “Records” to open the DNS management page. Click the “Add record” button. In the form that appears, set the following fields. For Type, select “TXT” from the dropdown menu. For Name, enter _dmarc exactly as written, without any trailing dot or domain suffix since Cloudflare appends your domain automatically. For Content, enter your DMARC policy string. A minimal starting record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Leave the TTL set to “Auto” unless you have a specific reason to change it; Cloudflare’s Auto TTL resolves to 300 seconds, which is fine for DMARC records. Click “Save” and the record is live on Cloudflare’s authoritative nameservers within seconds, so a query sent directly to those nameservers will return it right away. Recursive resolvers that cached an earlier (empty) answer for _dmarc.yourdomain.com will keep serving it until that cached TTL expires, so a single checker reporting “no record” a minute after you saved is a caching effect, not a Cloudflare problem.
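The same five steps can be automated through the Cloudflare API. The script below is an added example written for this guide, not Cloudflare’s or DMARC Report’s code; it assumes an API token with DNS edit permission on the zone in the CF_API_TOKEN environment variable, the zone ID shown on your domain’s Cloudflare overview page in CF_ZONE_ID, and the v4 dns_records endpoints. It first looks up what already exists at _dmarc so that a re-run updates the record instead of adding a second one, and it refuses to act when two DMARC records are already present, because that combination makes receivers ignore DMARC for the domain entirely.

```python
"""Create or update the _dmarc TXT record of a zone through the Cloudflare
API v4, refusing to act when the zone already holds more than one DMARC
record. Added example for this guide (not Cloudflare or DMARC Report code).
Assumptions: CF_API_TOKEN holds a token with Zone:DNS:Edit, CF_ZONE_ID holds
the zone ID, and the endpoints are those of api.cloudflare.com/client/v4."""
import json
import os
import sys
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def unquote_txt(content):
    """The API may return TXT content wrapped in double quotes; normalise it."""
    content = content.strip()
    if len(content) >= 2 and content[0] == content[-1] == '"':
        content = content[1:-1]
    return content


def dmarc_records(api_results, fqdn):
    """Keep only TXT records at the _dmarc name whose content starts with
    v=DMARC1; other TXT strings at that name are ignored by receivers."""
    return [
        r for r in api_results
        if r.get("type") == "TXT"
        and r.get("name", "").lower() == fqdn.lower()
        and unquote_txt(r.get("content", "")).startswith("v=DMARC1")
    ]


def plan_change(existing, desired):
    """Decide the action: ('create', None), ('update', record_id),
    ('noop', record_id), or ('conflict', None) when two or more exist."""
    if len(existing) > 1:
        return "conflict", None
    if not existing:
        return "create", None
    rec = existing[0]
    if unquote_txt(rec["content"]) == desired.strip():
        return "noop", rec["id"]
    return "update", rec["id"]


def cf_request(method, path, token, body=None):
    """Minimal authenticated call; raises on a non-success API envelope."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(payload.get("errors"))
    return payload["result"]


def ensure_dmarc(domain, zone_id, token, content):
    """Idempotently make _dmarc.<domain> equal to content; returns the action."""
    fqdn = f"_dmarc.{domain}"
    query = urllib.parse.urlencode({"type": "TXT", "name": fqdn})
    found = cf_request("GET", f"/zones/{zone_id}/dns_records?{query}", token)
    existing = dmarc_records(found, fqdn)
    action, rec_id = plan_change(existing, content)
    body = {"type": "TXT", "name": fqdn, "content": content, "ttl": 1}  # ttl 1 = Auto
    if action == "conflict":
        raise SystemExit(f"{fqdn} already has {len(existing)} DMARC records; remove the extras first")
    if action == "create":
        cf_request("POST", f"/zones/{zone_id}/dns_records", token, body)
    elif action == "update":
        cf_request("PATCH", f"/zones/{zone_id}/dns_records/{rec_id}", token, body)
    return action


if __name__ == "__main__":
    # usage: python ensure_dmarc.py yourdomain.com "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
    domain, record = sys.argv[1], sys.argv[2]
    print(ensure_dmarc(domain, os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"], record))
```

Run it twice and the second run reports noop; change the policy string and it reports update. Scope the token to the one zone: a token that can edit DNS for your domain can also redirect your mail and web traffic, so treat it like any other credential.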
How Should You Choose Your DMARC Policy?
The p tag in your DMARC record tells receiving servers what to do with a message that produces no aligned pass, that is, neither SPF nor DKIM passes with a domain that aligns with the From header domain. The three values are none, quarantine, and reject. Starting with p=none is strongly recommended for any domain that has not previously had DMARC: it tells receivers to deliver all messages normally while sending you aggregate reports about authentication results, and those reports are how you find every legitimate sending source before tightening the policy. The optional pct tag (default 100) applies quarantine or reject to only a percentage of failing messages, so pct=10 lets you test enforcement on a small sample before committing to it. Moving from p=none to p=quarantine and eventually to p=reject is a phased process that typically takes 9 to 18 months for organizations with complex email ecosystems involving multiple third-party senders, marketing platforms, and transactional email services. Rushing to enforcement without thorough report analysis risks blocking legitimate email from sources you did not know were sending on your behalf.
How Do You Configure the rua Reporting Address?
The rua tag tells receiving mail servers where to send DMARC aggregate reports. These are XML documents, typically one per receiver per day, that summarize the mail a receiver saw claiming your domain: for each sending IP address, how many messages arrived, whether SPF and DKIM passed and aligned, and what disposition was applied. They do not contain message contents or per-message copies; that is the role of failure reports requested with the ruf tag, which few large receivers send. If your reporting address is on the same domain as the DMARC record, no additional DNS configuration is needed. If reports go to an address on a different domain, such as a third-party monitoring service, the receiving domain must publish a DNS record authorizing it to accept reports for your domain, otherwise receivers will not send them (RFC 7489 section 7.1). That authorization record is a TXT record at yourdomain.com._report._dmarc.reportingdomain.com with the value v=DMARC1; services that accept reports for many customers publish it as a wildcard at *._report._dmarc.reportingdomain.com. According to Agari’s 2024 Email Fraud and Identity Trends report, organizations that actively monitor their DMARC aggregate reports reduce successful phishing impersonation by up to 85% compared to those that publish DMARC without reviewing reports.
How Do You Verify the Record Is Live?
After saving the record in Cloudflare, verify it using DMARC Report’s free checker tool. Enter your domain and the tool will query the _dmarc subdomain, display the full record value, parse each tag, and flag any syntax issues or misconfigurations. You can also verify from the command line: dig TXT _dmarc.yourdomain.com +short on Linux or macOS, or nslookup -type=TXT _dmarc.yourdomain.com on Windows. To see exactly what Cloudflare is serving, bypassing your local resolver’s cache, query one of your zone’s assigned nameservers directly, for example dig @yournameserver.ns.cloudflare.com TXT _dmarc.yourdomain.com +short, substituting one of the two nameserver names shown on your Cloudflare DNS page. The response should contain your exact DMARC policy string (dig prints it inside double quotes), and it should be the only v=DMARC1 string returned; two DMARC records at the same name cause receivers to ignore both. If the record does not appear, wait a few minutes for cached answers to expire and try again, or check that you entered the name as _dmarc without accidentally including the full domain name in the Cloudflare interface.
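The checks a receiver applies to the string you just published, in code. This is an added example written for this guide, not DMARC Report’s checker or any Cloudflare code; the domain names are placeholders. It covers the points from the policy and rua sections above: v=DMARC1 must come first, p is required and must be none, quarantine or reject, sp, adkim, aspf and pct must hold valid values, report URIs must be mailto: URIs, and for every rua or ruf mailbox outside your own domain it prints the _report._dmarc authorization name the receiving domain has to publish. Paste the value returned by dig (without the surrounding quotes) into the script to check it.

```python
"""Offline checks on a DMARC record string, as a receiver applies them
(RFC 7489 sections 6.3 and 7.1). Added example for this guide, not code from
DMARC Report or Cloudflare. Domain names are placeholders."""
import re

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENTS = {"r", "s"}
# mailto:local@host with an optional !size suffix such as !10m
MAILTO_RE = re.compile(r"^mailto:([^@\s!]+)@([A-Za-z0-9.-]+)(?:!\d+[kmgt]?)?$", re.I)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed tag-value pair: {chunk!r}")
        tag, value = chunk.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def report_uris(tags, tag):
    """Comma-separated URIs of rua or ruf, with empty entries dropped."""
    return [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]


def validate_dmarc(record):
    """Return a list of problems; an empty list means the record is usable."""
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # v must be the first tag and exactly DMARC1, otherwise receivers ignore the record
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    tags = dict(pairs)
    if len(tags) != len(pairs):
        problems.append("duplicate tag")
    if "p" not in tags:
        problems.append("p tag is required")
    elif tags["p"].lower() not in POLICIES:
        problems.append(f"invalid p value: {tags['p']!r}")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        problems.append(f"invalid sp value: {tags['sp']!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ALIGNMENTS:
            problems.append(f"invalid {tag} value: {tags[tag]!r}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct must be an integer 0-100, got {tags['pct']!r}")
    for tag in ("rua", "ruf"):
        for uri in report_uris(tags, tag):
            if not MAILTO_RE.match(uri):
                problems.append(f"{tag} URI is not a valid mailto: URI: {uri!r}")
    return problems


def external_report_authorizations(policy_domain, record):
    """Map each rua/ruf URI whose mailbox is outside policy_domain to the TXT
    record name the report receiver must publish with content v=DMARC1.
    Simplification: a host counts as internal if it is policy_domain or a
    subdomain of it; RFC 7489 compares Organizational Domains, which needs
    the Public Suffix List."""
    policy_domain = policy_domain.lower().rstrip(".")
    tags = dict(parse_dmarc(record))
    needed = {}
    for tag in ("rua", "ruf"):
        for uri in report_uris(tags, tag):
            m = MAILTO_RE.match(uri)
            if not m:
                continue
            host = m.group(2).lower().rstrip(".")
            if host == policy_domain or host.endswith("." + policy_domain):
                continue
            needed[uri] = f"{policy_domain}._report._dmarc.{host}"
    return needed


if __name__ == "__main__":
    rec = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
    print(validate_dmarc(rec) or "record OK")
    # Constructed record that sends reports to a third-party service
    ext = "v=DMARC1; p=quarantine; rua=mailto:reports@dmarc-vendor.example"
    for uri, name in external_report_authorizations("yourdomain.com", ext).items():
        print(f"{uri}: receiver must publish TXT {name} with content v=DMARC1")
```

Check the authorization name it prints with dig TXT before pointing rua at a third-party domain; if the receiving domain has not published it, receivers silently drop your reports and you will conclude, wrongly, that nobody is sending as your domain.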
Does Cloudflare’s Proxy Affect DMARC?
This is a common source of confusion. Cloudflare’s orange-cloud proxy routes web traffic (HTTP and HTTPS) through its network for performance and security benefits, but DMARC operates entirely over DNS using TXT records. DNS records are not proxied regardless of the proxy toggle setting. When you create a TXT record in Cloudflare, there is no proxy option because TXT records are always served directly from DNS. Your DMARC record functions identically whether your domain’s A or AAAA records are proxied through Cloudflare or set to DNS-only mode, because receiving mail servers query DNS directly for the TXT record and never touch the HTTP proxy layer. The proxy does matter for mail delivery in one unrelated way: the hostname your MX record points to (for example mail.yourdomain.com) must itself be DNS-only, since Cloudflare does not proxy SMTP and inbound connections to a proxied mail host will fail.
What About Cloudflare’s Built-In DMARC Management?
Cloudflare offers a basic DMARC management feature inside its dashboard under Email > DMARC Management. It can create a DMARC record for you and show a simplified view of aggregate report data. However, there are two important caveats. First, it only works if your domain’s DNS is hosted on Cloudflare — if you use Cloudflare as a reverse proxy but manage DNS elsewhere, the feature is unavailable. Second, the reporting is extremely basic compared to a dedicated DMARC reporting platform. Cloudflare’s DMARC Management shows high-level pass/fail summaries but lacks source classification, per-sender drill-down, forensic report analysis, trend tracking over time, alerting, and the guided remediation workflow that tools like DMARC Report provide. For organizations serious about reaching DMARC enforcement, Cloudflare’s built-in tool is a starting point at best — it does not give you the visibility needed to safely move from p=none to p=reject across complex sending environments with dozens of third-party services.
What Should You Do After Adding the Record?
Publishing the DMARC record is the beginning of the process, not the end. Over the following weeks, aggregate reports will begin arriving at the address you specified in the rua tag. These XML reports are dense and difficult to read manually, which is why most organizations use a reporting platform like DMARC Report to parse, visualize, and alert on the data. Your immediate next steps are to confirm reports are arriving, identify all legitimate sending sources in the data, ensure each source passes SPF or DKIM with proper alignment, and then plan your phased move toward enforcement. If you have already set up DMARC on other DNS providers, you may find our GoDaddy DMARC setup guide helpful for comparison.
FAQ
Can I have more than one DMARC record for a domain?
No. RFC 7489 (section 6.6.3) requires receivers to stop DMARC processing altogether when more than one v=DMARC1 record is found at _dmarc.yourdomain.com, so two records do not combine into a stricter policy; they switch DMARC off for the domain. TXT strings at that name that do not begin with v=DMARC1 are discarded first and do not count. Always ensure you have exactly one DMARC TXT record per domain, and check for a leftover record after migrating a zone into Cloudflare.
Do I need a separate DMARC record for each subdomain?
Not necessarily. Receivers first look for a record at _dmarc.<From domain>; if none exists, they fall back to the record at _dmarc.yourdomain.com, the organizational domain, so subdomains inherit the parent’s policy by default. In that fallback the parent’s sp tag, if present, is what applies to the subdomain; if sp is absent, the parent’s p applies. A subdomain that publishes its own record at _dmarc.subdomain.yourdomain.com uses that record instead, and an sp tag inside a subdomain’s own record has no effect. Typical uses are p=reject at the parent with sp=none or sp=quarantine while subdomain senders are still being inventoried, or sp=reject to lock down subdomains that should never send mail.
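The discovery rules behind the two FAQ answers above, run against a made-up zone instead of live DNS. This is an added example written for this guide, not DMARC Report’s or Cloudflare’s code; the example.com names and record contents are constructed, and the organizational domain is passed in rather than derived from the Public Suffix List as a real receiver would.

```python
"""DMARC policy discovery (RFC 7489 section 6.6.3) against a constructed
in-memory zone, so the subdomain and multiple-record rules can be exercised
offline. Added example for this guide, not DMARC Report's or Cloudflare's
code; the example.com names and ZONE contents are made up, and the
organizational domain is supplied by the caller instead of being derived
from the Public Suffix List."""

POLICIES = {"none", "quarantine", "reject"}

# Constructed zone: name -> list of TXT strings, as a resolver would return them
ZONE = {
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
        "some-unrelated-verification=abc",  # not a DMARC record; receivers discard it
    ],
    # subdomain with its own record: its sp is ignored, its p wins over the parent
    "_dmarc.mail.example.com": ["v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com"],
    # two DMARC records at one name: DMARC is not applied at all
    "_dmarc.broken.example.com": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
}


def parse_tags(record):
    """Loose tag=value parser; validation is not the point of this example."""
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            tag, value = chunk.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_records(zone, name):
    """Steps 2 and 4: discard TXT strings that do not start with v=DMARC1."""
    return [r for r in zone.get(name.lower(), []) if r.strip().startswith("v=DMARC1")]


def discover_policy(zone, from_domain, org_domain):
    """Return (effective_policy, source) for mail whose From header domain is
    from_domain. effective_policy is None when DMARC must not be applied."""
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    name = f"_dmarc.{from_domain}"
    records = dmarc_records(zone, name)
    fell_back = False
    # Step 3: only an empty set triggers the organizational-domain lookup
    if not records and from_domain != org_domain:
        name = f"_dmarc.{org_domain}"
        records = dmarc_records(zone, name)
        fell_back = True
    # Step 5: zero or several records ends discovery with no policy applied
    if len(records) != 1:
        return None, f"{len(records)} DMARC records at {name}; no DMARC processing"
    tags = parse_tags(records[0])
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # sp defaults to p when absent
    if p not in POLICIES or sp not in POLICIES:
        # Step 6: an unusable p/sp is treated as p=none if a rua mailbox is present
        if tags.get("rua", "").lower().startswith("mailto:"):
            return "none", f"{name} (invalid p/sp treated as p=none because rua is present)"
        return None, f"invalid p/sp at {name}; no DMARC processing"
    # sp only takes effect when the organizational domain's record covers a subdomain
    return (sp if fell_back else p), name


if __name__ == "__main__":
    for sender in ("example.com", "mail.example.com", "news.example.com", "broken.example.com"):
        print(sender, "->", discover_policy(ZONE, sender, "example.com"))
```

news.example.com has no record of its own and picks up the parent’s sp=quarantine, mail.example.com keeps its own p=none, and broken.example.com ends up with no DMARC at all despite one of its two records saying p=reject.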
Will adding a DMARC record affect my existing email delivery?
A p=none policy will not change how any receiving server handles your email. It only enables reporting so you can observe authentication results. Email delivery is only affected when you later move to p=quarantine or p=reject, which is why starting with p=none and analyzing reports thoroughly before enforcement is critical.
Content Specialist
Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.