SPF, DKIM & DMARC on Cloudflare.
Set up SPF, DKIM, and DMARC for a domain whose DNS is managed in Cloudflare. These are the three records that get your mail authenticated; add them in the order below and start DMARC at p=none so you can read the reports before enforcing.
Sign in at dash.cloudflare.com, pick your domain, and open the DNS → Records tab. All three records are added here with the 'Add record' button.
Cloudflare's orange-cloud proxy applies to web traffic (A/AAAA/CNAME), not to TXT records, so SPF/DKIM/DMARC TXT records are unaffected by proxy status. If your DKIM is a CNAME to your sending service, set that CNAME to 'DNS only' (grey cloud) so it resolves to the provider's key rather than a Cloudflare-proxied address.
The record values below are illustrative templates. Your real DKIM key, DMARC report address, and SPF includes are specific to your sending service — copy the exact records from that service's console (RadMail generates them for its tenants) and paste those. Adding records never sends mail or changes anything until the records propagate, usually within an hour.
The steps.
Add the SPF record
DNS → Records → Add record. Type: TXT. Name: @ (the root of your domain). Content: your SPF string, including every service that sends for you. Keep it to a single SPF record — if one already exists, edit it to add an include rather than creating a second.
TXT @ "v=spf1 include:your-sending-service.example ~all"Add the DKIM record
Add record. Most services give you either a TXT record at a selector name or a CNAME. For a TXT: Type TXT, Name selector._domainkey (Cloudflare appends your domain automatically — enter just the left part), Content the long public key your service issued. For a CNAME-style key, add a CNAME at the selector name pointing at the target your service gave you, set to 'DNS only'.
TXT s1._domainkey "v=DKIM1; k=rsa; p=MIGfMA0...your-public-key..."Add the DMARC record
Add record. Type: TXT. Name: _dmarc. Content: start at p=none so you can read reports before enforcing, and set rua to a mailbox you watch. After a couple of weeks of clean reports, edit the record to p=quarantine, then later to p=reject.
TXT _dmarc "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1"Verify propagation
Give it up to an hour, then check each record resolves. Cloudflare usually propagates in minutes. You can confirm with a DNS lookup tool or your sending service's own verification button. Only move DMARC to quarantine/reject after the reports show your legitimate mail aligning on SPF or DKIM.