Last updated: July 2026
In short: After this guide your domain publishes a DMARC TXT record in the Cloudflare DNS zone — safely staggered from observation to enforcement.
Prerequisites
- A domain whose DNS is managed at Cloudflare (DNS > Records)
- SPF and DKIM must be in place — DMARC builds on them
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. As Cloudflare’s docs put it, “DMARC ensures that emails claiming to be from your domain actually pass SPF and DKIM checks, telling recipients what to do with emails that fail authentication.” It also lets you receive aggregate reports. You configure it via a TXT record in your DNS zone. It’s “not required”, but Cloudflare notes “DMARC significantly improves email deliverability”.
The policies
Cloudflare names the three levels concisely:
none— “Monitor only (recommended to start)”quarantine— “Quarantine suspicious emails”reject— “Reject unauthenticated emails”
This is also the deployment order: start at none, and “Finally implement p=reject after confirming legitimate mail authenticates”.
Step-by-step guide
1. Start with observation
Go to DNS > Records, select Add record, and create:
| Field | Value |
|---|---|
| Type | TXT |
| Name | _dmarc |
| Content | v=DMARC1; p=none; rua=mailto:dmarc@beispiel.de |
| TTL | Auto |
Cloudflare’s own example record is v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com — for a first rollout you start at p=none so nothing gets blocked while you watch the reports. Analyze the rua reports with a DMARC monitor.
Reports on another domain? If your
ruaaddress lives on a different domain (common with a DMARC aggregator), Cloudflare notes “the receiving domain must publish a_report._dmarc.yourdomain.comTXT record to authorize reports”.
2. Read reports, clean up sources
“Monitor DMARC reports for several weeks.” The reports show which sources don’t yet pass SPF/DKIM. Only once all legitimate senders are clean do you tighten.
3. Stagger up to reject
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de
4. Wait until the change is live
DNS changes take time — a while depending on caching.
The most important tags
| Tag | Meaning |
|---|---|
v=DMARC1 | version, must be at the start |
p= | policy: none / quarantine / reject |
rua= | address for aggregated reports |
pct= | portion of mail the policy applies to |
sp= | policy for subdomains |
adkim= / aspf= | alignment (r relaxed, s strict) |
Verify the result
Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.
Or directly:
dig TXT _dmarc.example.com +short
Common mistakes
Straight to reject. Without a none phase you block legitimate sources — Cloudflare recommends p=none to start.
No rua. Without a report address you’re flying blind.
DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.
Two _dmarc records. Only one DMARC record per domain — a second one invalidates the policy.
Further reading
- Cloudflare Docs: Email authentication (SPF, DKIM, DMARC) (retrieved: July 10, 2026)
- Cloudflare Docs: Email Service troubleshooting (retrieved: July 10, 2026)
- RFC 7489 — DMARC
