Last updated: July 2026

In short: After this guide your domain publishes a DMARC TXT record in the Cloudflare DNS zone — safely staggered from observation to enforcement.

Prerequisites

  • A domain whose DNS is managed at Cloudflare (DNS > Records)
  • SPF and DKIM must be in place — DMARC builds on them

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. As Cloudflare’s docs put it, “DMARC ensures that emails claiming to be from your domain actually pass SPF and DKIM checks, telling recipients what to do with emails that fail authentication.” It also lets you receive aggregate reports. You configure it via a TXT record in your DNS zone. It’s “not required”, but Cloudflare notes “DMARC significantly improves email deliverability”.

The policies

Cloudflare names the three levels concisely:

  • none — “Monitor only (recommended to start)”
  • quarantine — “Quarantine suspicious emails”
  • reject — “Reject unauthenticated emails”

This is also the deployment order: start at none, and “Finally implement p=reject after confirming legitimate mail authenticates”.

Step-by-step guide

1. Start with observation

Go to DNS > Records, select Add record, and create:

FieldValue
TypeTXT
Name_dmarc
Contentv=DMARC1; p=none; rua=mailto:dmarc@beispiel.de
TTLAuto

Cloudflare’s own example record is v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com — for a first rollout you start at p=none so nothing gets blocked while you watch the reports. Analyze the rua reports with a DMARC monitor.

Reports on another domain? If your rua address lives on a different domain (common with a DMARC aggregator), Cloudflare notes “the receiving domain must publish a _report._dmarc.yourdomain.com TXT record to authorize reports”.

2. Read reports, clean up sources

“Monitor DMARC reports for several weeks.” The reports show which sources don’t yet pass SPF/DKIM. Only once all legitimate senders are clean do you tighten.

3. Stagger up to reject

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@beispiel.de
v=DMARC1; p=reject; rua=mailto:dmarc@beispiel.de

4. Wait until the change is live

DNS changes take time — a while depending on caching.

The most important tags

TagMeaning
v=DMARC1version, must be at the start
p=policy: none / quarantine / reject
rua=address for aggregated reports
pct=portion of mail the policy applies to
sp=policy for subdomains
adkim= / aspf=alignment (r relaxed, s strict)

Verify the result

Check your configuration with the free MXAudit scanner — it shows you DMARC, SPF, and DKIM at a glance.

Or directly:

dig TXT _dmarc.example.com +short

Common mistakes

Straight to reject. Without a none phase you block legitimate sources — Cloudflare recommends p=none to start.

No rua. Without a report address you’re flying blind.

DMARC without SPF/DKIM. First SPF and DKIM, then DMARC.

Two _dmarc records. Only one DMARC record per domain — a second one invalidates the policy.

Further reading