Last updated: July 2026
In short: After this guide your Cloudflare-hosted DNS zone publishes a correct SPF record for your mail server. Receiving servers can then tell who is allowed to send in your name.
Prerequisites
- A domain whose DNS is managed at Cloudflare (the DNS > Records page in the dashboard)
- You know which servers send email for your domain (your own mail server, hosting mailbox, newsletter service, or Cloudflare Email Routing)
What is SPF?
SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. Cloudflare’s own docs put the purpose plainly: without email authentication records, “anyone can send email that appears to come from your domain — a technique known as domain spoofing”. The SPF record “Lists the IP addresses and domains authorized to send email on behalf of your domain.” Receiving mail servers check on every incoming message whether the delivering server is on this list.
For context: SPF alone is not complete protection. Only together with DKIM and DMARC does it become a solid foundation. But SPF is the easiest entry point.
The starting point at Cloudflare
Cloudflare is primarily a DNS provider: there is no ready-made SPF switch, because the record’s content depends on where your mail runs. As Cloudflare’s docs note, “The exact values for your DNS mail records depend on your email provider.” You publish the TXT record yourself in the dashboard.
One Cloudflare specific: unlike some shared hosts, the dashboard does not ask you to wrap the value in quotation marks — you paste the record content into a plain Content field. And a TXT record is never proxied (the orange-cloud proxy only applies to A, AAAA, and CNAME records), so there is nothing to toggle there.
Step-by-step guide
1. Check whether SPF is already active
Fastest via the terminal:
dig TXT example.com +short | grep spf
Alternatively, drop your domain into the free MXAudit scanner — it checks the record for syntax and lookup limits at the same time.
2. Build the record for your setup
The classic case, when the same servers send that also receive (your MX points to your own mail server):
v=spf1 mx ~all
The mx mechanism authorizes the IP addresses of all your domain’s MX hostnames — if the server IP changes, the SPF record stays correct automatically, as long as the MX record is right. Once you are confident about your sending paths, tighten the ending to -all:
v=spf1 mx -all
If you send through Cloudflare Email Routing, Cloudflare documents the exact record to use:
v=spf1 include:_spf.mx.cloudflare.net ~all
Cloudflare’s own syntax rules from the docs:
| Rule | Effect |
|---|---|
start with v=spf1 | ”SPF records must start with v=spf1” |
include: | combine services with separate include: statements |
~all / -all | ”Use ~all (SoftFail) or -all (Fail), not +all” |
| max. 10 lookups | ”SPF records are limited to 10 DNS lookups total” |
3. Enter the record in the Cloudflare dashboard
Go to DNS > Records, select Add record, then choose a record Type:
| Field | Value |
|---|---|
| Type | TXT |
| Name | @ (for the root domain) |
| Content | v=spf1 mx ~all |
| TTL | Auto |
Select Save.
4. Add external sending services (if needed)
A newsletter tool, CRM, or a second provider needs its include: value in the same record. Cloudflare’s documented merge format:
v=spf1 include:_spf.mx.cloudflare.net include:other-service.com ~all
For example, Cloudflare Email Routing plus Google Workspace:
v=spf1 include:_spf.mx.cloudflare.net include:_spf.google.com ~all
The rule holds: only one SPF record per domain. Cloudflare is explicit — “Having multiple SPF records on your domain is not allowed” — so edit the existing record, never create a second.
5. Wait until the change is live
DNS changes take time: depending on TTL and caching it can take a while until every server worldwide sees the new record. For domains on Cloudflare DNS this is usually fast.
Verify the result
Check your configuration with the free MXAudit scanner — it shows immediately whether your SPF record is syntactically correct and how many DNS lookups it consumes (the limit is 10).
Or directly in the terminal:
dig TXT example.com +short | grep spf
The output must contain exactly one record with v=spf1.
Common mistakes
Two SPF records. Two TXT entries with v=spf1 cause a permerror — receiving servers then ignore SPF entirely. Cloudflare states multiple SPF records are not allowed; all sources belong in a single record.
+all at the end. A +all allows any server to send and makes the whole record useless — Cloudflare says to use ~all or -all, not +all.
mx without matching MX records. v=spf1 mx -all authorizes exactly the servers from your MX records. If a machine sends that doesn’t appear there, it’s rejected — add it via include:, ip4:, or a:.
Exceeded the DNS lookup limit. SPF allows a maximum of 10 DNS lookups per check; mx, a:, and every include: count. With many external services it gets tight — MXAudit counts along for you.
Further reading
- Cloudflare Docs: Set up email records (retrieved: July 10, 2026)
- Cloudflare Docs: Email authentication (SPF, DKIM, DMARC) (retrieved: July 10, 2026)
- Cloudflare Docs: Email Service troubleshooting (retrieved: July 10, 2026)
- RFC 7208 — Sender Policy Framework (SPF)
