Skip to content
Cloudflare API
Start here
API Reference

Email Auth

Email AuthDMARC Reports

Get DMARC Report Status
GET/zones/{zone_id}/email/auth/dmarc-reports
Configure DMARC Reports
PATCH/zones/{zone_id}/email/auth/dmarc-reports
ModelsExpand Collapse
DMARCReportGetResponse object { approved_sources, created, created_at, 9 more }

Response for GET/PATCH /dmarc-reports

approved_sources: optional array of object { created, created_at, domain, 6 more }

List of approved sending sources (omitted when empty)

Deprecatedcreated: optional string

Deprecated, use created_at

formatdate-time
created_at: optional string

Creation timestamp

formatdate-time
domain: optional string

The source domain

ips: optional array of string

Resolved IP addresses from SPF

Deprecatedmodified: optional string

Deprecated, use modified_at

formatdate-time
modified_at: optional string

Last modification timestamp

formatdate-time
name: optional string

Source name (typically same as domain)

slug: optional string

URL-friendly identifier

tag: optional string

Source UUID

Deprecatedcreated: optional string

Deprecated, use created_at

formatdate-time
created_at: optional string

Creation timestamp

formatdate-time
enabled: optional boolean

Whether DMARC reports are enabled

Deprecatedmodified: optional string

Deprecated, use modified_at

formatdate-time
modified_at: optional string

Last modification timestamp

formatdate-time
records: optional object { bimi_records, cname_dkim_records, cname_dmarc_records, 4 more }

Live DNS records for the zone, grouped by type

bimi_records: optional array of object { id, content, name, 2 more }

BIMI TXT records

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

cname_dkim_records: optional array of object { id, content, name, 2 more }

CNAME records for DKIM

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

cname_dmarc_records: optional array of object { id, content, name, 2 more }

CNAME records at _dmarc (problematic)

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

cname_spf_records: optional array of object { id, content, name, 2 more }

CNAME records for SPF

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

dkim_records: optional array of object { id, content, name, 2 more }

DKIM TXT records

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

dmarc_records: optional array of object { id, content, name, 2 more }

DMARC TXT records

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

spf_records: optional array of object { id, content, name, 2 more }

SPF TXT records

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

rua_prefix: optional string

Prefix for DMARC RUA addresses (32-char hex string)

skip_wizard: optional boolean

Whether to skip the setup wizard

status: optional "missing-dmarc-report" or "multiple-dmarc-reports" or "missing-dmarc-rua" or "cname-on-dmarc-record"

DMARC configuration status

One of the following:
"missing-dmarc-report"
"multiple-dmarc-reports"
"missing-dmarc-rua"
"cname-on-dmarc-record"
Deprecatedtag: optional string

Use zone_id instead

zone_id: optional string

Zone identifier

DMARCReportEditResponse object { approved_sources, created, created_at, 9 more }

Response for GET/PATCH /dmarc-reports

approved_sources: optional array of object { created, created_at, domain, 6 more }

List of approved sending sources (omitted when empty)

Deprecatedcreated: optional string

Deprecated, use created_at

formatdate-time
created_at: optional string

Creation timestamp

formatdate-time
domain: optional string

The source domain

ips: optional array of string

Resolved IP addresses from SPF

Deprecatedmodified: optional string

Deprecated, use modified_at

formatdate-time
modified_at: optional string

Last modification timestamp

formatdate-time
name: optional string

Source name (typically same as domain)

slug: optional string

URL-friendly identifier

tag: optional string

Source UUID

Deprecatedcreated: optional string

Deprecated, use created_at

formatdate-time
created_at: optional string

Creation timestamp

formatdate-time
enabled: optional boolean

Whether DMARC reports are enabled

Deprecatedmodified: optional string

Deprecated, use modified_at

formatdate-time
modified_at: optional string

Last modification timestamp

formatdate-time
records: optional object { bimi_records, cname_dkim_records, cname_dmarc_records, 4 more }

Live DNS records for the zone, grouped by type

bimi_records: optional array of object { id, content, name, 2 more }

BIMI TXT records

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

cname_dkim_records: optional array of object { id, content, name, 2 more }

CNAME records for DKIM

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

cname_dmarc_records: optional array of object { id, content, name, 2 more }

CNAME records at _dmarc (problematic)

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

cname_spf_records: optional array of object { id, content, name, 2 more }

CNAME records for SPF

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

dkim_records: optional array of object { id, content, name, 2 more }

DKIM TXT records

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

dmarc_records: optional array of object { id, content, name, 2 more }

DMARC TXT records

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

spf_records: optional array of object { id, content, name, 2 more }

SPF TXT records

id: optional string

DNS record ID

content: optional string

Record content

name: optional string

DNS record name

ttl: optional number

Time to live in seconds

type: optional string

Record type

rua_prefix: optional string

Prefix for DMARC RUA addresses (32-char hex string)

skip_wizard: optional boolean

Whether to skip the setup wizard

status: optional "missing-dmarc-report" or "multiple-dmarc-reports" or "missing-dmarc-rua" or "cname-on-dmarc-record"

DMARC configuration status

One of the following:
"missing-dmarc-report"
"multiple-dmarc-reports"
"missing-dmarc-rua"
"cname-on-dmarc-record"
Deprecatedtag: optional string

Use zone_id instead

zone_id: optional string

Zone identifier

Email AuthSPF

Email AuthSPFInspect

Inspect SPF Record
GET/zones/{zone_id}/email/auth/spf/inspect
ModelsExpand Collapse
InspectGetResponse object { components, domain, record, 2 more }

Recursive SPF inspection tree

components: array of unknown

Parsed SPF components (mechanisms)

domain: string

Domain being inspected

record: string

Raw SPF record content

total_lookups: number

Total number of DNS lookups performed across all includes

errors: optional array of object { code, domain, message, details }

All errors encountered during inspection, collected from the entire tree. This includes errors from nested includes at any depth, providing a quick overview of all issues without needing to traverse the nested structure. Each error includes a domain field to identify where it occurred. Empty array if no errors (omitted from JSON when empty).

code: string

Error code. Known values:

  • lookup_failed — DNS TXT lookup failed
  • spf_not_found — no SPF record found
  • invalid_spf — record does not start with v=spf1
  • invalid_domain — PSL validation failed
  • loop_detected — include/redirect cycle detected
  • invalid_mechanism — unrecognised or malformed mechanism
  • resource_limit_exceeded — internal resource protection limits exceeded (recursion depth or query budget)
  • max_lookups — RFC 7208 10-lookup limit exceeded
domain: string

Domain where the error occurred

message: string

Human-readable error message

details: optional string

Additional error-specific details (optional).

  • For invalid_domain errors: the invalid domain string
  • For invalid_mechanism errors: the invalid mechanism text (e.g., “invalidmech123”)
  • For loop_detected errors: the domain that caused the loop
  • For other error types: not present