Security records

Without email authentication records, anyone can send email that appears to come from your domain — a technique known as domain spoofing. To prevent this, you add DNS TXT records (text-based entries in your domain's DNS settings) that allow receiving mail servers to verify whether an email actually came from you:

• Sender Policy Framework (SPF) ↗: Lists the IP addresses and domains authorized to send email on behalf of your domain.
• DomainKeys Identified Mail (DKIM) ↗: Authenticates the sender's domain and verifies that email content was not altered in transit, using a cryptographic signature.
• Domain-based Message Authentication Reporting and Conformance (DMARC) ↗: Tells receiving servers what to do when SPF or DKIM checks fail (for example, reject or quarantine the email), and sends you aggregate reports about your email traffic.

Note

For additional background on email security records, refer to the introductory blog post ↗.

Create security records

To set up email security records:

1. Log in to the Cloudflare dashboard ↗, and select your account and domain.
2. Go to Email > DMARC Management.
3. In Email record overview, select View records.
4. Use the available options to set up SPF ↗, DKIM ↗, and DMARC records ↗. This page will also list any previous records you might already have in your account.

Edit or delete records

Refer to Manage DNS records for more information.