--- title: Email authentication description: Email authentication verifies sender identity and improves deliverability. Cloudflare Email Service handles authentication automatically, but understanding these concepts helps troubleshoot issues. image: https://developers.cloudflare.com/dev-products-preview.png --- [Skip to content](#%5Ftop) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/email-service/concepts/email-authentication.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Email authentication Learn about SPF, DKIM, and DMARC for secure and deliverable email sending. Email authentication verifies sender identity and improves deliverability. **Cloudflare Email Service handles authentication automatically**, but understanding these concepts helps troubleshoot issues. ## SPF (Sender Policy Framework) SPF ensures that no one else can send emails with your domain by authorizing which mail servers are allowed to send on your behalf. Email Service configures separate SPF records for sending and routing: * **Email Sending** SPF record on `cf-bounce.yourdomain.com`: ``` TXT cf-bounce.yourdomain.com "v=spf1 include:_spf.mx.cloudflare.net ~all" ``` * **Email Routing** SPF record on the root domain: ``` TXT yourdomain.com "v=spf1 include:_spf.mx.cloudflare.net ~all" ``` SPF works by: 1. Publishing authorized IP addresses in DNS 2. Recipient servers checking your SPF record 3. Comparing the sending IP against authorized IPs 4. Passing or failing based on the result ## DKIM (DomainKeys Identified Mail) DKIM ensures that emails have not been tampered during transit by cryptographically signing them with your domain's private key. **How DKIM works:** 1. Email headers and body are signed with a private key 2. DKIM-Signature header is added to the email 3. Public key is published in DNS 4. Recipients use the public key to verify the signature Email Service uses separate DKIM selectors for sending and routing: * **Email Sending**: `cf-bounce._domainkey.yourdomain.com` * **Email Routing**: `cf2024-1._domainkey.yourdomain.com` Cloudflare automatically generates and manages DKIM keys. You add the provided DNS records from the dashboard. ## DMARC (Domain-based Message Authentication, Reporting & Conformance) DMARC ensures that emails claiming to be from your domain actually pass SPF and DKIM checks, telling recipients what to do with emails that fail authentication. **DMARC record example:** ``` TXT _dmarc.yourdomain.com "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com" ``` **DMARC policies:** * `p=none` \- Monitor only (recommended to start) * `p=quarantine` \- Quarantine suspicious emails * `p=reject` \- Reject unauthenticated emails **Deployment strategy:** 1. Start with `p=none` to monitor authentication 2. Gradually increase to `p=quarantine` 3. Finally implement `p=reject` after confirming legitimate mail authenticates ## Key benefits Email authentication provides: * **Deliverability**: Improves inbox placement * **Security**: Protects your domain from spoofing * **Reputation**: Maintains good sender reputation with ISPs Cloudflare Email Service handles authentication automatically, but you need to configure the DNS records for SPF, DKIM, and DMARC as provided in your dashboard. Email Sending and Email Routing use separate DNS records -- refer to [Domain configuration](https://developers.cloudflare.com/email-service/configuration/domains/) for the full details. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/email-service/","name":"Email Service"}},{"@type":"ListItem","position":3,"item":{"@id":"/email-service/concepts/","name":"Concepts"}},{"@type":"ListItem","position":4,"item":{"@id":"/email-service/concepts/email-authentication/","name":"Email authentication"}}]} ```