Domain configuration
Configure domains for Cloudflare Email Service, manage DNS records, and verify domain setup for both email sending and routing.
Configure your domains to work with Cloudflare Email Service. This includes DNS record management, domain verification, and advanced domain settings.
You can quickly get your DNS configured by following the automatic DNS configuration flow as part of the onboarding onto Email Service.
-
Log in to the Cloudflare Dashboard ↗.
-
Navigate to Compute > Email Service > Email Sending or Email Routing.
-
Select Onboard Domain.
-
Choose a domain from your Cloudflare account.
-
Select Next to configure DNS records.
-
Press Add records and onboard. This will add the following DNS records to your domain:
- TXT records for SPF to authorize sending emails and routing forwarded emails.
- TXT records for DKIM to provide authentication for emails sent and forwarded from your domain.
- MX records to route incoming emails to Email Service.
Cloudflare automatically configures required DNS records for both email sending and routing when you onboard a domain onto Email Service. Here are the specific details of the DNS records configured:
These records authenticate your outbound emails. Email Sending creates DNS records on a cf-bounce. subdomain of your domain to handle bounce processing. These are separate from the records used by Email Routing.
Purpose: Route bounce emails back to Cloudflare for processing.
MX cf-bounce.yourdomain.com route1.mx.cloudflare.netMX cf-bounce.yourdomain.com route2.mx.cloudflare.netMX cf-bounce.yourdomain.com route3.mx.cloudflare.netConfiguration:
- Type: MX
- Name:
cf-bounce(subdomain) - Mail server: Cloudflare MX servers
- Priority: Assigned automatically by Cloudflare
Purpose: Authorizes Cloudflare to send emails on behalf of your domain.
TXT cf-bounce.yourdomain.com "v=spf1 include:_spf.mx.cloudflare.net ~all"Configuration:
- Type: TXT
- Name:
cf-bounce(subdomain) - Value:
v=spf1 include:_spf.mx.cloudflare.net ~all - TTL: Auto
Purpose: Provides cryptographic authentication for your emails.
TXT cf-bounce._domainkey.yourdomain.com "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."Configuration:
- Type: TXT
- Name:
cf-bounce._domainkey(selector managed by Cloudflare) - Value: DKIM public key (provided by Cloudflare)
- TTL: Auto
Purpose: Sets policy for email authentication failures.
TXT _dmarc.yourdomain.com "v=DMARC1; p=reject;"Configuration:
- Type: TXT
- Name:
_dmarc - Value: DMARC policy
- TTL: Auto
Policy options:
p=none- Monitor only (recommended for new setups)p=quarantine- Quarantine suspicious emailsp=reject- Reject unauthenticated emails
These records route incoming emails to Cloudflare and authenticate forwarded emails. Email Routing DNS records are configured on the root domain.
Purpose: Route incoming emails to Cloudflare's mail servers.
MX yourdomain.com route1.mx.cloudflare.netMX yourdomain.com route2.mx.cloudflare.netMX yourdomain.com route3.mx.cloudflare.netConfiguration:
- Type: MX
- Name:
@(root domain) - Mail server: Cloudflare routing MX servers
- Priority: Assigned automatically by Cloudflare
Purpose: Authorizes Cloudflare to forward emails on behalf of your domain.
TXT yourdomain.com "v=spf1 include:_spf.mx.cloudflare.net ~all"Configuration:
- Type: TXT
- Name:
@(root domain) - Value:
v=spf1 include:_spf.mx.cloudflare.net ~all - TTL: Auto
Purpose: Provides cryptographic authentication for forwarded emails.
TXT cf2024-1._domainkey.yourdomain.com "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."Configuration:
- Type: TXT
- Name:
cf2024-1._domainkey(selector provided by Cloudflare) - Value: DKIM public key (provided by Cloudflare)
- TTL: Auto
Separate from sending DKIM - Email Routing uses its own DKIM selector (cf2024-1._domainkey) and keys, distinct from the sending DKIM selector (cf-bounce._domainkey).
Email Sending and Email Routing have separate DNS records and separate settings pages where you can verify their status.
- Go to Compute > Email Service > Email Sending > Settings.
- The DNS records section shows all sending-related records:
- MX records on
cf-bounce.yourdomain.com - SPF record on
cf-bounce.yourdomain.com - DKIM record on
cf-bounce._domainkey.yourdomain.com - DMARC record on
_dmarc.yourdomain.com
- MX records on
- Each record shows a Locked status when properly configured.
- Go to Compute > Email Service > Email Routing > Settings.
- The DNS records section shows all routing-related records:
- MX records on
yourdomain.com - SPF record on
yourdomain.com - DKIM record on
cf2024-1._domainkey.yourdomain.com
- MX records on
- Each record shows a Locked status when properly configured.
- Wait 5-15 minutes for DNS propagation.
- Check DNS configuration in your domain's DNS > Records settings.
Issue: Records show as "Not Found" immediately after adding.
Solution:
- Wait 5-15 minutes for DNS propagation
- Check propagation status:
dig TXT yourdomain.com - Cloudflare domains propagate faster than external domains
Check propagation globally:
# Check sending SPF recorddig TXT cf-bounce.yourdomain.com | grep spf
# Check routing SPF recorddig TXT yourdomain.com | grep spf
# Check sending DKIM recorddig TXT cf-bounce._domainkey.yourdomain.com
# Check routing DKIM recorddig TXT cf2024-1._domainkey.yourdomain.com
# Check routing MX recordsdig MX yourdomain.com
# Check sending MX records (bounce handling)dig MX cf-bounce.yourdomain.comIssue: Existing DNS records conflict with Email Service.
SPF Conflicts:
- Merge existing SPF records
- Remove duplicate
v=spf1entries - Ensure only one SPF record exists
MX Conflicts:
- Email Routing requires Cloudflare MX records
- Remove or update existing MX records
- Cannot use Email Routing with external mail servers
DKIM Conflicts:
- Use different selectors for different services
cf-bounce._domainkeyfor Email Sendingcf2024-1._domainkeyfor Email Routinggoogle._domainkeyfor Google Workspace
- Go to Compute > Email Service > Email Sending > Settings.
- Select the domain to remove.
- Select Remove Domain.
- Confirm removal.
Domain Removal Impact
Removing a domain will:
- Stop all email sending from that domain
- Disable email routing for that domain
- Require reconfiguration if re-added
When you remove a domain from Email Service, you have two options for handling the DNS records:
Option 1: Remove all records
This removes all Email Service DNS records from your domain:
- All SPF, DKIM, and MX records for Email Service are deleted
- Your domain will no longer receive or send emails through Email Service
- If you want to use Email Service again in the future, you will need to onboard the domain and add all records from scratch
Option 2: Keep records
This keeps the DNS records in place but disables Email Service:
- DNS records remain in your domain configuration
- Email Service stops processing emails for the domain
- You can re-enable Email Service by onboarding the domain again
- DNS records that were automatically added will remain locked to prevent accidental deletion
To modify locked records after removal:
- Go to your domain's DNS > Records.
- Find the locked Email Service records.
- Select the record and choose Edit.
- Toggle Unlock record to enable editing.
- Make your changes and save.
- Domain must remain in the same Cloudflare account.
- DNS records are tied to the account, not specific users.
- Use Cloudflare account-level permissions to manage access.
- Send emails API: Workers binding and REST API reference
- Domain authentication (DKIM and SPF): Learn about SPF, DKIM, and DMARC
- Deliverability: Optimize email delivery