---
title: "Cloudflare’s new SPF, DKIM, and DMARC requirements | DuoCircle"
description: "Cloudflare’s new SPF, DKIM, and DMARC requirements."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/dmarc/cloudflares-new-spf-dkim-and-dmarc-requirements/"
---

Quick Answer

Starting July 3, 2025, Cloudflare's Email Routing service requires inbound forwarded mail to pass at least one of SPF or DKIM. Mail without either may still be forwarded to the recipient's mailbox provider but is not treated as trusted, which means receivers like Gmail, Outlook, and Yahoo are likely to filter or reject it. Cloudflare also recommends DMARC on top. The change brings Cloudflare in line with the bulk-sender rules Google, Microsoft, and Yahoo already enforce. The practical effect: domains that route mail through Cloudflare without proper SPF and DKIM stop reaching inboxes reliably. The fix is the standard authentication setup. SPF: publish a TXT record listing the IPs and includes authorized to send for your domain. DKIM: generate a key pair, publish the public key as a TXT record at selector.\_domainkey.yourdomain.com, sign outbound mail with the private key. DMARC: publish a TXT record at \_dmarc.yourdomain.com starting at p=none with rua reporting, then move to p=quarantine and p=reject as you confirm legitimate sending streams pass alignment.

Cloudflare’s new SPF, DKIM, and DMARC requirements

Your browser does not support the audio element.

[ Download episode](https://media.mailhop.org/duocircle/images/2025/07/Cloudflares-new-SPF-DKIM-and-DMARC-requirements.mp3) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdmarc%2Fcloudflares-new-spf-dkim-and-dmarc-requirements%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Cloudflare%E2%80%99s%20new%20SPF%2C%20DKIM%2C%20and%20DMARC%20requirements&url=undefined%2Fblog%2Fdmarc%2Fcloudflares-new-spf-dkim-and-dmarc-requirements%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdmarc%2Fcloudflares-new-spf-dkim-and-dmarc-requirements%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdmarc%2Fcloudflares-new-spf-dkim-and-dmarc-requirements%2F&title=Cloudflare%E2%80%99s%20new%20SPF%2C%20DKIM%2C%20and%20DMARC%20requirements "Share on Reddit") [ ](mailto:?subject=Cloudflare%E2%80%99s%20new%20SPF%2C%20DKIM%2C%20and%20DMARC%20requirements&body=Check out this article: undefined%2Fblog%2Fdmarc%2Fcloudflares-new-spf-dkim-and-dmarc-requirements%2F "Share via Email") 

![SPF, DKIM, and DMARC requirements](https://media.mailhop.org/duocircle/images/2025/07/sendgrid-alternative-8960.jpg) 

**Starting July 3, 2025**, Cloudflare requires all emails to be authenticated using at least one of the protocols. SPF or DKIM, to forward them. This requirement has been imposed in consideration of the [growing number of email-based phishing and spoofing attacks](https://securitybrief.co.uk/story/organisations-battle-with-ai-driven-phishing-threat-rise). These email authentication protocols ensure that only authorized emails reach the inboxes of recipients, thereby preventing them from being manipulated into transferring money or sharing confidential information. 

## What do SPF, DKIM, and DMARC do?

SPF, DKIM, and DMARC essentially prevent email-domain abuse so that emails sent by [threat actors](https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html) don’t reach the targeted recipient. Here’s a little about **each of these protocols**\-

### SPF

SPF stands for Sender Policy Framework. It works by allowing the domain owners to publish an extensive list of [mail servers](https://www.activecampaign.com/glossary/mail-server) and IP addresses that are officially permitted to send emails on their behalf. Any email sent from a **server or IP address** outside of that list is considered potentially malicious. _With SPF in place, such a message is either marked as spam or rejected, depending on what action you have specified in your SPF record_. 

### DKIM

[DKIM](/resources/what-is-dkim) is short for DomainKeys Identified Mail. When an email is sent, your **domain’s private DKIM key** creates a digital signature. This digital signature is added to the email’s hidden headers, which aren’t visible to users.

So, when the recipient’s server gets your email, it also receives the secret signature, which is then checked against the [public key](https://www.investopedia.com/terms/p/public-key.asp) in your domain’s DNS records. If the **signature matches** (i.e., it has not been altered), the email is considered trustworthy.

[![ email deliverability ](https://media.mailhop.org/duocircle/images/2025/07/spf-record-checker-6512.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-checker-6512.jpg)

This technology ultimately prevents email tampering, builds trust with inbox providers, and improves [email deliverability](/a-guide-on-email-deliverability). 

### DMARC

DMARC’s full form is Domain-based Message Authentication, Reporting, and Conformance. This email authentication protocol is like a **security guard** for your [email domain](https://www.one.com/en/email/what-is-an-email-domain). DMARC works in tandem with SPF and DKIM; it always checks-

- If your email has passed at least one of the protocols, [SPF](https://autospf.com/blog/spf-guide-understanding-sender-policy-framework/) or DKIM
- _Whether the domain in the “From” address matches the domain authenticated by SPF/DKIM (this is called alignment)_.

If the email fails these checks, [DMARC](/resources/what-is-dmarc) instructs the receiving server on how to handle it, allow it, send it to spam, or reject it entirely, based on the domain owner’s published policy. It also sends reports to the domain owner, allowing them to **monitor and rectify** any misuse or misconfigurations.

## Cloudflare’s Update on SPF and DKIM (Starting July 3, 2025)

**Starting July 3, 2025**, Cloudflare will only allow emails sent through its Email Routing service if they pass either SPF or [DKIM checks](/resources/dkim-checker). If an email doesn’t have either, Cloudflare will still forward it to the mailbox provider (like Gmail or Outlook), but it may not be trusted.

Cloudflare also recommends setting up **DMARC for better protection**.

This update indicates that Cloudflare is becoming stricter about [email security](/), similar to major email providers such as Google, Microsoft, and Yahoo, which already follow similar rules to prevent email fraud and protect users.

[![prevent email fraud ](https://media.mailhop.org/duocircle/images/2025/07/spf-record-6512.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-6512.jpg)

## Why do these requirements matter?

Cloudflare’s SPF and DKIM requirements help-

### Fight spam, phishing, and spoofing

_This new requirement from Cloudflare will make it harder for threat actors to send unauthenticated and forged emails_. By insisting that all emails sent through its [Email Routing](https://www.cloudflare.com/learning/email-security/what-is-email-routing/) service must pass either SPF or DKIM checks, Cloudflare ensures that only messages with a verifiable link to the sender’s domain can be delivered. 

This way, cybercriminals won’t be able to impersonate a brand’s identity and bypass [spam filters](/content/email-spam-filter/what-is-a-spam-filter-and-how-does-it-work). As a result, recipients are less likely to fall for phishing emails disguised as **legitimate communication**. 

### Protect recipients and domains

_Without SPF and DKIM, emails from unverified and unauthenticated sources reach your recipient’s inbox, leaving a dangerous gap that bad actors exploit to send misleading messages_. By enforcing authentication, Cloudflare minimizes the risk of recipients falling for scams that appear to come from trusted sources, such as their bank, HR department, or a recognized brand. 

For domain owners, SPF and DKIM prevent adversaries from [spoofing their domains](https://www.infosecurity-magazine.com/news/infosec2025-email-domains-spoofing/), thereby protecting their **brand reputation** and potentially avoiding legal consequences. By enforcing authentication for emails, domains remain in good standing and maintain long-term trust with mailboxes and recipients.

[![ brand reputation ](https://media.mailhop.org/duocircle/images/2025/07/spf-record-check-6512.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-record-check-6512.jpg)

In simple words, **Cloudflare’s new requirement** is not just a technical upgrade; it’s a move that strengthens both sender credibility and recipient safety across the board.

### Align with industry standards

_This move by Cloudflare will also ensure that brands align with evolving industry-wide email standards established by major players such as Google, Microsoft, and Yahoo_. These providers have already begun enforcing strict authentication rules, including mandatory SPF, DKIM, and DMARC checks, to reduce spam, phishing, and domain abuse across the board. By requiring SPF or DKIM for all outbound messages, Cloudflare ensures that brands using its Email Routing platform meet the same foundational standards expected by **top inbox providers**. 

This alignment goes beyond just technical compliance; it essentially shows that the domain owner cares about protecting their **communications and respecting** the security expectations of modern email ecosystems.

## How to get started with SPF and DKIM?

### Steps to deploy SPF

#### Step 1: Identify your sending sources

Make a list of all the services that send emails on your behalf, like your own mail server, [CRM tools](https://www.salesforce.com/crm/what-is-crm/tools/), marketing platforms (Mailchimp, HubSpot), etc.

[![ CRM ](https://media.mailhop.org/duocircle/images/2025/07/sender-policy-framework-6512.jpg)](https://media.mailhop.org/duocircle/images/2025/07/sender-policy-framework-6512.jpg)

#### Step 2: Access your domain’s DNS settings

Log in to your domain registrar or DNS provider (like GoDaddy, Cloudflare, or Namecheap) and open the [DNS management panel](https://www.cloudns.net/blog/what-is-dns-management-how-to-use-cloudns-control-panel/) for your domain.

#### Step 3: Create your SPF record

Write an SPF TXT record that lists all the **IPs or services allowed** to send emails for your domain.

Example: v=spf1 include:domain.org ip4:192.0.2.1 -all

#### Step 4: Add the SPF record to DNS

Add a new [TXT record](https://www.digicert.com/faq/dns/what-is-a-txt-record) to your domain’s DNS with:

- **Name/Host**: @ or your domain name
- **Value**: The SPF record you just created
- **TTL**: Default or 3600 seconds (1 hour) is fine

#### Step 5: Test and validate

Use tools like MXToolbox or Kitterman SPF Checker to ensure your SPF record is valid and covers all sending sources.

[![SPF Record Validation Tips](https://media.mailhop.org/duocircle/images/2025/07/spf-permerror-9021.jpg)](https://media.mailhop.org/duocircle/images/2025/07/spf-permerror-9021.jpg)

### Steps to deploy DKIM

#### Step 1: Check if your email service provider supports DKIM

Most email services (like Google Workspace, Microsoft 365, Zoho, Mailchimp, etc.) support DKIM. Log in to your **email provider’s admin settings** and search for DKIM settings.

#### Step 2: Generate the DKIM keys

Your provider will give you a DKIM public key (to publish in DNS) and use a [private key](https://www.coinbase.com/en-in/learn/crypto-basics/what-is-a-private-key) behind the scenes to **sign your emails**.

#### Step 3: Add the DKIM record to DNS

In your DNS provider’s dashboard:

- Record type: TXT
- _Name/Host: Something like selector.\_domainkey (selector is chosen by your provider, like google, default, or mail)_
- Value: The long DKIM public key
- TTL: Default (1 hour or 3600 seconds is fine)

#### Step 4: Enable DKIM signing in your email platform

Once the DNS record is live, go back to your email provider and activate DKIM signing. This will start adding [DKIM signatures](https://docs.mapp.com/docs/dkim-signature) to your outgoing emails.

#### Step 5: Verify it’s working

Send a test email to tools like **dkimcore.org/tools** or check the headers in Gmail to see if DKIM=pass.

If you **need assistance** setting up SPF, DKIM, and DMARC, please don’t hesitate to [reach out to us](/contact). We deploy and manage these protocols on behalf of domain owners.

## Topics

DKIMDMARCemail securitySecurityspfSPF record 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

## Secure your email infrastructure

Protect, authenticate, and deliver. Contact our team to find the right solution.

[Contact Sales](/contact/) [Explore Products](/products/) 

## Related Articles

[  DMARC 5m  DMARC is now mandatory in New Zealand: Here’s what the NZ government expects  Jul 9, 2025 ](/blog/dmarc/dmarc-mandatory-new-zealand-nz-government-email-security-requirements/)[  DMARC 6m  How can the finance sector leverage DMARC to defend against email fraud?  Aug 20, 2025 ](/blog/dmarc/how-finance-sector-leverages-dmarc-to-defend-against-email-fraud/)[  DMARC 17m  SPF Record Generator: Create Accurate SPF Records for Email Authentication  Apr 1, 2025 ](/blog/dmarc/spf-record-generator-create-accurate-spf-records-for-email-authentication/)[  DMARC 6m  How to become a DMARC expert: a 6-step learning path  Sep 24, 2024 ](/blog/dmarc/a-detailed-guide-on-becoming-a-dmarc-expert/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Cloudflare’s new SPF, DKIM, and DMARC requirements","description":"Cloudflare’s new SPF, DKIM, and DMARC requirements.","url":"https://www.duocircle.com/blog/dmarc/cloudflares-new-spf-dkim-and-dmarc-requirements/","datePublished":"2025-07-18T18:10:24.000Z","dateModified":"2025-07-18T18:15:14.000Z","dateCreated":"2025-07-18T18:10:24.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/dmarc/cloudflares-new-spf-dkim-and-dmarc-requirements/"},"articleSection":"dmarc","keywords":"DKIM, DMARC, email security, Security, spf, SPF record","wordCount":1208,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2025/07/sendgrid-alternative-8960.jpg","caption":"SPF, DKIM, and DMARC requirements","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"DMARC"},{"@type":"ListItem","position":3,"name":"Cloudflare’s new SPF, DKIM, and DMARC requirements","item":"https://www.duocircle.com/blog/dmarc/cloudflares-new-spf-dkim-and-dmarc-requirements/"}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"DMARC","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"Cloudflare’s new SPF, DKIM, and DMARC requirements","item":"https://www.duocircle.com/blog/dmarc/cloudflares-new-spf-dkim-and-dmarc-requirements/"}]}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Cloudflare’s new SPF, DKIM, and DMARC requirements","description":"Cloudflare’s new SPF, DKIM, and DMARC requirements.","url":"https://www.duocircle.com/blog/dmarc/cloudflares-new-spf-dkim-and-dmarc-requirements/","datePublished":"2025-07-18T18:10:24.000Z","dateModified":"2025-07-18T18:15:14.000Z","dateCreated":"2025-07-18T18:10:24.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/dmarc/cloudflares-new-spf-dkim-and-dmarc-requirements/"},"articleSection":"dmarc","keywords":"DKIM, DMARC, email security, Security, spf, SPF record","wordCount":1208,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2025/07/sendgrid-alternative-8960.jpg","caption":"SPF, DKIM, and DMARC requirements","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```