How to Add an SPF Record in Cloudflare
Step-by-step guide to adding SPF records with Cloudflare DNS. Learn how to create, edit, and manage SPF TXT records in the Cloudflare dashboard.
Cloudflare is one of the most popular DNS providers for a reason: fast propagation, a clean dashboard, and a generous free tier. If you've moved your domain's DNS to Cloudflare -- or you're using Cloudflare as your registrar -- adding an SPF record is quick and painless. But there are still a few things you need to get right.
This guide covers everything: adding a new SPF record, editing an existing one, combining multiple services, and verifying the result.
Why Cloudflare Is Popular for DNS Management
Cloudflare's DNS is fast. Changes propagate globally in seconds to minutes, compared to the hours or days you might wait with other providers. It also has a straightforward interface for managing DNS records, free DNSSEC, and detailed analytics.
For email authentication, Cloudflare is purely a DNS host. It stores your TXT records (including SPF, DKIM, and DMARC) and serves them to receiving mail servers when they query your domain. Cloudflare doesn't send or receive email for you -- it just publishes the DNS records that tell the world who's authorized to do so.
Cloudflare's proxy feature (the orange cloud icon) only applies to HTTP traffic. TXT records like SPF are always served directly via DNS -- there's no proxy involved. You don't need to worry about proxy settings when adding SPF records.
Step-by-Step: Adding an SPF Record in Cloudflare
Log in to the Cloudflare dashboard
Go to dash.cloudflare.com and sign in to your account.
Select your domain
From the account home page, click on the domain you want to configure. This takes you to the domain's overview page.
Navigate to DNS Records
In the left sidebar, click DNS and then Records. This shows all existing DNS records for your domain.
Check for existing SPF records
Scroll through the TXT records and look for any value starting with v=spf1. If one exists, you'll need to edit it instead of creating a new one. A domain can only have one SPF record.
Add a new TXT record
Click Add record. Set the type to TXT. In the Name field, enter @ (this represents your root domain). In the Content field, paste your SPF record value (for example: v=spf1 include:_spf.google.com -all). Click Save.
Verify the record is live
Cloudflare DNS changes propagate almost instantly. Within a minute or two, you can verify your record at SPF Record Check. Enter your domain and confirm the SPF record appears with the correct value.
Cloudflare's Fast Propagation
One of Cloudflare's biggest advantages for DNS management is propagation speed. When you save a TXT record in Cloudflare, it's typically available worldwide within seconds to a few minutes. Compare this to traditional DNS providers where changes can take 30 minutes to 48 hours. This makes Cloudflare ideal for testing and iterating on your SPF record -- you can make a change and verify it almost immediately.
The Proxy (Orange Cloud) Doesn't Apply to TXT Records
If you've used Cloudflare before, you know about the proxy toggle -- the orange cloud icon next to A and CNAME records. When enabled, HTTP traffic is routed through Cloudflare's network for CDN, DDoS protection, and other features.
TXT records don't have a proxy toggle. They're always served directly via DNS. This means:
- Your SPF record is served as-is, with no Cloudflare processing
- There's no Cloudflare proxy caching layer to worry about
- Changes take effect as soon as DNS propagation completes (which with Cloudflare is very fast)
You don't need to do anything special -- just add the TXT record and it works.
Editing an Existing SPF Record in Cloudflare
If you already have an SPF record and need to update it -- to add a new email service, remove an old one, or fix an error -- Cloudflare makes this straightforward.
Find your SPF record
Go to DNS > Records in the Cloudflare dashboard. Locate the TXT record whose content starts with v=spf1.
Click Edit
Click the Edit button next to the record. This opens the record for modification.
Update the Content field
Modify the SPF value as needed. Add new include: mechanisms, remove old ones, or adjust the all qualifier. Make sure v=spf1 stays at the beginning and your all mechanism stays at the end.
Save and verify
Click Save. Wait a minute, then check the updated record at SPF Record Check to confirm the change is live and valid.
Take a screenshot before editing
Before modifying your SPF record, copy the current value somewhere safe. If the change causes delivery problems, you can quickly revert to the previous version.
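The edit described above, as an added example (not code from the original guide): helpers that add or remove an include in the one existing record, and fold two accidentally published SPF records back into one. The function names are hypothetical; the record values are the ones shown in this guide.

```python
import re

ALL = re.compile(r"^[+\-~?]?all$", re.I)   # matches all, -all, ~all, ?all, +all

def _terms(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    return terms

def add_include(record, domain):
    """Return record with include:<domain> placed before the all mechanism."""
    terms = _terms(record)
    wanted = f"include:{domain}".lower()
    if any(t.lstrip("+").lower() == wanted for t in terms):
        return " ".join(terms)              # already authorized, nothing to do
    # Insert before 'all' so the new mechanism is evaluated; append if absent.
    pos = next((i for i, t in enumerate(terms) if ALL.match(t)), len(terms))
    terms.insert(pos, f"include:{domain}")
    return " ".join(terms)

def remove_include(record, domain):
    """Return record without include:<domain>, whatever its qualifier."""
    wanted = f"include:{domain}".lower()
    return " ".join(t for t in _terms(record) if t.lstrip("+-~?").lower() != wanted)

def merge_records(records):
    """Fold several v=spf1 values into the single record a domain may publish."""
    body, alls = [], []
    for rec in records:
        for t in _terms(rec)[1:]:
            bucket = alls if ALL.match(t) else body
            if t.lower() not in (x.lower() for x in bucket):
                bucket.append(t)
    if len(alls) > 1:                       # e.g. -all vs ~all: operator decides
        raise ValueError(f"records disagree on the all qualifier: {alls}")
    return " ".join(["v=spf1", *body, *alls])

if __name__ == "__main__":
    current = "v=spf1 include:_spf.google.com -all"
    print(add_include(current, "sendgrid.net"))
```

Paste the returned string into the Content field of the existing TXT record rather than creating a new record.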
SPF Record Examples for Cloudflare
Here are complete SPF records for common setups, ready to paste into Cloudflare's Content field.
Google Workspace Through Cloudflare
v=spf1 include:_spf.google.com -all
The most common setup for businesses using Google Workspace with Cloudflare DNS. Google's include covers Gmail, Google's SMTP relay, and all Google Workspace sending infrastructure.
Microsoft 365 Through Cloudflare
v=spf1 include:spf.protection.outlook.com -all
For organizations using Exchange Online or Microsoft 365 email with Cloudflare as the DNS provider.
SendGrid Through Cloudflare
v=spf1 include:sendgrid.net -all
If you use SendGrid for transactional or marketing email and nothing else.
Google Workspace + SendGrid
v=spf1 include:_spf.google.com include:sendgrid.net -all
Employee email through Google, transactional email through SendGrid. This is one of the most common multi-provider setups.
Microsoft 365 + Mailchimp
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
Corporate email through Microsoft, marketing campaigns through Mailchimp.
Google Workspace + SendGrid + Mailchimp
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all
A typical SaaS or e-commerce setup: Google for team email, SendGrid for transactional, Mailchimp for marketing.
| Setup | SPF Record | Est. Lookups |
|---|---|---|
| Google Workspace | v=spf1 include:_spf.google.com -all | ~3 |
| Microsoft 365 | v=spf1 include:spf.protection.outlook.com -all | ~2 |
| Google + SendGrid | v=spf1 include:_spf.google.com include:sendgrid.net -all | ~4 |
| Google + SendGrid + Mailchimp | v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all | ~6 |
| M365 + Mailchimp | v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all | ~4 |
| M365 + Amazon SES | v=spf1 include:spf.protection.outlook.com include:amazonses.com -all | ~3 |
Keep an eye on your total DNS lookup count. Each include triggers at least one lookup, and nested includes add more. The SPF specification limits you to 10 total lookups. Use SPF Record Check to count yours.
Common Cloudflare SPF Mistakes
Cloudflare's interface is cleaner than most DNS managers, but mistakes still happen.
Creating a Second SPF Record Instead of Editing
This is the most common error across all DNS providers, and Cloudflare is no exception. When you add a new email service, you need to edit your existing SPF record -- not create a second TXT record starting with v=spf1. Two SPF records cause a permerror, which breaks SPF for every email sent from your domain.
Fix: Always check for an existing SPF record first. If one exists, click Edit and add the new include to the existing record.
Using the Wrong Name Field
The Name field should be @ for your root domain's SPF record. Cloudflare will show this as your domain name in the records list. Don't enter a subdomain name unless you specifically want an SPF record on that subdomain.
Forgetting to Remove Old Includes
When you switch email providers (say, from Mailgun to SendGrid), update your SPF record to reflect the change. Leaving old includes in your record wastes DNS lookups and can cause confusion during troubleshooting.
Confusing Cloudflare Email Routing With SPF
Cloudflare offers an Email Routing feature that forwards email to another address. If you use this feature, be aware that it may require its own SPF consideration depending on your setup. Forwarding can affect SPF results on the receiving end because the forwarding server's IP isn't listed in the original sender's SPF record. This is a forwarding issue, not something you fix in your SPF record.
Cloudflare Email Routing and SPF
If you use Cloudflare's Email Routing to forward incoming mail, understand that forwarding and SPF don't always play well together. When Cloudflare forwards a message to your Gmail or Outlook inbox, the receiving server sees Cloudflare's IP as the sender -- but Cloudflare's IP isn't in the original sender's SPF record. This can cause SPF failures on the forwarded copy.
This isn't something you fix in your own SPF record. It's an inherent limitation of email forwarding. DKIM typically survives forwarding, which is why having both SPF and DKIM (with DMARC) is important.
Cloudflare's Email Routing is for receiving and forwarding email, not for sending. Your outbound SPF record is separate from any Email Routing configuration.
Verifying Your Cloudflare SPF Record
After adding or editing your SPF record in Cloudflare, verify it's correct.
Check with SPF Record Check
Go to SPF Record Check and enter your domain. It will show your published SPF record, validate the syntax, count DNS lookups, and flag any issues.
Send a test email
Send an email from each service listed in your SPF record. On the receiving end, check the email headers for Authentication-Results: spf=pass. If any service shows spf=fail, its include may be missing from your record.
Check from the command line
Run dig TXT yourdomain.com +short or nslookup -type=TXT yourdomain.com to see the raw TXT records. Look for the one starting with v=spf1.
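The checks from this guide run offline against dig +short style output, as an added example (not code from the original guide): it flags a second SPF record, an all that is not last, and more than 10 lookups including nested includes. The ZONE data and every .example name are constructed; only include, a, mx, ptr, exists and redirect terms are counted.

```python
import re

# Terms that each cost one DNS lookup toward the limit of 10.
LOOKUP = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)
FOLLOW = re.compile(r"^[+\-~?]?include:(.+)$|^redirect=(.+)$", re.I)
ALL = re.compile(r"^[+\-~?]?all$", re.I)

# Constructed sample data: `dig TXT <name> +short` output, keyed by name.
ZONE = {
    "example.com": '"v=spf1 include:_spf.mail.example include:_spf.bulk.example -all"',
    "_spf.mail.example": '"v=spf1 include:_a.mail.example ~all"',
    "_a.mail.example": '"v=spf1 ip4:192.0.2.0/24 ~all"',
    "_spf.bulk.example": '"v=spf1 ip4:203.0.113.0/24 a mx ~all"',
    "dup.example": '"v=spf1 include:_spf.mail.example -all"\n"v=spf1 include:_spf.bulk.example -all"',
}

def spf_records(dig_output):
    """Join the quoted chunks on each answer line, keep only SPF records."""
    txts = ["".join(re.findall(r'"([^"]*)"', ln)) for ln in dig_output.splitlines()]
    return [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(name, zone, path=()):
    """Count lookup-costing terms, following include: and redirect= targets."""
    records = spf_records(zone.get(name, ""))
    if name in path or len(records) != 1:   # include loop or unusable target
        return 0
    total = 0
    for term in records[0].split()[1:]:
        if LOOKUP.match(term):
            total += 1
            if (m := FOLLOW.match(term)):
                total += count_lookups(m.group(1) or m.group(2), zone, path + (name,))
    return total

def lint(name, zone):
    """Return a list of problems; an empty list means no issue was found."""
    records = spf_records(zone.get(name, ""))
    if len(records) != 1:
        return [f"{len(records)} SPF records found, exactly 1 required"]
    problems = []
    if any(ALL.match(t) for t in records[0].split()[:-1]):
        problems.append("'all' is not the last term")
    lookups = count_lookups(name, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups, limit is 10")
    return problems

if __name__ == "__main__":
    print({n: (count_lookups(n, ZONE), lint(n, ZONE)) for n in ("example.com", "dup.example")})
```

To check a live domain, replace the ZONE values with the real dig output for your domain and for each include target.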
Complete Your Email Authentication
SPF is the first step. For full email authentication, you need all three protocols:
- DKIM adds a cryptographic signature to your outgoing emails. Use DKIM Creator to generate your DKIM keys and add the CNAME or TXT records in Cloudflare.
- DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Use DMARC Creator to build your DMARC policy.
Adding DKIM and DMARC records in Cloudflare follows the same process as SPF -- create a TXT record with the appropriate name and value. With Cloudflare's fast propagation, all three records can be live within minutes.