When we first introduced DMARC Management, it was rooted in a core belief: every domain on the Internet should have robust email authentication, and cost should never stand in the way. As part of our commitment to building a better Internet, we offered DMARC Management for free to all Cloudflare customers. Our goal was to empower everyone to assess and strengthen their DMARC posture—without needing to hire an email security expert or manually sift through XML report files.
Today, we’re deepening that commitment. Cloudflare DMARC Management is now generally available, with a redesigned experience that helps you achieve full DMARC enforcement with ease.
The DMARC Management dashboard provides a unified view of your email authentication status.
What email authentication actually does for you
Whenever someone receives an email that appears to come “from” your domain, their email provider checks a key question: did the actual owner of this domain really send it? Without a reliable way to answer that, anyone can impersonate you—and your recipients won’t be able to tell the difference.
Email authentication is the set of DNS records that answers that question. Four key protocols protect your domain:
SPF (Sender Policy Framework) specifies which IP addresses and services are authorized to send email on behalf of your domain.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing email, allowing receiving servers to confirm the message hasn’t been altered during transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) links SPF and DKIM together and instructs receiving servers on how to handle emails that fail authentication—whether to deliver them, quarantine them, or reject them entirely. It also sends you reports about who is sending email using your domain.
BIMI (Brand Indicators for Message Identification) enables your brand logo to appear next to your emails in compatible inboxes—but only if your DMARC policy is sufficiently strong.
When all four are properly configured, spoofed emails are blocked before reaching inboxes, and your legitimate messages are far more likely to be delivered. If they’re missing or misconfigured, you risk brand impersonation and deliverability issues from major email providers.
DMARC is no longer optional
DMARC has always been important—but over the past two years, the consequences of neglecting it have grown significantly. Google, Microsoft, and Yahoo have all introduced or enforced stricter email authentication requirements. Domains without correctly configured DMARC, SPF, and DKIM records (or worse, with incorrect configurations) are increasingly seeing their legitimate emails routed to spam or rejected outright. What was once considered a best practice is now a necessity. Poor email hygiene directly harms deliverability—and for many businesses, that means lost revenue and disrupted communication.
The industry’s message is clear: if you send email from your domain, you must configure these records correctly. The grace period has ended.
The problem: DMARC is confusing, and mistakes are costly
Here’s the challenge: moving from p=none (monitoring only, no emails blocked) to p=quarantine (suspicious emails sent to spam) to p=reject (unauthenticated emails blocked entirely) is fraught with risk. Enforce too soon, and you might disrupt legitimate email flows from third-party services you forgot were sending on your behalf. Move too slowly, and you leave your domain vulnerable to spoofing—and now, to deliverability penalties from the very providers your customers rely on.
Most organizations understand they need DMARC enforcement. But achieving it requires interpreting aggregate XML reports, identifying every legitimate sending source in your infrastructure, and building confidence that tightening your policy won’t break anything.
We created Cloudflare DMARC Management so any customer can navigate this process independently—no professional services needed, no manual analysis of aggregate reports, no guessing which IP belongs to which vendor. Our goal is to make the path to full DMARC enforcement as self-service as possible, giving you the visibility and confidence to tighten your policy safely.
DMARC reports reveal sending source alignment across your domain.
Deeper report visibility with source investigation
We’ve overhauled the reporting interface to give you a clearer picture of your email traffic. At a glance, you can now identify which sending sources are passing or failing DMARC, SPF, and DKIM checks — and dig deeper into the details than ever before.
Every report now displays the source IP address alongside the sending service name, giving you the precision to separate legitimate senders from unauthorized ones. You can click any IP address to open it directly in our Investigate tab, where you’ll find all the threat intelligence Cloudflare has gathered — including reputation scores, geographic location, autonomous system number (ASN) data, and any known links to malicious activity.
This transforms your DMARC reports from a static log into a dynamic investigation tool.
Clicking into a sending source reveals IP-level details and Cloudflare threat intelligence in the Investigate tab.
| What you see | What it tells you |
| --- | --- |
| Source IP address | The specific server sending email on behalf of your domain |
| Sending service name | The company or provider operating that IP |
| DMARC / SPF / DKIM alignment | Whether each authentication check passed or failed for that source |
| Investigate tab | Cloudflare threat intelligence: reputation, geolocation, ASN, and known threat associations |
Email authentication record status
One of the most frequent questions we hear from customers is: “Are my records configured correctly?”
Previously, answering that meant manually inspecting DNS TXT records and deciphering the meaning of each tag and value across multiple technical specifications. With this update, you can now view the status of every essential email authentication record — DMARC, DKIM, SPF, and BIMI — all in one place.
Each record type receives a clear pass, warning, or fail rating based on automated analysis. You can click into any record to see specific findings about what we detected and get recommendations on how to resolve any issues. If your DKIM key is improperly formatted, we’ll flag it. If you’re missing a BIMI record and your DMARC policy is strong enough to support one, we’ll let you know about that too.
Record analysis cards display pass, warning, or fail status for each email authentication record, along with actionable recommendations.
The recommendations are written in plain language, not technical RFC jargon. The goal is to make the next step obvious, no matter your level of email security expertise.
| Record | What we check |
| --- | --- |
| SPF | Multiple records, lookup limits, permissive +all, missing mechanisms |
| DKIM | Key formatting, missing or malformed public keys |
| DMARC | Policy strength, monitoring vs. enforcement, reporting configuration |
| BIMI | Logo URL format, Verified Mark Certificate (VMC) presence |
The SPF lookup audit tackles a problem that quietly breaks email delivery for more organizations than you might think. The SPF specification (RFC 7208) enforces a strict limit of 10 DNS lookups per SPF evaluation. Every include:, a, mx, redirect, and exists mechanism in your SPF record counts toward that limit, and so do the nested lookups triggered by each include:. Go over 10 and receiving mail servers return a permerror, causing your SPF check to fail entirely.
Most people don’t realize they’ve exceeded the limit until their emails start getting rejected.
DMARC Management now lets you audit your SPF record and see exactly how many lookups it triggers. You can explore every mechanism in the record, identify which include: chains consume the most lookups, and figure out where to consolidate or flatten your record to get back under the limit.
The SPF lookup audit maps out every DNS lookup in your SPF record, showing exactly where you stand against the 10-lookup limit.
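The lookup counting described above, together with the multiple-record and permissive +all checks from the SPF row of the table, can be reproduced offline. This is an added example, not Cloudflare's implementation; the zone data, domain names and function names are constructed, and DNS is replaced by an in-memory dictionary.

```python
import re

# Constructed sample zone (TXT records by name); every name here is a placeholder.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailer.example include:_spf.crm.example a mx ~all"],
    "_spf.mailer.example": ["v=spf1 include:_a.mailer.example include:_b.mailer.example -all"],
    "_a.mailer.example": ["v=spf1 ip4:198.51.100.0/24 exists:%{i}._x.mailer.example -all"],
    "_b.mailer.example": ["v=spf1 a:out.mailer.example mx -all"],
    "_spf.crm.example": ["v=spf1 include:_n1.crm.example include:_n2.crm.example -all"],
    "_n1.crm.example": ["v=spf1 ip4:203.0.113.0/25 -all"],
    "_n2.crm.example": ["v=spf1 redirect=_n3.crm.example"],
    "_n3.crm.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
}
# Terms that cost a DNS lookup per RFC 7208 section 4.6.4 (ptr is counted there too).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Return (lookups, findings) for one SPF record, following include: and redirect=."""
    records = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return 0, [f"{domain}: expected exactly one SPF record, found {len(records)}"]
    total, findings = 0, []
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        rest = body[len(name):]
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: permissive +all authorizes any sender")
        is_modifier = rest.startswith("=")
        if (name in LOOKUP_MECHANISMS and not is_modifier) or (name == "redirect" and is_modifier):
            total += 1
            if name in ("include", "redirect"):
                target = rest[1:].lower()
                if target in path + (domain,):
                    findings.append(f"{domain}: loop via {target}")
                    continue
                sub_total, sub_findings = count_lookups(target, zone, path + (domain,))
                total += sub_total
                findings += sub_findings
    return total, findings

def audit_spf(domain, zone):
    """Audit a domain and flag the permerror condition when the limit is exceeded."""
    total, findings = count_lookups(domain, zone)
    if total > LIMIT:
        findings.append(f"{domain}: {total} lookups exceeds the limit of {LIMIT} (permerror)")
    return total, findings
```

The top-level record in the sample names only four lookup terms, yet the nested includes bring the total to 12, which is how a record drifts past the limit without anyone editing it.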
To use DMARC Management, your domain’s DNS must be on Cloudflare. Once that’s set up, you can enable DMARC Management under the Email tab for your domain in the Cloudflare dashboard.
1. Navigate to your domain in the Cloudflare dashboard.
2. Go to Email > DMARC Management.
3. Follow the setup wizard to begin receiving DMARC reports.
4. Review your record analysis and recommendations.
5. Work toward p=quarantine (suspicious emails routed to spam) or p=reject (unauthenticated emails blocked entirely) at your own pace.
We plan to keep building on DMARC Management with the goal of keeping it easy to use. We have several exciting features in the pipeline: deeper forensic reporting, smarter recommendations, and tighter integration with the broader Cloudflare platform.
If you’re not yet using Cloudflare for your DNS, you can get started here. Once your domain is on Cloudflare, DMARC Management is available immediately — no extra configuration or cost required.
Your domain is either protected or it isn’t. Head to Email > DMARC Management in your Cloudflare dashboard to get started.



