How to Add an SPF Record in Cloudflare: Step-by-Step Guide
Add or edit an SPF record in Cloudflare with step-by-step instructions. Covers exact field values, DNS settings, and email routing.
Last updated: 2026-05-06
Cloudflare is one of the most popular DNS providers, and adding an SPF record there takes just a few minutes. Whether you are setting up email authentication for the first time or updating an existing record, this guide walks you through every step in Cloudflare's dashboard. No technical experience required. New to SPF? Read What is SPF? for background, or see our complete SPF guide for a full overview.
Before You Start
You need two things:
- Your Cloudflare account login. You need access to the account that manages DNS for your domain.
- Your SPF record value. This is the text string you will add. If you are not sure what it should contain, SPF Creator can build the correct record based on the email services you use.
A typical SPF record looks like this:
v=spf1 include:_spf.google.com ~all
Your record will be different depending on what services send email for your domain. Common includes are _spf.google.com for Google Workspace, spf.protection.outlook.com for Microsoft 365, and sendgrid.net for SendGrid. See SPF record examples for common configurations, or check the SPF syntax guide for details on each mechanism.
Check for an existing SPF record first
Your domain may already have an SPF record. You can only have one SPF record per domain, so adding a second one causes a PermError. Always check first and edit the existing record if one is already there.
Step-by-Step: Adding an SPF Record in Cloudflare
Log into the Cloudflare dashboard
Go to dash.cloudflare.com and sign in. You will see a list of your domains (called "websites" in Cloudflare). Click on the domain you want to add the SPF record to.
Navigate to DNS settings
In the left sidebar, click "DNS" and then "Records" (Cloudflare DNS docs). This shows all the DNS records for your domain. Scroll through the list to check if an SPF record (a TXT record starting with v=spf1) already exists.
Add a new TXT record (or edit existing)
If no SPF record exists, click the "Add record" button. If one already exists, click the "Edit" button next to it.
Fill in the fields as follows:
- Type: Select
TXT - Name: Enter
@(this represents your root domain) - Content: Enter your full SPF record value, for example:
v=spf1 include:_spf.google.com ~all - TTL: Leave this set to "Auto" (Cloudflare's default)
Save the record
Click "Save" to publish the record. Cloudflare typically applies DNS changes very quickly — often within a minute or two — because of their global network. However, other DNS caches may take up to a few hours to update.
Verify the record is live
After saving, use the checker tool above to confirm your SPF record is published and valid. The tool will show you the record contents, check the syntax, and count your DNS lookups.
Cloudflare-Specific Details
Proxy vs DNS Only — Does It Affect SPF?
No. Cloudflare's proxy feature (the orange cloud icon) controls how web traffic is routed through Cloudflare's network. It only applies to A, AAAA, and CNAME records that handle web traffic.
TXT records like SPF are always "DNS only." There is no proxy toggle for TXT records in Cloudflare. Your SPF record goes straight into DNS without passing through Cloudflare's proxy. You do not need to worry about proxy settings when adding SPF.
Cloudflare's TTL Setting
When you set TTL to "Auto" in Cloudflare, it defaults to 300 seconds (5 minutes) for most record types. This is fine for SPF records. A short TTL means changes propagate quickly, which is helpful if you need to update your SPF record later.
Some guides recommend longer TTLs for SPF records (like 3600 seconds or higher). While that works, Cloudflare's auto TTL is perfectly adequate and makes future changes easier since they take effect faster.
Cloudflare Email Routing and SPF
Cloudflare's Email Routing feature lets you forward emails to another inbox. When you enable it, Cloudflare may automatically create MX records and an SPF TXT record. If you already have an SPF record, this can create a duplicate — which causes a PermError.
Check for duplicate SPF records after enabling Email Routing
If you enable Cloudflare Email Routing on a domain that already has an SPF record, verify that Cloudflare did not create a second one. Go to DNS > Records and look for TXT records containing v=spf1. You should see exactly one.
Cloudflare SPF Record Examples
Here are common SPF record configurations you might add in Cloudflare, depending on your email setup:
Google Workspace only:
v=spf1 include:_spf.google.com ~all
Microsoft 365 only:
v=spf1 include:spf.protection.outlook.com ~all
Google Workspace + Mailchimp:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Microsoft 365 + SendGrid:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all
Domain that does not send email:
v=spf1 -all
If you have a domain that should never send email (a parked domain, a redirect domain), publish v=spf1 -all to prevent spoofing.
Editing an Existing SPF Record in Cloudflare
If you need to add a new email service, edit the existing SPF record rather than creating a new one. In Cloudflare's DNS Records section, find the TXT record starting with v=spf1, click "Edit," and add the new include before ~all.
For example, to add Zendesk, change v=spf1 include:_spf.google.com ~all to v=spf1 include:_spf.google.com include:mail.zendesk.com ~all. Click "Save" and verify with the tool above to confirm it stays within the 10 DNS lookup limit.
Common Mistakes When Adding SPF in Cloudflare
Creating a second SPF record instead of editing. This is the most common mistake across all DNS providers. You can only have one SPF record. If you need to add a service, edit the existing record.
Putting SPF in the wrong record type. SPF records must be TXT records as specified in RFC 7208. Do not use the old SPF record type. TXT is the correct standard.
Forgetting the ~all or -all at the end. Every SPF record needs an all mechanism that specifies what happens to unlisted senders.
Entering the wrong name. The Name field should be @ for your root domain. Entering your full domain name may create the record on a subdomain instead.
Verifying Your Setup
After adding your SPF record in Cloudflare:
1. Check the record with the tool above. Confirm it shows the correct value, passes syntax validation, and stays within the 10 DNS lookup limit.
2. Send a test email. Send an email from your domain to a Gmail address. Open the message, click the three dots, and select "Show original." Look for spf=pass in the authentication results.
3. Set up full authentication. SPF is one piece of the puzzle. Also add DKIM and DMARC as TXT records in Cloudflare following the same process. The Email Deliverability Suite can check all three protocols at once.
Using a different DNS provider? See our guides for GoDaddy, Namecheap, or Route 53.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- Cloudflare: Manage DNS records — Official Cloudflare DNS documentation
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring