How to Update DNS Records in Cloudflare
Step-by-step instructions for adding and editing SPF, DMARC, MTA-STS, and DKIM DNS records in Cloudflare's DNS management console.
Cloudflare is a DNS hosting and CDN provider used by millions of domains worldwide. Its DNS management interface is fast, clean, and designed for both basic and advanced record management. This guide walks you through adding and editing SPF, DMARC, MTA-STS, and DKIM DNS records for your domain in Cloudflare. Each section includes the exact steps, correct field values, and Cloudflare-specific details to get your email authentication records configured correctly.
Cloudflare's DNS propagation is among the fastest available — changes typically take effect within seconds to a few minutes thanks to its global Anycast network. This makes Cloudflare an ideal DNS host for email authentication records that may need frequent updates.
Accessing Your DNS Zone
- Sign in to your Cloudflare dashboard at dash.cloudflare.com.
- Select the domain (zone) you want to manage from the dashboard home page.
- Click DNS in the left sidebar, then click Records.
- You are now in the DNS Records management page. This is where you add, edit, and delete all DNS records for your domain.
Cloudflare displays records in a table showing type, name, content, proxy status, and TTL. To add a new record, click the Add record button. To edit an existing record, click the Edit button on the right side of the record row.
Important: Cloudflare's proxy feature (the orange cloud icon) only applies to A, AAAA, and CNAME records that serve HTTP traffic. TXT records and NS records are always "DNS Only" — the proxy toggle does not apply to them. For CNAME records used in email authentication (like MTA-STS), set the proxy status to DNS Only (gray cloud) to avoid interference with record resolution.
TXT Records
SPF Record
SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are authorized to send email for your domain. Your SPF record is published as a TXT record at the root of your domain.
- In the DNS Records page, click Add record.
- Select TXT from the Type dropdown.
- In the Name field, enter @. Cloudflare uses @ to represent the root of your domain.
- In the Content field, enter your SPF record. If you are using mxio's Managed SPF, enter: v=spf1 include:_spf.mxio.io ~all
- Set the TTL to Auto. Cloudflare's Auto TTL is optimized for their network and generally provides the fastest propagation.
- Click Save.
If you already have an SPF record, do not create a second one. Multiple SPF records cause a PermError and break email authentication entirely. Instead, click Edit on the existing TXT record that begins with v=spf1 and add include:_spf.mxio.io before the ~all or -all mechanism.
Cloudflare does not impose restrictive character limits on TXT records, so long SPF records are generally not a problem in Cloudflare's interface. The DNS protocol itself limits each TXT string to 255 characters, but Cloudflare splits longer content into multiple strings automatically and transparently.
DMARC Record
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers how to handle email that fails SPF and DKIM checks. It also enables aggregate reporting so you can see who is sending email as your domain.
- Click Add record to create a new TXT record.
- Select TXT from the Type dropdown.
- In the Name field, enter _dmarc. Cloudflare will automatically append your domain, resulting in _dmarc.yourdomain.com.
- In the Content field, enter your DMARC policy. A starting policy for monitoring is: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Set the TTL to Auto.
- Click Save.
Replace dmarc@yourdomain.com with the address where you want to receive DMARC aggregate reports. Start with p=none to collect data before enforcing. See the DMARC Deployment Guide for the full progression from none to quarantine to reject.
Note: mxio will support DMARC policy management in a future release.
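Before pasting a DMARC policy into the Content field, it helps to check its syntax the way the DMARC Checker step later in this guide does. The following Python script is an added example, not code from the original article or from mxio's tools: it parses the tag=value string, flags the mistakes that most often break a record (v=DMARC1 not first, missing or misspelled p=, a rua= that is not a mailto: address, p=none with no reporting address), and advances p= one step along the none to quarantine to reject progression. The records in the __main__ block are constructed samples.

```python
"""Sanity-check a DMARC record before publishing it at _dmarc.yourdomain.com.

Added example, not code from the original article or from mxio's DMARC Checker.
The records in the __main__ block are constructed samples.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# The enforcement progression the guide describes: none -> quarantine -> reject.
NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}
# A reporting URI must be a mailto: address; an optional !size suffix is allowed.
MAILTO = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name,
    preserving the order the tags appear in (needed for the v= check)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record):
    """Return a list of problems; an empty list means the record is publishable."""
    problems = []
    tags = parse_dmarc(record)
    keys = list(tags)
    # RFC 7489 requires v=DMARC1 as the first tag and a p= tag.
    if not keys or keys[0] != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy not in VALID_POLICIES:
        problems.append(f"unknown policy {policy!r}; use none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append(f"unknown subdomain policy {tags['sp']!r}")
    for report_tag in ("rua", "ruf"):
        if report_tag not in tags:
            continue
        for uri in tags[report_tag].split(","):
            uri = uri.strip()
            if not MAILTO.fullmatch(uri):
                problems.append(f"{report_tag} entry is not a mailto: address: {uri!r}")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and int(pct) <= 100):
        problems.append(f"pct must be 0-100, got {pct!r}")
    # p=none is only useful for monitoring if aggregate reports go somewhere.
    if policy == "none" and "rua" not in tags:
        problems.append("p=none without rua= collects no aggregate reports")
    return problems


def next_enforcement_step(record):
    """Return the record with p= advanced one step along none -> quarantine -> reject.
    Call this only on a record that validate_dmarc() accepted."""
    tags = parse_dmarc(record)
    tags["p"] = NEXT_POLICY.get(tags.get("p", "none"), "none")
    return "; ".join(f"{k}={v}" for k, v in tags.items())


if __name__ == "__main__":
    starting = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"  # from the guide
    print(validate_dmarc(starting))                        # []
    print(validate_dmarc("p=reject; v=DMARC1"))            # v= must come first
    print(validate_dmarc("v=DMARC1; p=monitor; rua=dmarc@yourdomain.com"))
    print(next_enforcement_step(starting))                 # p=quarantine
```

Run it against the exact string you intend to paste into Cloudflare; an empty list from validate_dmarc() means the tags are well-formed, which is a syntax check only and does not tell you whether the report mailbox exists or whether your senders pass SPF and DKIM.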
CNAME Records
MTA-STS
MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers that your domain supports TLS encryption for inbound email and that they should refuse to deliver over an unencrypted connection. The MTA-STS policy is published via HTTPS, and a CNAME record points to the policy host.
- Click Add record to create a new record.
- Select CNAME from the Type dropdown.
- In the Name field, enter _mta-sts. Cloudflare will append your domain automatically.
- In the Target field, enter the CNAME target provided by your MTA-STS hosting service.
- Set the Proxy status to DNS Only (gray cloud). MTA-STS CNAME records must not be proxied through Cloudflare, as the receiving mail server needs to resolve the actual target, not Cloudflare's proxy IP.
- Set the TTL to Auto.
- Click Save.
You also need a TXT record at _smtp._tls to publish the MTA-STS policy version identifier. Follow the same TXT record process described above, using _smtp._tls as the Name and the policy string as the Content.
Note: mxio will support MTA-STS hosting in a future release.
NS Delegation
DKIM Key Hosting
DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that an email was sent by an authorized server and that the message body was not altered in transit. DKIM keys are published as DNS records under the _domainkey subdomain.
For centralized DKIM key management, you can delegate the _domainkey subdomain to a dedicated DNS host via NS records. This lets the key hosting service manage DKIM records without requiring changes in Cloudflare every time a key rotates.
- Click Add record to create a new record.
- Select NS from the Type dropdown.
- In the Name field, enter _domainkey. Cloudflare will append your domain, resulting in _domainkey.yourdomain.com.
- In the Nameserver field, enter the first nameserver provided by your DKIM hosting service.
- Click Save.
- Repeat for each additional nameserver (typically 2-4 NS records are required for redundancy).
Cloudflare fully supports NS delegation for subdomains. Once the NS records are in place, Cloudflare will defer to the delegated nameservers for all queries under _domainkey.yourdomain.com.
Note: mxio will support DKIM key hosting via NS delegation in a future release.
Verifying Your Changes
After adding or editing DNS records in Cloudflare, verify that your changes are live and correct.
- Use the mxio SPF Checker to validate your SPF record. Enter your domain and confirm that the record resolves correctly, the lookup count is within the 10-lookup limit, and all your sending services are included.
- Use the mxio DMARC Checker to verify your DMARC record is published and syntactically correct.
- Use the mxio Domain Health tool for a full overview of your domain's email authentication status, including SPF, DKIM, DMARC, and MX configuration.
- If you created NS delegation records for DKIM, use the Delegation Health tool to verify that the NS records are resolving correctly and the delegated zone is responding.
Cloudflare's DNS changes propagate extremely fast — often within 30 seconds globally. If your changes are not appearing immediately, clear your local DNS resolver cache. On macOS, run sudo dscacheutil -flushcache. On Windows, run ipconfig /flushdns.
Cloudflare also provides a built-in DNS record lookup in the dashboard. You can use this alongside mxio's tools to cross-reference your records.
Troubleshooting
Proxy status on CNAME records
If you create a CNAME record for MTA-STS and leave the proxy status set to Proxied (orange cloud), the record will resolve to Cloudflare's IP addresses instead of the actual CNAME target. This breaks MTA-STS validation. Always set email authentication CNAME records to DNS Only (gray cloud).
Duplicate SPF records
Your domain must have exactly one SPF TXT record at the root. If you see two TXT records starting with v=spf1, delete one and merge the include mechanisms into a single record. Use the SPF Checker to confirm you have only one record after merging.
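The SPF rules from the SPF Record section earlier in this guide (one record at the root, the include inserted before the ~all or -all mechanism, content split into 255-character strings) and the merge step in this troubleshooting item can be checked offline before you touch the Cloudflare dashboard. The Python script below is an added example, not code from the original article or from mxio's SPF Checker: it takes the TXT strings currently at your zone root, reports duplicate SPF records and the DNS-lookup count against the 10-lookup limit, merges duplicates into one record, and adds the guide's include:_spf.mxio.io in the right position. SAMPLE_TXT is constructed sample data for a fictional yourdomain.com (203.0.113.10 is a documentation address).

```python
"""Offline checks for the SPF edits this guide describes.

Added example, not code from the original article or from mxio's SPF Checker.
SAMPLE_TXT below is constructed sample data for a fictional yourdomain.com.
"""
import re

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 caps them at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records at the zone root: a verification token plus two
# SPF records, which is exactly the duplicate situation the guide warns about.
SAMPLE_TXT = [
    "google-site-verification=constructed-example-token",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all",
]


def spf_records(txt_records):
    """Return only the TXT strings that are SPF records."""
    return [r for r in txt_records if r.lower().startswith("v=spf1")]


def is_all(term):
    """True for the 'all' mechanism with any qualifier (+all, -all, ~all, ?all)."""
    return term.lstrip("+-~?").lower() == "all"


def count_lookups(spf):
    """Count the mechanisms and modifiers that trigger a DNS lookup."""
    count = 0
    for term in spf.split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count


def add_include(spf, include_domain):
    """Insert include:<domain> before the all mechanism of an existing record,
    which is the edit the guide prescribes instead of adding a second record."""
    terms = spf.split()
    new_term = f"include:{include_domain}"
    if new_term in terms:
        return spf
    for i, term in enumerate(terms):
        if is_all(term):
            terms.insert(i, new_term)
            break
    else:
        terms.append(new_term)  # record had no all mechanism; append the include
    return " ".join(terms)


def merge_spf(txt_records, include_domain):
    """Collapse duplicate SPF records into one and add the include.

    Mechanisms are kept in order without repeats; the all mechanism of the
    first record wins so the existing policy strength is preserved.
    """
    records = spf_records(txt_records)
    if not records:
        return f"v=spf1 include:{include_domain} ~all"
    mechanisms, all_term = [], None
    for record in records:
        for term in record.split()[1:]:
            if is_all(term):
                all_term = all_term or term
            elif term not in mechanisms:
                mechanisms.append(term)
    merged = " ".join(["v=spf1"] + mechanisms + [all_term or "~all"])
    return add_include(merged, include_domain)


def audit_spf(txt_records):
    """Report what the SPF Checker step in the guide looks for."""
    records = spf_records(txt_records)
    issues = []
    if not records:
        issues.append("no SPF record published")
    elif len(records) > 1:
        issues.append(f"{len(records)} SPF records found; receivers return PermError")
    lookups = max((count_lookups(r) for r in records), default=0)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return {"records": len(records), "lookups": lookups, "issues": issues}


def split_txt(content, limit=255):
    """Split TXT content into the 255-character strings the wire format needs;
    Cloudflare does this for you, so this only shows what actually gets published."""
    return [content[i:i + limit] for i in range(0, len(content), limit)]


if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT))                    # 2 records -> PermError issue
    fixed = merge_spf(SAMPLE_TXT, "_spf.mxio.io")
    print(fixed)
    print(audit_spf([fixed]))                        # 1 record, 3 lookups, no issues
    print(split_txt(fixed))
```

Feed the script the TXT strings from the Cloudflare record table (or from a dig TXT lookup) and paste the single merged record back into the existing record's Content field; after saving, the SPF Checker should report one record and a lookup count of 10 or fewer.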
Name field format
Cloudflare uses @ to represent the root domain. For subdomains, enter only the subdomain portion — Cloudflare appends the domain automatically. For example, to create a record at _dmarc.yourdomain.com, enter _dmarc in the Name field, not the full _dmarc.yourdomain.com.
TTL Auto vs. custom values
Cloudflare's Auto TTL is set to 300 seconds (5 minutes) for DNS Only records. This is a good default for email authentication records. If you need a longer TTL (for example, 3600 seconds for records that rarely change), you can set it manually, but Auto works well for most configurations.
API-managed records
If your Cloudflare DNS records are managed via the Cloudflare API or Terraform, changes made in the dashboard may be overwritten on the next API sync. Coordinate with your infrastructure team to ensure manual DNS changes are reflected in your infrastructure-as-code configuration.
Related Articles
SPF flattening resolves include mechanisms to IP addresses, reducing DNS lookups. Learn how it works, the risks of manual flattening, and when you need automated flattening.
Step-by-step guide to deploying DMARC on your domain. Start with monitoring, identify unauthorized senders, and safely progress to full enforcement.