Cloudflare DMARC Management is now generally available
Cloudflare Blog

Get unified visibility into your email authentication posture and reach full DMARC enforcement with deeper reporting, record analysis, and SPF audits, free for every Cloudflare customer.

When we first launched DMARC Management, it was driven by a simple belief: every domain on the Internet deserves strong email authentication, and cost should never be the reason it doesn't happen. As part of our mission to help build a better Internet, we made DMARC Management available for free to every Cloudflare customer. We wanted to give everyone the tools to understand and improve their DMARC posture without needing to hire an email security consultant or parse XML report files by hand.

Today, we are taking that commitment further. Cloudflare DMARC Management is now generally available, with a redesigned experience built to help you reach full DMARC enforcement as easily as possible.

The DMARC Management dashboard offers a unified view of your email authentication posture.

What email authentication actually does for you

Every time someone receives an email "from" your domain, their email provider asks a simple question: did the real owner of this domain actually send this? Without a way to answer that question, anyone can send an email pretending to be you and your recipients will have no way to tell the difference.

Email authentication is the set of DNS records that answers that question. There are four protocols that protect your domain:

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are allowed to send email on behalf of your domain.
DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every email you send, so receiving servers can verify the message hasn't been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do when an email fails authentication: let it through, quarantine it, or reject it outright. It also sends you reports on who is sending email as your domain.
BIMI (Brand Indicators for Message Identification) lets you display your brand logo next to your emails in supported inboxes, but only if your DMARC policy is strong enough.

When all four are configured correctly, spoofed emails get blocked before they reach anyone's inbox and your legitimate emails are far more likely to be delivered. When they're missing or misconfigured, you're exposed to brand impersonation and deliverability penalties from the large mailbox providers.

DMARC is no longer optional

DMARC has always been important. But over the past two years, the stakes have gotten significantly higher. Google, Microsoft, and Yahoo have all announced or implemented stricter email authentication enforcement. Domains that do not have proper DMARC, SPF, and DKIM records configured (or worse, have them configured incorrectly) are increasingly seeing their legitimate emails land in spam folders or get rejected outright.

What was once a best practice is now a requirement. Poor email hygiene directly translates to poor deliverability, and for many businesses, that means lost revenue and missed communications. The message from the industry is clear: if you send email from your domain, you need these records configured correctly. The grace period is over.

The problem: DMARC is confusing, and mistakes are costly

Here is the challenge. The journey from p=none (monitor only, no emails are blocked) to p=quarantine (suspicious emails are sent to spam) to p=reject (unauthenticated emails are blocked outright) is filled with uncertainty. Enable enforcement too early, and you risk breaking legitimate email flows from third-party services you forgot were sending on your behalf. Move too slowly, and you leave your domain exposed to spoofing, and now, to deliverability penalties from the very providers your customers use.

Most organizations know they need DMARC enforcement.
But actually getting there requires understanding aggregate XML reports, identifying every legitimate sending source across your infrastructure, and building enough confidence that tightening your policy will not break anything.

We built Cloudflare DMARC Management so that any customer can navigate this journey on their own. No need for professional services engagement. No spreadsheet analysis of aggregate reports. No guessing which IP address belongs to which vendor. The goal is to make the path to full DMARC enforcement as self-service as possible, giving you the visibility and confidence to tighten your policy without breaking anything.

DMARC reports show sending source alignment across your domain.

Deeper report visibility with source investigation

We redesigned the reporting experience to make it easier to understand what is happening with your email traffic. You can now see at a glance which sending sources are passing or failing DMARC, SPF, and DKIM alignment and drill deeper than ever before.

Every report now surfaces the source IP address alongside the sending service, giving you the granularity to distinguish between legitimate infrastructure and unauthorized senders. You can now open any IP address directly in our Investigate tab, which surfaces all the threat intelligence Cloudflare has on that address: reputation data, geolocation, autonomous system number (ASN) details, and any known associations with malicious activity. This turns your DMARC reports from a passive data feed into an active investigation tool.

Drilling into a sending source reveals IP-level detail and Cloudflare threat intelligence in the Investigate tab.
What you see | What it tells you
Source IP address | The specific infrastructure sending email on behalf of your domain
Sending service name | The organization or provider behind the IP
DMARC / SPF / DKIM alignment | Whether each authentication check passed or failed for that source
Investigate tab | Cloudflare threat intelligence: reputation, geolocation, ASN, and known threat associations

Email authentication record status

One of the most common questions customers ask is: "Are my records set up correctly?" Until now, answering that question required manually inspecting DNS TXT records and understanding what each tag and value means across multiple specifications.

With this release, you can see the status of every email authentication record you need: DMARC, DKIM, SPF, and BIMI, in a single view. Each record type gets a clear pass, warning, or fail status based on automated analysis. You can drill into any record to see specific findings about what we detected and recommendations for how to fix it. If your DKIM key is malformed, we flag it. If you are missing a BIMI record and your DMARC policy is strong enough to support one, we let you know that too.

Record analysis cards show pass, warning, or fail status for each email authentication record, with actionable recommendations.

The recommendations are written in plain language, not RFC jargon. The goal is to make it obvious what action to take next, regardless of your email security expertise.

Record | What we check
SPF | Multiple records, lookup limits, permissive +all, missing mechanisms
DKIM | Key formatting, missing or malformed public keys
DMARC | Policy strength, monitoring vs. enforcement, reporting configuration
BIMI | Logo URL format, Verified Mark Certificate (VMC) presence

This one addresses a problem that silently breaks email for more organizations than you would expect. The SPF specification (RFC 7208) imposes a hard limit of 10 DNS lookups per SPF evaluation.
Every include:, a, mx, redirect, and exists mechanism in your SPF record counts toward that limit, and so do the nested lookups inside each include:. Exceed 10 and receiving mail servers return a permerror, which means your SPF check fails entirely. Most people have no idea they are over the limit until their email starts getting rejected.

DMARC Management now lets you audit your SPF record and see exactly how many lookups it incurs. You can drill into every mechanism in the record, see which include: chains are the most expensive, and identify where to consolidate or flatten your record to get back under the limit.

The SPF lookup audit traces every DNS lookup in your SPF record, showing exactly where you are against the 10-lookup limit.

To use DMARC Management, you need to have your domain's DNS on Cloudflare. Then you can turn on DMARC Management under the Email tab for that domain in the Cloudflare dashboard.

1. Navigate to your domain in the Cloudflare dashboard.
2. Go to Email > DMARC Management.
3. Follow the setup wizard to start receiving DMARC reports.
4. Review your record analysis and recommendations.
5. Work toward p=quarantine (suspicious emails go to spam) or p=reject (unauthenticated emails are blocked entirely) at your own pace.

We are going to continue building on top of DMARC Management, and our goal is to keep it accessible. We have several things planned that we are excited to ship: deeper forensic reporting, smarter recommendations, and tighter integration with the rest of the Cloudflare platform.

If you are not yet using Cloudflare for your DNS, you can get started here. Once your domain is on Cloudflare, DMARC Management is available immediately with no additional configuration or cost required.

Your domain is either protected or it isn't. Head to Email > DMARC Management in your Cloudflare dashboard to get started.
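The 10-lookup limit discussed in the SPF audit passage above, worked through as an added example (not Cloudflare's implementation): a recursive counter that charges each include: for its nested lookups. The zone is a constructed dictionary standing in for DNS TXT answers, all domain and function names are hypothetical, and ptr is counted as well, as RFC 7208 section 4.6.4 specifies.

```python
import re

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup; ip4, ip6 and all cost none.
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed zone standing in for DNS TXT answers (all names hypothetical).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ip4:192.0.2.0/24 ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example include:_c.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_b.mailer.example": "v=spf1 a mx ~all",
    "_c.mailer.example": "v=spf1 exists:%{i}._chk.mailer.example ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 mx ip4:203.0.113.0/24 -all",
}

def term_costs(domain, zone, seen=frozenset()):
    """Return [(term, lookups)] for the record at `domain`, nested lookups included."""
    if domain in seen:
        raise ValueError(f"SPF include loop at {domain}")
    costs = []
    # zone[domain] raises KeyError when no record exists, mirroring a failed lookup.
    for term in zone[domain].split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)[:=]?(.*)", term.lower())
        name, target = m.groups() if m else ("", "")
        cost = 1 if name in COUNTED else 0
        if name in ("include", "redirect"):
            # The referenced record is evaluated too, so its lookups count against us.
            cost += sum(c for _, c in term_costs(target, zone, seen | {domain}))
        costs.append((term, cost))
    return costs

def audit(domain, zone):
    """Return (total lookups, costliest term, True if over the limit)."""
    costs = term_costs(domain, zone)
    total = sum(c for _, c in costs)
    worst = max(costs, key=lambda tc: tc[1])[0] if costs else None
    return total, worst, total > LIMIT

if __name__ == "__main__":
    total, worst, over = audit("example.com", ZONE)
    print(f"{total} lookups (limit {LIMIT}); costliest term: {worst}; permerror: {over}")
```

The top-level record here shows only three lookup-bearing terms, yet evaluation needs 12 lookups, which is why the nested include: chain is the first place to consolidate.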
