DNS provider
Add an SPF record in Cloudflare DNS
SPF must be a single TXT starting with v=spf1 at the domain that sends mail. Cloudflare DNS will let you break this with duplicate TXT — don’t.
Provider gotcha: Proxy (orange cloud) must be grey (DNS only) for MX records, mail A records, and anything that must resolve exactly for mail. TXT for DMARC/SPF/DKIM should also use DNS-only — orange cloud can interfere with how some tools read mail DNS.
Reference: SPF DNS.
Step by step
Step 1 Open the Cloudflare Dashboard → DNS → Records → Add record.
Step 2 TXT record. For root domain SPF: Use the subdomain only in the Name field — e.g. _dmarc or @ for apex, not the full hostname.
Step 3 Single SPF only — merge vendors into one string:
v=spf1 include:_spf.google.com ~all
Step 4 Save. Proxy (orange cloud) must be grey (DNS only) for MX records, mail A records, and anything that must resolve exactly for mail. TXT for DMARC/SPF/DKIM should also use DNS-only — orange cloud can interfere with how some tools read mail DNS.
Step 5 Propagation: Usually minutes — Cloudflare is authoritative quickly; global resolver caches still respect TTL.
Step 6 Use DNS Preflight — SPF tree shows lookup count. Link: SPF guide.
DNS Preflight — full auth check for your domain.
Propagation — compare resolvers.
FAQ
Can I add two SPF TXT records?
No — merge into one v=spf1 string or you get PermError.
How does Cloudflare DNS want SPF quoted?
Follow the code block on this page; Route 53 requires quotes around the full TXT.
Why PermError after saving?
Syntax error, duplicate SPF, or over 10 DNS lookups — use Preflight’s SPF tree.
Include SendGrid and Google?
Yes in one record: v=spf1 include:... include:... ~all — watch lookup count.
How long until live?
Usually minutes — Cloudflare is authoritative quickly; global resolver caches still respect TTL.
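The single-record rule from Step 3 and the PermError causes listed in the FAQ, as an added example (not code from this page or from Cloudflare): a Python lint over one name's TXT values that flags duplicate SPF records, proposes the merged string, and counts the lookup terms written directly in the record. The TXT sets, the include target spf.mailvendor.example, and the choice to keep the strictest all qualifier when merging are assumptions of this example; lookups nested inside include targets are not counted because the script runs offline.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # one DNS lookup each
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it is a PermError
ALL_STRICTNESS = ["+all", "?all", "~all", "-all"]  # weakest to strictest

def spf_records(txt_values):
    """Keep only the TXT values that are SPF records (first token v=spf1)."""
    cleaned = [v.strip().strip('"') for v in txt_values]
    return [v for v in cleaned if v.lower().split(" ")[0] == "v=spf1"]

def direct_lookups(record):
    """Count lookup-causing terms in the record itself (nested ones need DNS)."""
    count = 0
    for term in record.lower().split()[1:]:
        # Drop the qualifier, then cut at ':', '/' or '=' to get the term name.
        name = term.lstrip("+-~?").replace("=", ":").replace("/", ":").split(":")[0]
        if name in LOOKUP_TERMS or name == "redirect":
            count += 1
    return count

def merge(records):
    """Merge v=spf1 strings: dedupe terms, one trailing all (strictest seen)."""
    terms, alls = [], []
    for rec in records:
        for term in rec.split()[1:]:
            if term.lower().lstrip("+-~?") == "all":
                alls.append(("" if term[0] in "+-~?" else "+") + term.lower())
            elif term not in terms:
                terms.append(term)
    tail = [max(alls, key=ALL_STRICTNESS.index)] if alls else []
    return " ".join(["v=spf1", *terms, *tail])

def lint(txt_values):
    """Return findings for one name's TXT set; an empty list means it passes."""
    recs = spf_records(txt_values)
    if not recs:
        return ["no SPF record found"]
    if len(recs) > 1:
        return [f"PermError: {len(recs)} SPF records; publish one: {merge(recs)}"]
    n = direct_lookups(recs[0])
    if n > MAX_LOOKUPS:
        return [f"PermError: {n} direct lookups, limit is {MAX_LOOKUPS}"]
    return []

# Constructed TXT sets for the apex of a hypothetical domain.
DUPLICATE = ['"v=spf1 include:_spf.google.com ~all"',
             '"v=spf1 include:spf.mailvendor.example -all"',  # hypothetical vendor
             '"google-site-verification=constructed-token"']
SINGLE = ["v=spf1 include:_spf.google.com ~all"]

if __name__ == "__main__":
    print(lint(DUPLICATE), lint(SINGLE))
```

A record that passes this lint can still exceed 10 lookups once its include targets are expanded, so the resolved count from a live SPF tree remains the final check.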