Email Configuration for Domain that Only Receives Email

I get DMARC reports for my domain – I use Cloudflare email to ONLY receive emails and never send. I am wondering if I should enable DNSSEC. I think I should create email record and txt entries for spf1, DKIM and DMARC1.


TXT _dmarc v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected] DNS only
TXT _dmarc v=DMARC1; p=none; rua=mailto:[email protected] DNS only
TXT *._domainkey v=DKIM1; p= DNS only Auto
TXT v=spf1 -all DNS only
TXT v=spf1 ~all DNS only
TXT google-site-verification=FMDz1VbsJ4HGOAPXTjUp84c4jPjMW4C00XontF7Pw1s DNS

Here is sample DMARC report I got this morning and not sure how to read this but I do see the “FAIL” condition showing up. Again, I only receive mail at [email protected] and never send anything.

<?xml version="1.0" encoding="UTF-8" ?> [email protected] 1666562400 1666648800 r r


none 100 1 none fail fail local_policy arc=fail pass 1 none fail fail local_policy arc=fail pass

If you publish more than one SPF record, you will cause SPF validation to fail. Only one SPF record is permitted. That limit is per name, meaning that you could have a different SPF records for,, and, but not more than one SPF for

DMARC reports aren’t meant to be read by humans. They are normally parsed by software at a DMARC monitoring service. You can run the XML report through dmarcian’s XML to Human Converter to get some better detail, but sending your reports to a dedicated monitoring service will likely prove more usable.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.