On 16 June 2026, Cloudflare made DMARC Management generally available — free for every Cloudflare customer. If your DNS is on Cloudflare, you should turn it on today. This is a genuinely good tool, and the price is right.
It reads your DMARC reports and turns them into something you can actually act on: every sending source, named and grouped, with its DMARC, SPF, DKIM and BIMI status laid out as pass, warning or fail. It audits your SPF record against the 10-lookup limit and tells you which includes are eating your budget. It gives you plain-language recommendations for what to fix next. A year ago you'd have paid for that. Now, on Cloudflare, you don't.
So if you're a Cloudflare customer reading this to decide whether you still need a paid tool, here's the honest starting point: for visibility, you may not. Go and use it.
This piece is about the one line the free tool stops at — and it's the same line every reporting tool stops at, ours included until you ask it to do more.
Visibility is not enforcement
A DMARC reporting tool tells you what's wrong. That's the easy half. The hard half is the part that actually protects your domain: someone has to make the DNS change, watch for legitimate mail breaking, and walk your policy from p=none up through p=quarantine to p=reject without losing real email along the way.
Cloudflare is candid about where it draws that line. Its own getting-started flow tells you to work toward quarantine or reject "at your own pace." That's the right advice — and it's also the whole point. The tool hands you the map. It does not walk the route, and it doesn't pretend to. It reports and recommends; you make the changes.
This matters because the route is exactly where domains stall. Publishing a p=none record is easy, and a reporting tool makes p=none feel productive — the dashboard fills with data, the charts look busy, you can see your mail flow. But p=none tells the world's mail servers to do nothing. A domain sitting at p=none is fully reported and fully spoofable at the same time. The reports are not the protection; the policy is. And the policy is the part nobody advances, because advancing it is the part that carries the risk of breaking real mail.
Two places the free tool was never built to reach
Set the enforcement gap aside for a moment, because there are two structural limits that decide whether the free tool fits you at all.
It only covers domains whose DNS is on Cloudflare. That's not a criticism — it's a free tool bundled with Cloudflare's DNS, and it does exactly what it says. But most Australian small businesses are not on Cloudflare. They're on cPanel/WHM through a local host, on Crazy Domains, on GoDaddy, on a reseller's nameservers. If that's you, Cloudflare DMARC Management isn't a tool you've been missing — it's a tool for a platform you're not on.
It's one domain at a time, inside the Cloudflare dashboard. If you run a single domain, that's fine. If you're an MSP or an IT provider looking after twenty, fifty, a hundred client domains — spread across whatever DNS each client happens to use — there's no single view, no client roll-up, no white-label surface to put your own brand on. The free tool was built for the operator of one Cloudflare account, not for someone managing email security as a service across many.
What "enforcing" DMARC actually takes
Here's the work that sits between a full reporting dashboard and a domain that's genuinely protected at p=reject. None of it shows up in a reporting view, because none of it is reporting.
- Identifying and approving every legitimate sender. Before you can safely tighten policy, you have to know that Microsoft 365, Google Workspace, your CRM, your invoicing tool, your marketing platform and that one app a department signed up for two years ago are all accounted for — and authorised — so enforcement doesn't bounce your own mail.
- Advancing the policy, with a way back. Moving none → quarantine → reject when the data justifies it, and automatically rolling back if pass rates drop or legitimate mail starts failing. The rollback is the part that makes advancing safe enough to do at all.
- The records around DMARC. Keeping SPF under its 10-lookup limit as senders change, rotating DKIM keys without breaking outbound mail, and running the MTA-STS and TLS-RPT lifecycle that protects mail in transit.
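The sender-approval and advance-or-roll-back steps above can be sketched as a decision over one DMARC aggregate report. This is an added example, not code from Cloudflare or from the product this article describes; the thresholds, the approved-sender list and the sample report are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

LADDER = ["none", "quarantine", "reject"]
ADVANCE_AT = 0.98   # assumed: approved-sender pass rate required to tighten
ROLLBACK_AT = 0.95  # assumed: below this, step the policy back

# Constructed sample in the RFC 7489 aggregate format (documentation IP ranges).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>20</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>300</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml, approved_ips):
    """Return (published policy, approved-sender pass rate, failing approved IPs, unapproved IPs)."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    total = passed = 0
    failing, unapproved = set(), set()
    for row in root.iter("row"):
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        if ip not in approved_ips:
            unapproved.add(ip)  # spoofed mail, or a real sender nobody has approved yet
            continue
        total += count
        if ok:
            passed += count
        else:
            failing.add(ip)
    rate = passed / total if total else None  # None: no approved mail seen
    return policy, rate, failing, unapproved

def next_policy(policy, rate):
    """Step up when the data justifies it, step back when pass rates drop, else hold."""
    i = LADDER.index(policy)
    if rate is None:
        return policy
    if rate >= ADVANCE_AT and i < len(LADDER) - 1:
        return LADDER[i + 1]
    if rate < ROLLBACK_AT and i > 0:
        return LADDER[i - 1]
    return policy
```

On the sample, the approved sender at 198.51.100.7 fails both checks, so the domain holds at p=none until that sender is fixed, while 203.0.113.99 is surfaced as a source to either approve or treat as spoofing.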
That's the job. It's continuous, it's per-domain, and most of it is invisible — which is exactly why a reporting dashboard, however good, leaves it undone.
"But I'm not on Cloudflare" — this is the part that covers you
This is the question we get most, so here it is plainly: enforcement doesn't depend on who your DNS provider is.
For providers with a solid write API — Cloudflare, AWS Route 53, GoDaddy and others — the policy changes can be made directly through that API. For everywhere else, including cPanel/WHM and most Australian registrars, enforcement runs through delegation: you point one record at us, once, and from then on the policy lives on our side and advances there. You keep ownership of your domain; you can un-delegate at any time and your records come with you.
The mechanism differs by provider. The outcome does not. Whether your DNS is on Cloudflare or on a cPanel box at a local host, the destination is the same — a domain that actually reaches p=reject and stays there. Delegation isn't a lesser path; it's the path to the same enforcement, for the providers that don't expose a clean write API. If you're on cPanel or Crazy Domains and you'd assumed a tool like this couldn't cover you, it can.
The Australian picture
We scan a large fleet of Australian domains, and the gap shows up clearly in our own data. Of the Australian domains we've scanned, 7,436 publish a DMARC record. Of those, 44.9% are still sitting at p=none — fully reported, and still spoofable. These are organisations that did the first step — they turned reporting on — and then stopped at the exact line this piece is about.
That's the shape of the problem the free tools are about to make very visible to a lot of people at once. Visibility is going up. The question is whether enforcement follows it. The full sector-by-sector picture is in our Australian research.
The bottom line
Cloudflare DMARC Management is a real upgrade to the free toolkit, and if you're on Cloudflare you should be using it. It will show you, clearly and for nothing, exactly what's wrong with your email authentication.
Cloudflare gets you the map. The question is who walks the route — across whatever DNS your domains are actually on, all the way to p=reject, and keeping them there. That's the part we built.
If that's the half you'd rather not do by hand, see how Autopilot handles it.