Set up SPF, DKIM & DMARC for Loops.so

Loops.so shows your domain as unverified, or your product emails fail DKIM — and you added the records on Cloudflare.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

Two Loops-specific gotchas trip most people. First, Loops issues three DKIM records that are added as CNAMEs (not TXT) — you add all three, one by one. Second, on Cloudflare each of those CNAMEs must be set to “DNS only” (grey cloud, proxy OFF); if the orange proxy is on, Cloudflare rewrites the record and DKIM validation fails. Note too that Loops lets you publish a DMARC policy but has no built-in DMARC reporting — you still need your own rua= destination to actually see who's sending as you. Source: Loops Docs — Setting up your domain · verified 2026-07-18.

What to do about it

Step 1. Add all three Loops DKIM records as CNAME entries exactly as shown.
Step 2. On Cloudflare, click each DKIM CNAME to “DNS only” (grey cloud) — proxied (orange) records break DKIM.
Step 3. Publish your own DMARC record with a real rua= address — Loops won't collect reports for you.
Step 4. Run the free check below; it flags a proxied/rewritten DKIM record as a missing selector.

Frequently asked

Will adding these records break the email I already send?

No. Adding SPF includes and DKIM records (whether TXT or CNAME) only adds authentication — it never blocks mail. The only step that can affect delivery is tightening your DMARC policy to quarantine or reject, and that comes later, once reports confirm every legitimate sender passes.

The platform says it “handles DMARC” — do I still need my own record?

Yes. Most platforms handle DKIM (and sometimes SPF) so their mail can pass, but the DMARC record is published on your own domain and controlled by you — it's what tells receivers to act on failures. Providers rarely publish it for you, and you want your own rua= address to see the reports.

How do I confirm it actually worked?

Send yourself a test message and check the headers for dkim=pass and dmarc=pass — or run the free check below on your domain to see SPF, DKIM and DMARC state, and which sending services currently align, in one place.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →