Cloudflare DNS
Manage DNS records on Cloudflare-hosted domains via the Cloudflare API.
Setup
Set these environment variables:
- CLOUDFLARE_API_TOKEN — API token with DNS Write permission (create one)
- CLOUDFLARE_ZONE_ID — Zone ID of the domain (found on the domain overview page in Cloudflare dashboard)
API Basics
Base URL: https://api.cloudflare.com/client/v4
Auth header: Authorization: Bearer $CLOUDFLARE_API_TOKEN
All responses follow: {"success": true, "result": {...}, "errors": [], "messages": []}
Common Operations
List DNS records
curl -s "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq '.result[] | {id, type, name, content}'
Filter by type or name:
# TXT records only
curl -s "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records?type=TXT" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
# By name
curl -s "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records?name=example.com" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
Create a DNS record
curl -X POST "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"type": "TXT",
"name": "example.com",
"content": "v=spf1 include:_spf.mailtarget.co ~all",
"ttl": 3600
}'
Update a DNS record
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/$RECORD_ID" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{"content": "new-value"}'
Delete a DNS record
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/$RECORD_ID" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
Email Authentication Setup
SPF record (TXT)
{"type": "TXT", "name": "example.com", "content": "v=spf1 include:_spf.mailtarget.co ~all", "ttl": 3600}
If an SPF record already exists, merge the include: directive into the existing value.
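One way to do that merge before sending the result as "content" in the Update call, as an added example that is not part of the original skill. The function name `merge_spf_include` is hypothetical and `_spf.example.net` is a constructed sample value.

```shell
# merge_spf_include EXISTING_SPF INCLUDE_DOMAIN
# Prints EXISTING_SPF with include:INCLUDE_DOMAIN present exactly once,
# inserted before the terminal "all" so it is evaluated before the default.
# The body is a subshell ( ... ) so set -f and the variables do not leak.
merge_spf_include() (
  set -f                                   # no glob expansion while splitting terms
  existing=$1
  inc="include:$2"
  # Tolerate a value wrapped in double quotes.
  existing=${existing#\"}; existing=${existing%\"}
  case $existing in
    "v=spf1"|"v=spf1 "*) ;;
    *) echo "not an SPF record: $existing" >&2; exit 1 ;;
  esac
  lc_inc=$(printf '%s' "$inc" | tr '[:upper:]' '[:lower:]')
  out=""
  placed=no
  for term in $existing; do
    lc=$(printf '%s' "$term" | tr '[:upper:]' '[:lower:]')
    case $lc in
      "$lc_inc")
        # Already present: keep the first copy, drop any later duplicate.
        if [ "$placed" = yes ]; then continue; fi
        placed=yes ;;
      all|[-+~?]all)
        # Terms after "all" are never evaluated, so insert in front of it.
        if [ "$placed" = no ]; then out="$out $inc"; placed=yes; fi ;;
    esac
    out="$out $term"
  done
  # No "all" mechanism in the record: append at the end.
  if [ "$placed" = no ]; then out="$out $inc"; fi
  printf '%s\n' "${out# }"
)

# Usage (constructed sample value):
#   merge_spf_include 'v=spf1 include:_spf.example.net ~all' _spf.mailtarget.co
#   -> v=spf1 include:_spf.example.net include:_spf.mailtarget.co ~all
```

The function refuses any value that does not start with `v=spf1`, so it cannot overwrite an unrelated TXT record (for example a site-verification token) picked up by the name filter.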
DKIM record (TXT)
Use the hostname and value from your email provider:
{"type": "TXT", "name": "selector._domainkey.example.com", "content": "v=DKIM1; k=rsa; p=MIGf...", "ttl": 3600}
DMARC record (TXT)
{"type": "TXT", "name": "_dmarc.example.com", "content": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com", "ttl": 3600}
CNAME record (for tracking domains)
{"type": "CNAME", "name": "track.example.com", "content": "tracking.mailtarget.co", "ttl": 3600, "proxied": false}
Important: Set proxied: false for email-related CNAME records (DKIM, tracking) — Cloudflare proxy breaks email authentication.
Mailtarget Integration Workflow
When used together with mailtarget-email, the agent can do end-to-end domain setup:
- Create sending domain in Mailtarget → POST /domain/sending
- Read required DNS records → GET /domain/sending/{id} returns SPF, DKIM, CNAME values
- Add DNS records in Cloudflare using this skill
- Verify domain in Mailtarget → PUT /domain/sending/{id}/verify-txt
- Confirm all records are verified
Zero manual DNS editing required.
Reference
See references/api.md for full endpoint documentation.