CF Proxy vs Non-Proxy for Mail

Hello all,

Is there a way to use Cloudflare proxy with websites that send SMTP mail to clients? We found that these automated SMTP mail messages were either coming in as spam or were being rejected by client mail systems. In researching this I found I needed to expose my web site’s real public IP, turn off CF proxy, and secure the site with an SSL cert.

I would prefer to use Cloudflare proxy but need to ensure mail send is successful.

Thanks,
Steve

Using your webserver as a mailserver has always been a less than ideal configuration. Best practices would employ a transactional email service such as Mailgun, Postmark, or Sendgrid, etc. in order to avoid the risk and complication caused by using your webserver as a mailserver.

The proxy settings that you indicate are required to send email are actually those necessary to receive email. Outbound email will always originate from your mailserver IP regardless of proxy status unless you are using Cloudflare Spectrum on an Enterprise subscription to proxy your SMTP traffic.

You should be doing this for all hostnames regardless of proxy status. Failure to do so will result in unencrypted traffic being exposed between Cloudflare and your server.

I strongly recommend using a transactional ESP to send email from your webserver.

Agreed on the securing with certs. Prior to exposing the public IP I was using CF to handle my certs, via edge certs and origin certs. I abandoned that and began using cert directly on my URLs.

Yes, we looked at Mailgun, but it's a cost thing. We use Plesk and it leverages Postfix as a simple SMTP server, which then goes outbound. The other thing we found is that SPF and DKIM had to be tweaked also, which is also where I think having the real public IP is important.

Mailgun is not the only transactional ESP, although they are who I prefer. Depending on the volume you need, you can find free options as well as ones that are priced less than the lowest Mailgun subscription tier.

Your SPF record always needs to contain the IP of the relay host, so yes, it will expose your webserver IP if you are using your webserver as your mailserver. I see that as another reason not to use your webserver as your mailserver. :man_shrugging: