Cloudflare DMARC: Set it up to be compatible with GOOGLE!

DMARC is a completely unecessary time consuming monster full of all sorts of ridiculous traps. Cloudflare has an automatic DMARC configurator, but its not compatible with Gmail. SET THIS UP SO IT IS CLOUDFLARE, noone has time to be bothered clicking buttons and checking and testing nonsense things like this for no reason. Just make it work from the outset!

Could you post your DMARC record, and explain why it is “not compatible with Gmail”.

Nothing prevents you from /not/ using DMARC, or from configuring your own DMARC record as you want.

It is very well compatible with everything, … that is compatible with DMARC:

That may not actually be possible, for you, due to Gmail limitations.

The way you explain your stuff, it sounds like you’re working with a free address, and trying the “Send as” trick that is widely shared around.

That “Send as” thing from Gmail is supposed to have an external SMTP server, not to use the address as the workaround tries to do.

On 2022-02-15 14:51 CET, I shared this on the Cloudflare Developers Discord:


I also provided a similar explanation to the situation, on the Cloudflare Community, over here:

Some people say assumptions is the mother of all … mistakes, -

Mind if I ask: Did you by any chance assume that the widely shared Gmail “Send as” trick, … would be working flawlessly for you?

The FREE Gmail does not provide the proper domain authentication for custom domains with that trick, which is mandatory for DMARC. You will need the paid Google Workspace for that.


I’m talking about sending to Gmail from my server using Cloudflare. I’m NOT talking about sending from Gmail to Gmail. And if I click CloudFlares auto dmarc config it does NOT work for sending to Gmail, Google replies saying Dmarc is not configured properly. The way this right now, I have absolutely no way to send email to Gmail despite setting spf, dmarc dkim up “properly (Cloudflare auto config)”.

When I use Cpanel to check for problems it seems to says that Cloudflare is acting as the server lookup instead of my IP.

CPANEL MESSAGE (contains actual names not the ones I put here)
"The system uses an alternate HELO of “my server name” when sending mail from the “domain” domain.

The system sends the domain “server name” in the SMTP handshake for this domain’s email. “my server name” resolves to “Cloudflare IP 1” and “Cloudflare IP 2”, not “my server IP address”.

To fix this problem, contact your system administrator and request that they create a DNS “A” record for “my server name” whose value is “my server IP address”.

Now, Under the servers name on Cloudflare I already have an A record for the the server name pointing to my IP address so it should NOT be happening that cloudflare is acting as my reverse DNS lookup

Don’t see any indication in the error message that Cloudflare is providing a reverse lookup. But it does appear that you have this record set to be proxied and it should not be.



The one that you say you have an A record for and Cloudflare is returning the ‘wrong’ IP address.


Ok well that permitted delivery to gmail thank you. However, now the server access is not secured by cloudflare and server IP is exposed.

Right. Cloudflare doesn’t provide outbound mail service. Receiving MTAs want to validate that the server connecting to send mail is who it says it is and is authorized so it needs to know the name / IP of the server matches when it connects.


yep understood. It seems I have to make a choice between having the server be email compliant since the server will bypass Cloudflare and handle everything to do with email… OR I have to expose the server IP/ insecure access. I seems I cant do both unless the server has its own cert.? Am I right?

That’s really a question for a different forum. But there is no way to obfuscate the IP address of a sending MTA, even if Google did accept the email while proxied, the sending MTA would have its IP address in the mail headers.

If you run mail on the same server as a website that server’s IP address will leak, even if you are using a specific unique hostname for the sending MTA while proxying other hostnames to the same origin.


OK so I guess the only possible two solutions ( if I did not want to expose the IP) would be to either send email via an API or that cloudflare handled the mail, which it doesnt.

Anyway, thanks, that helped, not an ideal solution, but the only one the technology currently provides for. Probably I will send via an API but for now im doing it this way. Thanks man.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.