Cloudflare Proxy vs SFP Records

Hello all,

Currently I have a couple of SPF records, one for our internal mail server(O365) and then a couple others for our application that sends mail out automatically. Each SPF record is pointing to the corresponding A record. Presently my A records point back to the real IPs but I am proxying them through Cloudflare. If I turn off the proxy does this impact my full strict setup TLS setup for application access?


You can only have one SPF record per label. This means that you can have one at and you have another at If you add more than one SPF record at a specific name, it invalidates all SPF at that label.

You cannot use the Cloudflare proxy with email services by default. Proxying arbitrary TCP requires an Enterprise agreement. This means that your email hostnames must be :grey: DNS Only.

I now understand that but if i change some A tecords to DNS only will it also invalidate the full strict TLS setting for those same A records?

Full (strict) means the connections from the Cloudflare proxy to your origin server require either a valid public certificate or a Cloudflare Origin CA certificate.

When set to :grey: DNS Only, your traffic does not pass through the Cloudflare proxy, so there is no traffic between the Cloudflare proxy and your origin server to be effected.

If you were using a Cloudflare Origin CA certificate, you will need to replace it with a valid public certificate.

We are using a public cert already, so this might be ok. Gotta check on that definitively. I guess i would turn off the TLS stuff if i go this way.

That is not advisable. Just leave it set to Full (strict). There really should be no other settings than Off and Full (strict). The others break encryption and are often the source of problems loading sites. As I already mentioned, :grey: DNS Only hostnames are unaffected by Cloudflare proxy settings as the do not route through the proxy.

Ahh yes…so once i change to DNS only i need a public cert for that A record. Got it!

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.