Cloudflare spf & email not working issue

Hi, so my website’s email system isn’t working, which was working fine before I added my website to Cloudflare. Now I’m not sure why this is happening; are there any settings that I configured incorrectly?

Also, there’s a new notification that says “The number of lookups on your SPF record exceeds the allowed limit of 10. This will result in emails failing SPF authentication.” & then there’s a review option, but the problem is I don’t even understand what SPF is, how it reached its limit, how to fix it, or anything. I’ve tried to read some posts on this problem but couldn’t understand anything.

Please help me fix this; as my website is a forum site, it is necessary for me that my mail system starts working as soon as possible.

  1. Server log says it’s trying to connect to the apex domain instead of the ‘mail’ subdomain. If you can tell it to use the correct hostname for sending, that should fix it.
  2. SPF: I’m sure that’s an accurate assessment. I use this tool to help with my SPF records:

The SPF has two includes that are not needed, as well as being essentially a no-op.

v=spf1 ip4: +all

The first include essentially creates a loop. The second include does not contain a txt record, so there is nothing to include.

The +all essentially says “everywhere is allowed to send email from this domain”. That is not generally what people want.
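An added example, not from this thread or from the SPF tool linked above, showing how the three problems just listed and the 10-lookup limit are detected: it parses a constructed set of TXT records (placeholder domains, not live DNS), counts the lookup-type terms per RFC 7208, and flags a self-include, an include with no record, and a permissive +all.

```python
import re

# Constructed sample zone (not real DNS data): TXT records keyed by name.
# example.com mirrors the record criticised above: an include pointing back
# at itself, an include with no TXT record, and a trailing +all.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:example.com "
                   "include:nonexistent.example +all",
    "nonexistent.example": None,  # domain exists, no TXT record
    "_spf.mailer.example": "v=spf1 a mx include:deep.mailer.example -all",
    "deep.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
# Terms that cost one DNS lookup each (RFC 7208 section 4.6.4, limit 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.*?))?(?:/\d+)?$")

def check_spf(domain, zone, path=()):
    """Return (dns_lookups, findings), following include:/redirect= targets."""
    findings = []
    if domain in path:
        findings.append(f"loop: {domain} includes itself via {' -> '.join(path)}")
        return 0, findings
    record = zone.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        findings.append(f"no SPF record at {domain}: nothing to include")
        return 0, findings
    lookups = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            findings.append(f"unparseable term {term!r} at {domain}")
            continue
        qualifier, name, target = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all" and qualifier in "+?":
            findings.append(f"{qualifier}all at {domain}: any host may send as this domain")
        if name in LOOKUP_TERMS:
            lookups += 1  # counted even when the target turns out to be broken
        if name in ("include", "redirect") and target:
            sub_lookups, sub_findings = check_spf(target, zone, path + (domain,))
            lookups += sub_lookups
            findings.extend(sub_findings)
    return lookups, findings

def spf_report(domain, zone=ZONE):
    """Total lookups plus a warning when the RFC 7208 limit of 10 is exceeded."""
    lookups, findings = check_spf(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the allowed limit of 10")
    return lookups, findings
```

Run `spf_report("example.com")` to see the loop, the empty include and the +all reported; a record with more than ten include/a/mx/ptr/exists/redirect terms in total trips the limit warning.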


My website is built on XenForo, which was the default system to send & receive mails; it didn’t create any problem with any SSL I was using before. Mainly what I’m trying to say is that I understand you are an expert but I’m not, so I don’t know or understand how I’m supposed to change it & tell it to use the subdomain.

I found this option; do I have to change it to ?

I used your link to check SPF, but as I’m just a beginner I didn’t understand anything, sorry. Can you tell me what to do?

So should I just remove it?
Actually, I didn’t even create it; it was an auto suggestion from Cloudflare & I just did what I was told to do.

Yes, you’ll have to change that…even though it says “Do not change”. Yours currently points to an orange-cloud Proxied hostname, and that won’t work.

I’m going to ask @eva2000 about this, as maybe he knows why Xenforo says to not change it.

I did what you’ve asked me to do, but the problem is still there.

That’s a mail server issue. Try Port 587 instead.

Here’s the result of port 587

This really is something you need to address with your host.

There’s a mail server at that hostname:

# telnet 587
Connected to
Escape character is '^]'. ESMTP Exim 4.94.2 #2 Sun, 13 Mar 2022 02:55:00 +0600 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.

But it doesn’t have an SSL certificate for your hostname:

# openssl s_client -tls1_2 -crlf -connect -starttls smtp
depth=0 emailAddress = [email protected], CN =
verify error:num=18:self signed certificate
verify return:1
depth=0 emailAddress = [email protected], CN =
verify return:1
Certificate chain
 0 s:emailAddress = [email protected], CN =
   i:emailAddress = [email protected], CN =
Server certificate
subject=emailAddress = [email protected], CN =

issuer=emailAddress = [email protected], CN =

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 1929 bytes and written 381 bytes
Verification error: self signed certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 25DD59CDDBD5146B496BCAA8325930B066D0B86CD297FA727FAE84EA9B818C6F
    Master-Key: 475A65DA224184D4DE31CC987A30118E8858FF90D87B2B172E1EA7AD53D60A6114AB90FB582E6F91F09BF65822359C45
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1647118375
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no

Maybe you should just try Port 25 with SSL disabled. Not a great solution, but that’s all you can do until your host fixes SSL on that server for your ‘mail’ hostname.

Tried port 25 with SSL disabled

If you’re wanting to hide your real server IP behind Cloudflare, I wouldn’t use your own mail server to send via SMTP, as you’d leak your real server IP in mail headers and expose your real server IP even when behind the Cloudflare orange-cloud proxy. Instead, sign up for a 3rd-party transactional SMTP provider like Amazon SES, ElasticEmail or Pepipost/Netcore Email, as these 3 providers strip your origin server IP from mail headers to prevent you leaking your real origin IP.


I don’t have cards, & even if I had, I don’t want to use any paid email service right now. Is there any other way I can fix this problem?

OK, port 25 with SSL disabled is working fine right now.

What changes should I make to fix this?

Problems are mainly on the server/web host side, so nothing to do with the Cloudflare side, as @sdayman outlined in the post at Cloudflare spf & email not working issue - #10 by sdayman


