Cloudflare spf & email not working issue

Hi, so my website’s email system isn’t working; it was working fine before I added my website to Cloudflare. Now I’m not sure why this is happening. Are there any settings that I configured incorrectly?

Also, there’s a new notification that says “The number of lookups on your SPF record exceeds the allowed limit of 10. This will result in emails failing SPF authentication.” Then there’s a review option, but the problem is I don’t even understand what SPF is, how it reached its limit, how to fix it, or anything. I’ve tried to read some posts on this problem but couldn’t understand anything.

Please help me fix this; as my website is a forum site, it is necessary for me that my mail system starts working as soon as possible.


  1. Server log says it’s trying to connect to the apex domain instead of the ‘mail’ subdomain. If you can tell it to use the correct hostname for sending, that should fix it.
  2. SPF: I’m sure that’s an accurate assessment. I use this tool to help with my SPF records:
    https://dmarcian.com/spf-survey/?domain=coinfactos.com
2 Likes

The SPF has two includes that are not needed, as well as being essentially a no-op.

v=spf1 ip4:194.233.91.205 include:coinfactos.com include:www.coinfactos.com +all

The first include essentially creates a loop. The second include does not contain a txt record, so there is nothing to include.

The +all essentially says “everywhere is allowed to send email from this domain”. That is not generally what people want.

3 Likes
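An added example, not from the thread or from the dmarcian tool linked above, that statically lints an SPF record the way that tool flags this one: it counts the mechanisms that cost a DNS lookup against the RFC 7208 limit of 10, catches an include of the record’s own domain (the loop described above), and flags a `+all` terminal. The corrected record it compares against is this example’s own suggestion, and it does not resolve DNS, so an include pointing at a domain with no TXT record (the second include above) is not detected.

```python
import re

# Constructed copy of the record quoted in the thread and this example's
# corrected version (same ip4, loop includes dropped, +all replaced by -all).
BROKEN_SPF = "v=spf1 ip4:194.233.91.205 include:coinfactos.com include:www.coinfactos.com +all"
FIXED_SPF = "v=spf1 ip4:194.233.91.205 -all"

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lint_spf(domain, record):
    """Static check of an SPF record published at `domain`.

    Returns (lookup_count, problems). Nested includes are not followed,
    so each include counts as exactly one lookup here.
    """
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["record does not start with v=spf1"]

    lookups = 0
    for term in terms[1:]:
        # qualifier (+ - ~ ?), mechanism/modifier name, optional argument
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:=](.*))?$", term, re.I)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier, name, arg = m.group(1), m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect") and arg and arg.lower() == domain.lower():
            problems.append(f"{term} refers to the record's own domain (self-include loop)")
        if name == "all" and qualifier in ("", "+"):
            problems.append("'+all' authorizes every host on the Internet to send as this domain")
        if name == "ptr":
            problems.append("ptr is deprecated and slow; prefer ip4/ip6")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS} (permerror)")
    return lookups, problems


if __name__ == "__main__":
    for rec in (BROKEN_SPF, FIXED_SPF):
        count, probs = lint_spf("coinfactos.com", rec)
        print(f"{rec}\n  lookups={count} problems={probs}")
```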

My website is built on XenForo, which was the default system to send and receive mails; it didn’t create any problem with any SSL I was using before. Mainly what I’m trying to say is that I understand you are an expert but I’m not, so I don’t know or understand how I’m supposed to change it and tell it to use the subdomain.


I found this option. Do I have to change coinfactos.com:465 to mail.coinfactos.com:465?

I used your link to check SPF, but as I’m just a beginner I didn’t understand anything, sorry. Can you tell me what to do?

So should I just remove it?
Actually, I didn’t even create it; it was an auto-suggestion from Cloudflare and I just did what I was told to do.

Yes, you’ll have to change that…even though it says “Do not change”. Yours currently points to a Proxied (orange-cloud) hostname, and that won’t work.

I’m going to ask @eva2000 about this, as maybe he knows why Xenforo says to not change it.

1 Like

I did what you’ve asked me to do, but the problem is still there.

That’s a mail server issue. Try Port 587 instead.

Here’s the result of port 587:

This really is something you need to address with your host.

There’s a mail server at that hostname:

# telnet mail.coinfactos.com 587
Trying 194.233.91.205...
Connected to mail.coinfactos.com.
Escape character is '^]'.
220-server1.powerfulserver.xyz ESMTP Exim 4.94.2 #2 Sun, 13 Mar 2022 02:55:00 +0600 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.

But it doesn’t have an SSL certificate for your hostname:

# openssl s_client -tls1_2 -crlf -connect mail.coinfactos.com:587 -starttls smtp
CONNECTED(00000005)
depth=0 emailAddress = [email protected], CN = server1.powerfulserver.xyz
verify error:num=18:self signed certificate
verify return:1
depth=0 emailAddress = [email protected], CN = server1.powerfulserver.xyz
verify return:1
---
Certificate chain
 0 s:emailAddress = [email protected], CN = server1.powerfulserver.xyz
   i:emailAddress = [email protected], CN = server1.powerfulserver.xyz
---
Server certificate
subject=emailAddress = [email protected], CN = server1.powerfulserver.xyz

issuer=emailAddress = [email protected], CN = server1.powerfulserver.xyz

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1929 bytes and written 381 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 25DD59CDDBD5146B496BCAA8325930B066D0B86CD297FA727FAE84EA9B818C6F
    Session-ID-ctx: 
    Master-Key: 475A65DA224184D4DE31CC987A30118E8858FF90D87B2B172E1EA7AD53D60A6114AB90FB582E6F91F09BF65822359C45
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1647118375
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---

Maybe you should just try Port 25 with SSL disabled. Not a great solution, but that’s all you can do until your host fixes SSL on that server for your ‘mail’ hostname.

1 Like
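An added example, not from the thread, showing the check behind the openssl output above: a mail client upgrading with STARTTLS on port 587 verifies the server certificate against the hostname it was told to connect to, so a certificate whose only name is `server1.powerfulserver.xyz` fails for `mail.coinfactos.com` even before its self-signed status is considered. `starttls_verifies` performs the live check (it needs network access); `cert_names`/`hostname_matches` reproduce the name-matching rule offline on a constructed certificate dict in the shape `getpeercert()` returns.

```python
import smtplib
import ssl

# Constructed stand-in for the certificate the thread's openssl run printed:
# no subjectAltName, only a CN for the host's own name.
SERVER_CERT = {
    "subject": ((("emailAddress", "[redacted]"),), (("commonName", "server1.powerfulserver.xyz"),)),
}


def cert_names(cert):
    """Names a certificate is valid for: DNS SANs, or the CN when no DNS SANs exist."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for (k, v) in rdn if k == "commonName")
    return names


def hostname_matches(cert, hostname):
    """True if any certificate name matches `hostname` (single leftmost-label wildcard only)."""
    hostname = hostname.lower()
    for pattern in cert_names(cert):
        pattern = pattern.lower()
        if pattern.startswith("*."):
            labels = hostname.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]:
                return True
        elif pattern == hostname:
            return True
    return False


def starttls_verifies(host, port=587, timeout=10):
    """Live check: EHLO, STARTTLS, then verify chain and hostname like a mail client.

    Returns (ok, detail); detail is the verified subject or the failure reason.
    """
    ctx = ssl.create_default_context()  # verifies the chain AND check_hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            return True, smtp.sock.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate rejected: {e.verify_message}"
    except (smtplib.SMTPException, OSError) as e:
        return False, f"connection failed: {e}"
```

On the thread’s server this reports a rejected certificate; a fix on the host side (a certificate issued for `mail.coinfactos.com`, or a SAN for it on the existing one) is what makes it pass.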

Tried port 25 with SSL disabled.

If you’re wanting to hide your real server IP behind Cloudflare, I wouldn’t use your own mail server to send via SMTP as you’d leak your real server IP in mail headers and expose your real server IP even when behind Cloudflare Orange cloud proxy. Instead sign up for a 3rd party transactional SMTP provider like Amazon SES, ElasticEmail or Pepipost/Netcore Email as these 3 providers strip your origins server IP from mail headers to prevent you leaking your real origin IP.

2 Likes

I don’t have cards, and even if I had, I don’t want to use any paid email service right now. Is there any other way I can fix this problem?

OK, port 25 with SSL disabled is working fine right now.


What changes should I make to fix this?

Problems are mainly on the server/web host side, so nothing to do with the Cloudflare side, as @sdayman outlined in the post at Cloudflare spf & email not working issue - #10 by sdayman.

2 Likes
