DNS for DMARC the SPF and DKIM still point to IP address

My email currently works, but since Google will require DMARC I used Cloudflare to set that up. I noticed my TXT files show my IP address to my host.

Will this be a security issue and should I fix it?

The SPF record needs to give the IP address of any server that sends email for your domain. You can’t hide it directly.

The only way to “hide” it if it’s an IP address of your server is to use another service that can forward email on for you, and publish their SPF data instead. The IP address may also be exposed in MX records, in which case you’ll need a service to receive mail for you.

If the IP address of your mail server is the same as your web server, it will expose an IP address that you may want to keep proxied behind Cloudflare. Again, other than moving the mail server to another IP address, nothing can be done to hide it. Publishing a proxied IP address can allow direct access to your server, bypassing the Cloudflare proxy. Set your firewall to allow only Cloudflare IP addresses access to your web server.


Thank you for your reply. I’m not sure I totally comprehend it, sorry.

I am also not sure I was clear so I’ll write again.

I had email on my hosting but then Cloudflare said my MX record exposed my IP address.

So I set up Google Workspace to send my email through there instead.

I updated my MX record so it shows only as Google now.

Now I set up DMARC because Google wants me to but I see my SPF record still shows the hosting IP address, and I don’t fully understand what the DKIM record says.

My question is do I update the SPF and DKIM records to reflect only the Google Workspace, because now I have the third party app and not the hosting account sending the emails.

DMARC was showing errors for the set up, and Google Workspace showed my DKIM needs work.

I’m very new to all this.

I do plan on sending a newsletter through my email and possibly using converter kit to do that. Will converter kit need to be added to the records?

Also I’m on the free version so I don’t think I have a firewall…

An SPF record is a list of all the email services that you want to use, and you can only have one SPF record. So if you want to use both Google Workspace and Converter Kit, both of them need to be in your SPF record.

DKIM is different. Every service you use has its own DKIM record, and you can add as many as you need.
So you need to add the DKIM record that Google Workspace (and Converter Kit) is giving you during their setup process.

DMARC is like SPF in that you can only have one. But unlike SPF, you don’t need to have every email service you use represented in it. Just use the DMARC record that Google Workspace tells you to use.


Hello,

Thank you, that clarifies the process a lot. So in this case I should remove the SPF record for the old IP address since the email is being handled by a third party now which is Google Workspace and not by RoundCube at my hosting site.

So in this case I should remove the SPF record for the old IP address since the email is being handled by […] Google […] not RoundCube.

If you have multiple SPF records, only one can be used. If RoundCube’s record is separate from Google’s, then remove it.

If you have only one SPF record which has everything else, including RoundCube’s IP, then simply remove RoundCube’s include: entry.

If Google is your only email service that you send mail from, then your SPF record should be:
v=spf1 include:_spf.google.com ~all

(per Add your SPF record at your domain provider - Google Workspace Admin Help)

If you are sending mail from Google and another provider, you need to also add that provider into the SPF record. For example, Google and Microsoft:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

If you delete the SPF record entirely, all mail you send will be blocked or sent to Junk by every person’s email provider you send to.

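A way to check the cleanup discussed in this thread, as an added example that is not part of any post: a Python audit that takes a domain's TXT record strings and the include: targets you actually send through, then reports leftover literal IPs, duplicate SPF records and missing providers. The function name, report keys and sample records are assumptions constructed for illustration; it runs offline and does not resolve nested includes.

```python
import ipaddress

LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # one DNS lookup each

def audit_spf(txt_records, expected_includes):
    """Compare a domain's TXT records with the include: targets the owner actually uses."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    report = {"records": len(spf), "literal_ips": [], "unexpected": [], "missing": [], "problems": []}
    if not spf:
        report["problems"].append("no SPF record published")
    elif len(spf) > 1:
        report["problems"].append("multiple SPF records (receivers return permerror)")
    seen, lookups, all_qualifier = set(), 0, None
    for term in (t for r in spf for t in r.split()[1:]):
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        sep = "=" if "=" in body.split(":")[0] else ":"   # modifiers use '=', mechanisms ':'
        name, _, value = body.partition(sep)
        name = name.split("/")[0].lower()                  # drop CIDR suffix as in "a/24"
        lookups += name in LOOKUP_TERMS                    # top-level terms only
        if name in ("ip4", "ip6"):                         # address visible to anyone who queries DNS
            try:
                report["literal_ips"].append(str(ipaddress.ip_network(value, strict=False)))
            except ValueError:
                report["problems"].append(f"malformed address in {term!r}")
        elif name == "include":
            seen.add(value.lower())
        elif name == "all":
            all_qualifier = qualifier
    expected = {d.lower() for d in expected_includes}
    report["unexpected"] = sorted(seen - expected)
    report["missing"] = sorted(expected - seen)
    if len(spf) == 1 and lookups > 10:
        report["problems"].append(f"{lookups} DNS-lookup terms (RFC 7208 limit is 10)")
    if all_qualifier in ("+", "?"):
        report["problems"].append("'all' term does not restrict senders")
    return report

# Constructed sample data (203.0.113.10 is a documentation address, not a real host).
STALE = ["v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all", "site-verification=constructed"]
SPLIT = ["v=spf1 ip4:203.0.113.10 ~all", "v=spf1 include:_spf.google.com ~all"]
CLEAN = ["v=spf1 include:_spf.google.com ~all"]

if __name__ == "__main__":
    for label, records in (("stale", STALE), ("split", SPLIT), ("clean", CLEAN)):
        print(label, audit_spf(records, {"_spf.google.com"}))
```

A non-empty `literal_ips` list after moving all sending to a hosted provider is the leftover hosting address the original poster noticed.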
