DNS, SPF, DKIM / Subdomain Proxy Issue

First off, thanks in advance to anyone who responds to this following challenge. Since setting up on Cloudflare, I’ve noticed deliverability issues for email meant to be sent from my origin server (on AWS EC2). The issue appears to be that my SPF and DKIM records aren’t passing DMARC tests. I’ve set my DMARC record to a relaxed setting to ensure that email coming from a subdomain (i.e. my AWS/EC2 server hostname) passes, but for some reason, when I do SPF/DKIM record tests (available from several websites) by typing in my domain, the SPF and DKIM records don’t get pulled up. When I run the same SPF/DKIM tests on my subdomain (i.e. the EC2 hostname), the SPF/DKIM records do get pulled up and they pass…Does this sound like a Cloudflare configuration issue where I’ve set this subdomain on Cloudflare to DNS only (as opposed to being proxied by Cloudflare)?

That’s completely DNS, regardless of the proxy status. What’s the complete subdomain?

For testing, I use dmarcian.com and https://www.mail-tester.com/


Most likely not. Unless you are using a CNAME that lets another host manage the domain key for you (like AWS SES does), your regular A records for your web server being proxied don’t matter in resolving DKIM, SPF, and DMARC, which are all just TXT records.

Make sure you do have an SPF record at the root of your domain. Having an SPF record at server1.example.com will apply it when sending an email with an address field of [email protected]. The record should be at the root so that it applies when sending email with an address at the root domain.


Tks for the quick response! The reason I had adjusted my SPF and DKIM records to the subdomain format (e.g. server1.example.com) is b/c of the suggestion within my WHM (Home > Email > Email Deliverability). Keep in mind that when I set up my WHM/cPanel, I had to choose a hostname. The setup process indicated a hostname requirement to include a subdomain…I actually previously had just example.com as the “name” of my SPF record, but was still seeing email deliverability issues flagged within my cPanel’s Delivery Report.

I’ve now changed my SPF/DKIM records back to the way they originally were - without the subdomain.

I think the original culprit was I didn’t have an MX record w/ my domain (e.g. example.com) as the name, and the content value including my subdomain (e.g. subdomain.example.com). I’ve since added this, and also have an A record w/ name equal to subdomain, and the content my origin server IP address. This A record is set to DNS only in Cloudflare. The SPF/DKIM tests (using just my root domain) now go through fine on 4 or 5 different test sites!

Cheers Sdayman. My subdomain is whmlogin.tradablepatterns.com.

I’ve just made a few updates to my DNS records as per my response to Judge.

Much appreciated on those SPF/DKIM test links. Yesterday, when running my subdomain through similar sites, the SPF/DKIM tests went through fine, as I had my SPF and DKIM records incorporate my subdomain (as opposed to my root domain). I’ve just made changes to the SPF/DKIM back to incorporating only my root domain, w/ a 2 min TTL, so the SPF/DKIM tests using just my domain now should pass fine.

One other note: you’ll probably want to drop the `a` clause from your SPF record; it will only return Cloudflare’s servers, which do not send mail.

I would also recommend dropping `mx`, since you seem to be using protection.outlook.com, which also does not send mail. Instead, I would just list the specific IPs that you use, or include records as supplied by your provider.

One other thought, your MX record is a bit weird. Are you intending mail to have a 50/50 shot at going to whmlogin and/or outlook.com? If so, that’s okay, but normally when using a hosted provider all mail goes through them (or it all goes to your filtering appliance or similar).
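To make the two points above concrete (SPF is looked up at the envelope-from domain, so a record at a subdomain does nothing for root-domain addresses, and `a`/`mx` mechanisms are only useful when those hosts actually send mail), here is an added example that is not from this thread or from Cloudflare. The zone data is constructed, and the organizational-domain logic is simplified (real DMARC uses the Public Suffix List).

```python
# Added example: a minimal model of SPF lookup, DMARC identifier alignment and
# a lint of SPF mechanisms. Zone data below is constructed, not a real domain.
ZONE = {
    "example.com": "v=spf1 a mx include:spf.protection.outlook.com ip4:203.0.113.10 -all",
    "whmlogin.example.com": "v=spf1 ip4:203.0.113.10 -all",
}

def spf_record(zone, mail_from_domain):
    """SPF is fetched for the envelope-from (MAIL FROM) domain only."""
    return zone.get(mail_from_domain)

def organizational_domain(name):
    # Simplified: last two labels. The real rule consults the Public Suffix List.
    return ".".join(name.split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts a subdomain of the same organizational domain."""
    if mode == "s":
        return header_from == auth_domain
    return organizational_domain(header_from) == organizational_domain(auth_domain)

def review_spf(record):
    """Flag 'a' and 'mx' mechanisms, which resolve to hosts that often do not
    send mail (a proxied web IP, or inbound-only MX hosts at a hosted filter)."""
    notes = []
    for mech in record.split()[1:]:          # skip the 'v=spf1' version tag
        m = mech.lstrip("+-~?")              # strip qualifier
        if m == "a":
            notes.append("'a' resolves to the (proxied) web address, which sends no mail")
        elif m == "mx":
            notes.append("'mx' points at inbound mail hosts, not at your sending server")
    return notes

def evaluate(zone, header_from, mail_from, aspf="r"):
    """Return whether an SPF record exists for MAIL FROM, whether it would
    align with the From: header under the given aspf mode, and lint notes."""
    rec = spf_record(zone, mail_from)
    return {
        "spf_record_found": rec is not None,
        "aligned": aligned(header_from, mail_from, aspf),
        "notes": review_spf(rec) if rec else [],
    }

if __name__ == "__main__":
    print(evaluate(ZONE, "example.com", "example.com"))
    print(evaluate(ZONE, "example.com", "whmlogin.example.com", aspf="s"))
```

Run with only the subdomain record present to see the original symptom: mail from `user@example.com` finds no SPF record at all, regardless of proxy status.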


tks Dave!
I’ve just gotten rid of the `a` clause along w/ the `mx`.

The +include:spf.protection.outlook.com was something I was asked to add into my SPF when I purchased an Office 365 / email service from Godaddy. Godaddy still provides me 5 email addresses, and handles the emails for those email addresses.

Regarding whmlogin, that’s my server’s hostname that I created when setting up WHM/cPanel (w/ AWS EC2 and not with Godaddy). As my website hosted on this server sends out emails to those who register on my website, I’ve created an MX record pointing to this subdomain. Am I missing something here?

Any ideas on what might be misconfigured are much appreciated.
