Issue with MX record showing warning message

What is the name of the domain?

example.com

What is the issue you’re encountering

This record exposes the IP address used in the CNAME record

What feature, service or problem is this related to?

Mail records

What are the steps to reproduce the issue?

It took me 10 times to post something here, and how on earth can I describe my concern when it keeps on coming up "cannot post links".

This is an add on to my message above to help explain what is happening, thanks in advance for your help.

I have set my MX record with Cloudflare to what cPanel wants using mail dot domain dot com (can't post any links in this help chat) and I get this message: This record exposes the IP address used in the CNAME record on mail dot domain dot com, which you have proxied through Cloudflare. It comes up as a triangle and when I hover over, it says that. If I use my main server hostname in the MX field, the message goes away and all works. I am just not sure I should be doing that, as mail dot domain dot com is what I had set in my Outlook and what cPanel recommends to use for mail server.

If everything was set up and working, I have read in several places that it should not have to be changed in your mail clients like Outlook etc., as Cloudflare should use the same settings as what you have on your cPanel server. I cannot get the emails to work using this method and I really don't want to use the hostname, as that means I would need to contact a lot of people to change their mail client server settings, and this should not be the case.

Proxied (:orange:) records will proxy HTTP (website) traffic through Cloudflare, it cannot proxy SMTP (email) traffic, or other non-HTTP traffic.

You will always be exposing the IP address(es) of your inbound mail servers (through the target of your MX records), just as you will with the outbound mail servers (typically through your SPF record, but also to the recipients of your emails, while sending messages).

The warning you see is therefore to be expected, especially if you run your mail server and web server on the same machine.

Options are:

  1. Ignore the warning, and do nothing.

  2. Ignore the warning, and move things around, so that mail server and web server are on two separate machines (and IP addresses).

This one sounds like you have some incorrect DNS configuration, as you cannot point MX or NS records towards DNS names that are a CNAME to another destination.

I would therefore suggest that you go through your DNS configuration, and verify that it is following the DNS specifications.

If your MX record points to mail.example.com, you have to make sure that the record for mail remains Unproxied (:grey:) / DNS-only.

1 Like

This is normal if your mail server is on the same IP address as your webserver. By proxying your web server, the IP address is hidden, but since Cloudflare does not proxy for mail, the MX record will give away the IP address.

You can ignore the warning as there’s nothing you can do unless you move the mail server to another IP address.

1 Like

So if I set it to mail.mydomain.com for the MX portion, this will cause no concerns?

What DNS needs to be proxied and what can be set just to DNS only?

When I transfer over the initial DNS when setting up a new domain name, the MX record shows in cPanel as domain.com only. Should I leave it as what Cloudflare extracts from cPanel, or change it to mail dot domain dot com?

Sorry, spelling errors. I type fast and cannot seem to edit the last post :slight_smile:

Thank you for your reply. How accurate is the default transfer from server to Cloudflare for all DNS settings if the email works perfectly and all is OK before going over to Cloudflare? Is there anything I should change here from the default import of DNS records? The MX I noticed in cPanel refers to domain.com ONLY and not mail dot domain dot com; however, when setting up Outlook and other email clients, I use mail.domain.com as suggested by cPanel. I guess what I am asking is: do I just keep the setting Cloudflare imports from my cPanel DNS, or should I change the MX portion to reflect what cPanel suggests for email clients like Outlook, using the mail dot domain dot com? (cannot post more than 4 links)

When I connect to Outlook, I am using mail.domain.com and all works great! When I add my website to Cloudflare, Outlook comes back with the error "we couldn't connect to your IMAP server settings". In the DNS for Cloudflare for my MX, I use mail.domain.com for the server settings.

Any help would be greatly appreciated.

Just a note that if I use the server hostname in the MX field, there are no warnings and all works great. The only issue is that all email addresses added to Outlook need the settings changed from mail.domain2.com to server.domain1.com (address of main domain server hostname).

Is this an OK setting without causing issues, instead of using the mail.domain.com I previously had set up in Outlook?

It seems like you’ve been mentioning multiple example domains, apparently in the order of:

  1. example.com.
  2. Mix of mydomain.com and domain.com.
  3. Mix of domain1.com and domain2.com.

Mixing between multiple arbitrary domains in your examples may add confusion to the debate.

Can you share the real domains, so it’s possible to see what you’re talking about, and how it’s currently set up?

It depends on the concerns you have.

Regardless of what you do, you cannot avoid exposing the IP address(es) of your mail server(s).

  1. The DNS name(s) you point your MX record(s) to.

  2. The DNS name(s) you use for the mail server settings in your email client(s).

Sounds like your DNS record named “mail” (in the zone for “domain.com”) is set to Proxied (:orange:), and would need to be adjusted to Unproxied (:grey:) / DNS-only.

You’re also mentioning two different domains (“zones”), which won’t carry the warning along.

In other words, when you’re looking in the zone for “example.COM”, you won’t see any warnings for DNS record(s) that are related to the “example.NET” domain, as such a warning would belong to a different zone.

You have changed some DNS names, so if your server is not configured to present a certificate matching that new DNS name, your email client(s) may refuse to connect to the IMAP server.

It’s tough to work with example domains, especially when multiple arbitrary, and different ones of them are being mentioned.

1 Like

OK here is the scenario and thank you also for your help so far, I really appreciate it as I really would like to use Cloudflare. I am not going to use real domains here, but the below should give you exactly what is going on and what I am doing.

I use cPanel; the hostname for that server is server1971.canadawebservice.ca. On that server, I set up a website and email and used the domain name steveswebsite.com. When I add the email to Outlook, cPanel suggests I use mail.steveswebsite.com for incoming and outgoing and all works great. When I changed over to Cloudflare, for the MX records I used mail dot steveswebsite dot com, and when I check email in Outlook, it comes back with an SMTP error. However, if I add the hostname above to the MX record in Cloudflare and then change this setting for incoming and outgoing in Outlook to the hostname as well, my email works.

I was hoping that if I switch over to Cloudflare I would not have to change any email settings in Outlook, as this would kinda get my clients upset. I was hoping that I would be able to continue to use the format mail dot domain dot com and not have to change to the server's hostname.

Maybe I should ask this question:
If I switch to Cloudflare, should I have to change any email setting in Outlook if email was set up using cPanel settings and working great before?

If you move canadawebservice.example to Cloudflare, keep the DNS record for “server1971” (equal to the fully-qualified domain name “server1971.canadawebservice.example”) set to Unproxied (:grey:) / DNS-only.

That could be Outlook; some email clients will try typical mail server names, such as e.g. mail.steveswebsite.example, imap.steveswebsite.example, pop.steveswebsite.example, pop3.steveswebsite.example, and so forth, if it is unable to determine its configuration automatically.

Outlook may therefore be stopping at mail.steveswebsite.example, because it sees that this specific server name works fine.

If you move steveswebsite.example to Cloudflare, keep the DNS record for “mail” (equal to the fully-qualified domain name “mail.steveswebsite.example”) set to Unproxied (:grey:) / DNS-only.

I would recommend you to use a server name on the hosting provider’s domain name, and not one on each individual customer’s domain name.

Pointing all your customers towards something like “server1971.canadawebservice.example”, or “imap.canadawebservice.example” would mean that you would be able to change the IP address(es) for the given host name, when using one of your own organisation’s domain names.

You wouldn’t always have that operational benefit when using the individual customer’s domain name, such as e.g. “mail.steveswebsite.example”, which would mean that some customers, such as e.g. Steve, would get mad at you, when you perform changes to your infrastructure.

The best practice is to use the hosting provider’s domain name, for accessing services operated by that hosting provider.

If your customer is onboarding their domain to Google Workspace, they would be using imap.gmail.com for IMAP, or smtp.gmail.com for SMTP traffic.

If your customer is onboarding their domain to Microsoft’s Office 365, they would similarly be using outlook.office365.com for IMAP, or smtp.office365.com for SMTP traffic.


If “mail.steveswebsite.example” was to be used for Google Workspace or Microsoft Office 365, Steve would be seeing a certificate alert when connecting, because neither of those organisations would be able to maintain an individual certificate for each customer’s own domain name, on their servers, that easily.

They can however maintain encryption certificates easily, when the DNS name being used is below one of their own domain names.

Can you share that exact error?

Perhaps a screenshot?

I’m wondering if you’re maybe misinterpreting the error as being an SMTP error, while in theory it may be a certificate error, similar to the example mentioned above?

That said, -

Note: In my response, you will see that I have changed your domains to be on the “.EXAMPLE” TLD, rather than the “.CA” or “.COM” you used, as these domains you mentioned already exist, and sound to be held by someone else.

Domains like e.g. example.com, example.net and example.org are standardized as example domains, such as for use in e.g. documentation, and, like in your case if you are not actually sharing a real domain name.

If you need another TLD to use in examples, arbitrary domains can be shared under “.test”, “.example”, “.invalid”, and/or “.localhost”.

1 Like
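The certificate point made in the reply above (a server presenting a certificate for the hosting provider's own name will trip a warning when the client connects to `mail.<customer domain>`) comes down to how mail clients match the connected-to hostname against the certificate's Subject Alternative Names. The following is an added example written for this thread, not code from Cloudflare, cPanel or any poster: it reimplements the dNSName matching rule (RFC 6125 section 6.4.3, wildcard only as the whole leftmost label) on a constructed SAN list for the provider's server. The SAN list and the assumption that Outlook applies the same rule as Python's `ssl` module are mine.

```python
"""Why "mail.steveswebsite.example" triggers a certificate prompt.

Added example, not from the thread. Clients check the name they connected
to against the certificate's Subject Alternative Names; this reimplements
that matching rule (RFC 6125 section 6.4.3) on a constructed SAN list.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN dNSName pattern covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, a bare "*.tld" is
    # rejected, and "*" stands for exactly one label (never zero or two).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(san_dns_names: list[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


# Constructed SAN list for the hosting provider's mail server certificate
# (assumption: the provider issues a cert for its own names only).
SERVER_CERT_SANS = [
    "server1971.canadawebservice.example",
    "*.canadawebservice.example",
]


def explain(hostname: str, sans: list[str] = SERVER_CERT_SANS) -> str:
    """One-line verdict a support engineer could paste back to the customer."""
    if cert_covers_host(sans, hostname):
        return f"{hostname}: OK, certificate covers this name"
    return (f"{hostname}: MISMATCH, client will warn or refuse to connect; "
            f"use a name the certificate covers ({', '.join(sans)})")


if __name__ == "__main__":
    for name in ("mail.steveswebsite.example",
                 "server1971.canadawebservice.example",
                 "imap.canadawebservice.example",
                 "canadawebservice.example"):
        print(explain(name))
```

The customer-domain name fails even though the server is reachable and the DNS is correct, while both the exact provider name and the wildcard-covered `imap.canadawebservice.example` pass, which is the operational argument for pointing clients at a name under the provider's own domain.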

I turned off all proxying except for the CNAME www and the main A record. Is this correct? The error in Outlook went away and I am using the Outlook incoming and outgoing server setting mail.example.com, as set in the Cloudflare MX records.

Should WHM or anything else be proxied? I think it's because I turned on DNS only for cPanel. Not sure here as I am very new to Cloudflare and I know email works now. If I missed something, please let me know, and thank you so much for all your help.

DNS records of the types MX and NS records cannot be pointed towards a CNAME, according to the DNS specifications.

You should therefore drop the first CNAME, for the mail record, and add a direct AAAA (IPv6) and/or A (IPv4) record instead.

If the individual record is relying solely on HTTP traffic, I can’t see why it wouldn’t work as Proxied (:orange:).

“autoconfig” is Mozilla Thunderbird’s way of automatically configuring the email client, with the least amount of manual work needed. With a proper set up of both your own server and the Cloudflare configuration, I can’t see any reasons why that one shouldn’t work with Proxied (:orange:) enabled.

“ftp” must however be kept on Unproxied (:grey:) / DNS-only.

1 Like
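The two checks the replies keep coming back to (an MX or NS target must not be a CNAME, per RFC 2181 section 10.3, and must not be a proxied record, since Cloudflare does not proxy SMTP) plus the expected "exposes the IP address" warning can be linted offline. The script below is an added example for this thread, not Cloudflare's code or the poster's actual zone; the record sets are constructed from the thread's `.example` names and the documentation address 192.0.2.10, and the ERROR/NOTE severities are my own labels.

```python
"""DNS zone linter for the problems discussed in this thread.

Added example, not Cloudflare's code or the poster's real zone. Record
sets are constructed from the thread's ".example" names and a
documentation IP (192.0.2.10).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str              # relative name; "@" is the zone apex
    rtype: str             # "A", "AAAA", "CNAME", "MX" or "NS"
    content: str           # IP, target host, or "<priority> <host>" for MX
    proxied: bool = False  # Cloudflare "orange cloud" on/off


def _target(rec: Record) -> str:
    """Hostname an MX/NS/CNAME record points at, lower-cased, no trailing dot."""
    host = rec.content.split()[-1] if rec.rtype == "MX" else rec.content
    return host.lower().rstrip(".")


def lint_zone(zone: str, records: list[Record]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one zone.

    ERROR: an MX/NS target is a CNAME, has no A/AAAA record, or is proxied
           (SMTP is not proxied, so the target must be DNS-only).
    NOTE:  a DNS-only record publishes an IP that a proxied record also
           uses; that is the expected "exposes the IP address" warning.
    """
    zone = zone.lower().rstrip(".")
    by_name: dict[str, list[Record]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)

    def local_name(fqdn: str):
        # "mail.<zone>" -> "mail", "<zone>" -> "@", other zones -> None
        if fqdn == zone:
            return "@"
        if fqdn.endswith("." + zone):
            return fqdn[: -len(zone) - 1]
        return None

    findings: list[tuple[str, str]] = []
    for r in records:
        if r.rtype not in ("MX", "NS"):
            continue
        tgt = _target(r)
        local = local_name(tgt)
        if local is None:
            continue  # target lives in another zone; cannot be checked here
        target_recs = by_name.get(local, [])
        types = {x.rtype for x in target_recs}
        where = f"{r.rtype} {r.name} -> {tgt}"
        if "CNAME" in types:
            findings.append(("ERROR", f"{where}: target is a CNAME (RFC 2181 s10.3)"))
        elif not types & {"A", "AAAA"}:
            findings.append(("ERROR", f"{where}: target has no A/AAAA record"))
        if any(x.proxied for x in target_recs):
            findings.append(("ERROR", f"{where}: target is proxied; set it to DNS-only"))

    # Expected warning: a DNS-only address record gives away an IP that a
    # proxied record was hiding (mail and web on the same machine).
    proxied_ips = {x.content for x in records if x.proxied and x.rtype in ("A", "AAAA")}
    for r in records:
        if r.rtype in ("A", "AAAA") and not r.proxied and r.content in proxied_ips:
            findings.append(("NOTE", f"{r.rtype} {r.name}: publishes {r.content}, "
                                     "which a proxied record also uses"))
    return findings


ZONE = "steveswebsite.example"

# Constructed: the starting situation -- "mail" is a proxied CNAME and the
# MX points at it.
BROKEN = [
    Record("@", "A", "192.0.2.10", proxied=True),
    Record("www", "CNAME", "steveswebsite.example", proxied=True),
    Record("mail", "CNAME", "steveswebsite.example", proxied=True),
    Record("@", "MX", "10 mail.steveswebsite.example"),
]

# Constructed: the fix the thread settles on -- drop the CNAME, add a
# DNS-only A record for "mail", keep the MX as it was.
FIXED = [
    Record("@", "A", "192.0.2.10", proxied=True),
    Record("www", "CNAME", "steveswebsite.example", proxied=True),
    Record("mail", "A", "192.0.2.10"),
    Record("@", "MX", "10 mail.steveswebsite.example"),
]

if __name__ == "__main__":
    for label, recs in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {label} ==")
        for sev, msg in lint_zone(ZONE, recs):
            print(f"{sev}: {msg}")
```

On the broken set the linter reports two errors for the single MX record; on the fixed set the only finding is the NOTE, which matches the replies' advice that the remaining warning is expected and can be ignored unless mail moves to a separate IP address.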

Thanks so much!

I removed the cname pointing to mail and I added an A record like so:

A mail (IP Address of Server).

Outlook works great, but I noticed when I changed the CNAME to A, the certificate acceptance came up. I accepted it and it has not come back up after closing Outlook several times and sending and receiving email. Hopefully that is all I need to do, and everything will continue to work great.

This is also helpful for anyone else:
