Issues with emails not being received

I set up a domain through cloudflare for my business and then set it up to use in Microsoft 365 business…this was my first time doing so and there was a lot of copying/pasting random things to get it set up, so I may have done something wrong- but not all of my emails are being received. Some are successfully sent while others show as sent on my end, however the intended recipient doesn’t get it-not even in their spam. Is this an issue with how I have settings in cloudflare, or with 365 Business? Or could it be because my logo image is in my signature even?

Can you provide your domain name so we can check the DNS records to see if all the Microsoft 365-related records are set up correctly?

ClientFirstCS.com thank you!

We are new to this- I followed instructions as best I could to get our Microsoft 365 business account linked to our custom domain…to some degree it is correct bc some people are receiving emails, but many are not…what is wrong? clientfirstcs.com

Since you’re using the far superior Microsoft 365 Business email, you don’t need the half-baked Cloudflare Email Routing service at all.

  1. Disable Cloudflare’s Email Routing completely. This should remove the Cloudflare MX records and the bogus (second) SPF record. Leave the M365 SPF record intact.

  2. Add the necessary MX record for Microsoft 365 mail. Without this, you won’t be able to RECEIVE emails into your M365 mailboxes. You can obtain this from your M365 dashboard.

  3. Add the CNAME record for Outlook autodiscover. This is usually the subdomain autodiscover CNAMEd to autodiscover.outlook.com, but check your M365 dashboard to be sure. Make sure this record is unproxied (ie DNS-Only) in Cloudflare.

Let us know when you’ve made these changes so we can check again for you.

1 Like

The mentioned domain name has MX records set up for Cloudflare Email Routing, not for Microsoft Office 365.

$ dig +noall +answer MX clientfirstcs.com
clientfirstcs.com.      300     IN      MX      73 route2.mx.cloudflare.net.
clientfirstcs.com.      300     IN      MX      87 route1.mx.cloudflare.net.
clientfirstcs.com.      300     IN      MX      59 route3.mx.cloudflare.net.

You need to delete them, and add the appropriate MX record, that Microsoft Office 365 have provided to you.

Based on your domain name, it will likely be one pointing to something like “clientfirstcs-com.mail.protection.outlook.com”.

In addition, you also have two SPF records:

$ dig +noall +answer TXT clientfirstcs.com | grep spf
clientfirstcs.com.      300     IN      TXT     "v=spf1 include:_spf.mx.cloudflare.net ~all"
clientfirstcs.com.      300     IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"

Delete the one with “include:_spf.mx.cloudflare.net”.

okay, I went into Microsoft 365 and had it “fix” the DNS errors. Can you please check to see if that fixed things? thank you!

I have merged your two threads together, - in the future, please avoid creating duplicate threads for the exact same issue.

According to the suggestions both @GeorgeAppiah and I provided above, it seems like they have all been successfully made.

Are you still seeing issues?

I believe it is improved, however when my husband runs a test to check deliverability of emails, it is telling him “your DMARC record is not set up/ has errors”…and says this is important to avoid issues with messages getting caught in SPAM? Is this accurate? thank you again.

it also says something about DKIM? we are not familiar with all of this DNS lingo. :slight_smile:

Microsoft doesn’t offer DMARC monitoring, so you can use Cloudflare for this. Go to the Email section in your Cloudflare dashboard and enable DMARC Management (Beta). The basic policy (“none” for monitoring) should be fine for now. Cloudflare will add the DMARC TXT record automatically after enabling the feature.

Be careful to NOT enable Email Routing, or else you’ll break your email setup again.

You need to get the appropriate DNS information from your M365 dashboard. Where exactly to go and the exact records to use will depend on your account type. This is Microsoft, after all :smiley:

Here’s Microsoft’s full documentation: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure

Most of the time, this will be two CNAME records that you’ll need to add to your Cloudflare DNS app.

Begin from here: https://security.microsoft.com/authentication?viewid=DKIM

If you see your domain here (after logging in), click on the domain to open a pop-up and follow the on-screen instructions to retrieve your DKIM record.

1 Like

thank you. I enabled DMARC management. it says “fail” for SPF- is this correct? And it also shows yes for DKIM use…does this mean I don’t need to take the steps you provided to get info from M365 dashboard, or do I still need to do that? thank you SO much for all of your help!!

hello, just following up on this and have another question- if I want to add an email user using our domain, where do I do so? the place where I thought I did this was actually the “email routing” section which is now not enabled. thank you

You will manage your email users using your email service provider’s interface.

Thank you. I still need a response for the DKIM question. I appreciate your assistance

It was already provided.

I had a follow up question to that but I suppose this answers the follow up and I still need to do this even though it said yes for DKIM. Thank you

1 Like

There are some additional details in that reply from @GeorgeAppiah that may help make shorter work out of creating your 2 DKIM records.

Okay, I finally was able to work on this and did my best to add the correct CNAME records provided by Microsoft. Is there a way you can take a look to see if what I added looks correct? I also picked DNS only instead of proxied- hope that is correct. thank you!

It is looking better. selector1 is working.

You may need to take an extra step to generate the record used by selector2. Your CNAME is configured, but the target record does not exist in the clientfirstcs.onmicrosoft.com. zone. The specifics on how to get Microsoft 365 to generate that record should be covered in the Microsoft documentation that @GeorgeAppiah linked.