"Some of your DNS only records are exposing IPs that are proxied through Cloudflare." message during e-mail configuration

I have to start by saying I am not very technical into all this.
Basically I bought a e-mail via Namecheap and followed their manual on how to set it up properly via Cloudflare. Why Cloudflare? Because initially I bought my domain at GoDaddy for the web I am building and since I needed a SSL certificate I set it up here. Which is working fine.

Now in addition I wanted to configure an e-mail I bought but I have faced several issues which prevents me from completing the DNS set-up:

  1. Message “Some of your DNS only records are exposing IPs that are proxied through Cloudflare. Make sure to proxy all A, AAAA, and CNAME records pointing to proxied records to avoid exposing your origin IP.”

  2. Messgage “Having multiple SPF records is invalid.” (Should I make a separate thread about this? Please let me know if I need)

And I don’t know if this helps and is needed, but this is how my whole table looks like:

Any help would be very appreciated! Thanks!

  1. Any hostnames related to email delivery should be set to :grey: DNS Only. It’s not necessary to proxy anything to privateemail.com
  2. Cloudflare doesn’t determine your SPF records. That’s up to your mail host or mail administrator to make sure you have that correct. My general recommendation would be to merge the two records. v=spf1 followed by every source specified in both records.
1 Like

Thanks, @sdayman for your input!

  1. I have just followed Namecheap step-by-step instructions on how to set up needed records. This is a screenshot of their document. If I read it correctly, they actually require those entries to be proxied.

  1. This is a bit above my level of understanding. Again, I have just followed the instructions. You can see the required result for spf records also in the picture above.
    Their requirements to be specific:
    Type : SRV | Service name : _autodiscover | Protocol : TCP | Name : yourdomain.com | Priority : 0 | Weight : 0 | Port : 443 | Target : privateemail.com | Automatic TTL

Just to comment a bit more on point No.1. Now i realized my pasted picture above, indeed, shows that mail related hostnames would be DNS only. Bet then I am confused on what they actually have requested me to do:
Type :CNAME | Name : mail | Domain name : privateemail.com | Automatic TTL
Type : CNAME | Name : autoconfig | Domain name : privateemail.com | Automatic TTL
:CNAME | Name : autodiscover | Domain name : privateemail.com | Automatic TTL

As you can see in their picture those records are proxied, aren’t they?

I’m not familiar with how autodiscover and autoconfig are used. If the client is using HTTP/S over standard ports to use those hostnames, then it’s ok to proxy them. I know they’ll work just find in DNS Only mode, and those hostnames aren’t yours to manage, so it really doesn’t matter if they’re :grey: DNS Only. Nobody is going to notice a difference regardless of how those two are set.

1 Like

Before you click on “Add Record” you have to click on the “cloud” symbol to change it from orange (proxied via cloudflare) to grey (direct, DNS only).

The CNAMEs related to mail should not be proxied, i.e. “DNS only”.

As for SPF… delete one and edit the other (or delete both and add a new one) having: “v=spf1 a mx ip4: include:_spf.mailspamprotection.com include:spf.privateemail.com ~all”

Note that in “+a”, “+mx”, etc. you don’t need the “+” (it’s the default).

1 Like

Hi @bernardo.reino and thanks for comment!
I followed your suggested steps. Removing proxy from CNAMEs solved the first part!

In regards to SPF - I created new entry as per your suggestion, but received a new message:
“The number of lookups on your SPF record exceed the allowed limit of 10. This will result in emails failing SPF authentication.”

Any suggestions?

Your included SPF records (spf.privateemail.com and _spf.mailspamprotection.com) have lots of addresses and include additional records… which is a bit absurd and not the idea behind SPF.

You could just use “v=spf1 a mx ~all” and it will be OK. I mean, you have “~all” in the end, so it doesn’t really matter which addresses you include.

If you ever change to “-all” then you need to be careful which addresses you include, but I’d recommend against it. (you only want “-all” if you really really know what you’re doing :slight_smile:

1 Like

Thanks! Seems this solved the issue! Now all works! Great help, thanks!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.