SPF and DKIM records get disappeared automatically

I’ve set up WPForms SMTP on my website, and since I’m using Cloudflare for DNS records, I had to add the SPF and DKIM records manually. After adding the records, everything starts working properly and the forms start working. But after some time the records automatically disappear and the same issue occurs. I’ve done the same thing multiple times, and every time the records get removed automatically without me doing anything. Please help me with this.

Have you by any chance given a third party like e.g. Ezoic access to your Cloudflare account?

Anyway, we can conclude that someone (or something) has access to control your settings.

Check the Audit Log page, to figure out who/what is making the changes:


Check the “Members” page, to see if you’re letting others access your account:


Check the “API Tokens” page, to see if there are any tokens you don’t use or otherwise know about:


To stop such things from happening, I would follow ALL the steps here, as if your account has been compromised:

Yes, Ezoic has access to my Cloudflare account. I checked the audit log, attaching a screenshot. Can you tell if it is Ezoic that’s deleting the records?

I would say that this is the culprit of the issue.

The advice given in the past for Ezoic has been to coordinate the changes of DNS records through their platform, that is, if you still wish to use Ezoic.

Otherwise, follow ALL the steps of the “Secure compromised account” guide.

From the screenshot you attached, it loops through either “Cloudflare” (which could be Universal SSL generating a new SSL certificate for your domain), and apparently, your Gmail address, which suggests that it was a change made by you.

I would expand and look especially at “Rec del” ones, they should show you when exactly e.g. your _domainkey TXT records or SPF TXT records are being deleted.

If you didn’t do anything yourself around the timestamps where the “Rec del” happened for the record(s) in question, there would only be two options left:

  1. Ezoic

  2. Someone (or something) else with access to your account.

In #2, I would definitely follow the advice above with the “Secure compromised account” guide mentioned above ASAP.

For the Audit Log entries where your Gmail is being listed, when you’re expanding them, you will (generally) also see a row titled “User IP address”, this one can eventually help you diagnose whether or not someone else is having direct access to your account.

You can use that IP address to look up what Internet Service Provider (ISP) is currently behind that address, and for example check whether that matches your home ISP, your cell phone provider, or wherever you have been accessing Cloudflare from one of your own devices.

That would be one way to dig further into the situation, if you still feel the need for that now.
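The check described above (finding the “Rec del” entries for the SPF and `_domainkey` TXT records, then comparing the actor and IP address with your own) as an added example that is not part of the original thread. The entry field names and the sample log are constructed assumptions, not Cloudflare's export format; map them to whatever your audit log export actually contains.

```python
import json
from datetime import datetime

# Constructed sample entries. The field names are assumptions for this
# example, not Cloudflare's export schema; map them to your real export.
SAMPLE_LOG = json.loads("""[
 {"when":"2024-01-10T08:00:00Z","action":"Rec add","actor":"owner@example.com","ip":"198.51.100.7",
  "name":"example.com","type":"TXT","content":"v=spf1 include:_spf.example.net ~all"},
 {"when":"2024-01-10T08:02:00Z","action":"Rec add","actor":"owner@example.com","ip":"198.51.100.7",
  "name":"s1._domainkey.example.com","type":"TXT","content":"v=DKIM1; k=rsa; p=CONSTRUCTED"},
 {"when":"2024-01-10T09:00:00Z","action":"Rec del","actor":"owner@example.com","ip":"198.51.100.7",
  "name":"old.example.com","type":"A","content":"192.0.2.10"},
 {"when":"2024-01-11T03:15:00Z","action":"Rec del","actor":"integration-token","ip":"203.0.113.50",
  "name":"example.com","type":"TXT","content":"v=spf1 include:_spf.example.net ~all"},
 {"when":"2024-01-11T03:15:02Z","action":"Rec del","actor":"integration-token","ip":"203.0.113.50",
  "name":"s1._domainkey.example.com","type":"TXT","content":"v=DKIM1; k=rsa; p=CONSTRUCTED"}
]""")

def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def is_mail_auth_record(entry):
    """True for TXT records that carry SPF or DKIM data."""
    if entry["type"] != "TXT":
        return False
    content = entry["content"].strip('"').lower()
    return "._domainkey." in entry["name"].lower() or content.startswith(("v=spf1", "v=dkim1"))

def mail_auth_deletions(entries, known_ips):
    """List each SPF/DKIM deletion: who did it, from where, and how long the record lived."""
    added, findings = {}, []
    for e in sorted(entries, key=lambda e: parse_time(e["when"])):
        if not is_mail_auth_record(e):
            continue
        key = (e["name"], e["content"])
        if e["action"] == "Rec add":
            added[key] = parse_time(e["when"])
        elif e["action"] == "Rec del":
            born = added.pop(key, None)  # None if the add is outside the log window
            hours = round((parse_time(e["when"]) - born).total_seconds() / 3600, 2) if born else None
            findings.append({"when": e["when"], "name": e["name"], "actor": e["actor"],
                             "ip": e["ip"], "known_ip": e["ip"] in known_ips, "lived_hours": hours})
    return findings

if __name__ == "__main__":
    for finding in mail_auth_deletions(SAMPLE_LOG, known_ips={"198.51.100.7"}):
        print(finding)
```

Deletions with `known_ip` set to `False` at times when you were not logged in are the ones to trace back to a member, an API token or a third-party integration.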


