Warning about exposing your origin IP address

Hello,
I receive the following message " This record exposes the IP address used in the A record on mail.mydomain.com, which you have proxied through Cloudflare" on the DNS records interface (MX type).
According to the documentation that I was able to consult, this indicates that my sending emails could reveal my IP to cyberattackers. The proposed resolution does not provide, from my point of view, a satisfactory answer, because it is advisable to ignore this problem if you have a modest site. And if this is not the case, what should we do? Thank you for your help.

Cloudflare can proxy HTTP traffic which allows it to publish A or AAAA records for your website as their own, and then forward that traffic to your IP address. This keeps the IP address of your origin “secret”.

But Cloudflare cannot proxy other protocols(*) such as SMTP for email so you can’t proxy the records for email. If your mail server is on the same origin as your webserver, then you will get this warning when you unproxy the mail subdomain.

By making your origin IP address public via the mail records you give the ability for people to avoid Cloudflare by connecting directly to your origin. You can mitigate this by allowing only Cloudflare IP addresses to connect to your origin webserver with your firewall, or using authenticated origin pulls, but your mail server IP will still be open and your internet connection could still be swamped by a DDoS.

The only solution is to have your incoming email pass through someone else (Cloudflare’s mail forwarding service is useful for this) and publish those IPs, but outbound email from your origin, even if through another mail provider, will always show your host and IP in the headers so having the web and mail servers on separate IP addresses helps.

But if you are a small company or individual (a “modest site”), what’s the chance you do anything interesting enough to be DDoSed off the internet?

(*) Spectrum is the exception, costs $$$

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.