Which orange clouds to use on Free plan?

Okay, I’m finding mixed information all over the place so can anyone please confirm once and for all… which grey clouds can I turn orange on the Free plan? I’ve found everything from “only the main domain and the www CNAME can be proxied on the free plan” to “everything except the mail CNAME” to “everything that has a grey cloud.”

Can I assume that if it gives me the option of choosing the orange cloud that it will work if I do, or is there some restriction on the Free plan that isn’t being clearly communicated?


If you know your protocol acronyms, :orange: is for HTTP/S traffic. All else needs to be :grey:.

There may be some CNAME records that need to stay :grey: if they’re used for verification by the CNAME endpoint (some services check to see that the CNAME returns their actual endpoint name).

Thanks for the reply. I think I understand but not entirely. As an example in the attached image, I only have the orange cloud active for the primary A record and the www CNAME, because after everything I read while searching around, that’s what I landed on as far as what the free Cloudflare plan supports. Is that correct or should I activate the orange cloud for all the A and CNAME records?

I don’t use cPanel, but I believe only FTP and Mail should be left :grey: and the others will probably function as :orange:. But you’ll figure out pretty fast if they don’t (and it won’t interfere with your website traffic).

You blocked out the Content of the MX entry, but if it’s a hostname that’s set to :orange:, mail probably won’t get to you. Sometimes Cloudflare will auto-substitute a special hostname that’s set to :grey: when an MX record points to an :orange: hostname.

I see, thanks. The MX record hostname is just the main domain. It works fine on a another domain with the same setup but on the domain in the example image I do know that email constantly ends up in spam with a notice that it couldn’t be authenticated, even though the DKIM record is correct and valid. That’s a separate battle I’ve been fighting, but if it could be part of the problem that the MX host shouldn’t be proxied, then what’s the correct way to set up the MX record? The current record is the one Cloudflare auto-detected when I added the domain, so I assumed it was correct.

Leave as :grey: all the relevant Office 365 configs (even though it doesn’t seem the correct config given the MX record), as in the autoconfig, autodiscover, etc.

I would turn :orange: webmail, webdisk, probably cpanel, cpcalendars and cpcontacts.

The MX host is not really important is it’s proxied or not, Cloudflare will fix the MX record for you, but if that is also the host you put in the IMAP/POP settings as receiving/sending server then it must stay not proxied given that those ports won’t work with Cloudflare.

edit note that not all of these may work with the TLS config, I hope you already have valid (or at least Cloudflare Origin Certs) on all origins so that the setting can be Full (Strict) or that, if it’s set to Flexible, you can switch over and don’t have any redirects to HTTPS on the origins. Check all of them to be safe.


Thanks, @matteo. Honestly, I have no idea what autoconfig and autodiscover are for, but I left them since they were automatically included when I added the domain to Cloudflare. Would it be more secure to remove them entirely or does it matter?

What are the actual values of the records? They are usually there for Office 365, but they work for autoconfiguring the mail clients, in theory at least and not on all clients.

It’s just the main IP address.

Would you mind sharing the actual record in full? Censor the IP address if you want.

Sorry, I’m not sure I’m understanding. In the graphic I attached above, it’s the main IP address in the “Content” column - is that what you’re after? In other words, the same IP address is in that column for all of the A records.

Sorry, usually those records are not As and I went by that assumption. I would delete them. Maybe, if you want to save them in case something fails afterwards, simply change their name (.old)?

Ah, okay, well thanks for all your help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.