Your email edge case that breaks functionality

This has happened to me five times, so I’ll assume it’s a real bug that you can easily reproduce.

Do this:

  1. Create a brand new domain
  2. Create a gsuite account for that domain
  3. Create a cloudflare account WITHOUT first activating your email
  4. Add MX records to the cloudflare account
  5. Try to validate your email.

You’ll never be able to validate your email. And support will take 2-3 weeks to fix it.

The solution is of course to set up MX records and have a working email first, but that’s beside the point. I’m sure other people are experiencing this bug.

If an email signs up and their email bounces, maybe give them a grace period instead of just blacklisting that email.

Are you saying that the email address you use for your account is also on the domain you’re adding to Cloudflare?

I can certainly see why this is a problem for activation, as well as later on, such as having your domain hosting crash and burn.

I use a completely separate email account for domain-related services, so no matter what happens to my own stuff, this email account will continue to be accessible.

You are right about my use case.

I personally couldn’t use a personal email because this was a joint venture with a partner so I didn’t want to do anything outside of our shared domain.

1 Like

I suggest you reconsider. You can set up a joint email account at a third party (I use ProtonMail), and use that as your account email here, your domain host, and at your domain registrar. That way if something happens to the domain in any of those places, you still have a working contact address for that service.

It’s like leaving a set of keys inside your car. Someone who breaks a window into your car can take it…and probably get into your house as well. And anything else those keys open.

1 Like

Speaking from experience, this will eventually cause you problems – You really want to have some sort of recovery addresses that are outside your primary domain, and accessible if all of your hosting infrastructure is offline.

This isn’t necessary in normal day-to-day operations, but imagine your next steps if an attacker performs a SIM-swap to steal your mobile phone number, and then uses that to start changing your credentials at your domain registrar, DNS provider, or other hosting companies. Best case, they catch what is going on and lock out you and the attacker since neither can prove who is the actual owner, but more likely the attacker will maintain control for a decent amount of time since they can intercept nearly any attempt you make to prove your identity.

I get the inclination to keep everything at one domain, and if trust is an issue then things get a bit more complex, but if this is the situation you might want to consider getting a second domain for administrative purposes and hosting it completely independently from your main domain. The expense is minimal vs the hassle and cost of losing everything in one single shot.

I’ve never been there myself, but I’ve had clients who were, and finding that personal or whatever account that was used as a sign-up/recovery address was a lifesaver.

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.