Set up email records
There are three reasons to set up email records for your domain:
- To make sure your domain can receive email.
- To make sure your domain can send and receive email.
- To prevent other email senders from spoofing your domain.
The exact values for your DNS mail records depend on your email provider. If you have issues, review Troubleshooting and contact your email service provider to confirm your DNS records are correct.
If you only need to receive emails, Cloudflare offers Email Routing for free email forwarding to custom email addresses.
To send and receive emails from your domain, you need an SMTP provider. Then, create two DNS records within Cloudflare, following the steps below:
- Get the IP address and MX record details from your SMTP provider (vendor-specific guidelines).
- Add an A or AAAA record for your mail subdomain that points to the IP address of your mail server.

  | Type | Name | IPv4 address | Proxy status |
  | --- | --- | --- | --- |
  | A | mail | 192.0.2.1 | DNS only |

  API example

  Required API token permissions. At least one of the following token permissions is required:
  - DNS Write

  Create DNS Record

  ```bash
  curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
    --request POST \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --json '{
      "type": "A",
      "name": "mail.example.com",
      "content": "192.0.2.1",
      "ttl": 3600,
      "proxied": false
    }'
  ```

  Response

  ```json
  {
    "result": {
      "id": "<ID>",
      "zone_id": "<ZONE_ID>",
      "zone_name": "example.com",
      "name": "mail.example.com",
      "type": "A",
      "content": "192.0.2.1",
      "proxiable": true,
      "proxied": false,
      "ttl": 3600,
      "locked": false,
      "meta": {
        "source": "primary"
      },
      "comment": null,
      "tags": [],
      "created_on": "2023-01-17T20:37:05.368097Z",
      "modified_on": "2023-01-17T20:37:05.368097Z"
    },
    "success": true,
    "errors": [],
    "messages": []
  }
  ```

- Add an MX record that points to that subdomain.

  | Type | Name | Mail server | TTL | Priority |
  | --- | --- | --- | --- | --- |
  | MX | @ | mail.example.com | Auto | 5 |

  API example

  Required API token permissions. At least one of the following token permissions is required:
  - DNS Write

  Create DNS Record

  ```bash
  curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
    --request POST \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --json '{
      "type": "MX",
      "name": "example.com",
      "content": "mail.example.com",
      "priority": 5,
      "ttl": 3600
    }'
  ```

  Response

  ```json
  {
    "result": {
      "id": "<ID>",
      "zone_id": "<ZONE_ID>",
      "zone_name": "example.com",
      "name": "example.com",
      "type": "MX",
      "content": "mail.example.com",
      "priority": 5,
      "proxiable": false,
      "proxied": false,
      "ttl": 3600,
      "locked": false,
      "meta": {
        "source": "primary"
      },
      "comment": null,
      "tags": [],
      "created_on": "2023-01-17T20:54:23.660869Z",
      "modified_on": "2023-01-17T20:54:23.660869Z"
    },
    "success": true,
    "errors": [],
    "messages": []
  }
  ```
Without email authentication records, anyone can send email that appears to come from your domain — a technique known as domain spoofing. To prevent this, you add DNS TXT records (text-based entries in your domain's DNS settings) that allow receiving mail servers to verify whether an email actually came from you:
- Sender Policy Framework (SPF): Lists the IP addresses and domains authorized to send email on behalf of your domain.
- DomainKeys Identified Mail (DKIM): Authenticates the sender's domain and verifies that email content was not altered in transit, using a cryptographic signature.
- Domain-based Message Authentication Reporting and Conformance (DMARC): Tells receiving servers what to do when SPF or DKIM checks fail (for example, reject or quarantine the email), and sends you aggregate reports about your email traffic.
Refer to Security records to learn how to set up your email security records.
By default, Cloudflare does not proxy email traffic on port 25 (SMTP). You can only proxy outgoing email if you have Spectrum configured for SMTP.
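The following is an added example, not Cloudflare's code: a Python check that audits a zone's record list, shaped like the API `result` objects above, for the mail setup this page describes (MX pointing at a DNS-only mail host, one SPF record that fails unlisted senders, an enforcing DMARC policy). The TXT contents in `SAMPLE` and the function name are constructed for illustration, and DKIM is not checked because selector names are provider-specific.

```python
# Added example. Record dicts mirror the API "result" objects shown above.
# TXT contents are constructed sample values, not taken from the page.
SAMPLE = [
    {"type": "A", "name": "mail.example.com", "content": "192.0.2.1", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 5},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 ip4:192.0.2.1 ?all"},
    {"type": "TXT", "name": "_dmarc.example.com", "content": "v=DMARC1; p=none"},
]

def audit_mail_records(zone, records):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    of_type = lambda *types: [r for r in records if r["type"] in types]
    txt_at = lambda name: [r["content"].strip('"') for r in of_type("TXT")
                           if r["name"] == name]

    # MX at the apex must point at a host with an unproxied (DNS only) address.
    mx = [r for r in of_type("MX") if r["name"] == zone]
    if not mx:
        findings.append("no MX record")
    for r in mx:
        hosts = [a for a in of_type("A", "AAAA") if a["name"] == r["content"]]
        if not hosts:
            findings.append(f"MX target {r['content']} has no A/AAAA record")
        elif any(a.get("proxied") for a in hosts):
            findings.append(f"MX target {r['content']} is proxied")

    # SPF: exactly one v=spf1 record; its "all" term decides unlisted senders.
    spf = [t for t in txt_at(zone) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"expected 1 SPF record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        if not alls and not any(t.startswith("redirect=") for t in terms):
            findings.append("SPF has no 'all' term")
        elif alls and alls[0][0] not in "-~":
            findings.append(f"SPF '{alls[0]}' does not fail unlisted senders")

    # DMARC lives at _dmarc.<zone>; p=none only reports, it does not enforce.
    dmarc = [t for t in txt_at("_dmarc." + zone) if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        pairs = (kv.split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append("DMARC policy is not enforcing")
    return findings
```

Calling `audit_mail_records("example.com", SAMPLE)` reports the neutral `?all` SPF term and the `p=none` DMARC policy; the A and MX records from the steps above pass.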