Remember to turn off Cloudflare proxying for PTRs!

I’ve been steadily moving my domains from Squarespace over to Cloudflare to take advantage of the lower fees and freebies such as their web application firewall (WAF). So far I’ve moved one website that wasn’t set up for SSL and documented the quirks around the Cloudflare setup, and then another website with SSL and a gotcha that I encountered. This time I moved a website that also acts as an email server and had some associated DNS records. Initially Cloudflare’s DNS proxying tripped me up and affected email deliverability.

Read on to find out why, and how to fix it!

DNS records when sending emails

This particular website doesn’t receive emails, so there was no MX record to set up. However, it does send emails, and the domain in question is the one used by the server’s mail server software. This necessitates a few specific DNS records that wouldn’t ordinarily be needed. One of those is a PTR record, also referred to as a reverse DNS record.

What is a PTR record?

A DNS pointer record (abbreviated to PTR) is the opposite of the “A” record (which provides the IP address associated with a domain name) and provides the domain name associated with an IP address.

e.g. xxx.xxx.xxx.xxx.in-addr.arpa => mail.<domain> (the PTR record lives under the in-addr.arpa name built from the IP address, with its octets written in reverse order, and its value is the hostname)

What does a PTR record do?

In my case I’m using it for email deliverability. Email providers such as Gmail consider a valid PTR record essential for a sender. This particular email server is set up with mail.<domain> as its hostname, and therefore a valid PTR record for mail.<domain> needs to be set up pointing to the server’s IP address alongside the A record pointing mail.<domain> to the server’s IP address.

What’s that got to do with Cloudflare?

One of the things that Cloudflare offers by default is DNS proxying. This has the advantage of allowing Cloudflare to “optimize, cache, and protect all requests to your application, as well as protect your origin server from DDoS attacks.” But it also means that “DNS queries for these will resolve to Cloudflare anycast IPs instead of their original DNS target”.

Therefore if you set up an A record or a PTR record and use the default proxy setting, the IP address will resolve to Cloudflare’s anycast IP instead of your IP. Gmail (for example) receives an email purportedly delivered by mail.<domain> and originating from <your IP>. Gmail performs a reverse lookup on <your IP> and expects it to return mail.<domain>. Anything else is a red flag.

If you have left Cloudflare DNS proxying turned on, then one of their IPs will be returned instead of yours.
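To make the check above concrete, here is an added example (not code from the original post) that does what a receiving mail server does: it resolves mail.<domain>, reverse-looks-up the origin IP, and confirms the two agree (forward-confirmed reverse DNS). It also covers the in-addr.arpa naming from the PTR section, via Python’s `ipaddress.reverse_pointer`. The hostname `mail.example.com` and the addresses `203.0.113.10` and `198.51.100.7` are constructed placeholders from the RFC 5737 documentation ranges; the second stands in for the “some other address” that a still-proxied A record returns. The lookup functions are passed in so the checker can run offline against the constructed data, and `live_a_lookup` / `live_ptr_lookup` plug in the system resolver for real use.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound mail host.

Added example, not part of the original post. It checks the two records the
post describes, the A record of mail.<domain> and the PTR record of the origin
IP, and flags the symptom of leaving Cloudflare proxying on: the A record
resolving to an address other than your own server.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple

ALookup = Callable[[str], List[str]]        # hostname -> list of IPv4/IPv6 addresses
PtrLookup = Callable[[str], Optional[str]]  # IP -> hostname, or None when no PTR exists


def reverse_name(ip: str) -> str:
    """The name a PTR query is actually sent for: octets reversed under in-addr.arpa
    (or nibbles reversed under ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_mail_host(hostname: str, origin_ip: str,
                    a_lookup: ALookup, ptr_lookup: PtrLookup) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means FCrDNS passes."""
    findings: List[Tuple[str, str]] = []
    host = hostname.rstrip(".").lower()

    # 1. Forward lookup. With Cloudflare proxying enabled this returns an anycast
    #    address instead of the origin, which is exactly the failure the post hit.
    forward = a_lookup(host)
    if origin_ip not in forward:
        findings.append(("A-MISMATCH",
                         f"{host} resolves to {forward or 'nothing'}, not origin {origin_ip}; "
                         "is DNS proxying still enabled?"))

    # 2. Reverse lookup of the origin IP must name the mail host.
    ptr = ptr_lookup(origin_ip)
    if ptr is None:
        findings.append(("PTR-MISSING", f"no PTR record at {reverse_name(origin_ip)}"))
        return findings
    ptr = ptr.rstrip(".").lower()
    if ptr != host:
        findings.append(("PTR-MISMATCH", f"PTR for {origin_ip} is {ptr}, expected {host}"))
        # 3. Forward-confirm the name the PTR actually gave us. (When ptr == host,
        #    step 1 already performed this check.)
        if origin_ip not in a_lookup(ptr):
            findings.append(("FCRDNS-FAIL", f"{ptr} does not resolve back to {origin_ip}"))
    return findings


# System-resolver backends for real use (hypothetical helper names, standard-library calls).
def live_a_lookup(host: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def live_ptr_lookup(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
HOST = "mail.example.com"
ORIGIN = "203.0.113.10"
SOMEWHERE_ELSE = "198.51.100.7"   # stands in for a proxied (non-origin) A record answer


def demo_proxied() -> List[Tuple[str, str]]:
    """Proxying still on: the A record answers with an address that is not ours."""
    return check_mail_host(HOST, ORIGIN,
                           a_lookup=lambda h: [SOMEWHERE_ELSE] if h == HOST else [],
                           ptr_lookup=lambda ip: HOST if ip == ORIGIN else None)


def demo_fixed() -> List[Tuple[str, str]]:
    """Proxying off: A record and PTR record agree."""
    return check_mail_host(HOST, ORIGIN,
                           a_lookup=lambda h: [ORIGIN] if h == HOST else [],
                           ptr_lookup=lambda ip: HOST if ip == ORIGIN else None)


if __name__ == "__main__":
    for label, demo in (("proxied", demo_proxied), ("fixed", demo_fixed)):
        print(label, demo() or "OK")
    # Against your own server: check_mail_host("mail.<domain>", "<your IP>",
    #                                          live_a_lookup, live_ptr_lookup)
```

Run it as-is to see the two constructed cases; to test your own setup, call `check_mail_host` with your hostname, your server’s public IP and the two `live_*` functions. An `A-MISMATCH` finding is the signature of the grey cloud still being orange in the Cloudflare DNS panel.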

Conclusion

If you have an A record that is linked to a PTR record remember to turn off DNS proxying with Cloudflare! Otherwise the reverse DNS lookup will return the wrong IP address.
