
How do I sign up for Cloudflare and point my domain to it without breaking email?
Most teams worry that moving DNS to a new provider will accidentally break email. That can happen if MX and related DNS records don’t make the jump cleanly — but if you follow a simple checklist, you can sign up for Cloudflare, point your domain at it, and keep email flowing without interruption.
Quick Answer: Sign up for Cloudflare, add your site, and let Cloudflare scan your current DNS. Before you change nameservers, verify that MX, SPF, DKIM, DMARC, and any mail-related records match your current DNS exactly; then switch nameservers at your domain registrar and monitor mail delivery.
The Quick Overview
- What It Is: Cloudflare is a connectivity cloud that sits in front of your websites, apps, and DNS to connect, protect, and accelerate them using a global anycast network — without changing your hosting or mail provider.
- Who It Is For: Domain owners, admins, and IT teams who want faster, more secure websites and DNS, but need to avoid downtime for critical services like email.
- Core Problem Solved: Safely moving DNS and web traffic to Cloudflare’s edge for security and performance, while keeping your existing email providers and configurations working as-is.
How It Works
The basic flow is:
- You create a Cloudflare account and add your domain.
- Cloudflare imports your existing DNS records (including MX and TXT records for email).
- You review and fix any missing or incorrect mail-related records.
- You point your domain’s nameservers to Cloudflare at your registrar.
- Cloudflare becomes the authoritative DNS for your domain, but your email keeps flowing to the same provider because the MX and related records are unchanged.
Think of Cloudflare as a smarter, faster, security-aware DNS layer in front of your domain: it answers DNS queries from its global network, accelerates and protects your HTTP(S) traffic, and simply passes through email-related DNS answers to your existing mail host.
Step 1: Sign up for Cloudflare (takes ~5 minutes)
- Go to https://www.cloudflare.com.
- Choose Get started and create an account with your email and password.
- Log in to the Cloudflare dashboard.
Cloudflare offers a free plan, small business plans, and enterprise options. For a basic website and standard email providers like Google Workspace or Microsoft 365, the free or Pro plan is often enough; larger organizations may want enterprise SASE and security add-ons.
Step 2: Add your domain to Cloudflare
- In the dashboard, click Add a site.
- Enter your domain name (e.g., example.com) — don’t include http:// or path segments.
- Select a plan (Free / Pro / Business / Enterprise).
- Cloudflare will scan your current DNS records from your existing DNS host.
This scan typically pulls in:
- A / AAAA records: For your website and apps
- CNAME records: For subdomains and SaaS services
- MX records: Where your email is delivered
- TXT records: SPF, DKIM, DMARC, verification records, etc.
- Other records: SRV, NS (for subzones), etc.
Step 3: Carefully review mail-related DNS records
Before you touch nameservers, email safety depends on one thing: your mail records on Cloudflare must match your current DNS exactly.
Open your current DNS provider in one browser tab and the Cloudflare DNS tab in another, then review:
- MX records
  - Ensure the hostnames and priorities match exactly.
  - Example (Google Workspace):
    - ASPMX.L.GOOGLE.COM. priority 1
    - ALT1.ASPMX.L.GOOGLE.COM. priority 5
    - etc.
  - Example (Microsoft 365):
    - example-com.mail.protection.outlook.com. priority 0
- SPF record (TXT)
  - Look for a TXT record at the root (@) with v=spf1 ....
  - Copy it exactly as-is from your old DNS if it didn’t import correctly.
  - Ensure you don’t end up with multiple SPF TXT records for the same hostname; merge if needed.
- DKIM records (TXT or CNAME)
  - Usually look like: selector1._domainkey.example.com.
  - Some providers create CNAMEs pointing to their DKIM keys; others use TXT.
  - Ensure all DKIM selectors from your mail provider exist and match.
- DMARC record (TXT)
  - Usually at: _dmarc.example.com
  - Example: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com;
  - Copy the full value over if missing or incorrect.
- Autodiscover / Autoconfig records (for Outlook/Exchange and some clients)
  - Common hostnames: autodiscover.example.com, autoconfig.example.com.
  - Confirm any A, CNAME, or SRV records used by your mail provider are present.
- Any other mail-related TXT or SRV records
  - CRM tools, marketing platforms, and transactional mail services (SendGrid, Mailgun, Mailchimp, etc.) often require:
    - TXT records for domain verification
    - CNAME or TXT for custom return-path or tracking
  - Search for records containing vendor names (sendgrid, mailgun, spf.protection, etc.) and ensure they’re replicated.
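One way to automate the side-by-side review in this step, as an added example that is not Cloudflare's or this article's own code. It assumes both providers' records are available as one-record-per-line zone text (name, TTL, class, type, value); the zone contents, PLACEHOLDERKEY and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Names/values that mark a record as mail-related (MX records always count).
MAIL_HINT = re.compile(
    r"v=spf1|v=dkim1|v=dmarc1|_domainkey|_dmarc|autodiscover|autoconfig|sendgrid|mailgun", re.I)

def mail_records(zone_text):
    """Parse 'name ttl IN type rdata' lines into a set of (name, type, rdata)."""
    found = set()
    for line in zone_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0].startswith(";") or parts[2].upper() != "IN":
            continue
        name, rtype, rdata = parts[0].lower().rstrip("."), parts[3].upper(), parts[4].strip()
        hinted = rtype in {"TXT", "CNAME", "SRV", "A", "AAAA"} and MAIL_HINT.search(f"{name} {rdata}")
        if rtype == "MX" or hinted:
            if rtype != "TXT":  # hostnames are case-insensitive, TXT payloads are not
                rdata = rdata.lower().rstrip(".")
            found.add((name, rtype, rdata))  # TTL is ignored on purpose
    return found

def compare_zones(old_text, new_text):
    """Report mail records lost or changed in the new zone, plus duplicate SPF."""
    old, new = mail_records(old_text), mail_records(new_text)
    spf = Counter(n for n, t, v in new if t == "TXT" and "v=spf1" in v.lower())
    return {"missing": sorted(old - new), "unexpected": sorted(new - old),
            "duplicate_spf": sorted(n for n, c in spf.items() if c > 1)}

# Constructed sample: export from the current DNS host.
OLD_ZONE = """\
example.com. 3600 IN MX 1 ASPMX.L.GOOGLE.COM.
example.com. 3600 IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
selector1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com;"
"""
# Constructed sample: what the scan imported (wrong MX priority, no DKIM, extra SPF).
NEW_ZONE = """\
example.com. 300 IN MX 1 aspmx.l.google.com.
example.com. 300 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
example.com. 300 IN TXT "v=spf1 include:sendgrid.net ~all"
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com;"
"""

if __name__ == "__main__":
    print(compare_zones(OLD_ZONE, NEW_ZONE))
```

Providers may split long TXT values into several quoted strings, so a reported DKIM difference should be checked by eye before it is treated as a real mismatch.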
Don’t proxy mail-related hostnames
In Cloudflare DNS:
- Orange-cloud (Proxied): HTTP/S traffic goes through Cloudflare’s edge (good for web).
- Gray-cloud (DNS only): Cloudflare only answers DNS; traffic goes directly to the origin.
For mail, keep these hostnames DNS only (gray-cloud):
- MX targets (e.g., ASPMX.L.GOOGLE.COM. — these are usually outside your zone and not proxied anyway)
- Any mail.example.com host serving SMTP, IMAP, or POP
- autodiscover.example.com and similar mail autodiscovery records
- Any hostnames used for SMTP submission, inbound mail gateways, or relay servers
Only web endpoints that should be accelerated and protected by Cloudflare (e.g., www.example.com, app.example.com) should be proxied.
Step 4: Update nameservers at your domain registrar
Once you’ve validated all DNS (especially mail records) on Cloudflare:
- Cloudflare will show you two nameservers (e.g., abby.ns.cloudflare.com and mark.ns.cloudflare.com).
- Log in to your domain registrar (e.g., GoDaddy, Namecheap, Google Domains, etc.).
- Find the domain’s nameserver settings.
- Replace the current nameservers with the two Cloudflare nameservers.
- Save changes.
DNS changes can take anywhere from a few minutes to 24–48 hours to fully propagate, but most changes apply much faster.
Step 5: Monitor email delivery and DNS propagation
While DNS propagates:
- Send test emails:
  - From your domain to an external address (e.g., you@gmail.com)
  - From an external address to your domain (you@example.com)
- Check:
  - Messages arrive and send without delay.
  - SPF, DKIM, DMARC pass (most mail clients or tools like Gmail’s “Show original” will display this).
If something fails:
- Compare the current Cloudflare DNS zone with your old DNS provider (if still accessible).
- Look for missing MX/DKIM/DMARC/TXT records or typos in hostnames.
- Fix in Cloudflare DNS; changes propagate quickly because Cloudflare is now authoritative.
Features & Benefits Breakdown
| Core Feature | What It Does | Primary Benefit |
|---|---|---|
| Managed DNS on a global network | Moves your domain’s DNS to Cloudflare’s anycast network, answering queries from nearby POPs. | Faster, more reliable DNS responses without changing your mail provider. |
| Granular DNS control for mail | Lets you manage MX, SPF, DKIM, DMARC, and SRV/TXT records per hostname. | Keep email fully functional while routing web traffic through Cloudflare’s edge. |
| Selective proxying (per host) | Proxy web endpoints (orange-cloud) while keeping mail endpoints DNS-only (gray-cloud). | Accelerate and protect websites and APIs without breaking SMTP, IMAP, POP, or mail autodiscovery. |
Ideal Use Cases
- Best for small businesses moving to Cloudflare for the first time: Because you can migrate DNS and start using Cloudflare’s CDN, DDoS protection, and WAF without reconfiguring Google Workspace, Microsoft 365, or other email services.
- Best for enterprises consolidating DNS and Zero Trust: Because Cloudflare can become your authoritative DNS, protect your web and API traffic, and coexist cleanly with existing, often complex, mail routing and security stacks.
Limitations & Considerations
- Cloudflare is not your mail provider: It does not host your inbox or send transactional mail by default. It simply publishes the DNS records that tell other mail servers where to deliver your email. You still need Gmail, Microsoft 365, or another provider for actual mailboxes.
- Misconfigured DNS can still break email: Cloudflare doesn’t override bad MX or SPF records. If you introduce typos, duplicate conflicting SPF records, or mis-flag mail hosts as proxied, you can cause delivery issues. Always review and test after changes.
Pricing & Plans
Cloudflare DNS and basic protections are available on the Free plan, which is often sufficient for personal sites and small businesses that want to keep email working while they accelerate and secure their websites.
Higher tiers add things like advanced WAF, bot management, and more support:
- Free / Pro / Business plans: Best for individuals and small to mid-sized teams that want fast global DNS, CDN, and core security while keeping their existing mail setup.
- Enterprise plan: Best for larger organizations needing SLAs (including a 100% uptime SLA for enterprise), advanced security policies, dedicated support, and integration across Cloudflare One, Application Services, Network Services, and the Developer Platform.
For enterprise needs, including complex DNS, hybrid environments, and strict uptime requirements, you can Get Started with Cloudflare Enterprise to design a migration pattern that safeguards core services like email.
Frequently Asked Questions
Will moving my DNS to Cloudflare break my email?
Short Answer: No, as long as you correctly copy your MX and mail-related DNS records and don’t proxy mail endpoints, your email will continue to work as before.
Details: Email delivery relies on DNS records (MX, SPF, DKIM, DMARC, and sometimes SRV/TXT). When you move your domain to Cloudflare, Cloudflare becomes the authoritative DNS, but it doesn’t change where your mail is delivered. If the MX and related records on Cloudflare are identical to your old provider and mail endpoints are set to DNS-only, your email provider (e.g., Google Workspace, Microsoft 365, or another host) keeps handling your mail without interruption.
Should I proxy my mail server through Cloudflare?
Short Answer: No. Mail protocols should remain DNS-only; only web traffic should be proxied.
Details: Cloudflare’s HTTP/S proxy is built to protect and accelerate web traffic, not SMTP, IMAP, or POP. If you attempt to orange-cloud (Proxied) a hostname used for SMTP or IMAP, it can interfere with those protocols. Best practice is:
- Keep mail-related hostnames like mail.example.com, smtp.example.com, imap.example.com, autodiscover.example.com as DNS only (gray-cloud).
- Proxy only HTTP/S endpoints (e.g., www.example.com, portal.example.com) that you want running through Cloudflare’s CDN and security stack.
Summary
You can safely sign up for Cloudflare and point your domain to it without breaking email by treating the migration as a DNS change, not a mail change. Cloudflare becomes your authoritative DNS and edge for web traffic, but your MX, SPF, DKIM, and DMARC records still point to the same email providers. The key is to:
- Let Cloudflare import your DNS.
- Verify every mail-related record against your current provider.
- Keep mail endpoints DNS-only (no proxy).
- Update nameservers at the registrar and test email during propagation.
This way, you connect and protect your websites and apps through Cloudflare’s connectivity cloud while your email keeps working exactly as before.