How do I sign up for Cloudflare and point my domain to it without breaking email?

Most teams want the performance and security benefits of Cloudflare’s connectivity cloud, but worry that “moving DNS” will break email. The good news: if you copy your existing DNS records carefully — especially MX and related records — you can sign up for Cloudflare, point your domain to it, and keep email working without interruption.

Quick Answer: Sign up for Cloudflare, add your domain, let Cloudflare scan your existing DNS records, then verify and/or add your MX, SPF, DKIM, and any mail-related A/AAAA records before you update nameservers at your registrar. Email keeps working as long as those DNS records match what your mail provider expects.


The Quick Overview

  • What It Is: A step‑by‑step way to onboard your domain to Cloudflare’s global network (as your DNS host and security/performance layer) without disrupting existing email services.
  • Who It Is For: Website owners, IT admins, and developers who want Cloudflare’s CDN, DDoS/WAF protection, and DNS performance, but use third‑party or self‑hosted email.
  • Core Problem Solved: Avoiding the classic “email stopped working after pointing my domain to Cloudflare” issue caused by misconfigured or missing DNS records.

How It Works

At a high level, you:

  1. Create a Cloudflare account and add your domain.
  2. Let Cloudflare import your current DNS records, then validate or manually add any missing mail‑related entries.
  3. Switch your domain’s nameservers at your registrar to the Cloudflare nameservers.

Once that’s done, Cloudflare sits in front of your website and other proxied services to connect and protect them using the global edge network, while acting as your authoritative DNS for everything — including email routing. Mail itself does not “pass through” Cloudflare’s proxies; email delivery is controlled entirely by the MX and related DNS records you maintain in Cloudflare DNS.

Here’s the process broken down.


Step 1: Prepare by Collecting Your Current DNS and Mail Settings

Before you touch anything, collect the “source of truth” for your existing DNS and email configuration. This is what you’ll replicate inside Cloudflare.

  1. Log in to your current DNS host or registrar

    • Look for the “DNS” or “DNS zone” section.
    • Export or screenshot all current records, especially:
      • MX records (who handles your mail)
      • A/AAAA records for:
        • your website (example.com, www.example.com)
        • any mail servers (often mail.example.com)
      • CNAME records (for web or mail, e.g., autodiscover, smtp, webmail)
      • TXT records for:
        • SPF (v=spf1 ...)
        • DKIM (selector._domainkey.example.com)
        • DMARC (_dmarc.example.com)
      • Any SRV records (commonly for SIP, XMPP, or some mail clients)
  2. Note your email provider’s official DNS instructions

    • If you use a service like Microsoft 365, Google Workspace, or another hosted email provider, find their current “DNS setup” guide.
    • This is your authoritative reference for what MX/TXT/CNAME records should look like.
  3. Confirm what needs to stay reachable by direct hostname

    • Self‑hosted mail server? Make sure you know which hostnames (mail.example.com, smtp.example.com, etc.) should point to your server’s IP.

You’ll use this information to double‑check Cloudflare’s automatic DNS import.


Step 2: Sign Up for Cloudflare and Add Your Domain

Creating a Cloudflare account takes only a few minutes.

  1. Sign up or log in

    • Visit cloudflare.com and create an account or sign in.
    • You can get started in less than 5 minutes.
  2. Add a website (your domain)

    • In the Cloudflare dashboard, click Add a site.
    • Enter your root domain (e.g., example.com, not https:// or a subdomain).
    • Click Continue.
  3. Choose a plan

    • Select the plan that fits your use case:
      • Free or lower‑tier plans for personal/small sites.
      • Business/Enterprise when you need advanced security (WAF, DDoS guarantees), custom SLAs, or Zero Trust access through Cloudflare One.
    • You can change plans later; choosing a plan doesn’t switch your DNS yet.

Cloudflare will now start scanning your current DNS records.


Step 3: Let Cloudflare Scan and Import Existing DNS

Cloudflare performs an automated scan of your domain’s public DNS to import as many records as possible.

  1. Review imported records

    • After the scan, Cloudflare shows a list of imported DNS records.
    • Carefully check for:
      • All MX records
      • All mail‑related TXT, CNAME, and SRV records
      • Web A/AAAA/CNAME records (e.g., example.com, www)
  2. Compare with your original DNS export

    • Make sure every record from your prior DNS host is present in Cloudflare.
    • Pay special attention to:
      • MX priority order (lower number = higher priority)
      • MX hostnames (exact spelling, trailing dots usually aren’t necessary in the UI)
      • SPF TXT records (copy the entire string)
      • DKIM TXT records (long values — paste carefully)
  3. Add any missing records manually

    • If anything is missing, click Add record and recreate it:
      • Record type: MX, TXT, CNAME, A, AAAA, or SRV as appropriate
      • Name: @ for the root domain, or specific subdomain (mail, selector._domainkey, _dmarc)
      • Content: hostnames, IPs, or text exactly as your provider documents
      • TTL: “Auto” is fine for most records
    • Save each added record.

Until you change nameservers at your registrar, your live DNS is still running on the old provider — so you can safely take your time to get this right.


Step 4: Decide Which Records Should Be Proxied vs. DNS‑Only

This is where the orange‑cloud (proxied) vs. grey‑cloud (DNS‑only) distinction matters. It’s also where people often accidentally break email.

Cloudflare proxy vs. DNS‑only

  • Proxied (orange cloud):
    • Traffic flows through Cloudflare’s connectivity cloud.
    • Used for websites, APIs, and some apps.
    • Cloudflare:
      • Provides CDN caching and acceleration.
      • Applies security features (WAF, DDoS protection, bot management) from the edge.
  • DNS‑only (grey cloud):
    • Cloudflare only answers DNS; traffic goes directly to the origin.
    • Required for most non‑HTTP services (SMTP, IMAP, POP3, many custom ports).
    • Appropriate for mail servers and some application protocols.

Email‑related records: what to proxy?

Never proxy MX records.
MX records must always be DNS‑only. In Cloudflare DNS, MX entries do not have an orange/grey toggle because they’re inherently DNS‑only by design — but the hostnames they reference need attention.

Follow these rules:

  1. MX records

    • Ensure MX records exist and point to the mail servers your provider specifies (e.g., ASPMX.L.GOOGLE.COM, example-com.mail.protection.outlook.com).
    • These are always DNS‑only; Cloudflare does not proxy MX records.
  2. Mail server hostnames referenced by MX

    • If your MX records reference:
      • Third‑party provider hostnames (e.g., gmail-smtp-in.l.google.com): you don’t control those; nothing to configure.
      • A hostname under your domain (e.g., mail.example.com):
        • Create an A or AAAA record for mail.example.com pointing to your mail server’s IP.
        • Set this record to DNS‑only (grey cloud).
        • Do not proxy mail.example.com if it’s used for SMTP, IMAP, or POP3.
  3. Autodiscover and other mail client helpers

    • Many email systems use:
      • autodiscover.example.com (often CNAME to provider)
      • smtp.example.com, imap.example.com, or pop.example.com
    • For these:
      • Match your provider’s recommended DNS records.
      • Leave them DNS‑only if they’re for non‑HTTP mail protocols.
      • Only proxy them if they serve HTTP(S) webmail or admin interfaces and your provider supports it (check provider docs).
  4. SPF, DKIM, DMARC (TXT records)

    • TXT records do not carry a proxy toggle; they’re always DNS‑only.
    • Ensure:
      • TXT @ with SPF policy (v=spf1 ...) is present.
      • One or more selector._domainkey.example.com TXT records for DKIM are present.
      • _dmarc.example.com TXT record is present with your DMARC policy.

Following this pattern ensures Cloudflare connects and protects your web properties, while mail flows directly to and from your email provider.
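The comparison in Step 3 and the proxy rules in Step 4 can be checked mechanically before the nameserver change. The following is an added example, not Cloudflare tooling: it assumes the old zone has been reduced to simple record dictionaries and that the Cloudflare side uses the `type`, `name`, `content`, `priority` and `proxied` fields of DNS record objects. All sample records and the `MAIL_LABELS` naming list are constructed assumptions.

```python
# Added example: audit the Cloudflare record set against the old zone before
# changing nameservers. All records below are constructed sample data.
MAIL_TYPES = {"MX", "TXT", "SRV"}  # every TXT is treated as mail-related
MAIL_LABELS = {"mail", "smtp", "imap", "pop", "autodiscover"}  # assumed naming

OLD_ZONE = [  # reduced from the old provider's export (constructed)
    {"type": "MX", "name": "example.com.", "content": "mail.example.com.", "priority": 10},
    {"type": "A", "name": "mail.example.com.", "content": "203.0.113.25"},
    {"type": "TXT", "name": "example.com.", "content": "v=spf1 mx -all"},
    {"type": "TXT", "name": "_dmarc.example.com.", "content": "v=DMARC1; p=none"},
    {"type": "A", "name": "www.example.com.", "content": "203.0.113.10"},
]
CF_RECORDS = [  # shaped like Cloudflare DNS record objects (constructed)
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "priority": 10},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.25", "proxied": True},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 mx -all"},
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
]

def norm(value):
    """Lowercase and drop the trailing dot so 'MAIL.Example.com.' matches."""
    return value.strip().rstrip(".").lower()

def key(rec):
    """Comparable identity of a record; MX priority is part of it."""
    rtype = rec["type"].upper()
    text = rec["content"].strip()
    content = text.strip('"') if rtype == "TXT" else norm(text)
    prio = int(rec.get("priority", 0)) if rtype == "MX" else 0
    return (rtype, norm(rec["name"]), prio, content)

def audit(old_records, cf_records):
    """Return (missing mail-related records, proxied hostnames used for mail)."""
    have = {key(r) for r in cf_records}
    mx_targets = {norm(r["content"]) for r in old_records + cf_records
                  if r["type"] == "MX"}

    def is_mail_host(name):
        return name in mx_targets or name.split(".")[0] in MAIL_LABELS

    missing = sorted(k for k in map(key, old_records) if k not in have
                     and (k[0] in MAIL_TYPES or is_mail_host(k[1])))
    proxied = sorted(norm(r["name"]) for r in cf_records
                     if r["type"] in {"A", "AAAA", "CNAME"} and r.get("proxied")
                     and is_mail_host(norm(r["name"])))
    return missing, proxied

if __name__ == "__main__":
    missing, proxied = audit(OLD_ZONE, CF_RECORDS)
    print("missing in Cloudflare:", missing)
    print("proxied mail hostnames:", proxied)
```

With the sample data, the audit reports the DMARC record that was left behind and the proxied `mail.example.com` record, while the proxied `www` record is correctly ignored.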


Step 5: Change Nameservers at Your Registrar

Once you’re confident Cloudflare’s DNS matches your current settings, you’ll switch your domain to use Cloudflare as the authoritative DNS host.

  1. Get your Cloudflare nameservers

    • Cloudflare will provide two nameservers, e.g.:
      • name1.ns.cloudflare.com
      • name2.ns.cloudflare.com
    • These are unique to your account/domain; copy them exactly.
  2. Log in to your domain registrar

    • Go to your registrar (e.g., GoDaddy, Namecheap, Google Domains).
    • Open the domain management page and locate Nameservers.
  3. Update nameservers

    • Choose “Use custom nameservers” (wording varies by registrar).
    • Replace the old nameservers with the two Cloudflare nameservers.
    • Save changes.
  4. Wait for DNS propagation

    • Nameserver changes can take from minutes up to 24–48 hours to propagate globally.
    • During this period, some users will still resolve via your old DNS provider, and some via Cloudflare.
    • Because you copied the same DNS records into Cloudflare, behavior (including email) should remain consistent.
  5. Verify activation in Cloudflare

    • Cloudflare will periodically check your nameserver delegation.
    • When it detects the change, your domain status will update to Active.
    • From this point, Cloudflare serves DNS for your domain.

Step 6: Test Web and Email After Cutover

Once Cloudflare shows your domain as active:

  1. Test website access

    • Visit your website:
      • https://example.com
      • https://www.example.com
    • Confirm pages load correctly and performance is normal or improved.
    • Use your browser’s developer tools or a tool like curl to confirm you’re reaching Cloudflare (you’ll often see Cloudflare headers like cf-ray).
  2. Test incoming and outgoing email

    • Send test emails:
      • From an external address (e.g., Gmail) to you@example.com.
      • From you@example.com to another external address.
    • Confirm messages arrive and are not delayed.
  3. Test all mail clients and hostnames

    • Desktop mail clients (Outlook, Apple Mail, Thunderbird).
    • Mobile mail apps.
    • Webmail URLs (e.g., https://outlook.office.com, https://mail.yourdomain.com if applicable).
    • If any clients fail:
      • Check the hostname they’re configured to use.
      • Confirm that hostname exists in Cloudflare DNS and:
        • Points to the correct IP/target.
        • Is set to DNS‑only for non‑HTTP mail protocols.
  4. Use DNS tools to verify

    • Tools like dig, nslookup, or online DNS checkers can confirm:
      • MX records for your domain.
      • A/AAAA records for mail hostnames.
      • SPF/DKIM/DMARC TXT records.

Once these tests pass, you’ve successfully pointed your domain to Cloudflare without breaking email.
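The dig check from Step 6 can be scripted so that the old and the Cloudflare nameservers are each asked directly and their answers compared, which also works during the propagation window in Step 5. This is an added example, not part of the original guide: `ns1.old-dns-host.example` and the DKIM selector `selector` are placeholders, and `name1.ns.cloudflare.com` stands in for the nameserver Cloudflare assigns you.

```python
# Added example: compare live answers from the old and the Cloudflare
# authoritative nameservers. Nameserver names and the DKIM selector are
# placeholders to replace with your own values.
import re
import subprocess

def normalize(rtype, lines):
    """Turn `dig +short` lines into a comparable, order-independent set."""
    out = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if rtype == "TXT":
            # Long TXT values (DKIM keys) come back as several quoted chunks
            # of up to 255 bytes; join them before comparing.
            chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
            out.add("".join(chunks) if chunks else line)
        else:
            # MX lines look like '10 mail.example.com.'; hostnames are
            # case-insensitive and dig prints them with a trailing dot.
            out.add(" ".join(p.rstrip(".").lower() for p in line.split()))
    return out

def query(server, name, rtype):
    """Ask one nameserver directly, bypassing resolver caches."""
    cmd = ["dig", "+short", "+norecurse", f"@{server}", name, rtype]
    res = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    return normalize(rtype, res.stdout.splitlines())

def diff(old, new):
    """Records only the old server has, and records only Cloudflare has."""
    return sorted(old - new), sorted(new - old)

def checks(domain, dkim_selector):
    """The mail-related lookups listed in Step 6."""
    return [(domain, "MX"), (domain, "TXT"),
            (f"_dmarc.{domain}", "TXT"),
            (f"{dkim_selector}._domainkey.{domain}", "TXT")]

if __name__ == "__main__":
    OLD_NS, CF_NS = "ns1.old-dns-host.example", "name1.ns.cloudflare.com"
    for name, rtype in checks("example.com", "selector"):
        only_old, only_cf = diff(query(OLD_NS, name, rtype), query(CF_NS, name, rtype))
        print(name, rtype, "OK" if not (only_old or only_cf) else (only_old, only_cf))
```

Any record printed under "only old" still has to be added in Cloudflare DNS; an empty difference for every lookup means both providers hand out the same mail routing.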


Features & Benefits Breakdown

| Core Feature | What It Does | Primary Benefit |
| --- | --- | --- |
| Authoritative DNS on Cloudflare | Hosts all your domain’s DNS records (web, mail, apps) on Cloudflare’s global network. | Faster, more reliable DNS resolution with Cloudflare’s 100% uptime SLA on Enterprise plans. |
| Application Security & Performance | Proxies HTTP/S traffic through Cloudflare’s edge for caching, WAF, and DDoS mitigation. | Protects and accelerates websites and APIs without changing your mail flow. |
| Separation of Web Proxy and Mail Routing | Keeps email traffic unproxied while still managing DNS for MX and mail records. | Safely adopt Cloudflare without disrupting existing email services. |

Ideal Use Cases

  • Best for website owners with third‑party email (e.g., Google Workspace, Microsoft 365): Because Cloudflare can take over DNS and protect your site while you simply mirror your provider’s MX/TXT records, keeping email untouched.
  • Best for self‑hosted mail servers with public websites: Because you can route HTTP/S traffic through Cloudflare’s edge for security and performance while keeping SMTP/IMAP/POP hostnames DNS‑only, preserving direct mail connectivity.

Limitations & Considerations

  • Cloudflare does not “proxy SMTP” for standard email delivery:
    Cloudflare’s orange‑cloud proxy is designed for HTTP/S and some other protocols, not generic SMTP mail traffic. Keep mail hostnames DNS‑only unless you know the service is HTTP‑based and supported behind a proxy.

  • Misconfigured DNS can still break email:
    Cloudflare won’t magically fix incorrect MX, SPF, DKIM, or DMARC settings. Always follow your email provider’s DNS instructions and validate records after migration.


Pricing & Plans

Using Cloudflare as your DNS provider is available across all plans, including Free. The choice of plan depends on what you want beyond DNS:

  • Self‑Service Plans (Free / Pro / Business): Best for individuals and small to mid‑size teams that need fast, resilient DNS plus WAF, CDN, and basic security for public websites and APIs. Email remains with your existing provider; you manage MX/TXT in Cloudflare DNS.
  • Enterprise Plan: Best for organizations that need a unified connectivity cloud — combining advanced WAF, bot management, DDoS mitigation, Cloudflare One (SASE/Zero Trust), Magic Transit, and Enterprise SLAs — while centrally managing DNS for web, apps, APIs, AI workloads, and mail routing.

For enterprise‑grade support, you can contact Cloudflare to tailor an Enterprise plan to your environment.


Frequently Asked Questions

Will my email go through Cloudflare after I change nameservers?

Short Answer: No. Your email still goes directly between your mail servers and the Internet; Cloudflare only hosts the DNS records that tell mail servers where to deliver messages.

Details:
When you move DNS to Cloudflare, you change who answers DNS queries for your domain, not how SMTP connections are handled. MX records in Cloudflare DNS point to your mail provider or mail server exactly as before. As long as those MX and related records are correct and the mail hostnames are DNS‑only, mail flows normally. Cloudflare’s proxy sits in front of HTTP/S services (websites, APIs, some apps), not in front of standard SMTP/IMAP/POP mail traffic.


What’s the most common mistake that breaks email when moving to Cloudflare?

Short Answer: Missing or incorrect MX and TXT records — or accidentally proxying a hostname used for mail services.

Details:
The typical failure pattern looks like this:

  • MX records weren’t imported or were mis‑typed when manually added.
  • SPF, DKIM, or DMARC TXT records were left behind at the old DNS provider.
  • A hostname like mail.example.com was set to proxied (orange cloud) in Cloudflare while still being used for SMTP, IMAP, or POP.

The fix is straightforward: double‑check all MX and TXT records against your email provider’s documentation, ensure mail / smtp / imap hostnames point to the correct IPs, and set those A/AAAA records to DNS‑only (grey cloud). Once corrected and propagated, email resumes normal operation.


Summary

You can safely sign up for Cloudflare, point your domain to it, and keep email working by treating DNS migration as a precise copy‑and‑verify exercise:

  • Sign up and add your domain to Cloudflare.
  • Let Cloudflare import your existing DNS, then verify every MX, A/AAAA, TXT, and mail‑related CNAME/SRV record against your current configuration.
  • Keep MX and mail‑protocol hostnames DNS‑only, and proxy only the HTTP/S services you want Cloudflare to connect and protect.
  • Change nameservers at your registrar once you’re confident DNS is correct, then test both web and email thoroughly.

Do that, and you get Cloudflare’s global DNS performance and application security benefits without the “we broke email” surprise.

