Cloudflare's Mail Servers?

Hi all 👋, So I was reading the Cloudflare website here: https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/ and it said that SPF records should follow this format:
v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all
How can I include Cloudflare's mail servers though? What should I write for that? I couldn't find any documentation specifying what should be typed. ChatGPT said: include:spf.cloudflare.com but I'm not sure if that's correct?
111 Replies
son arg (OP) • 8mo ago
Additional info:
X-FEAS-SPF-Spam: spf-result=fail, ip=35.89.44.37, helo=omta38.uswest2.a.cloudfilter.net, [email protected]
X-FEAS-DKIM: Valid
Authentication-results: afimail1.e.n.a; spf=fail (e.n.a: 35.89.44.37 is not permitted sender for domain of [email protected]) [email protected]; dkim=pass [email protected]
X-BM-Spam-test-Result: TRUE
X-SPF-Spam-Reason: SPF Failure
The reason I believe Cloudflare's mail servers have something to do with this is the above, which I get whenever I send mail ^
Chaika • 8mo ago
Cloudflare's mail servers would only be involved if you were using Cloudflare's Email Routing. What email service are you using? You should have them in your SPF record.
son arg (OP) • 8mo ago
It seems like 35.89.44.37 is one of Cloudflare's mail servers. I actually whitelisted that IP address by adding it to my SPF record; however, new IP addresses kept showing up thereafter, and I can't keep whitelisting IP addresses. Hmm, I see. I'm using HostGator.
Chaika • 8mo ago
No, 35.89.44.37 is an AWS IP, looks like for Proofpoint?
Chaika • 8mo ago
Proofpoint
Messaging security for evolving threats | Cloudmark EN
Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world’s inboxes from wide-scale and targeted email threats.
Chaika • 8mo ago
They should tell you what SPF and DKIM records to add then.
son arg (OP) • 8mo ago
Oh, I see. How could you tell which IP address is associated with which company? Here is another one:
X-FEAS-SPF-Spam: spf-result=fail, ip=44.202.169.37, helo=omta038.useast.a.cloudfilter.net, [email protected]
X-FEAS-DKIM: Valid
Authentication-results: afimail1.e.n.a; spf=fail (e.n.a: 44.202.169.37 is not permitted sender for domain of [email protected]) [email protected]; dkim=pass [email protected]
X-BM-Spam-test-Result: TRUE
X-SPF-Spam-Reason: SPF Failure
The IP address is 44.202.169.37 this time. What is Proofpoint btw?
Chaika • 8mo ago
There are various IP lookup tools and such: https://www.ip-tracker.org/lookup.php?ip=44.202.169.37
44.202.169.37 IP, Location: Ashburn, United States US
IP: 44.202.169.37 / AS14618, Type: IPv4, Hostname: omta038.useast.a.cloudfilter.net, IP Location Information: Ashburn, Virginia, United States US
son arg (OP) • 8mo ago
Yeah, the message shows cloudfilter.net, and when I go to that site, it redirects me to the page you linked here.
Chaika • 8mo ago
On Linux you can just do whois <ip> and get a more authoritative answer about who the IP block was assigned to. But regardless, you should look in or ask HostGator what SPF and DKIM records you need for their email service; that would be the fastest way. There is going to be some simple list you can just include.
son arg (OP) • 8mo ago
I see
son arg (OP) • 8mo ago
Yeah, I got it:
[image attachment]
Chaika • 8mo ago
It's not going to be Cloudflare's SPF list. CF doesn't do email proxying or anything, at most email forwarding, and that's largely receive-only. If you're sending out mail manually it's via some other avenue.
son arg (OP) • 8mo ago
But when I added include:spf.cloudflare.com, mail started going to my inbox instead of spam. It doesn't go to spam anymore. How come this worked?
X-FEAS-SPF: spf-result=perm-error, ip=44.202.169.39, helo=omta040.useast.a.cloudfilter.net, [email protected]
X-FEAS-DKIM: Valid
Authentication-results: afimail1.e.n.a; spf=permerror (e.n.a: 44.202.169.39 is neither permitted nor denied by domain of [email protected]) [email protected]; dkim=pass [email protected]
This time it says "neither permitted nor denied". Before, it said it's not permitted, period?
Chaika • 8mo ago
SPF is only a factor in rejecting email. If you have both DKIM/SPF it only needs to pass one (and whatever arbitrary spam stuff the provider uses). Sounds like you might have broken your SPF record.
permerror (Permanent error): Inability to correctly interpret the domain’s published records.
son arg (OP) • 8mo ago
Yeah, I do indeed have DKIM set up. Oh damn. Dang, so did my SPF record actually have a better configuration before? 😅
Chaika • 8mo ago
Well, it was actually parsable before and knew that IP wasn't in the list. It looks like the actual SPF record for CF Email Routing is _spf.mx.cloudflare.net; there's nothing on spf.cloudflare.com, probably why the permerror.
son arg (OP) • 8mo ago
dkim=pass
SPF Failure
Btw, you said it only needs to pass one, how come here it passed 1 but still went to spam?
Chaika • 8mo ago
Well, I did also say:
(And whatever arbitrary spam stuff the provider uses)
son arg (OP) • 8mo ago
Oh, I see
Chaika • 8mo ago
For DMARC to pass you just need DKIM/SPF, but there's no hard rules on what exactly each provider does. IIRC just recently Google and Outlook said they were going to hard-require DKIM. Email is a messy game.
son arg (OP) • 8mo ago
I do have DMARC set up too, yes. Is that DKIM and SPF or DKIM or SPF btw?
Chaika • 8mo ago
or
son arg (OP) • 8mo ago
Right, true 😅. I see.. is there a way to check the rules the email provider specifies? Probably on their website?
Chaika • 8mo ago
I don't think any of that is public, and I believe for a lot of them SPF etc. failures are just scores that get calculated. Your problem is the same though: you still need to find the right SPF list for your email provider.
son arg (OP) • 8mo ago
Right
son arg (OP) • 8mo ago
Right, yep
son arg (OP) • 8mo ago
Crazy thing is, it says valid: 💀
[image attachment]
Chaika • 8mo ago
Can you click manage and get it to spit out the SPF anyway? Or maybe I should ask: how exactly are you sending emails, directly from HostGator's provided stuff?
son arg (OP) • 8mo ago
No, using Thunderbird/Outlook. And yeah, I'll try that.
Chaika • 8mo ago
Hooked up via IMAP/POP3 with their email offering?
son arg (OP) • 8mo ago
Yeah, using IMAP/POP3. Thunderbird detected the config automatically.
son arg (OP) • 8mo ago
This is the next page it shows, same thing:
[image attachment]
Chaika • 8mo ago
Yea, it looks like the single IP they provide is where all mail coming out of their service should originate.
son arg (OP) • 8mo ago
And when I click customize on the SPF value, this is the next page that shows up:
[image attachment]
Chaika • 8mo ago
I would question what your Thunderbird/Outlook config is like. IMAP/POP3 is only a protocol to get mail, not send it.
son arg (OP) • 8mo ago
Where's the single IP they provide? I see, 1 sec.
Chaika • 8mo ago
The one you blurred, 192.254.25 something.
son arg (OP) • 8mo ago
Here is the config:
[image attachment]
son arg (OP) • 8mo ago
Is that important to blur btw? Or not really?
Chaika • 8mo ago
Not really, since it's the outgoing mail server; anyone you email would get it.
son arg (OP) • 8mo ago
Ah, mb then
Chaika • 8mo ago
Yea, that looks fine and as per their setup guide. It's just curious then that if you send an email out, it comes from a different IP than they say it will.
son arg (OP) • 8mo ago
It seems breaking the SPF record actually fixed it 😄. Oh yeah. Well.. put a bandage on it, perhaps we could say.. Interesting..
son arg (OP) • 8mo ago
Oh, I forgot to mention I'm using Cloudflare. Here is my email stuff in case that's helpful?
[image attachment]
son arg (OP) • 8mo ago
And yeah, you're totally right, Amazon is sending email on my behalf. I would have expected HostGator to do the work (of sending the email), right?
Chaika • 8mo ago
Well, it's perfectly reasonable for them to use some third party for the email sending; IP reputation is hard. But you'd expect that to be properly whitelisted and included in the provided SPF record.
son arg (OP) • 8mo ago
Right, yes. So I'm thinking.. is it worth it to manually add all of Amazon's IP addresses? 😄 Or is that not gonna work? Is there a way to add all of Amazon's mail server IP addresses in 1 command (like a wildcard or something like that)? Wdym by this btw? How are IP addresses hard? I think this might be a feasible solution?
Chaika • 8mo ago
It's not AWS, it's Proofpoint's, or specifically that service. AWS has 47 million IP addresses; that wouldn't work.

IP addresses aren't, IP reputation is. You get one bad neighbor in your /24 block (i.e. from 192.255.125.0 - 192.255.125.255) and all other IPs in that range are affected. Additionally, if you send out too much spam, your /24 or specific IP will get a bad reputation. So for shared services you have a battle where a single user could poison it all, and you need to build up good IP reputation/sending speeds over time.

I would just ask HostGator about it tbh, or try sending it from their web UI and see what IP it comes out of, and then ask them "how come.."
son arg (OP) • 8mo ago
I see.. interesting. I see, fair enough, I'll be contacting them for sure, thanks. Oh, one last thing if I may ask: what's a Proofpoint? And "or specifically that service"? I didn't fully understand those 2 points. I searched Proofpoint up, it's a company? Ah, I see. So it's Proofpoint's (the company) mail servers.
Chaika • 8mo ago
A company which offers specific email services, yea.
son arg (OP) • 8mo ago
Why does it say Amazon though? Instead of Proofpoint
Chaika • 8mo ago
It's an AWS block assigned to Proofpoint. Idk how DMARC Management gets the name.
son arg (OP) • 8mo ago
I see. And when you say "block", that would mean: "a range of IP addresses"?
Chaika • 8mo ago
Yea, it's 44.202.169.32/27.
Chaika • 8mo ago
[image attachment]
Chaika • 8mo ago
AWS owns the wider block of 44.192.0.0/11 and assigned 44.202.169.32/27 to Proofpoint
son arg (OP) • 8mo ago
Ahh, I see. Interesting.. Well, I've got to say, thanks a lot for the valuable info! I woulda thought the issue was fixed (and not broken) otherwise. I'll be sure to contact them and ask them about it in a bit.

Hey, @Chaika! Sorry for the ping, but I just wanted to give an update that I did indeed contact HostGator and a representative from their support team gave me this snippet:
v=spf1 +a +mx +ip4:192.254.250.162 +ip4:192.185.224.78 +include:websitewelcome.com ~all
And it works now. SPF is showing up as PASS now. So I just came back here to ask what was wrong with my old record though? This was my old one:
v=spf1 +ip4:192.254.250.162 ~all
How did the +a +mx and +ip4:192.185.224.78 +include:websitewelcome.com additions help resolve the issue, if you don't mind me asking? Just trying to understand it here, that's all. Oh also, literally nowhere in their documentation did they mention anything remotely close to websitewelcome.com lol, so I would never have guessed if I hadn't contacted them.
Chaika • 8mo ago
They're including IPs and other lists. +a says the A record of this site (on the root) should be allowed to send. +mx says the IP the MX record is pointing at should be allowed, and websitewelcome.com says include everything from their list. If you look up websitewelcome, you'll find it's now another list:
dig websitewelcome.com txt +short
"MS=ms38583564"
"v=spf1 ip4:209.17.115.0/24 ip4:64.69.218.0/24 include:eig.spf.a.cloudfilter.net include:spf.websitewelcome.com include:spf1.websitewelcome.com include:spfgwp.websitewelcome.com include:_spf.google.com include:spf.protection.outlook.com -all"
and that list includes one of particular interest:
dig eig.spf.a.cloudfilter.net txt +short
"v=spf1 ip4:35.89.44.32/29 ip4:44.202.169.32/29 ~all"
which contains the IPs you mentioned originally, like 35.89.44.37.
son arg (OP) • 8mo ago
Woahh, that is effectively a huge number of IPs allowed to send on my behalf, isn't it?
Chaika • 8mo ago
I wouldn't be worried about the number of IPs, but the number of parties involved, which includes Outlook, Gmail, and a few others.
son arg (OP) • 8mo ago
Ohh interesting...
Chaika • 8mo ago
That is really not typical though; usually you just have one list per email service and they just have a few IP blocks. Their setup is def not the most secure/non-typical.
son arg (OP) • 8mo ago
Oh wow, is this bad? Oh wow, I see
Chaika • 8mo ago
Ehh, I mean in order to even use those services they do validate you have control over the domain first.
son arg (OP) • 8mo ago
I'm definitely open to move. Is there another hosting service you'd recommend? Can I move to Cloudflare or no?
Chaika • 8mo ago
Do you have issues with their hosting, or just with their email service?
son arg (OP) • 8mo ago
Ngl, their site seems a bit scammy in general. They're always throwing offers in my face right when I log in.
Chaika • 8mo ago
Cloudflare doesn't have an email service (for sending/storing). I use and love Fastmail personally; it's paid though and separate. There are other options such as ProtonMail, Google Workspace (or whatever they call it now).
son arg (OP) • 8mo ago
Oh, hosting and email are 2 separate things?
Chaika • 8mo ago
Yep, completely.
son arg (OP) • 8mo ago
I see
Chaika • 8mo ago
Your MX record is where your mail goes to. Your SPF/DKIM/DMARC configure outbound sending. Web traffic goes to the A/AAAA record. Ex: I use Fastmail on all of my domains, and mostly Cloudflare/Cloudflare Pages/etc for hosting.
son arg (OP) • 8mo ago
Perfect setup. I'm defo gonna read up on their docs when I get back home. Thanks a bunch! Oh, and 1 last thing: does Cloudflare support hosting a backend? Since IIRC, Pages is for frontends only, right?
Chaika • 8mo ago
Strictly speaking yes. But it's restricted/not exactly normal. No PHP or anything like that; they have Workers for serverless code, which are primarily in JavaScript in a web worker/web-like environment. Pages can use Functions, which are essentially Workers as well.
son arg (OP) • 8mo ago
Oh so no C# or Rust backends permitted?
Chaika • 8mo ago
They don't offer typical hosting or VPSes or containers, just Workers. It's for a reason: because they force a specific environment onto you, they run on every single Cloudflare edge (some 250 cities) and every datacenter (some 500), right there, on the machine your request first hits. Nothing in between, no need to worry about scaling, etc.

Right. There is #🦀rust-on-workers but it's all non-typical. Workers don't run a web server or anything; they just get handed the request and have to return a response. Thus Rust on Workers is a lot of JS interop to get it all to flow.

Maybe it helps to explain: Workers run using the V8 JavaScript engine, same as Chrome, and they run as Isolates, a lightweight isolation, much lighter than something like a container. Rust on Workers thus is just WebAssembly like you would run in a browser.
son arg (OP) • 8mo ago
Oh wow, okay, I see. I'll defo be reading up on those docs too then. When you say "non-typical", I assume you mean Cloudflare handles hosting backends differently than how other hosting services host them? Are there any other solid hosting services you recommend which host in a more "typical" way, in case the Rust on Cloudflare doesn't work out? Ah, okay, I see. So I wonder if a WASM backend would be more performant than a normal backend? Or what metrics should we be looking at here?
Chaika • 8mo ago
When you say "non-typical", I assume you mean Cloudflare handles hosting backends differently than what other hosting services host them?
Well, usually when you use something, let's say Azure App Services, which you can just upload a C# ASP.NET Core API to, it's just a container under the hood, and connections go pretty directly to it. You might put a CDN/Front Door in front of it, but if you don't, you're pretty much just hitting your web server. Workers are part of CF's stack. To reach a Worker, you have to go through the normal CF proxy (nginx with a bunch of customization). You'll always have the full CDN/WAF/etc in front of your Worker. Then on that exact same machine that received the request/would normally proxy it, it runs your Worker code. Every machine in every CF data center can run your Worker, and there's no particular affinity to one besides keepalive. They call it their homogeneous deployment because of it; there's no LBs routing requests to specific Workers, nothing in the middle. But you pay for it in size (must be very small, paid Workers can only be 10 MB), needing fast startups, and such.

WASM/Rust would be less performant than normal JS on a simple test. If you were doing a ton of allocations and extensive stuff then maybe not, but the key bit is it's still all JavaScript at the start and finish; it's just doing a lot of interop to give Rust the request and provide all the normal methods, etc.
Are there any other solid hosting services you recommend which hosts in a more "typical" way in case the Rust on Cloudflare doesn't work out?
Hetzner Cloud is great for VPSes/simple hosting. If you wanted something more managed, maybe fly.io? I don't have that much experience with fly, but can say I've heard nothing but good things about Hetzner's reliability and have a few VPSes with them, never any issues. Super cheap too, especially their ARM instances in Germany if the location works and the architecture works for your app.
son arg (OP) • 8mo ago
Ah, understood Awesome, thanks a bunch! Your info has been invaluable
Chaika • 8mo ago
Pretty much my preferred stack is C# ASP.NET Core on Hetzner Cloud & Postgres, throw Cloudflare in front of it, and then use CF Pages for the front end/glue things together with Workers. Works well.
son arg (OP) • 8mo ago
I'll be sure to check Hetzner too
Chaika • 8mo ago
Some people go all in with backend logic in workers/functions, and you totally can, CF has products like D1/KV/R2 for storage/database/etc, but I like to have more control and familiar stuff lol
son arg (OP) • 8mo ago
Just searched Hetzner up, defo the first time I might be using a non-American company, that's cool too though lol
Chaika • 8mo ago
They have Cloud locations in the US, not ARM though.
son arg (OP) • 8mo ago
Oh you mean backend could be on Hetzner and database on CF? I guess at that point, everything's gonna get kinda "separated" though? Or na, it's still cool?
Chaika • 8mo ago
I wouldn't do that, latency would be an issue. I was saying you could go with your backend in Workers and using D1 as a Database. I do that for a few projects
son arg (OP) • 8mo ago
Ah, right right. That makes sense. Wdym by "ARM" here btw?
Chaika • 8mo ago
D1 is CF's SQLite offering. I like it and use it for some things, but it's a single-threaded isolate at the end of the day; it'll melt with a few hundred requests/second, which you may never meet but still, eh. I just like the more traditional approach of Postgres and an API on the same VPS: really low latency, Postgres can scale like crazy, and Hetzner Cloud always lets you rescale your instance.

ARM architecture. Traditionally all servers/PCs are x64.
son arg (OP) • 8mo ago
Oh okay, gotchu gotchu
Chaika • 8mo ago
However there's some really efficient and cheap ARM processors like Ampere coming out lately, lots of memory capacity too. Allows hosts like Hetzner to offer good discounts on resources. Just need to be able to run/compile your app in that architecture
Chaika • 8mo ago
For example, ARM Hetzner:
[image attachment]
Chaika • 8mo ago
vs x64:
[image attachment]
Chaika • 8mo ago
Pretty much twice the resources across the board. ARM (and their Ampere processors/cores) can be a bit slower at some things, but not slow enough to make up that difference. For some apps, like stuff in C#, it's super simple to compile/make for ARM. For some things it's more difficult, depends. If you can take advantage of it though, worth it.
son arg (OP) • 8mo ago
Wait, isn't this cheaper though? I thought it was said that ARM was cheaper? Ah, I see.
Chaika • 8mo ago
Look at the resources. 8 euros with Ampere/ARM gets you 4 vcores/8GB RAM/80GB disk; you pay nearly 9 euros for 3 AMD vcores/4GB of RAM/80GB disk. Ehh, that's closer to the same; if you look at the cheapest option though, it's double.
son arg (OP) • 8mo ago
Oh~ my bad. Jeez, conversing on phone sucks and is so slow to type 😅
Chaika • 8mo ago
Those are prices with VAT on as well, a bit cheaper without.
son arg (OP) • 8mo ago
Oh btw, I read an article on Cloudflare regarding serverless. Are those cool or do you prefer traditional servers?
Chaika • 8mo ago
They're cool regardless and can be super useful for gluing things together/simple applications and such
son arg (OP) • 8mo ago
Yeah, Hetzner honestly looks absolutely solid
Chaika • 8mo ago
For bigger applications (a lot more logic/requests processed/etc) I prefer traditional servers, just my preference; I like more control/visibility, and it tends to be cheaper if you have any meaningful volume of requests. Workers themselves are super cheap though, and can scale from 0 to a million requests instantly. That's just for my personal stuff at least. For work stuff, I work at a small company and I serverless everything, like Azure App Services/Functions/Managed SQL and such, because I do not want to be responsible for maintaining infrastructure for them/outages/etc. Worth paying the extra cost for peace of mind and the ability to blame someone else. Always another side to it.
son arg (OP) • 8mo ago
I see, really great points being made here.. I appreciate you taking the time. I'll be learning more and reading docs on these in a bit. I'll be sticking around this Discord for sure. Hehe, that's a really good point there 😄, I would defo do the same.
Chaika • 8mo ago
Yea, and at some point to a company it's just worth it. Azure SQL S3 tier is like $150/month for specs/performance I could get out of maybe a $10/month Hetzner VPS, but for a company (at least in my view) absolutely not worth it to switch anyway. Azure handles backups, scaling, outages, performance/configs, etc., so much peace of mind (should still do backups elsewhere too). The good old "no one ever got fired for picking AWS".
son arg (OP) • 8mo ago
Woahhh, that's incredible
Chaika • 8mo ago
Well, Azure SQL is maybe a bad pick for pricing comparison; their SQL DB has really limited IOPS, need to really go up there in tier to get decent disk performance.
son arg (OP) • 8mo ago
So it seems like a tradeoff, if we could manage the things that Azure/AWS/GCP does manually, then going with Hetzner would be much cheaper
Chaika • 8mo ago
Lol, pretty much describes serverless all around. Sometimes you just can't though, or it's just not worth it. Imagine an ad agency who only gets a few really popular commercials a year.
son arg (OP) • 8mo ago
Right, yes, budget constraints. That's understandable.
Chaika • 8mo ago
Well, my point in that example was that businesses with spiky traffic can really benefit from serverless rather than deploying a bunch of machines to sit idle or having to manually scale up/down. Pretty typical serverless benefit.