Configuring Cloudflare DNS Records

Problem: Mapping the exact DNS records required to prevent bounces without breaking client connections.

Fix:

  • Route the @ MX record to the NAS (incoming) and the mail MX record to AWS (bounce handling).
  • Dual SPF Configuration: Deploy two identical SPF records (root and subdomain) to authorize both the Header From and Envelope From.
  • Add the three DKIM CNAMEs provided by AWS and a basic p=none DMARC record.
  • Proxy Trap: Set all mail-related A and CNAME records to “DNS Only” (Grey Cloud). The proxy blocks non-HTTP traffic, breaking mail connections.
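
The checklist above as an audit you can run over an exported record list. This is an added example, not part of the original write-up; the records use the field names of Cloudflare DNS record objects (type, name, content, proxied), and every hostname, SPF string and DKIM token is a constructed placeholder.

```python
# Added example. Every hostname and value below is a constructed placeholder.
DOMAIN, MAIL_SUB = "example.com", "mail.example.com"
SPF = "v=spf1 include:spf.aws-placeholder.example ~all"

def rec(rtype, name, content, proxied=False):
    return {"type": rtype, "name": name, "content": content, "proxied": proxied}

SAMPLE = [
    rec("MX", DOMAIN, "nas.example.com"),                    # incoming mail -> NAS
    rec("MX", MAIL_SUB, "bounce.aws-placeholder.example"),   # bounce handling -> AWS
    rec("TXT", DOMAIN, SPF),                                 # SPF at the root
    rec("TXT", MAIL_SUB, SPF),                               # identical SPF at the subdomain
    rec("TXT", "_dmarc." + DOMAIN, "v=DMARC1; p=none"),
    rec("A", "nas.example.com", "203.0.113.10", proxied=True),  # the proxy trap
] + [rec("CNAME", f"key{i}._domainkey.{DOMAIN}", f"key{i}.dkim.aws-placeholder.example")
     for i in (1, 2, 3)]

def audit(records, domain=DOMAIN, mail_sub=MAIL_SUB):
    """Return findings for the checklist; an empty list means the zone matches it."""
    def txt(name, prefix):
        return [r["content"].strip('"') for r in records
                if r["type"] == "TXT" and r["name"] == name
                and r["content"].strip('"').startswith(prefix)]
    findings = []
    mx_targets = set()
    for name in (domain, mail_sub):
        targets = [r["content"].rstrip(".") for r in records
                   if r["type"] == "MX" and r["name"] == name]
        if not targets:
            findings.append(f"missing MX at {name}")
        mx_targets.update(targets)
    spf = [txt(name, "v=spf1") for name in (domain, mail_sub)]
    if any(len(v) != 1 for v in spf):
        findings.append("need exactly one SPF TXT at both root and subdomain")
    elif spf[0] != spf[1]:
        findings.append("SPF records at root and subdomain differ")
    dkim = [r for r in records if r["type"] == "CNAME"
            and r["name"].endswith("._domainkey." + domain)]
    if len(dkim) != 3:
        findings.append(f"expected 3 DKIM CNAMEs, found {len(dkim)}")
    if not txt("_dmarc." + domain, "v=DMARC1"):
        findings.append("missing DMARC record")
    for r in records:  # a proxied hostname cannot carry mail connections
        mail_related = r["name"] in mx_targets or r in dkim
        if r["type"] in ("A", "CNAME") and r.get("proxied") and mail_related:
            findings.append(f"{r['type']} {r['name']} is proxied; set it to DNS Only")
    return findings
```

Running audit(SAMPLE) flags only the proxied A record for the NAS; flipping it to DNS Only clears the list.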