If you remember, a while ago I moved to Cloudflare. I also went extensively into how I got Blogger moved over and working, because Cloudflare can require a very custom configuration, especially if you are using two separate CDN networks that conflict with each other.
Cloudflare Proxy/DNS Only
That particular mission took me quite a few turns of uncertainty. I found out that their Rocket Loader technology was not compatible with Blogger, and you also could not, at the time, use "Full" SSL mode: you required "Flexible" mode. Cloudflare also proxies all the connections that have the "orange cloud" option selected, and when this is selected you do not get the actual data you entered in DNS published, you get a Cloudflare public address, which is not good for certain types of records when you need to "publish" those records as entered. This is the proxied entry with the "orange cloud":
When it is not proxied the entry is displayed as "DNS Only", as this record is then published to the Internet normally. If you need TXT and NAME records they need to be DNS Only; you can only proxy A, AAAA and NAME records. This is it disabled:
Cloudflare email Routing - or not!
Wind the clock forward five months, and my new issue is with Cloudflare Email Routing. This particular service, which actually only offers email forwarding, decided not to work with Google accounts due to the untrusted reputation of an IP coming from the Cloudflare network. However, when you explain this to their support, down the rabbit hole of silly you go, with responses like this (nowhere did I say that I was sending email on port 25):
Cloudflare does not proxy traffic on port 25 (SMTP) unless Cloudflare Spectrum is enabled and configured to proxy email traffic across Cloudflare.
If you do not have Spectrum enabled then no email traffic (SMTP) will actually pass through Cloudflare and we will simply resolve the DNS.
I then said this to the support team:
Unfortunately, you did not actually answer the question I asked. I am using your email forwarding service that’s built into your Cloudflare control panel for that domain.
Nowhere in that ticket does it say I’m running my own SMTP server?
The Issue with email routing
This is the error I was getting when any mail went to Gmail via Email Routing:
Unknown error: transient error (421): 4.7.0 [104.30.12.157 19] Gmail has detected that this message is4.7.0 suspicious due to the very low reputation of the sending domain. To4.7.0 best protect our users from spam, the message has been blocked. For4.7.0 more information, go to4.7.0 https://support.google.com/mail/answer/188131 k10-20020adff28a000000b0033e0ea6f1b7si5557235wro.281 - gsmtp
MX is falling and failing
During these issues I was pointing at the MX servers below, as this is required by Cloudflare to send emails using their Email Routing:
route1.mx.cloudflare.net.
route2.mx.cloudflare.net.
route3.mx.cloudflare.net.
Email Routing Woes and Moans
This is what I was seeing in the Email Routing control panel, which is a handy feature for reviewing when it actually delivers e-mails. At this stage I could mail myself, but other people failed to mail me with the error above:
The Failure in Full
Then it started to fail for me with the error above, but this is a visual for people. Remember, in the previous image this worked fine; now it does not. Notice that SPF and DMARC are passing, so this is not a fail for SPF or DMARC, which are set up well...
Check "my" sender reputation
Then I thought I would look up the sender domain reputation, which is what the error points at with its "low reputation" of the sender. This is that chart from Google Postmaster Tools, all good here:
Assess the error, again
However, if you read this error again you will notice that the "sending domain" is not actually the sender domain but the IP 104.30.12.73, which at the time of the article resolves to "bc-hd.email.cloudflare.net":
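To make that reading of the error repeatable, here is an added Python example (not code from the post, Google or Cloudflare) that splits the Gmail 421 reply quoted above into its status codes, the IP Gmail is actually judging, the reason text and the help URL, then attributes the verdict to the forwarding relay when that IP reverse-resolves to a Cloudflare email host. The reply text is the one from the post; the PTR table is a constructed stand-in for a reverse lookup, seeded only with the observation the post records.

```python
import re

# The Gmail 421 reply quoted in the post, as the SMTP client logged it: each
# continued line of the reply is prefixed with the enhanced status "4.7.0".
SAMPLE_REPLY = (
    "Unknown error: transient error (421): 4.7.0 [104.30.12.157 19] Gmail has "
    "detected that this message is4.7.0 suspicious due to the very low reputation "
    "of the sending domain. To4.7.0 best protect our users from spam, the message "
    "has been blocked. For4.7.0 more information, go to4.7.0 "
    "https://support.google.com/mail/answer/188131 "
    "k10-20020adff28a000000b0033e0ea6f1b7si5557235wro.281 - gsmtp"
)

# Constructed stand-in for a reverse (PTR) lookup; the single entry is the
# observation from the post that 104.30.12.73 resolved to bc-hd.email.cloudflare.net.
CONSTRUCTED_PTR = {"104.30.12.73": "bc-hd.email.cloudflare.net"}

HEAD_RE = re.compile(r"\((?P<code>[245]\d\d)\):\s*(?P<esc>\d\.\d+\.\d+)\s*"
                     r"\[(?P<ip>[0-9a-fA-F:.]+)\s+\d+\]")


def parse_gmail_reply(text):
    """Return status code, enhanced code, blamed IP, reason text and help URL."""
    m = HEAD_RE.search(text)
    if not m:
        return None
    rest = text[m.end():]
    # Strip the enhanced-status prefix that is repeated on every continued line.
    rest = re.sub(r"\s*" + re.escape(m.group("esc")) + r"\s*", " ", rest)
    url = re.search(r"https?://\S+", rest)
    reason = rest[: url.start()] if url else rest.split(" - gsmtp")[0]
    reason = re.sub(r"\s*For more information, go to\s*$", "", reason)
    return {
        "code": int(m.group("code")),
        "enhanced": m.group("esc"),
        "transient": m.group("code").startswith("4"),
        "blamed_ip": m.group("ip"),
        "reason": " ".join(reason.split()),
        "help_url": url.group(0) if url else None,
    }


def attribute_reputation(blamed_ip, ptr_lookup):
    """Name whose reputation Gmail judged: the forwarding relay, if the blamed IP
    reverse-resolves to a Cloudflare email host, otherwise unattributed."""
    host = ptr_lookup.get(blamed_ip, "").lower()
    return "forwarding-relay" if host.endswith(".email.cloudflare.net") else "unattributed"
```

The "blamed_ip" field is the value to feed into a real PTR lookup; the point of the check is that Gmail's "sending domain" here is the relay in front of you, not your own domain.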
Not on Blacklist, and messages failing
I checked the blacklists, but this is not that; the error would be different. The charting, however, shows that I am now only getting 38% of my messages forwarded to my actual inbox, which is awful for an email service that does not work:
Long Routing delays with Cloudflare
The Google Mail error was saying blocked, but this was also not the case: I did eventually get some of the blocked messages, and some I never did. This is what the trace said. It would appear that in this instance Exchange Online sent the messages to Cloudflare and they sat there for 572 minutes before being delivered to me, a very delayed email indeed, and the issue was the relay to Cloudflare, see below:
Cloudflare fail to help and ignore the issue
These are my cases with Cloudflare. As you can see, the original one from 12 days ago still has no response, and then another one from 3 days ago with zero response from anyone at Cloudflare. I could only raise these as I pay £200 annually for a Pro plan, for what is zero support or cares given by Cloudflare:
Cloudflare - Yes there is an issue
It must be a good 20 days after I initially reported the problem and got told by both Support and the community that I was doing something wrong. It would appear both the community and Support are wrong, because Cloudflare has just admitted they have a problem with Email Routing, but apparently it only started yesterday:
It would appear that, despite the advice I was given on the forum, in the community and by their own support teams, I was right all along.
They did have Email Routing issues and were telling people in the community "Do not forward emails". When that is all they offer on their service, that is a horrible excuse. It just took Cloudflare 18 days to find the problem and take a look, and at the time of this post the problem is still not fixed. This is why I have relocated my domains to a different registrar and email service.
Preventative Action : Cloudflare Visits and DNS queries moved
This therefore means that there are more suitable options out there, so action needed to be taken, which we will get onto in a moment. This required me to move off Cloudflare to another host, and there are many other registrars out there to choose from. This event occurred just after 15:00 on the 25th March 2024, as below:
This was also obviously observed in the DNS requests as well; at about the same time they funnelled off Cloudflare DNS and over to the new registrar.
New Mail Forwarding : Forward Email
This is a service that was actually suggested on the Cloudflare forums, the only good advice to come from the Cloudflare forums from my point of view. Anyway, I was advised by the Cloudflare forums that mailbox forwarding is a bad idea and for the last 10 decades should not be used. Well, that's odd, as Google Workspace, iCloud, Mailjet, Mailgun and SendGrid all offer this functionality and it works fine, not to mention that Email Routing in Cloudflare only has this option available to customers.
Therefore, when the service goes wrong Cloudflare advise you not to use their services, so I didn't. The premise is very simple: replace your MX records, wherever they are, with the MX records below, plus a CNAME to verify you own the domain. Simple.
mx1.forwardemail.net
mx2.forwardemail.net
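As an added example (not the post's own code, nor Cloudflare's or Forward Email's), this Python check parses MX answers in the shape `dig +short MX example.com` returns and reports whether the MX set has been swapped cleanly from the three Cloudflare Email Routing hosts above to the two Forward Email hosts, flagging the half-done state where both providers still receive mail. The sample answers and their priorities are constructed; trailing dots and mixed case are included because resolvers return names that way.

```python
import re

# MX hosts of the two forwarding services the post moves between.
PROVIDERS = {
    "cloudflare-email-routing": {
        "route1.mx.cloudflare.net", "route2.mx.cloudflare.net", "route3.mx.cloudflare.net",
    },
    "forwardemail": {"mx1.forwardemail.net", "mx2.forwardemail.net"},
}

# Constructed samples in `dig +short MX` form: before the move, after it, and a
# half-finished cutover. Priorities are made up for illustration.
BEFORE = "10 Route1.mx.cloudflare.net.\n20 route2.mx.cloudflare.net.\n30 route3.mx.cloudflare.net.\n"
AFTER = "10 mx1.forwardemail.net.\n10 mx2.forwardemail.net.\n"
MIXED = "10 mx1.forwardemail.net.\n30 route3.mx.cloudflare.net.\n"


def normalise_host(host):
    """DNS names are case-insensitive and answers carry a trailing dot."""
    return host.rstrip(".").lower()


def parse_mx_short(output):
    """Turn 'priority host' lines into (priority, host) tuples; other lines are ignored."""
    records = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            records.append((int(m.group(1)), normalise_host(m.group(2))))
    return records


def mx_cutover_state(records):
    """Report which provider the MX set points at and whether the cutover is clean.
    'mixed' means inbound mail is split between providers; 'partial' means one
    provider's hosts are incomplete or unexpected hosts remain."""
    hosts = {host for _, host in records}
    matched = {name for name, mx in PROVIDERS.items() if hosts & mx}
    if not hosts:
        return {"state": "no-mx", "providers": []}
    if len(matched) > 1:
        return {"state": "mixed", "providers": sorted(matched)}
    if not matched:
        return {"state": "other", "providers": [], "stray": sorted(hosts)}
    (name,) = matched
    missing = sorted(PROVIDERS[name] - hosts)
    stray = sorted(hosts - PROVIDERS[name])
    state = "complete" if not missing and not stray else "partial"
    return {"state": state, "providers": [name], "missing": missing, "stray": stray}
```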
You also get a nice and simple management interface for this service, and I have opted for the enhanced protection, which is a very reasonable price:
Then to add an "alias" you simply add an alias, give it a name and say where the emails are sent to, as below:
It also has some neat security features, like for example stopping the e-mail from yourself to yourself saying "you have been recorded"; this is all stopped by their security controls:
However, if you have a requirement for spam e-mails and potentially phishing-like emails, then you can disable that from the management UI as well. Not sure why you would want to do that, but hey, maybe some people like a bit of pointless spam and phishing:
New Registrar : Porkbun
Yes, the name is weird, but their services and support are awesome and responsive. I like the management, and the fact that you can preload the DNS zone and all the required values before you move your domain to them, which is ideal if you are moving a .co.uk domain, where it needs to be "pushed" with an IPS tag, rather than all other domains, which are a pull with the authorisation code.
First you need to add the domain as an external domain in the portal. When you do this you will need to verify the domain with a TXT record called bun-verify, as below, in the old Cloudflare registrar:
Once you have added this it will appear as an external domain with minimal options, but you can then set your DNS ahead of time, which means minimal outages on the switch-over for your services.
Now I did the transfer, as I know Cloudflare does not delete the old DNS zone, so I can move it over when ready. After the transfer you get more options, as below:
Now we need to go to the DNS records option. You will be notified that your NS servers are set wrong and the records will not be live; well, correct, we still point at the Cloudflare NS servers:
If you scroll down you will notice that the current DNS records list is empty:
You can import a CSV file, but for this example I will be adding them manually; for this domain there are not many of them. Once you have created the entries, for me that looked like this:
This will cover e-mail, SPF and DMARC and all the verification records. However, for this example we need to add the web forward, as there is no "full" website but only a redirection, and for that we need two. The first is for the root domain:
Note : The type here will be masked; however, you should be using redirect with a 301 or 302, but for this example that is not required.
Then for the WWW record we require a different endpoint, as below:
Once you have done this, confirm they appear at the bottom as registered, but they are not active as the NS are still wrong:
If you navigate to your DNS records you will notice that you now have two ALIAS records that point to the Porkbun web forwarder:
If you scroll to the top of the DNS options you will notice that, as you have active records that are not being used, this option appears. Now you want to click "Yes, please update my domain" to move to the NS servers at Porkbun:
Your redirects will require an SSL certificate, which can only be issued when you are using Porkbun DNS servers, so when you check the SSL certificate you will notice that generation has failed, as when it was added you were not on Porkbun NS servers:
Now you have switched to Porkbun DNS you can wait, or if you are like me you can revoke that SSL certificate and the process will immediately start again. When it does you will notice you now have the "acme challenge" DNS TXT records required for this certificate:
This time, after a short delay, the certificate will be generated and then your redirects will work. When it is valid you will notice the SSL certificate looks like this:
Note : When this is active it will automatically renew if you keep the TXT records in place, as they are required for updates to the certificate.
You can also confirm that the correct NS is shown in the portal as below:
If you are interested in checking the replication status of your NS propagation then you can use a handy link
here; alternatively you can use the nslookup command like this:
nslookup -type=ns sharpbearclaws.com
Which should return the NS for that domain, as below:
Then you need to confirm it works with this URL :
https://sharpbearclaws.com
That should then return the website, which loads without an error:
Then when you check the certificate it should be the one you saw earlier:
Then, finally, if we test the other link we created, which is this one:
You should notice it routes to a different website as per our web forwarding, and that should look like this: