
For cold email, Cloudflare is the DNS host we recommend to every user setting up a new sending domain. The reason isn't deliverability magic. It's the operational footprint - what the rest of the internet can learn about your domain when it asks DNS questions about you.
This guide covers two things:
Why Cloudflare - the privacy and footprint reasons that matter specifically for cold outreach.
How to set up SPF, DKIM, DMARC, and tracking domain CNAMEs on Cloudflare, including the one Cloudflare-specific gotcha (proxy mode) that breaks DKIM if you don't know about it.
If you're not sure what SPF, DKIM, and DMARC do, start with How to Set Up SPF, DKIM, and DMARC and come back here for the Cloudflare-specific steps.
Cold email reputation is built on the assumption that your domain looks like a "normal" mailbox owner. Anything that makes your domain stand out - a rare nameserver, a tiny WHOIS-leaking registrar, an A record pointing at a single VPS - is one more correlation point that anti-spam systems and inbox providers can pick up on.
Cloudflare flattens those correlations. Here's how.
When a receiving server resolves your domain, the first thing it sees is your NS records. On Cloudflare, those nameservers (<name>.ns.cloudflare.com) are shared with over 20% of all websites on the internet and answered from Cloudflare's anycast network. They look identical for a Fortune 500 site and a one-week-old cold email domain.
Compare that to a dedicated VPS or a smaller registrar's DNS - those nameservers are tied to a specific provider, often a specific IP block, and sometimes specifically associated with bulk-mail use. Cloudflare's nameservers carry none of those signals.
If your sending domain also hosts a website (which it should - see Why DNS Records Matter on the A record requirement), the orange-cloud proxy for your A record is the simplest way to keep the origin IP private. Anyone running dig or visiting your site sees a Cloudflare anycast IP, not the actual server you host on. That decouples your sending domain from any other infrastructure you operate.
The proxy applies only to the website's A record. DKIM and tracking-domain CNAMEs must stay grey-cloud (DNS Only). See the proxy section below.
If you transfer your domain to Cloudflare Registrar, WHOIS lookups return redacted contact details automatically - no add-on, no extra fee. Most other registrars charge $5-15/year per domain for the same thing or leak full contact data by default. For cold email, your real name and address showing up in public WHOIS is exactly the kind of correlation point you don't want.
Cloudflare Registrar also prices domains at cost with no markup (you pay the registry's wholesale price), which usually makes it cheaper than where you bought the domain in the first place.
The DNS hosting, the proxy, the WHOIS redaction, the Email Routing (useful as a catch-all for the [email protected] mailbox you'll need for rua reports) - all on the free plan. There is no operational reason to pay Cloudflare for a cold-email-only domain.
| Concern | Typical registrar | Cloudflare |
|---|---|---|
| NS records reveal hosting choice | Yes | No - shared anycast |
| Origin web IP visible via DNS | Yes | Hidden behind proxy |
| WHOIS privacy | Paid add-on or none | Free, on by default |
| Per-domain cost | Markup over wholesale | At-cost |
| DNS propagation speed | Hours to days | Seconds to a few minutes |
There are two ways to put a domain behind Cloudflare. Pick whichever is least disruptive.
Option A: Change nameservers only (most common). Add the domain to a free Cloudflare account, copy the two nameservers Cloudflare assigns, and update them at your existing registrar. The registration stays where it is, only DNS moves. Full guide: Add site to Cloudflare.
Option B: Transfer the whole domain to Cloudflare Registrar. You also become Cloudflare's registrar customer, get WHOIS privacy and at-cost renewals, and stop dealing with two vendors. Full guide: Transfer your domain to Cloudflare. This takes 5-7 days due to ICANN's transfer lock.
For a brand-new cold email domain, Option B from day one is the cleanest. For existing domains, Option A is faster.
Log in to the Cloudflare Dashboard at dash.cloudflare.com.
Select your domain from the list.
Click DNS > Records in the left sidebar.
You'll see your existing DNS records with proxy status indicators (orange or grey cloud) on each row. Cloudflare's full reference for this screen is Manage DNS records.
Click Add Record.
Type: TXT
Name: @ (root)
Content: v=spf1 include:_spf.google.com ~all (replace the include with your ESP's value - see How to Set Up SPF, DKIM, and DMARC)
Click Save.
TXT records can't be proxied on Cloudflare (no proxy toggle for TXT/MX), so there's nothing else to configure.
Click Add Record.
Type: CNAME
Name: your DKIM selector (Google Workspace: google._domainkey; Microsoft 365: selector1._domainkey and selector2._domainkey, two records)
Target: the DKIM value from your email provider's admin panel.
Proxy status: grey cloud (DNS Only). This is non-negotiable - see the proxy section below.
Click Save.
If your DKIM target value contains a long string and Cloudflare warns about CNAME flattening, disable flattening for that record. Cloudflare's official guidance: "Disable CNAME flattening when email providers require CNAME records".
Click Add Record.
Type: TXT
Name: _dmarc
Content: v=DMARC1; p=none; rua=mailto:[email protected];
Replace [email protected] with the address that should receive aggregate reports. Cloudflare's free Email Routing is a quick way to spin up that mailbox without setting up a real inbox.
Click Save.
Cloudflare gives every A and CNAME record a proxy status toggle:
Orange cloud (Proxied) - traffic passes through Cloudflare's network. Origin IP is hidden, DDoS protection and CDN caching kick in. Right for your website's A record. Wrong for email-related DNS.
Grey cloud (DNS Only) - Cloudflare returns the record verbatim. The querier resolves directly to your target. Right for everything email-related.
Cloudflare's own reference: Proxy status.
When a receiving mail server verifies your DKIM signature, it follows your selector._domainkey CNAME to your provider's DKIM key. If that CNAME is proxied, Cloudflare answers with its own IP addresses instead of the CNAME, so the chain to your provider is never resolved and DKIM verification fails. The receiving server sees no DKIM key. From Cloudflare's troubleshooting guide: "DNS records used for email should be set to DNS only to ensure mail traffic is not affected by the proxy."
The same logic applies to your custom tracking domain CNAME. MailBeast detects orange-cloud tracking CNAMEs and surfaces a specific "Cloudflare Proxy Detected" warning, but it's faster to get it right the first time.
| Record | Type | Proxy status |
|---|---|---|
| DKIM selector(s) | CNAME | Grey cloud (DNS Only) |
| Custom tracking domain | CNAME | Grey cloud (DNS Only) |
| MX | MX | Always DNS Only - no toggle |
| SPF, DMARC | TXT | Always DNS Only - no toggle |
DNS > Records in the Cloudflare dashboard.
Find the DKIM CNAME (or tracking domain CNAME).
Click the orange cloud icon in the Proxy status column.
It flips to grey cloud (DNS Only).
Save.
After publishing the records:
Cloudflare DNS changes are usually visible within a few minutes, sometimes seconds. This is one of the practical wins of using Cloudflare - other registrars often take an hour or more.
Open the email account detail view in MailBeast.
SPF, DKIM, and DMARC are checked automatically on a schedule. To force an immediate check, click Run DNS Check in the DNS section.
All records should flip to Verified with green badges.
If DKIM stays red after propagation, the most likely cause is the proxy toggle still being orange. Double-check it.
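To double-check the toggle from outside the dashboard, the sketch below classifies the answer that `dig +noall +answer <selector>._domainkey.<domain>` returns. It is an added example, not MailBeast's or Cloudflare's code; the example.com records are constructed, and the Cloudflare IP list is only a subset of the published ranges.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges; the full, current list is at
# https://www.cloudflare.com/ips/ (assumption: extend before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "188.114.96.0/20")]

# Constructed `dig +noall +answer` output for a hypothetical example.com zone.
SAMPLE_DNS_ONLY = (
    "selector1._domainkey.example.com. 300 IN CNAME "
    "selector1-example-com._domainkey.example.onmicrosoft.com.\n")
SAMPLE_PROXIED = (
    "selector1._domainkey.example.com. 300 IN A 104.21.0.10\n"
    "selector1._domainkey.example.com. 300 IN A 172.67.0.10\n")

def parse_answer(dig_output):
    """Turn answer-section lines into (owner, type, rdata) tuples."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue  # comment, blank or truncated line
        owner, rtype = fields[0].rstrip(".").lower(), fields[3].upper()
        records.append((owner, rtype, " ".join(fields[4:])))
    return records

def proxy_status(name, dig_output):
    """Classify an email CNAME: dns-only, proxied, unexpected-address, missing."""
    name = name.rstrip(".").lower()
    own = [r for r in parse_answer(dig_output) if r[0] == name]
    if any(rtype == "CNAME" for _, rtype, _ in own):
        return "dns-only"  # the CNAME itself is visible to resolvers
    addrs = [rdata for _, rtype, rdata in own if rtype in ("A", "AAAA")]
    if not addrs:
        return "missing"
    # Address records where a CNAME was published: the proxy answered instead.
    in_cf = any(ipaddress.ip_address(a) in net
                for a in addrs for net in CLOUDFLARE_NETS)
    return "proxied" if in_cf else "unexpected-address"

if __name__ == "__main__":
    host = "selector1._domainkey.example.com"
    for label, sample in (("grey", SAMPLE_DNS_ONLY), ("orange", SAMPLE_PROXIED)):
        print(label, "->", proxy_status(host, sample))
```

The same function works for a custom tracking domain CNAME: pass its hostname and the matching dig output.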
| Record | Type | Host | Proxy status |
|---|---|---|---|
| SPF | TXT | | N/A (TXT can't be proxied) |
| DKIM | CNAME | | Grey cloud (DNS Only) |
| DMARC | TXT | | N/A (TXT can't be proxied) |
| Tracking domain | CNAME | | Grey cloud (DNS Only) |
| MX | MX | | Always DNS Only |
| Website A record | A | | Orange cloud is fine (hides origin IP) |
How to Set Up SPF, DKIM, and DMARC - the actual record values, by ESP.
Custom Tracking Domain Setup - keep the CNAME grey-cloud, same gotcha.
Understanding Your DNS Health Score - what to check after Cloudflare reports the records as live.
Cloudflare's own docs, if you want to go deeper: Manage DNS records, Proxy status, Email troubleshooting.