Every project I deploy involves DNS configuration. After setting up dozens of domains through Cloudflare, here are the patterns and gotchas I've internalized.
## SSL Modes Matter
Cloudflare offers four SSL modes. Using the wrong one causes redirect loops or insecure connections:
| Mode | Behavior | When to Use |
|---|---|---|
| Off | No encryption | Never |
| Flexible | CF→Browser encrypted, CF→Origin unencrypted | Avoid — false sense of security |
| Full | CF→Origin encrypted (self-signed OK) | If you can't get a real cert |
| Full (Strict) | CF→Origin encrypted (valid cert required) | Always use this |
Always use Full (Strict) with a real certificate from Let's Encrypt on your origin server.
## Essential DNS Records
For a typical site with email:
```text
A    @                   → YOUR_SERVER_IP (proxied)
A    www                 → YOUR_SERVER_IP (proxied)
MX   @                   → mail.provider.com (DNS only)
TXT  @                   → v=spf1 include:_spf.provider.com ~all
TXT  default._domainkey  → DKIM record from provider
TXT  _dmarc              → v=DMARC1; p=quarantine; rua=mailto:you@domain.com
```
## Common Pitfalls
### 1. Proxied vs DNS Only
The orange cloud (proxied) routes traffic through Cloudflare's CDN. This is what you want for web traffic. But MX records and mail-related records should always be DNS Only (gray cloud) — Cloudflare can't proxy email.
### 2. Too Many Redirects
This almost always means your SSL mode is set to "Flexible" while your origin has HTTPS enforced. The loop: Browser → CF (HTTPS) → Origin (HTTP) → Redirect to HTTPS → CF → Origin (HTTP) → ...
Fix: Set SSL mode to Full (Strict).
### 3. Email Going to Spam
This usually means SPF, DKIM, or DMARC records are missing. All three are needed for reliable deliverability; check with MXToolbox after setup.
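An offline check for the record set from "Essential DNS Records" that catches pitfalls 1 and 3 (a proxied MX record; missing or weak SPF, DKIM and DMARC). This is an added example, not Cloudflare tooling or code from the original post; the zone is a constructed sample with the record names from above and a placeholder DKIM key, and the dict field names are assumed.

```python
# Records use Cloudflare's DNS-table fields: name, type, content, proxied (orange cloud = True).
import re

# Constructed sample zone mirroring the "Essential DNS Records" list, with
# two deliberate mistakes: the MX record is proxied and DMARC has no p= tag.
SAMPLE_ZONE = [
    {"name": "@", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "www", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "@", "type": "MX", "content": "mail.provider.com", "proxied": True},
    {"name": "@", "type": "TXT", "content": "v=spf1 include:_spf.provider.com ~all", "proxied": False},
    {"name": "default._domainkey", "type": "TXT", "content": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY", "proxied": False},
    {"name": "_dmarc", "type": "TXT", "content": "v=DMARC1; rua=mailto:you@example.com", "proxied": False},
]

def _txt(zone, name, prefix):
    return [r["content"] for r in zone
            if r["type"] == "TXT" and r["name"] == name and r["content"].startswith(prefix)]

def check_zone(zone):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Pitfall 1: mail records must be DNS Only; Cloudflare cannot proxy SMTP.
    for r in zone:
        if r["type"] == "MX" and r["proxied"]:
            findings.append(f"MX record for {r['name']} is proxied; set it to DNS Only")
    # Pitfall 3: SPF, DKIM and DMARC must all be present and sane.
    spf = _txt(zone, "@", "v=spf1")
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record at @, found {len(spf)}")
    elif not re.search(r"\s[~-]all$", spf[0]):
        findings.append("SPF record should end with ~all or -all, never +all")
    if not any(r["type"] == "TXT" and r["name"].endswith("._domainkey")
               and "v=DKIM1" in r["content"] for r in zone):
        findings.append("no DKIM record found under *._domainkey")
    dmarc = _txt(zone, "_dmarc", "v=DMARC1")
    if not dmarc:
        findings.append("no DMARC record at _dmarc")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        policy = tags.get("p")
        if policy not in ("none", "quarantine", "reject"):
            findings.append(f"DMARC p= tag is missing or invalid (got {policy!r})")
        elif policy == "none":
            findings.append("DMARC p=none only monitors; use quarantine or reject to enforce")
    return findings

if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE):
        print("FINDING:", finding)
```

Feed it the records exported from your own zone and fix anything it reports before re-testing with MXToolbox.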
## Page Rules I Always Set
- `*domain.com/.well-known/*` → SSL: Off (for Let's Encrypt renewal)
- `domain.com/*` → Always Use HTTPS
- `www.domain.com/*` → Forwarding URL, 301 to `https://domain.com/$1`
These three rules handle HTTPS enforcement and www-to-apex redirects cleanly.