Cloudflare is one of the most popular DNS and security providers, protecting millions of websites with speed, DDoS protection, CDN services, and advanced DNS management. However, like any powerful tool, it’s not immune to occasional DNS issues — and when they happen, they can bring your website down or cause email and connectivity problems.
In this blog, we break down common Cloudflare DNS issues, why they happen, and most importantly, how to fix them.
Domain not resolving or showing “DNS_PROBE_FINISHED_NXDOMAIN”
Problem:
Your website shows an error like DNS_PROBE_FINISHED_NXDOMAIN or “Site not found.”
Possible Causes:
- Missing or incorrect DNS A or CNAME records in Cloudflare
- Wrong Cloudflare nameservers at your domain registrar
- Domain expired or suspended
Solution:
Check your Cloudflare DNS dashboard and ensure:
- The A record points to your server IP (e.g., @ → 123.123.123.123)
- The CNAME (like www) points to @
Go to your domain registrar (like GoDaddy, Namecheap) and ensure the Cloudflare nameservers are correctly set.
Confirm your domain is active, paid, and not on hold.
Email not working after enabling Cloudflare
Problem:
After setting Cloudflare, email services like Gmail, Outlook, Zoho, or cPanel stop working.
Why?
- MX records were not added or are missing
- A records for the mail server (like mail.yourdomain.com) are set to orange cloud (proxied), which blocks direct SMTP/IMAP connections
Solution:
In Cloudflare DNS:
- Add correct MX records pointing to your mail server.
- Make sure the A record for mail is set to gray cloud (DNS only), not proxied.
Check with your email provider for the exact records.
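The two mistakes above are easy to spot programmatically. The following Python script is an added example, not Cloudflare's tooling: it lints a list of records shaped like the items Cloudflare's list-DNS-records API returns (type, name, content, proxied, priority) and reports missing MX records and proxied mail hosts. The zone and records are constructed sample data, and `set_dns_only` applies the fix so you can re-run the lint.

```python
"""Lint a Cloudflare DNS record set for the two email problems above:
missing MX records and proxied (orange-cloud) mail hosts."""
from typing import Dict, List

# Constructed sample, shaped like items returned by Cloudflare's
# list-DNS-records API (type, name, content, proxied, priority).
# These are not real records; 203.0.113.0/24 is a documentation range.
ZONE = "example.com"
RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.25", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com",
     "priority": 10, "proxied": False},
    {"type": "MX", "name": "example.com", "content": "backup-mx.example.net",
     "priority": 20, "proxied": False},
]


def in_zone(host: str, zone: str) -> bool:
    return host == zone or host.endswith("." + zone)


def lint_mail_records(records: List[Dict], zone: str) -> List[str]:
    """Return human-readable findings; an empty list means mail DNS looks sane."""
    findings = []
    mx = [r for r in records if r["type"] == "MX" and r["name"] == zone]
    if not mx:
        findings.append(f"no MX records for {zone}: inbound mail has nowhere to go")
        return findings
    for m in sorted(mx, key=lambda r: r.get("priority", 0)):
        target = m["content"].rstrip(".")
        if not in_zone(target, zone):
            continue  # an external provider (e.g. Google) publishes its own A records
        hosts = [r for r in records if r["type"] in ("A", "AAAA") and r["name"] == target]
        if not hosts:
            findings.append(f"MX target {target} has no A/AAAA record in this zone")
        for h in hosts:
            if h.get("proxied"):
                findings.append(
                    f"{target} ({h['type']} {h['content']}) is proxied (orange cloud); "
                    "Cloudflare's proxy only forwards HTTP(S), so SMTP/IMAP to this "
                    "host fails. Switch it to DNS only (gray cloud)."
                )
    return findings


def set_dns_only(records: List[Dict], hostnames: List[str]) -> List[Dict]:
    """Return a copy of the records with the given hosts un-proxied (the fix)."""
    return [dict(r, proxied=False) if r["name"] in hostnames else dict(r)
            for r in records]


if __name__ == "__main__":
    for finding in lint_mail_records(RECORDS, ZONE):
        print("FINDING:", finding)
    fixed = set_dns_only(RECORDS, ["mail.example.com"])
    print("after fix:", lint_mail_records(fixed, ZONE))
```

External MX targets (here backup-mx.example.net) are skipped on purpose: the provider that owns them publishes their A records, so there is nothing in your Cloudflare zone to un-proxy.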
SSL certificate or HTTPS issues
Problem:
Your site shows SSL errors like:
- ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- Too many redirects
- “Invalid certificate” warnings
Why?
- SSL mode mismatch between Cloudflare and your origin server
- No SSL certificate on origin server (if using Full mode)
Solution:
In Cloudflare → SSL/TLS settings:
- Use Flexible mode if you have no SSL at the server
- Use Full (strict) mode only if you have a valid SSL certificate installed at the origin
To fix redirect loops, make sure your server doesn’t force HTTPS when Cloudflare is already doing it.
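The redirect loop is easier to understand as a short simulation. The Python below is an added example, not Cloudflare code: it models the edge with a simplifying assumption (Flexible mode always contacts the origin over plain HTTP; Full and Full (strict) reuse the visitor's scheme) and an origin with a blanket "force HTTPS" rule. The CF-Visitor and X-Forwarded-Proto headers are real headers Cloudflare sends; everything else (hostnames, hop counting) is constructed. Keep in mind that Flexible mode leaves the Cloudflare-to-origin leg unencrypted, so the header-aware rule is a stopgap and an origin certificate with Full (strict) is the durable fix.

```python
"""Model of the redirect loop behind 'Too many redirects' and its fix.
Assumed edge behaviour (simplified): Flexible mode always contacts the origin
over plain HTTP; Full / Full (strict) reuse the scheme the visitor used."""
import json
from typing import Dict


def edge_fetch(visitor_scheme: str, ssl_mode: str, host: str, path: str) -> Dict:
    """Build the request Cloudflare's edge sends to the origin."""
    origin_scheme = "http" if ssl_mode == "flexible" else visitor_scheme
    return {
        "scheme": origin_scheme, "host": host, "path": path,
        # Real Cloudflare headers that carry the visitor's original scheme.
        "headers": {
            "CF-Visitor": json.dumps({"scheme": visitor_scheme}),
            "X-Forwarded-Proto": visitor_scheme,
        },
    }


def origin_respond(req: Dict, force_https: bool, honor_cf_visitor: bool) -> Dict:
    """Origin logic: a blanket 'redirect to HTTPS' rule, optionally proxy-aware."""
    scheme = req["scheme"]
    if honor_cf_visitor and "CF-Visitor" in req["headers"]:
        # Decide on the scheme the *visitor* used, not the one the edge used.
        scheme = json.loads(req["headers"]["CF-Visitor"])["scheme"]
    if force_https and scheme != "https":
        return {"status": 301, "location": f"https://{req['host']}{req['path']}"}
    return {"status": 200}


def simulate(ssl_mode: str, force_https: bool, honor_cf_visitor: bool,
             start_scheme: str = "https", max_hops: int = 5) -> int:
    """Number of redirects a visitor follows before a 200; -1 means a loop."""
    scheme, host, path = start_scheme, "example.com", "/"
    for hop in range(max_hops):
        resp = origin_respond(edge_fetch(scheme, ssl_mode, host, path),
                              force_https, honor_cf_visitor)
        if resp["status"] == 200:
            return hop
        scheme = resp["location"].split("://", 1)[0]  # the browser follows it
    return -1


if __name__ == "__main__":
    print("flexible + blind force-HTTPS:", simulate("flexible", True, False))  # -1
    print("flexible + CF-Visitor aware :", simulate("flexible", True, True))   # 0
    print("full + force-HTTPS          :", simulate("full", True, False))      # 0
```

In Flexible mode the origin sees every request as HTTP, answers with a redirect to HTTPS, the browser follows it back through Cloudflare, and the edge again fetches over HTTP: a loop. Once the origin decides based on CF-Visitor (or X-Forwarded-Proto) the loop disappears, and in Full mode it never starts because the origin sees the visitor's real scheme.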
403 Forbidden or 520/521 errors
Problem:
Your website shows:
- 403 Forbidden
- 520 Web server is returning an unknown error
- 521 Web server is down
Why?
- Firewall or security settings block Cloudflare’s IP addresses
- Web server configuration (.htaccess, Nginx rules) denies Cloudflare requests
Solution:
Whitelist Cloudflare IP ranges in your firewall and server (Cloudflare publishes them here: https://www.cloudflare.com/ips).
Check .htaccess or Nginx rules for any IP-based blocks.
Disable local firewall (like CSF or fail2ban) temporarily to test.
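Whitelisting Cloudflare's ranges has a second security benefit that is worth building in at the same time: once only Cloudflare can reach the origin, the CF-Connecting-IP header can be trusted to recover the visitor's address. The Python below is an added example, not Cloudflare's or any firewall vendor's code. The range list is a snapshot of what Cloudflare publishes at the URL above and must be refreshed when deployed; the helper functions, the ufw rule format and the sample addresses (documentation ranges) are my own.

```python
"""Allowlist Cloudflare edge addresses and restore the visitor IP safely."""
import ipaddress
from typing import Dict, List

# Snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips
# (the link in the text). Fetch the current list when deploying; a stale list
# shows up as exactly the 403/521 errors described above.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
NETWORKS = [ipaddress.ip_network(n) for n in CLOUDFLARE_RANGES]


def is_cloudflare(addr: str) -> bool:
    """True when the address belongs to one of Cloudflare's published ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NETWORKS)


def firewall_decision(peer: str, allow_direct: bool = False) -> str:
    """Origin firewall rule: admit Cloudflare edges; by default drop direct hits,
    which also stops anyone from reaching the origin around Cloudflare."""
    if is_cloudflare(peer):
        return "allow"
    return "allow" if allow_direct else "deny"


def client_ip(peer: str, headers: Dict[str, str]) -> str:
    """Trust CF-Connecting-IP only when the TCP peer really is a Cloudflare edge;
    otherwise the header is attacker-controlled and would poison logs and bans."""
    if is_cloudflare(peer) and "CF-Connecting-IP" in headers:
        return headers["CF-Connecting-IP"]
    return peer


def ufw_rules() -> List[str]:
    """Host firewall lines (ufw syntax) admitting only Cloudflare on 80/443."""
    return [f"ufw allow from {net} to any port 80,443 proto tcp" for net in NETWORKS]


def nginx_realip_snippet() -> List[str]:
    """nginx realip directives so $remote_addr becomes the visitor's address.
    Keep the allow/deny list at the firewall: after realip rewrites $remote_addr,
    an nginx allow-list of Cloudflare ranges would reject every visitor."""
    lines = [f"set_real_ip_from {net};" for net in NETWORKS]
    lines.append("real_ip_header CF-Connecting-IP;")
    return lines


if __name__ == "__main__":
    print("\n".join(ufw_rules()))
    print("\n".join(nginx_realip_snippet()))
    print(client_ip("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}))
```

When testing with the local firewall disabled, as the text suggests, re-enable it with these rules rather than leaving the origin open: a web server reachable directly by IP is a web server that Cloudflare's protections never see.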
DNS changes not propagating
Problem:
You updated DNS records in Cloudflare, but they don’t seem to work.
Why?
- DNS propagation takes time (usually up to 24–48 hours globally)
- Browser, device, or ISP caching old records
Solution:
Flush DNS cache on your local computer:
- On Windows: ipconfig /flushdns
- On Mac: sudo killall -HUP mDNSResponder
Use online tools like dnschecker.org to monitor propagation.
Check Cloudflare → Overview → Purge Cache if you made page rule or CDN-related changes.
Final Tips for Managing Cloudflare DNS Smoothly
- Always keep a backup of your original DNS records before switching to Cloudflare.
- Understand the difference between proxied (orange cloud) and DNS-only (gray cloud) — emails, cPanel, and certain apps need gray cloud.
- Monitor your site after DNS changes, and use Cloudflare analytics to catch issues early.
- Subscribe to Cloudflare’s status page to get notified of any service-wide disruptions.
Common DNS and Email Issues for Websites
If you run a website like https://abc.com, you might encounter technical issues that affect email delivery, website access, or DNS settings. These problems can hurt your reputation, SEO, and user trust if left unresolved.
Here’s a practical guide to the 12 most common DNS, email, and server issues, what they mean, and how you can fix them.
DMARC Quarantine/Reject policy not enabled
What it means:
The DMARC policy on abc.com is set to none, so even if spoofed emails fail SPF/DKIM, they won’t be blocked.
How to fix:
Update your DNS DMARC record:
or stronger:
HTTP 403 Forbidden (http://abc.com)
What it means:
When visiting http://abc.com, the server blocks access, showing a 403 error.
How to fix:
- Check server firewall or Web Application Firewall (WAF)
- Review .htaccess or Nginx configs for any deny rules
- Review Cloudflare or CDN rules that may block traffic
No SPF Record found
What it means:
No SPF (Sender Policy Framework) record is defined, so mail servers don’t know who’s allowed to send emails from @abc.com.
How to fix:
Add this DNS TXT record (adjust for your provider, e.g., Google Workspace):
MX record DMARC policy not enforced
What it means:
Your domain’s MX records are not protected by an enforced DMARC policy.
How to fix:
Update the DMARC policy as shown in #1.
External Domains in DMARC not authorized
What it means:
Your DMARC record has reporting emails (rua/ruf) from other domains, but they haven’t authorized receiving reports.
How to fix:
- Remove unauthorized external emails from the DMARC rua/ruf tags
- Or ask those domain owners to publish permission records in their DNS
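The three findings above (DMARC policy not enforced, no SPF record, unauthorized external report receivers) all come from reading two TXT records. The Python below is an added example of how a checker evaluates them; it is not the tool that produced the findings on the page. The zone data for abc.com is constructed, `org_domain` is a deliberately simplified stand-in for a Public Suffix List lookup, and the authorization record it looks for is the `<domain>._report._dmarc.<receiver>` TXT record from RFC 7489 section 7.1.

```python
"""Audit the SPF and DMARC records for the three findings above: missing SPF,
DMARC p=none, and external rua/ruf receivers without an authorization record."""
from typing import Dict, List, Set


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:a@b' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def report_domains(tags: Dict[str, str]) -> Set[str]:
    """Domains that would receive rua/ruf reports (mailto: URIs, comma separated)."""
    domains = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:") and "@" in uri:
                addr = uri[len("mailto:"):].split("!", 1)[0]  # drop optional size limit
                domains.add(addr.rsplit("@", 1)[1].lower())
    return domains


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Real tools use the
    Public Suffix List; this shortcut is wrong for names like example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def audit(domain: str, txt: Dict[str, List[str]]) -> List[str]:
    """txt maps a DNS name to the TXT strings published there."""
    findings = []
    spf = [t for t in txt.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record found: receivers cannot tell who may send for the domain")
    elif len(spf) > 1:
        findings.append("more than one SPF record: RFC 7208 requires exactly one")
    dmarc = [t for t in txt.get("_dmarc." + domain, []) if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record found")
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy} is monitoring only; spoofed mail that fails "
                        "SPF/DKIM is still delivered. Move to p=quarantine, then p=reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    for receiver in sorted(report_domains(tags)):
        if org_domain(receiver) == org_domain(domain):
            continue  # same organization, no external authorization needed
        auth_name = f"{domain}._report._dmarc.{receiver}"
        if not any(t.upper().startswith("V=DMARC1") for t in txt.get(auth_name, [])):
            findings.append(f"{receiver} receives reports but has not published "
                            f"'{auth_name} TXT \"v=DMARC1\"' (RFC 7489 section 7.1)")
    return findings


# Constructed zone data for abc.com, the example domain used in the text.
BEFORE = {
    "_dmarc.abc.com": ["v=DMARC1; p=none; rua=mailto:dmarc@reports.example.net"],
}
AFTER = {
    "abc.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.abc.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@reports.example.net"],
    "abc.com._report._dmarc.reports.example.net": ["v=DMARC1"],
}

if __name__ == "__main__":
    for finding in audit("abc.com", BEFORE):
        print("FINDING:", finding)
    print("after fix:", audit("abc.com", AFTER))
```

Feed it the TXT strings you get back from your resolver and it reproduces the page's findings on the BEFORE data; on the AFTER data, with SPF published, p=reject, and the receiver's authorization record in place, it returns nothing.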
SOA Serial Number Format is Invalid
What it means:
The SOA (Start of Authority) serial number in DNS doesn’t follow the correct format, like YYYYMMDDnn.
How to fix:
Update the SOA serial number at your DNS provider to the correct format.
SOA Expire Value Out of Recommended Range
What it means:
The SOA expire time is too high or too low, potentially causing cache or zone issues.
How to fix:
Adjust it to a standard value, such as 3600000 seconds.
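For the two SOA items above, a small checker makes the rules concrete. The Python below is an added example, not any DNS provider's validator: it verifies the YYYYMMDDnn serial format (including that the date part is a real calendar date), computes the next serial without ever going backwards, and range-checks the timers. The default ranges are my assumption, taken from RFC 1912 section 2.2 (refresh 20 minutes to 12 hours, expire 2 to 4 weeks); adjust them to match whatever tool flagged your zone. The sample SOA values are constructed.

```python
"""Checks for the two SOA findings above: serial format and timer ranges.
Range defaults follow RFC 1912 section 2.2 (assumption; adjust to match the
tool that flagged your zone)."""
from datetime import date
from typing import Dict, List, Tuple, Union

RANGES: Dict[str, Tuple[int, int]] = {
    "refresh": (1200, 43200),       # 20 minutes to 12 hours
    "expire": (1209600, 2419200),   # 2 to 4 weeks
}


def serial_is_date_format(serial) -> bool:
    """True for YYYYMMDDnn with a real calendar date (e.g. 2024061501)."""
    s = str(serial)
    if len(s) != 10 or not s.isdigit():
        return False
    try:
        date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def next_serial(current, today: Union[date, str, None] = None) -> str:
    """Next serial: bump nn if the date part is today, else start at today + 01.
    Secondaries only transfer the zone when the serial increases, so a new serial
    that is numerically smaller than the old one (e.g. after a Unix-timestamp
    serial) is refused instead of silently breaking zone transfers."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    prefix = today.strftime("%Y%m%d")
    s = str(current)
    if serial_is_date_format(s) and s.startswith(prefix):
        nn = int(s[8:]) + 1
        if nn > 99:
            raise ValueError("more than 99 edits in one day; wait for tomorrow")
        candidate = f"{prefix}{nn:02d}"
    else:
        candidate = f"{prefix}01"
    if s.isdigit() and int(s) >= int(candidate):
        raise ValueError(f"{candidate} would not be greater than current serial {s}")
    return candidate


def check_soa(soa: Dict) -> List[str]:
    """Return findings for the serial format and any timer outside RANGES."""
    findings = []
    if not serial_is_date_format(soa.get("serial", "")):
        findings.append(f"serial {soa.get('serial')} is not in YYYYMMDDnn format")
    for field, (lo, hi) in RANGES.items():
        value = soa.get(field)
        if value is not None and not lo <= int(value) <= hi:
            findings.append(f"{field}={value} is outside the recommended range {lo}-{hi}")
    return findings


# Constructed SOA values, not taken from any real zone.
SAMPLE_SOA = {"mname": "ns1.example.com.", "rname": "hostmaster.example.com.",
              "serial": "1718000000", "refresh": 3600, "retry": 900,
              "expire": 604800, "minimum": 3600}

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA):
        print("FINDING:", finding)
    print("next serial:", next_serial("2024061501", "2024-06-15"))  # 2024061502
```

Note that many providers, Cloudflare included for zones it serves, generate the SOA themselves; this check is for zones where you control the SOA directly, as the text's "at your DNS provider" implies.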
SMTP Reverse DNS Does Not Match SMTP Banner (aspmx.l.google.com and others)
What it means:
For Google mail servers, the reverse DNS (PTR) does not exactly match the SMTP banner name.
How to fix:
✅ If using Google Workspace, no action needed — this is normal.
✅ If using your own mail server, ensure:
- The PTR record matches your mail server hostname
- The SMTP banner announces the same hostname
Wrapping Up
Cloudflare offers powerful DNS management and protection, but misconfigurations can create frustrating problems. With careful setup and the solutions we’ve shared above, you can resolve most Cloudflare DNS issues quickly and keep your website and email running smoothly.
If you need hands-on help fixing DNS issues or optimizing your Cloudflare setup, feel free to reach out to a professional or contact your web host — or drop your questions in the comments below!
