Amazon AWS SSL Email DNS Cloudflare PTR in DNS settings?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by tonmo, Mar 25, 2021.

  1. tonmo
    Website is hosted at AWS, and Cloudflare is enabled with "Strict" SSL settings, and SSL Labs gives my domain straight A's.

    When conducting a PTR validation at whatsmydns.net using the static IP of my domain, the result shows the AWS server where my domain is hosted.

    Since I'm using Cloudflare, I have assumed that the DNS settings / Route53 settings at AWS don't mean anything / won't do anything.

    Note, I'm using PHP for sending email from the server, for a xenforo website (i.e., system-generated emails). I also use Zoho for email to/from the domain (not system-generated).

    Questions:
    1) Do Route 53 settings matter, or is everything controlled by Cloudflare DNS?
    2) Should PTR show AWS as the result?
    3) Side question: when looking up CNAME for my domain at whatsmydns.net, I get red x's globally, but all other settings seem to be green checks (A, AAAA, SOA, etc.). It seems like my CNAME records are correct at Cloudflare, and my site works fine, but not sure why I'd get these results. Any thoughts?
     
    Last edited: Mar 25, 2021
  2. tonmo

    This is actually set to "Full".
     
  3. eva2000
  4. tonmo

    Got it. Does DKIM also need to be set up on the web host side, or only Cloudflare, or both?
     
  5. eva2000
  6. tonmo

    Thanks eva - I know you don't provide support for specific integrations, but I'm posting here for your help or that of anyone else in the community.

    I've read and re-read all these resources but I find it all very confusing given my specific configuration:

    • Zoho for "human email"
    • PHP for server-based system emails for Xenforo.
    • Xenforo hosted at AWS.
    • Cloudflare for traffic management.
    • Registrar of domains is a separate entity as well.
    Everything works fine on the surface, but I'm not getting the proper responses on mxtoolbox (or I may not be using the right query!).

    Up until now, I assumed Cloudflare is the only entity that needs to carry my DNS info.

    I have two A records:
    hostname.domain.com
    domain.com

    So what I really want to know is, what does Cloudflare need to support in the DNS, and what does Route53 need to support. Let's assume Zoho is already configured properly, because I believe it is.

    Is this correct?:

    Cloudflare:
    - needs the 2 A records mentioned above
    - needs CNAME records
    - needs MX records
    - for email from domain.com only, needs SPF, DKIM, DMARC and PTR DNS records

    Route53 (AWS):
    - needs the same 2 A records mentioned above
    - needs the same CNAME records as above?
    - needs the same MX records as above
    - for email from hostname.domain.com only, needs SPF, DKIM, DMARC and PTR DNS records
    - also has an NS record
    - also has a SOA record

    Basically, trying to sort what is required vs. what is redundant vs. what is causing conflict.
     
  7. tonmo

    When I send a command line test email per the instructions here, and I check the header, I get:
    dkim: pass
    spf: none (says IP is neither approved nor denied)
    dmarc: (I can't find any reference to a dmarc result in the header)

    When I send from xenforo interface, I get:
    dkim: (I can't find any reference to a dkim result in the header)
    spf: pass
    dmarc: pass

    When I send from POP (zoho), I get:
    dkim: pass
    spf: pass
    dmarc: pass
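An added example (my own code, not from the thread or from Centmin Mod) of reading those same verdicts programmatically instead of eyeballing headers: it parses the Authentication-Results header of constructed sample messages modelled on the three cases above and lists which of SPF, DKIM and DMARC the receiver did not record as pass. The hostnames, selectors and IP address are placeholders.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the thread) mirroring the poster's
# three cases: command-line test, XenForo send, Zoho send.
SAMPLES = {
    "cli_test": "Authentication-Results: mx.example.net;\n"
                " dkim=pass header.d=domain.com header.s=default;\n"
                " spf=none (203.0.113.10 is neither permitted nor denied by"
                " domain of hostname.domain.com) smtp.mailfrom=root@hostname.domain.com\n"
                "From: root@hostname.domain.com\n\nbody\n",
    "xenforo": "Authentication-Results: mx.example.net;\n"
               " spf=pass smtp.mailfrom=noreply@domain.com;\n"
               " dmarc=pass header.from=domain.com\n"
               "From: noreply@domain.com\n\nbody\n",
    "zoho": "Authentication-Results: mx.example.net;\n"
            " dkim=pass header.d=domain.com header.s=zoho;\n"
            " spf=pass smtp.mailfrom=user@domain.com;\n"
            " dmarc=pass header.from=domain.com\n"
            "From: user@domain.com\n\nbody\n",
}

# One 'method=result' clause; the trailing (comment) and property list are ignored.
METHOD_RE = re.compile(r"^\s*(dkim|spf|dmarc)\s*=\s*([a-z]+)", re.I)


def auth_results(raw_message: str) -> dict:
    """Return {method: result} from every Authentication-Results header.

    Per RFC 8601 the header is 'authserv-id; method=result [props]; ...',
    so the first ';'-separated field (the receiver's id) is skipped."""
    msg = message_from_string(raw_message)
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(str(header).split())  # undo header folding
        for clause in unfolded.split(";")[1:]:
            m = METHOD_RE.match(clause)
            if m:
                found[m.group(1).lower()] = m.group(2).lower()
    return found


def missing_or_failing(results: dict) -> list:
    """Checks the receiver did not record as 'pass'. A method absent from the
    header usually means no signature or record was found for that sender."""
    return [m for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
```

For the command-line case it reports spf and dmarc, for the XenForo case dkim, and for the Zoho case nothing, matching the three header readings above.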