Using Hetzner Web Hosting for its rock-solid reliability but managing your DNS through an external provider like Cloudflare for speed and features? You’re not alone! The trickiest part is ensuring your external DNS records—especially the MX, SRV, and TXT records—are perfectly matched to what Hetzner requires.
This guide walks you through configuring your external DNS to keep your email running seamlessly through your Hetzner Webhosting package.
1. Important Note on Cloudflare Proxying
When setting up email records in Cloudflare, you must ensure the proxy status (the orange cloud icon) is set to DNS Only (Grey Cloud). Cloudflare's proxy does not carry email traffic, so mail sent to a proxied hostname will fail.
2. Setting the Mail Exchange (MX Record)
The MX record tells the internet where to send mail destined for your domain (immanuelraj.dev in this example). You should have only this single MX record, pointing to Hetzner, so that all mail is routed correctly.
| Type | Name | Content (Mail Server) | Priority | TTL | Proxy Status |
|---|---|---|---|---|---|
| MX | @ | www428.your-server.de | 10 | Automatic | DNS Only (Grey) |
3. Configuring Auto-Discovery (SRV Records)
SRV (Service) records allow modern email clients (like Outlook or Thunderbird) to automatically detect the necessary server settings (IMAP, POP3, SMTP ports) when you simply type in your email address.
These records generally point to mail.your-server.de and must be entered precisely. When creating these records in Cloudflare, you will typically use the “SRV” type and fill out five separate fields: Service, Protocol, Name, Target, and Priority/Weight/Port.
| Service | Protocol | Name | Priority | Weight | Port | Target |
|---|---|---|---|---|---|---|
| _autodiscover | _tcp | @ | 0 | 100 | 443 | mail.your-server.de |
| _imaps | _tcp | @ | 0 | 100 | 993 | mail.your-server.de |
| _pop3s | _tcp | @ | 0 | 0 | 995 | mail.your-server.de |
| _submission | _tcp | @ | 0 | 100 | 587 | mail.your-server.de |
| _imap | _tcp | @ | 0 | 100 | 143 | mail.your-server.de |
4. Setting Up Email Security (TXT Records)
These three TXT records are critical for email deliverability. They let receiving mail servers verify that emails claiming to come from your domain are legitimate, which helps prevent spam and domain spoofing.
4.1. Sender Policy Framework (SPF)
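This record specifies which servers (Hetzner’s in this case) are allowed to send mail for your domain. In the value below, +a and +mx authorize the hosts named in the domain's A and MX records, while ?all returns a neutral result for every other sender, so SPF on its own does not tell receivers to reject mail from unlisted servers.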
| Type | Name | Content (Value) |
|---|---|---|
| TXT | @ | “v=spf1 +a +mx ?all” |
4.2. DomainKeys Identified Mail (DKIM)
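DKIM uses a cryptographic key to sign your emails, proving they haven’t been tampered with. The mail server signs with a private key, and this TXT record publishes the matching public key so receivers can check the signature. This long key must be copied exactly as provided by Hetzner. Note that the long string may be displayed in quotes and concatenated (joined together) in your DNS manager, because a single TXT string is limited to 255 characters and longer values are stored as several quoted chunks.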
| Type | Name | Content (Value) |
|---|---|---|
| TXT | default2504._domainkey | “v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx2OjmPDfajT3a+N1Wm6YM” “G3oeL0wpNhqMG4q7xMzxKtC9xmQp49yTVZ99T5bXn0DoUDYF1vyx2UI3fg5oCOB1bVMrrGB8VbXX” “phDohnKwPlxiB8ItFfdxUyLcGhMiw4IznpV2iJBGxZLb0lH6ClJyWRkElhz41rfcLCpykkuJ6mfa” “AtlcglfpJxxSr+Bw+T/nXc1/LGMMK6Ghg9SBSN6Vu20s9w7nL0/ncKxlCurPI8B9V9DzD+IAT+bn” “ztxm20wbkKrCWvVg3XMjWOMbPxVV76+xaEYA4edWhX/0E8ot/2cYXptd9l2ZPvy7zc/9hoSAoz/U” “zi+J2q214fK/p6ecQIDAQAB” |
4.3. Domain-based Message Authentication (DMARC)
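DMARC tells receiving mail servers what to do with an email that fails DMARC evaluation, which builds on the SPF and DKIM checks. The p=reject policy in your record is a strong policy that tells servers to reject such emails. Note the other tags in the value below: pct=50 asks receivers to apply that policy to only 50% of failing messages, sp=none sets no policy for subdomains, and adkim=r and aspf=r select relaxed alignment.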
| Type | Name | Content (Value) |
|---|---|---|
| TXT | _dmarc | “v=DMARC1;p=reject;sp=none;pct=50;adkim=r;aspf=r;” |
5. Final Step: Propagation and Testing
Once you’ve entered all nine records (1 MX, 5 SRV, 3 TXT) into your Cloudflare DNS manager and ensured they are all set to DNS Only, you need to wait for DNS propagation. This usually takes minutes but can sometimes take up to an hour or two.
You can verify your setup using an online tool like mxtoolbox.com to check the MX and SPF records. Once those pass, your Hetzner email should be fully functional using your high-speed external DNS!
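The SPF and DMARC values from sections 4.1 and 4.3 can also be checked offline before you publish them. The Python script below is an added example, not part of the original guide and not Hetzner or Cloudflare tooling; the function names (parse_tags, lint_spf, lint_dmarc) and the wording of the findings are assumptions of this example.

```python
"""Offline lint for SPF and DMARC TXT values (added example, not Hetzner tooling)."""
SPF_ALL = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

def parse_tags(record):
    """Split a DMARC-style 'k=v;k=v' TXT value into a dict of lowercase keys."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_spf(record):
    """Report what the first 'all' mechanism means for senders not listed."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+?~-") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    first = all_terms[0]  # SPF evaluation stops at the first 'all'
    result = SPF_ALL.get(first[0], "pass")  # a bare 'all' means '+all'
    if result in ("pass", "neutral"):
        return [f"'{first}' yields {result} for unlisted senders"]
    return []

def lint_dmarc(record):
    """Report DMARC tags that weaken or hide the effect of the p= policy."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '(missing)'}: failing mail is not blocked")
    elif tags.get("sp", policy).lower() == "none":
        findings.append(f"sp=none: subdomains are not covered by p={policy}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports will be sent to you")
    return findings

if __name__ == "__main__":
    # Record values as published in this guide (sections 4.1 and 4.3).
    spf = lint_spf("v=spf1 +a +mx ?all")
    dmarc = lint_dmarc("v=DMARC1;p=reject;sp=none;pct=50;adkim=r;aspf=r;")
    for finding in [f"SPF: {f}" for f in spf] + [f"DMARC: {f}" for f in dmarc]:
        print(finding)
```

An empty list from either function means the record raised none of the findings this example checks for; it does not replace a live lookup of the published records.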

