Remediation: cloudflare.com
Scan #491 · 10 Feb 2026, 03:05 UTC · Achievable posture: SECURE
Provider Quick Guide
- Log in to dash.cloudflare.com and select your domain
- Go to DNS → Records
- Click Add Record
- Select the Type shown below (TXT, CNAME, MX, etc.)
- Paste the Name (host) and Content (value) from each card below
- Set Proxy status to DNS only (grey cloud) for email records
- Click Save
- Log in to dcc.godaddy.com
- Select your domain, then click DNS (or Manage DNS)
- Scroll to DNS Records and click Add New Record
- Select the Type shown below
- In Name, enter the host (use @ for the root domain)
- In Value, paste the record value from the card below
- Click Save
- Log in to your DNS hosting provider's control panel
- Navigate to DNS Management or Zone Editor
- Add a new record with the type, host, and value shown in each card below
- For the host field, use @ if your provider requires it for the root domain
- Save and allow up to 24–48 hours for propagation (usually much faster)
DNS Records to Add or Update
Publish an MTA-STS DNS record and host a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This tells senders to require TLS when delivering mail to your domain.
Publish a TLS-RPT DNS record to receive reports about TLS delivery failures to your domain.
Manual Configuration Steps
DKIM is only configured for third-party services, not your primary email platform (Google Workspace). Enable DKIM signing in Google Workspace settings to cover all outbound mail.
RFC 6376 §2.1
Rotate your DKIM keys to use 2048-bit RSA. Most email providers support this in their admin console.
RFC 6376 §3.3.3
Since DNSSEC is already active, you can add TLSA records for your MX hosts to enable DANE. This cryptographically pins TLS certificates for mail delivery.
RFC 6698
Done making changes?
After updating your DNS records, run a new scan to verify everything is correct. DNS changes typically propagate within minutes, but can take up to 48 hours.