To allow MailShield to protect your organisation, you need to tell the internet to route your emails through our security filters. If Cloudflare manages your domain's DNS, you will update your routing records directly in the Cloudflare dashboard.
(Note: Cloudflare manages your DNS, but it does not host your actual mailboxes. You will still need to configure your email host—such as Microsoft 365 or Google Workspace—to route outgoing mail through MailShield).
Finding your DNS settings
- Log into your Cloudflare Dashboard.
- Click on the domain you are setting up with MailShield.
- In the left-hand sidebar, click on DNS, then select Records.
- You will now see a table listing all your current DNS records.
Setting up inbound protection (MX Records)
Mail Exchange (MX) records dictate where your incoming mail is delivered. We need to point them to MailShield so we can intercept threats before they reach your inbox.
- Delete existing records: Look through your list of records for any where the Type is MX. Click Edit next to each one, then click Delete. This step is crucial; if you leave your old records active alongside MailShield's, spammers will bypass our security filters.
- Add the new record: Click the Add record button.
- Change the Type dropdown to MX.
- In the Name field, type `@` (which represents your root domain).
- In the Mail server field, paste the incoming server address provided in your MailShield dashboard (typically `seg-in.cadmuscyber.com`).
- In the Priority field, type `10`.
- Click Save.
- Return to the Fix MX Records page in your MailShield dashboard and click Run DNS Verification.
Securing outbound emails (SPF & DKIM)
To protect your outgoing emails and ensure high deliverability, you must authorise MailShield to send mail on your behalf. This is done by adding two text (TXT) records to Cloudflare.
Updating your SPF record
Sender Policy Framework (SPF) lists your approved senders.
- Scan your Cloudflare records for an existing TXT record where the content begins with `v=spf1`.
- If you already have one, click Edit. You need to add `include:_spf.cadmuscyber.com` into the middle of the text, just before the `~all` or `-all` at the end (e.g., `v=spf1 include:spf.protection.outlook.com include:_spf.cadmuscyber.com -all`).
- If you do not have an existing SPF record, click Add record, choose TXT as the type, type `@` for the Name, and paste the exact SPF value provided in your MailShield dashboard into the Content field. Click Save.
Adding your DKIM record
DomainKeys Identified Mail (DKIM) attaches a cryptographic signature to your outgoing mail, proving it genuinely came from your organisation.
- Click Add record in Cloudflare.
- Choose TXT as the Type.
- In the Name field, type `cadmus._domainkey`.
- In the Content field, paste the long cryptographic key provided on your MailShield Outbound Setup page.
- Click Save.
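The MX, SPF and DKIM changes above can be checked offline against the rows shown in the Cloudflare records table. The following is an added example, not MailShield's or Cloudflare's own tooling: the function names, the `(type, name, content)` row format, the host `old-mx.example.net` and the DKIM placeholder value are assumptions made for illustration.

```python
import re
# Values as given on the page; the MailShield dashboard is authoritative.
MX_HOST = "seg-in.cadmuscyber.com"
SPF_INCLUDE = "include:_spf.cadmuscyber.com"
DKIM_NAME = "cadmus._domainkey"
ALL_TERM = re.compile(r"[+\-~?]?all", re.IGNORECASE)

def add_spf_include(spf, include=SPF_INCLUDE):
    """Insert `include` just before the terminating all mechanism (idempotent)."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    if include in terms:
        return " ".join(terms)
    pos = next((i for i, t in enumerate(terms) if ALL_TERM.fullmatch(t)), len(terms))
    terms.insert(pos, include)
    return " ".join(terms)

def audit(records):
    """records: (type, name, content) rows as listed in the DNS table."""
    findings = []
    mx = [c.rstrip(".").lower() for t, n, c in records if t == "MX" and n == "@"]
    if MX_HOST not in mx:
        findings.append("MX: MailShield host missing")
    stale = [h for h in mx if h != MX_HOST]
    if stale:  # leftover MX hosts let senders deliver around the filter
        findings.append("MX: non-MailShield hosts still listed: " + ", ".join(stale))
    spf = [c for t, n, c in records if t == "TXT" and n == "@" and c.lower().startswith("v=spf1")]
    if len(spf) != 1:  # more than one v=spf1 record makes SPF evaluation fail
        findings.append(f"SPF: need exactly one v=spf1 record, found {len(spf)}")
    else:
        terms = spf[0].split()
        all_pos = next((i for i, t in enumerate(terms) if ALL_TERM.fullmatch(t)), len(terms))
        if SPF_INCLUDE not in terms:
            findings.append("SPF: MailShield include missing")
        elif terms.index(SPF_INCLUDE) > all_pos:
            findings.append("SPF: include sits after 'all' and is never evaluated")
    if not any(t == "TXT" and n == DKIM_NAME and c.strip() for t, n, c in records):
        findings.append("DKIM: no TXT record at " + DKIM_NAME)
    return findings

# Constructed sample rows (not real DNS data): a zone before and after the change.
OLD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
BEFORE = [("MX", "@", "old-mx.example.net"), ("TXT", "@", OLD_SPF)]
AFTER = [("MX", "@", MX_HOST), ("TXT", "@", add_spf_include(OLD_SPF)),
         ("TXT", DKIM_NAME, "v=DKIM1; k=rsa; p=PLACEHOLDER")]

if __name__ == "__main__":
    print("before:", audit(BEFORE), "\nafter:", audit(AFTER) or "OK")
```

An empty result from `audit()` means the rows match the three changes described above; it does not replace the Run DNS Verification step in the MailShield dashboard.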
Next Steps: Smart Host Configuration
You have now successfully updated your DNS routing! However, because Cloudflare only manages DNS, you must still log into your actual email provider (e.g., Microsoft 365, Google Workspace, or Exchange) to configure your outbound Smart Host or Send Connector.
Please refer to the MailShield Outbound Setup page to generate your SMTP credentials and find the guide specific to your email provider.