Cloudflare management

DNS and Cloudflare, set up right

Cloudflare sits in front of your domain and decides how the world reaches it. Configured well it is invisible. Configured badly it takes your website and your email down together.

Cloudflare is the layer that sits between your domain and everything that uses it: your website, your email, and anything else on the name. It answers DNS queries, provides the certificate that puts the padlock in the browser, caches your site closer to visitors, and filters out a good deal of malicious traffic before it reaches your host.

It is genuinely useful and it is also the single most dangerous place to click something you do not understand. DNS is the reason a website loads and the reason email arrives. One wrong record and both stop at once, with no error message to explain why.

What Cloudflare actually does for a small business

Four jobs worth understanding, because they explain most of what goes right and wrong.

DNS: the address book for your domain

Every time someone loads your site or sends you email, something has to look up where that traffic goes. That is DNS, and Cloudflare answering those queries is fast and reliable. More importantly, it puts every record for your domain on one screen, which matters enormously the day something breaks.

The commonest problem we meet is not a misconfiguration. It is that nobody knows who controls the DNS at all. The web person who set it up moved on, the login belongs to an agency that no longer answers, and the domain quietly renews to a card nobody recognises. Establishing control of your own DNS is a real piece of work and it is worth doing before you need it urgently.

SSL and TLS: the padlock, and what it really means

Cloudflare can issue the certificate that makes your site load over https. What people miss is that there are two halves to that connection: visitor to Cloudflare, and Cloudflare to your actual host. The encryption mode decides whether the second half is protected too. Set it wrong and you get a padlock that is lying, a redirect loop, or a warning page that scares off every visitor. This is the setting that causes the most confusion and it is worth getting right rather than guessing.

Caching: the speed part

Your images, stylesheets and often your pages get stored on Cloudflare's network and served from near your visitor rather than from your origin server every time. Real gain, especially for people far from your host. It is also the reason you can update a page and still see the old one: cached copies persist until they expire or are purged. Knowing that saves an hour of thinking you are losing your mind.

Protection

Bot filtering, rate limiting and mitigation of the flood attacks that would otherwise take a small host offline. There is also email address obfuscation, which hides the addresses printed on your pages from the scrapers that harvest them for spam lists. It is a small feature that quietly saves you a lot of junk, and it is on our own site.

Where this goes wrong: your email lives in DNS too

This deserves its own section because it is the failure we get called about most, and it is entirely avoidable.

People think of DNS as a website thing. It is not. Your MX records decide where your mail is delivered. Your SPF, DKIM and DMARC records decide whether anyone believes mail claiming to be from you. All of that lives in the same DNS zone as your website.

So when someone changes nameservers to point at Cloudflare, they are moving the whole zone. Cloudflare scans and imports what it can find, and it usually does a decent job. Usually is not a word you want anywhere near your mail delivery. Anything it misses simply stops existing at the moment the nameservers switch, and your email quietly stops arriving with nothing on screen to tell you.

Two rules that prevent nearly all of this:

  • Audit every existing record before the switch, not after. Compare the imported zone against the old one line by line, mail records first. This is dull and it takes minutes and it is the difference between a clean cutover and a bad day.
  • Never proxy a mail record. The orange cloud is for web traffic. Turn it on for a mail hostname and delivery breaks in ways that are genuinely hard to diagnose from the outside.

If the plan involves moving mailboxes as well, that is a bigger exercise with its own sequence: see business email migration. If you are standing up mail from scratch instead, start at Google Workspace setup.

How we approach it

  1. Find out who actually controls the domain

    Registrar, nameservers, and who holds the logins. Surprisingly often this step alone is the whole engagement, because nobody has known the answer for years.

  2. Record the existing zone before touching anything

    Every record as it stands today, so there is something to compare against and something to restore from. Nothing gets changed until this exists.

  3. Import and reconcile

    Bring the zone into Cloudflare, then check it against the original line by line. Mail records first, always. Cloudflare imports well but it does not import perfectly.

  4. Switch the nameservers and watch

    Make the change, then confirm the site loads and, separately, send test mail in both directions. A site that loads proves nothing about your email.

  5. Configure SSL, caching and protection deliberately

    Encryption mode set to genuinely encrypt both halves, caching that suits how your site is updated, and protection turned on at a level that stops bots without blocking your customers.

  6. Leave you with the keys

    The account is yours, in your name, with your billing. We work in it; we do not hold it hostage. That is not a favour, it is how it should always have been.

What we configure and check

  • DNS records. Every record audited, documented and reconciled against the original zone before the switch.
  • Nameserver migration. Planned so the cutover is boring, with the old zone recorded and reversible.
  • SSL and TLS. An encryption mode that actually protects both halves of the connection, no padlock that lies.
  • Redirects. One canonical hostname, everything else redirected to it once, with no loops or chains.
  • Caching. Set to suit how often the site changes, with purging understood so an edit shows up when you expect it.
  • Mail records. MX, SPF, DKIM and DMARC verified as still working after the move, not assumed.
  • Email obfuscation. Addresses on your pages hidden from the scrapers that feed spam lists.
  • Protection. Bot and attack mitigation set at a level that filters junk without blocking real customers.

What Cloudflare will not fix

It gets recommended as a cure for things it has nothing to do with.

  • A slow website. Caching moves your pages closer to visitors. If the page is heavy because of unoptimised images and bloated scripts, you now have a heavy page delivered promptly. See speed optimization for the actual cause.
  • A hacked site. Protection filters traffic at the door. It does not remove malicious code already living in your site, and it will happily serve a compromised page very efficiently. That is website security work.
  • Not appearing in Google. Different problem entirely. Start with Search Console to find out whether you are even indexed.
  • Email landing in spam. Cloudflare hosts the DNS records that authenticate your mail, so it is part of the fix, but the fix is SPF, DKIM and DMARC being correct rather than Cloudflare being present.
  • A site nobody wants to read. No amount of infrastructure rescues that. It is a design and content problem.

Who this is for

  • Businesses that do not know who controls their DNS, or cannot get into it
  • Anyone with a certificate warning, a redirect loop, or a site that loads on one address but not another
  • Owners who need a DNS record added for verification and have nowhere to add it
  • Sites getting hammered by bots, spam form submissions, or worse
  • Anyone moving hosts or email providers who wants the cutover to be uneventful

When this is not the right fit

  • Businesses whose real problem is a slow or bloated site. Cloudflare helps at the edges; it does not fix the page itself.
  • Anyone already on a well-configured setup that is working. If nothing is broken, moving it is risk without reward.
  • Sites that need the malicious code cleaned out first. Protection at the door does not help when the problem is already inside.
  • Anyone who wants us to hold their domain for them. We will not: the account should be yours, in your name.

What SolvenceHQ can help with

DNS is the one place where a careless change breaks your website and your email at the same time, with no warning. We treat it that way: audit first, change second, verify both.

  • Find out who controls your domain and get you back in control of it
  • Full DNS audit, documented, before any change is made
  • Nameserver migration to Cloudflare with mail records reconciled line by line
  • SSL and TLS configured so the padlock reflects reality
  • Caching, redirects and canonical hostname sorted out
  • Email obfuscation and bot protection turned on sensibly
  • DNS records added for Search Console verification or mail authentication
  • Ongoing changes handled as part of website maintenance

Common questions

Do I have to move my domain to Cloudflare to use it?

No. You keep your domain registered wherever it is now. What changes is the nameservers, which is the setting that decides who answers questions about your domain. Cloudflare becomes your DNS provider; your registrar stays your registrar.

You can move the registration to Cloudflare as well if you want everything in one place, but it is a separate decision and not required.

Will putting my site behind Cloudflare break my email?

It should not, and when it does the cause is nearly always the same mistake: the MX records were not carried across when the nameservers changed, or an MX hostname was proxied. Mail records must never be proxied, only your web traffic.

This is why we audit every existing record before changing nameservers rather than after. If mail is already unreliable, that is a separate problem: see business email going to spam.

Is the free plan enough for a small business site?

For a great many small business sites, honestly, yes. DNS, a certificate, caching and the baseline protection cover what most brochure and lead-generation sites actually need. We will tell you if your situation genuinely calls for more rather than assuming it does.

Note that Cloudflare is a service you hold in your own account, so whatever it costs is between you and them. We configure it; we do not resell it.

Why does my site show a certificate warning even though Cloudflare says SSL is on?

Usually because of the encryption mode between Cloudflare and your actual host. If it is set to a mode that does not encrypt that back half of the connection, or your host has no valid certificate of its own, you get warnings, redirect loops, or a padlock that lies about what is happening.

The other common cause is mixed content: the page loads over https but pulls an image or script over http. Both are fixable. See website security problems.

Does Cloudflare make my website faster?

It can, and it is not magic. Caching your pages and files closer to your visitors genuinely cuts the time spent waiting on the network, and that is real.

What it will not do is rescue a site that is slow because of oversized images, bloated plugins or heavy scripts. The cache will faithfully deliver your slow page quickly to the edge and it will still be slow. That is a speed optimization job.

Get a Quote

Not sure who controls your DNS?

Tell us your domain and what is misbehaving. We will find out where it actually points and what is in the way.