Every DNS record in Cloudflare has a small cloud icon next to it. Orange means proxied. Grey means DNS only. This tiny toggle controls whether Cloudflare sits between your visitors and your server — or just handles DNS resolution. Getting it wrong can break email, expose your server IP, or disable critical services.
This guide explains exactly what each mode does, when to use which, and the common mistakes that break things silently.
Proxied vs DNS Only
What Proxied (Orange Cloud) Actually Does
When a DNS record is proxied, Cloudflare inserts itself between visitors and your server. Instead of returning your server's real IP address in DNS responses, Cloudflare returns one of its own edge IPs. All traffic then flows through Cloudflare's global network before reaching your server.
Visitor types your domain → Cloudflare edge (CDN + WAF + DDoS) → Origin server
This gives you a significant set of features, all happening at Cloudflare's edge before traffic ever touches your server:
CDN & Caching
Static assets (images, CSS, JS) are cached at 300+ edge locations worldwide. Visitors load your site from the nearest Cloudflare data center, dramatically reducing latency. Your server handles fewer requests.
DDoS Protection
Cloudflare absorbs volumetric attacks at the edge. Your server never sees the malicious traffic. This includes Layer 3/4 (network) and Layer 7 (application) attacks. Always-on, no configuration needed.
Web Application Firewall
Cloudflare's WAF inspects every HTTP request for SQL injection, XSS, directory traversal, and other OWASP Top 10 threats. Malicious requests are blocked before reaching your application.
SSL/TLS Termination
Cloudflare handles SSL negotiation at the edge, offloading cryptographic work from your server. You can also enable features like automatic HTTPS rewrites and HTTP/2 or HTTP/3.
IP Hiding
Your server's real IP address is hidden from DNS lookups. Attackers can't find your origin server through dig or nslookup. This is one of the most valuable security benefits.
Analytics & Bot Management
Cloudflare provides traffic analytics, bot detection, and rate limiting — all based on traffic passing through its proxy. None of this works for DNS-only records.
What DNS Only (Grey Cloud) Does
When a DNS record is set to DNS only, Cloudflare acts as a plain DNS server. It responds to DNS queries with your actual server IP address. No proxy, no caching, no protection, no analytics. Traffic goes directly from the visitor to your server.
Visitor types your domain → Cloudflare DNS returns your real IP → Direct connection to your server
This means:
- Your real server IP is visible to anyone who runs dig
- No CDN caching — all requests hit your server directly
- No DDoS protection from Cloudflare
- No WAF filtering
- No Cloudflare analytics for that subdomain
- Any protocol works — SMTP, FTP, SSH, game servers, etc.
When to Use Orange Cloud (Proxy ON)
Use the orange cloud for any record that serves HTTP/HTTPS traffic — websites, web applications, APIs, and static content.
| DNS Record | Proxy | Why |
|---|---|---|
| Root domain A record (example.com) | ON | CDN caching, DDoS protection, IP hiding for your main website |
| www CNAME record | ON | Same protection as root domain — most visitors use www |
| App subdomains (app, blog, shop) | ON | Web applications benefit from caching and WAF protection |
| API subdomain (api.example.com) | ON (usually) | WAF protection for API endpoints; disable if latency-sensitive |
| CDN subdomain (cdn, static, assets) | ON | Maximum caching benefit for static assets |
| Staging/preview sites | ON | Still web traffic — benefits from SSL and IP hiding |
When to Use Grey Cloud (Proxy OFF)
Use DNS only for any record that serves non-HTTP traffic, or where the Cloudflare proxy would interfere with the protocol.
| DNS Record | Proxy | Why |
|---|---|---|
| Mail server (mail.example.com) | OFF | SMTP uses ports 25/465/587 — cannot pass through HTTP proxy |
| MX records | N/A | MX records cannot be proxied (not A/AAAA/CNAME) |
| FTP server (ftp.example.com) | OFF | FTP uses port 21 + dynamic data ports — not HTTP |
| SSH access (ssh.example.com) | OFF | SSH uses port 22 — Cloudflare does not proxy it |
| TXT records (SPF, DKIM, DMARC) | N/A | TXT records are never proxied — they're informational DNS entries |
| Game servers | OFF | Custom UDP/TCP ports not in Cloudflare's supported list |
| Database connections (db.example.com) | OFF | MySQL (3306), PostgreSQL (5432) — non-HTTP protocols |
| VPN endpoints | OFF | OpenVPN, WireGuard use UDP — cannot be proxied |
If mail.yourdomain.com is proxied (orange cloud), ALL email will break — incoming and outgoing. Cloudflare only proxies HTTP/HTTPS traffic on specific ports. SMTP, IMAP, and POP3 traffic is silently dropped. This is the single most common DNS mistake we see, and it results in total email failure with no obvious error message for the sender.
Common Mistakes
Proxying the Mail Subdomain
Enabling the orange cloud on mail.yourdomain.com immediately breaks all email. SMTP connections on ports 25, 465, and 587 cannot pass through Cloudflare's HTTP proxy. Both sending and receiving stop working. Other servers trying to deliver email to you get connection timeouts.
Impact: Total email failure
Grey Cloud on Root A Record
Setting your main domain to DNS only exposes your origin server IP to the public. Anyone can run dig example.com and find your real IP. This bypasses all DDoS protection and WAF rules. Attackers can target your server directly, making Cloudflare useless for that domain.
Impact: Origin IP exposed
Proxy ON for FTP/SSH Subdomains
FTP (port 21) and SSH (port 22) are not HTTP protocols. If you proxy the A record for ftp.example.com or ssh.example.com, clients will get connection refused or timeouts. These protocols need a direct path to your server.
Impact: Service unreachable
Inconsistent Proxy Modes
Some subdomains proxied, others not — without a clear reason. The DNS-only subdomains leak your origin IP, which can then be used to attack proxied subdomains directly. If you expose the IP on any record, the protection on other records is weakened.
Impact: Partial IP exposure
How to Check and Change Proxy Status
Cloudflare Dashboard
Log into Cloudflare → select your domain → click DNS in the left sidebar → Records. Each A, AAAA, and CNAME record has a cloud icon. Click the icon to toggle between proxied (orange) and DNS only (grey).
Verify from Command Line
You can check the current state from any terminal:
```bash
dig +short A example.com
# If the response shows Cloudflare IPs (104.x.x.x, 172.x.x.x), the record is proxied
# If the response shows your server IP (e.g., 203.0.113.10), the record is DNS only
```
Cloudflare edge IPs are typically in these ranges:
- 104.16.0.0/12
- 172.64.0.0/13
- 173.245.48.0/20
- 103.21.244.0/22
If you see any of these in the dig response, the record is proxied.
Cloudflare API
For automation, you can query and update proxy status via the Cloudflare API:
```bash
curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json"
# Each record has "proxied": true or "proxied": false
```
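As an added example (not from the article or from Cloudflare), here is a small linter over the JSON that call returns. It applies the rules from the tables above to the configured `proxied` flag of every A/AAAA/CNAME record: non-HTTP service names (mail, ftp, ssh, db, vpn) must be DNS only, and the apex and www must be proxied. The response is a constructed sample using the standard `type`, `name`, `content` and `proxied` fields; the prefix list is an assumption to extend with your own naming.

```python
import json
import re

# Rules distilled from the tables above: these prefixes name non-HTTP services
# and must stay DNS only; the apex and www must be proxied. Assumption: the
# prefix list is a starting point, extend it with your own naming scheme.
DNS_ONLY_PREFIX = re.compile(r"^(mail|ftp|ssh|db|vpn)\.")
MUST_PROXY_LABELS = {"", "www."}          # "" is the zone apex itself
PROXYABLE_TYPES = {"A", "AAAA", "CNAME"}  # MX, TXT, SRV, ... carry no proxy flag

def audit_records(records, zone_name):
    """Return (hostname, problem) pairs for records that break the rules above."""
    findings = []
    for rec in records:
        if rec["type"] not in PROXYABLE_TYPES:
            continue
        name, proxied = rec["name"], rec.get("proxied", False)
        if name == zone_name:
            label = ""
        elif name.endswith("." + zone_name):
            label = name[:-len(zone_name)]  # keeps the trailing dot: "mail."
        else:
            continue                        # not a name in this zone
        if DNS_ONLY_PREFIX.match(label) and proxied:
            findings.append((name, "non-HTTP service is proxied; its traffic will be dropped"))
        elif label in MUST_PROXY_LABELS and not proxied:
            findings.append((name, "web record is DNS only; origin IP exposed, no WAF/DDoS"))
    return findings

# Constructed sample in the shape of the API response (only the fields used here).
SAMPLE_RESPONSE = json.loads("""
{"result": [
  {"type": "A",     "name": "example.com",      "content": "203.0.113.10",     "proxied": false},
  {"type": "CNAME", "name": "www.example.com",  "content": "example.com",      "proxied": true},
  {"type": "A",     "name": "mail.example.com", "content": "203.0.113.10",     "proxied": true},
  {"type": "A",     "name": "ftp.example.com",  "content": "203.0.113.10",     "proxied": false},
  {"type": "MX",    "name": "example.com",      "content": "mail.example.com", "priority": 10}
]}""")

if __name__ == "__main__":
    for host, problem in audit_records(SAMPLE_RESPONSE["result"], "example.com"):
        print(f"{host}: {problem}")
```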
Cloudflare's Supported Ports
This is the crucial detail most people miss: Cloudflare's proxy only works on a specific set of ports. If your service runs on an unsupported port, proxying the record means no traffic gets through.
| Protocol | Supported Ports |
|---|---|
| HTTP | 80, 8080, 8880, 2052, 2082, 2086, 2095 |
| HTTPS | 443, 2053, 2083, 2087, 2096, 8443 |
What About Non-Standard HTTP Ports?
If your web application runs on a non-standard port that's in Cloudflare's list (like 8443 or 2083), proxying works fine — Cloudflare forwards traffic on that port. But if your app runs on, say, port 3000 or 5000, those are not in the supported list. Proxied traffic on those ports will fail. You'll need to either:
- Run your app on a supported port (80, 443, 8443, etc.)
- Use a reverse proxy (like nginx) on a supported port that forwards to your app
- Set the record to DNS only and lose Cloudflare's proxy benefits
The IP Exposure Problem
One subtle but important point: proxy protection is only as strong as your weakest record. If your root domain is proxied (hiding your IP) but mail.example.com is DNS only (which it must be for email), your server IP is still discoverable via the mail subdomain.
- Use a separate IP for email if possible (different server or secondary IP)
- Configure your server's firewall to only accept HTTP traffic from Cloudflare's IP ranges on the proxied ports
- Use Cloudflare's Authenticated Origin Pulls (mTLS) to ensure only Cloudflare can connect to your web server
- Accept the tradeoff — for most sites, the mail IP exposure is an acceptable risk
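As an added example (not part of the original article), this Python audit applies the dig check from the verification section to a whole zone and surfaces the weakest-record problem just described: it classifies each record's answers as proxied or DNS only using the edge ranges listed on this page, and lists every hostname whose answers reveal the origin IP. The zone data is a constructed sample shaped like `dig +short` output; the range list is assumed to be the page's short list, not Cloudflare's complete published set.

```python
from __future__ import annotations
import ipaddress

# Cloudflare edge ranges as listed on this page. Assumption: this is the page's
# short list, not Cloudflare's complete published set (and it has no IPv6 ranges),
# so extend it from the official list before relying on it for a real audit.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("104.16.0.0/12", "172.64.0.0/13", "173.245.48.0/20", "103.21.244.0/22")
]

def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of the known edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)  # v6 in a v4 net is False

def classify(answers: list[str]) -> str:
    """Classify one record's A/AAAA answers (the lines `dig +short` prints).

    proxied  - every answer is a Cloudflare edge IP
    dns_only - every answer is your own server's IP
    mixed    - both kinds: should not happen for one record; usually a stale
               cache or a half-finished change, so treat it as exposed
    empty    - no A/AAAA answers at all
    """
    if not answers:
        return "empty"
    flags = {is_cloudflare_ip(ip) for ip in answers}
    if flags == {True}:
        return "proxied"
    if flags == {False}:
        return "dns_only"
    return "mixed"

def exposing_records(zone: dict[str, list[str]], origin_ip: str) -> list[str]:
    """Hostnames whose answers reveal origin_ip, i.e. the weakest records."""
    origin = ipaddress.ip_address(origin_ip)
    return sorted(host for host, answers in zone.items()
                  if any(ipaddress.ip_address(ip) == origin for ip in answers))

# Constructed sample mirroring the configuration example later on this page:
# web records proxied, mail and ftp DNS only, all on the same origin.
SAMPLE_ZONE = {
    "example.com": ["104.16.1.1", "104.16.2.2"],
    "www.example.com": ["104.16.1.1", "104.16.2.2"],
    "api.example.com": ["172.67.2.2"],
    "mail.example.com": ["203.0.113.10"],
    "ftp.example.com": ["203.0.113.10"],
}

if __name__ == "__main__":
    for host, answers in SAMPLE_ZONE.items():
        print(f"{host:20} {classify(answers)}")
    print("origin exposed by:", exposing_records(SAMPLE_ZONE, "203.0.113.10"))
```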
Quick Reference: Record Type vs Proxy Capability
| Record Type | Can Be Proxied? | Notes |
|---|---|---|
| A | Yes | IPv4 address records — most common proxied record |
| AAAA | Yes | IPv6 address records — same behavior as A records |
| CNAME | Yes | Alias records — proxied at Cloudflare's edge |
| MX | No | Mail exchange — never proxied, always returns target hostname |
| TXT | No | Text records (SPF, DKIM, DMARC) — informational only |
| SRV | No | Service records — used by XMPP, SIP, etc. |
| NS | No | Nameserver records — managed by Cloudflare automatically |
| CAA | No | Certificate authority authorization — informational |
Real-World Configuration Example
Here's a typical DNS setup for a website with email, FTP, and an API — all on the same server:
| Type | Name | Value | Proxy |
|---|---|---|---|
| A | example.com | 203.0.113.10 | Proxied |
| CNAME | www | example.com | Proxied |
| A | api | 203.0.113.10 | Proxied |
| A | mail | 203.0.113.10 | DNS Only |
| A | ftp | 203.0.113.10 | DNS Only |
| MX | @ | mail.example.com (pri 10) | N/A |
| TXT | @ | v=spf1 ip4:203.0.113.10 -all | N/A |
| TXT | _dmarc | v=DMARC1; p=quarantine; ... | N/A |
Cloudflare Spectrum: Proxying Non-HTTP Ports
Cloudflare does offer a product called Spectrum that can proxy arbitrary TCP and UDP ports — including SSH, email, and game servers. However, Spectrum is a paid Enterprise feature (or limited on Pro/Business plans). It's not the default behavior of the orange cloud toggle.
Decision Flowchart
When adding a new DNS record in Cloudflare, ask yourself these questions:
1. Is it an A, AAAA, or CNAME record?
   - No → Proxy doesn't apply (MX, TXT, SRV, etc. are never proxied)
   - Yes → Continue to question 2
2. Does it serve HTTP/HTTPS traffic on a port Cloudflare's proxy supports?
   - No → Set to DNS Only
   - Yes → Continue to question 3
3. Do you want Cloudflare's CDN, WAF, and DDoS protection in front of it?
   - Yes → Set to Proxied
   - No → Set to DNS Only (rare — most web traffic benefits from proxy)
Summary
The orange cloud vs grey cloud decision comes down to one simple rule: HTTP traffic gets the orange cloud, everything else gets grey. Websites, APIs, and web apps benefit from Cloudflare's proxy. Email, FTP, SSH, databases, and game servers need a direct connection.
- Root domain and www: always proxied (orange cloud)
- Web app subdomains: proxied for CDN and protection
- Mail subdomain: always DNS only (grey cloud) — SMTP needs direct access
- FTP and SSH subdomains: DNS only — non-HTTP protocols
- TXT, MX, SRV records: cannot be proxied (automatic)
- Check with dig +short A yourdomain.com — Cloudflare IPs mean proxied
- Only ports 80, 443, 8080, 8443, and a few others are supported by the proxy
- IP exposure from DNS-only records can be mitigated with firewall rules