ISSUE: Your site (site.com) is behind Cloudflare, but you are using an e-mail address at the same domain, so it is likely that you are leaking the real IP of your web server.

EXPLANATION, SOLUTIONS: Even when a site is protected by Cloudflare, the real IP of the server hosting it can leak through the MX record. The MX record tells other mail servers where to deliver e-mail for the domain. Cloudflare only proxies HTTP(S) traffic, so the hostname named in the MX record (and the A record under it) must be published DNS-only and cannot be hidden behind Cloudflare; if that hostname points at the same server that hosts the website, the MX record hands the real web server IP to anyone who queries DNS. An MX record is required to receive e-mail, so there are two ways out: delete the mailbox and the MX record and use Gmail (or another hosted mail service), or move mail to a different server whose IP we do not mind exposing (an exposed mail server is probably better than an exposed web server). In this article I attempt to write, for noobs like me, how to reconfigure the DNS records. Experienced people should still note the catch described in the last paragraph, "OTHER IMPORTANT THINGS TO DO".

EXPLANATION HOW TO SEPARATE MAILSERVER FROM WEBSERVER AND RECONFIGURE DNS TO PREVENT WEBSERVER IP LEAK:

OPTION A) buy a private server/VPS and use it for mailing (suitable for larger volumes)

Instruct your PHP scripts to send e-mail through this new external SMTP server instead of the local mail() function (google: php send e-mail via SMTP).

Steps to create the new external mail server can be these:

1. get/order a new Linux server with Ubuntu 14.04 x64 and at least 1GB RAM
2. go to Cloudflare or your hosting control panel, open the DNS section of your domain and add or modify the A record for mail. Example: my A record is named mail and pointed to the IP where my website is hosted, so I changed its IP to the IP of the new mail server. Leave this record DNS-only (grey cloud); Cloudflare does not proxy SMTP.
3. install Mail-in-a-Box on the mail server: https://mailinabox.email/guide.html
4. set up a new e-mail account with SMTP
5. tweak the SMTP server configuration so it does not leak the web hosting server IP in the "Received: from" header of outgoing mail; this is described below under "OTHER IMPORTANT THINGS TO DO"
6. set your website to send e-mail via this new SMTP server
7. send a test e-mail

OPTION B) buy cheap shared hosting whose IP will be exposed and used for e-mailing

The downside of this method is that e-mails sent by your website may still reveal the web server IP (the IP of the server hosting your Cloudflare-protected site) in their headers (message source), and the admin of the shared hosting server may not be willing to adjust the server configuration to hide it. (More about this issue is mentioned below in the paragraph "OTHER IMPORTANT THINGS TO DO".)

1. order shared hosting and use it either for sending mail through its SMTP server or just for receiving e-mail. This lets us replace the web server's real IP in the publicly visible MX record with the IP of the mail server, whose downtime is less critical. The next four steps set up/modify the DNS records so they present the IP of the mail server, not the web server.

2. in Cloudflare / Site / DNS section, change/create the A record for mail so it points to the IP of the new mail server from step 1 instead of the web server IP (the hosting provider usually states which hostname/server name to use in a mail client). This way an attacker can only discover the IP of the mail server, not the IP of the hosting server we want to hide; having the mail server attacked is probably better than having the web server IP leaked and the website taken down. Example of the A record I set in Cloudflare:
type: A, name: mail, value: 1.2.3.4
(1.2.3.4 is the IP of the server holding your mailboxes/mail server, not the IP of the web server; keep this record DNS-only (grey cloud), because Cloudflare does not proxy SMTP and a proxied record would break mail delivery)

3. in Cloudflare / Site / DNS section set the MX record to point to the hostname of the SMTP mail server or of the shared hosting ordered for e-mailing only. Each MX record also carries a priority (the lowest number is tried first). Example, my MX entries are two:
type: MX, name: mydomain.com, value: mail.mydomain.com
type: MX, name: mydomain.com, value: hostname.mydomain.com
(both hostnames must resolve to mail servers, never to the web server; in Cloudflare the apex name is shown as mydomain.com or @)
That way all e-mail sent to me is routed to the mail server, not to the web server whose real IP it would otherwise reveal. The currently defined DNS records (MX, TXT, A) can be checked with tools like intodns.com or dnsinspect.com, or google: mx record check

4. in Cloudflare / Site / DNS section set a TXT record holding the SPF policy as provided by your e-mail hosting provider (SPF, not PTR: the PTR/reverse-DNS record for the mail server IP is set by the server's provider, not in your zone). In my case I have this in Cloudflare:
type: TXT, name: yourdomainhere.com, value: v=spf1 ip4:1.2.3.4 a mx include:yourdomainhere.com ~all
(1.2.3.4 is the IP of the server where your mailboxes/mail server are, not the IP of the web server. Two caveats: the a mechanism authorizes whatever the apex A record resolves to, which is Cloudflare's edge once the site is proxied, and include:yourdomainhere.com makes the record include itself, which is a lookup loop; a simpler v=spf1 ip4:1.2.3.4 mx ~all covers the mail server without either problem. Never put the web server IP in this record, it is public)

5. in Cloudflare / Site / DNS section set a TXT record with the DKIM public key as provided by your e-mail hosting provider. In my case I have this in Cloudflare:
type: TXT, name: default._domainkey, value: v=DKIM1;k=rsa;p=StringHere
(note: no quotation marks in the TXT record value; StringHere stands for the base64 public key, and the selector default must match what the sending server signs with. Use the key generated by the server that relays the e-mail (the SMTP server), not the web hosting server)
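As an added check (example code written for this article, not part of the original tutorial), the following Python script audits a zone for the mistakes that steps 2 to 5 are meant to fix: an A record for the mail host still carrying the web server IP, an MX target that resolves to it, an MX target left proxied (which breaks SMTP), and an SPF record that publishes the origin IP, loops on itself, or relies on the a mechanism behind the proxy. The zone records, the origin IP 198.51.100.10 and the mail server IP 203.0.113.4 are constructed sample data; in practice you would paste in the records exported from Cloudflare.

```python
# Constructed sample data (documentation-range IPs, not real hosts).
DOMAIN = "mydomain.com"
WEB_ORIGIN_IP = "198.51.100.10"   # the IP Cloudflare is hiding (assumed)
MAIL_SERVER_IP = "203.0.113.4"    # the IP we accept exposing (assumed)

# Zone records as (type, name, content, proxied). 'proxied' is Cloudflare's
# orange cloud; MX content may carry a leading priority as in the UI export.
ZONE_BEFORE = [
    ("A",   "@",    WEB_ORIGIN_IP, True),             # website, proxied: fine
    ("A",   "mail", WEB_ORIGIN_IP, False),            # mail host still = web server
    ("MX",  "@",    "10 mail." + DOMAIN, False),
    ("TXT", "@",    "v=spf1 ip4:%s a mx include:%s ~all" % (WEB_ORIGIN_IP, DOMAIN), False),
]

ZONE_AFTER = [
    ("A",   "@",    WEB_ORIGIN_IP, True),
    ("A",   "mail", MAIL_SERVER_IP, False),           # grey cloud, points at mail server
    ("MX",  "@",    "10 mail." + DOMAIN, False),
    ("TXT", "@",    "v=spf1 ip4:%s mx ~all" % MAIL_SERVER_IP, False),
]


def fqdn(name, domain):
    """Expand Cloudflare-style short names ('@', 'mail') to a full hostname."""
    name = name.rstrip(".")
    if name in ("@", "", domain):
        return domain
    if name.endswith("." + domain):
        return name
    return "%s.%s" % (name, domain)


def a_records(zone, domain, host):
    """All (ip, proxied) pairs the zone publishes for host."""
    return [(content, proxied) for rtype, name, content, proxied in zone
            if rtype == "A" and fqdn(name, domain) == host]


def check_spf(spf, domain, origin_ip):
    """Findings for one SPF record: leaked origin, self-include, useless 'a'."""
    findings = []
    for term in spf.split()[1:]:
        mech = term.lstrip("+-~?")            # drop the qualifier
        if mech == "ip4:" + origin_ip:
            findings.append("SPF lists the web origin IP directly")
        elif mech == "include:" + domain:
            findings.append("SPF includes its own domain (lookup loop)")
        elif mech == "a":
            findings.append("SPF 'a' authorizes whatever the apex resolves to; "
                            "behind Cloudflare that is the proxy edge, not the mail server")
    return findings


def audit_zone(zone, domain, origin_ip):
    """Return human-readable findings; an empty list means no origin leak found."""
    findings = []
    for rtype, name, content, proxied in zone:
        host = fqdn(name, domain)
        if rtype == "A" and content == origin_ip and not proxied:
            findings.append("A %s publishes the origin IP without the proxy" % host)
        elif rtype == "MX":
            target = fqdn(content.split()[-1], domain)   # drop optional priority
            for ip, target_proxied in a_records(zone, domain, target):
                if target_proxied:
                    findings.append("MX %s is proxied; Cloudflare does not proxy SMTP, "
                                    "so mail will not arrive" % target)
                elif ip == origin_ip:
                    findings.append("MX %s resolves to the origin IP" % target)
        elif rtype == "TXT" and content.startswith("v=spf1"):
            findings.extend(check_spf(content, domain, origin_ip))
    return findings


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, audit_zone(zone, DOMAIN, WEB_ORIGIN_IP) or ["clean"])
```

Running it prints five findings for the "before" zone and "clean" for the "after" zone. The script only looks at records inside your own zone; it cannot tell you whether the mail server IP itself is also used by the website, which is the one thing no DNS change can fix.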

OTHER IMPORTANT THINGS TO DO:

If we instruct PHP scripts to relay e-mail via a remote SMTP server (including one provided by the shared hosting account bought just for e-mailing) in order to hide the web server IP, it will probably still leak: when a PHP script on the web server submits a message to the remote SMTP server, that server adds a "Received: from" header naming the client that handed it the message, i.e. the web server's real IP, and anyone who receives an e-mail from our scripts (an attacker requesting a password reset, for example) can read it in the message source. To prevent this leak, the server admin can configure the SMTP server to strip or rewrite that header (google: hide received from header SMTP). On shared hosting, where we are not the admin, the admin may not agree to change this, which is understandable.
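The check a practitioner would run on one of the site's own outgoing e-mails, as added example code that is not from the original tutorial: parse the message headers and report every Received: hop that names the hidden web server IP. The sample message below is constructed; the hop marked ESMTPSA is the authenticated submission from the web server to the relay, which is exactly the header that gives the origin away. The postfix_header_check() helper emits the header_checks rule that makes Postfix (the MTA Mail-in-a-Box runs) drop that header; applying it only to the submission service through a separate cleanup instance in master.cf is the usual refinement, and either way it is only possible on a server you administer (Option A), not on shared hosting.

```python
import email
import re

WEB_ORIGIN_IP = "198.51.100.10"   # constructed: the IP Cloudflare is hiding

# Constructed message as the recipient would see it in "show original":
# the bottom hop is the web server handing the mail to our relay over
# authenticated SMTP (ESMTPSA); the top hop is the relay delivering it onward.
RAW_MESSAGE = """Received: from mail.mydomain.com (mail.mydomain.com [203.0.113.4])
    by mx.example.net (Postfix) with ESMTPS id 4F1A2B3C
    for <someone@example.net>; Mon, 01 Jan 2018 10:00:01 +0000
Received: from www1.local (unknown [198.51.100.10])
    by mail.mydomain.com (Postfix) with ESMTPSA id 7D8E9F0A
    for <someone@example.net>; Mon, 01 Jan 2018 10:00:00 +0000
From: noreply@mydomain.com
To: someone@example.net
Subject: Password reset
Message-ID: <reset-1@mydomain.com>

Click the link to reset your password.
"""


def _ip_pattern(ip):
    # match the dotted quad as a whole token, not as part of a longer address
    return re.compile(r"(?<![\d.])%s(?![\d.])" % re.escape(ip))


def received_leaks(raw_message, origin_ip):
    """Return the Received: headers (unfolded) that mention origin_ip."""
    msg = email.message_from_string(raw_message)
    pat = _ip_pattern(origin_ip)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return [h for h in hops if pat.search(h)]


def postfix_header_check(origin_ip):
    """header_checks(5) rule that deletes the Received: line naming origin_ip."""
    return r"/^Received: from .*\[%s\]/ IGNORE" % re.escape(origin_ip)


if __name__ == "__main__":
    for hop in received_leaks(RAW_MESSAGE, WEB_ORIGIN_IP):
        print("LEAK:", hop)
    print("suggested rule:", postfix_header_check(WEB_ORIGIN_IP))
```

Send yourself a message through every form on the site and run the check on the raw source of each one; a mail client's "show original" view is enough. The regexp the helper prints goes into a file referenced by header_checks = regexp:/etc/postfix/header_checks in main.cf (the path is an assumption), followed by postmap and a Postfix reload.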
--
If you know about any simpler way or have any fixes for this tutorial, please kindly describe it below.