This Knowledge Base article explains the correct DNS architecture, configuration, and operational best practices when:

- A domain is delegated to Cloudflare for DNS and security
- Website hosting is provided by Hostinger
- Email is provided by Hostinger Email, Google Workspace, Zoho Mail, or no email service

The document focuses on:

- Eliminating DNS authority conflicts
- Ensuring predictable resolution behavior
- Preventing SSL, email delivery, and verification failures

This article assumes Cloudflare is the authoritative DNS provider.

| Component | Role |
|---|---|
| Domain Registrar | Delegates authoritative nameservers |
| Cloudflare | Authoritative DNS, CDN, WAF, SSL |
| Hostinger | Web hosting (origin server) |
| Email Provider | Mail routing & authentication |

A domain MUST have exactly one authoritative DNS provider.

When Cloudflare nameservers are configured at the registrar:

- Cloudflare becomes the sole DNS authority
- Hostinger nameservers must NOT be used
- All DNS records are created inside Cloudflare only

User Request
↓
Cloudflare Nameservers (Authoritative)
↓
Cloudflare DNS Records
↓
Hostinger Server IP (Website)
↓
Email Provider MX (Mail Flow)

| Misconfiguration | Impact |
|---|---|
| Mixing Cloudflare + Hostinger NS | Split DNS authority |
| Adding Hostinger NS inside Cloudflare | Undefined resolution |
| Using Hostinger DNS zone | Records ignored |
| Proxying email records | Mail failure |

- WordPress / PHP websites on Hostinger
- Static websites
- Google Workspace business email
- Zoho Mail business email
- Hosting-only (no email) domains
- Multi-client MSP / IT service environments

Set ONLY Cloudflare nameservers at the registrar:

Remove:

- ns1.dns-parking.com
- ns2.dns-parking.com
- Any legacy hosting nameservers

Create these records in Cloudflare → DNS:

Notes:

- Orange-cloud proxy must be enabled
- Enables CDN, SSL, DDoS protection

All email-related records MUST be DNS-only (gray cloud)

Behavior:

- No MX records
- All inbound mail will bounce
- Acceptable only for non-communication domains

| Record Type | Proxy Setting |
|---|---|
| A / CNAME (Web) | Proxied |
| MX | DNS only |
| TXT (SPF/DKIM/DMARC) | DNS only |
| NS (subdomain only) | DNS only |
| Error | Root Cause | Fix |
|---|---|---|
| Website works intermittently | Mixed NS authority | Remove Hostinger NS |
| Email not delivered | MX proxied | Set DNS-only |
| Google verification fails | Wrong TXT location | Add TXT in Cloudflare |
| SSL pending | A record not proxied | Enable proxy |
| DNS changes ignored | Using Hostinger DNS | Use Cloudflare DNS |

- Missing DKIM/DMARC → Email spoofing
- Split DNS → Hijack risk
- No Cloudflare proxy → No DDoS/WAF
- Incorrect SPF → Mail spam rejection
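
The rules from the tables and risk list above, written as a small Python audit over a DNS record export. This is an added example, not part of the original article; `audit_zone`, the sample zone, and the assumption that Cloudflare nameservers end in `.ns.cloudflare.com` are illustrative.

```python
# Added example, not from the original article. Record fields (type, name,
# content, proxied) follow Cloudflare's DNS record export; data is constructed.

def audit_zone(domain, registrar_ns, records):
    """Return a list of findings; an empty list means the zone passes."""
    norm = lambda s: s.rstrip(".").lower()
    findings = []
    # One authority (assumption: Cloudflare nameservers end in .ns.cloudflare.com)
    stray = [n for n in map(norm, registrar_ns)
             if not n.endswith(".ns.cloudflare.com")]
    if stray or not registrar_ns:
        findings.append(f"NS: delegation is not Cloudflare-only {stray}")
    mx_targets = {norm(r["content"]) for r in records if r["type"] == "MX"}
    for r in records:
        rtype, name, proxied = r["type"], norm(r["name"]), r.get("proxied", False)
        if rtype == "NS" and name == domain:
            findings.append("NS: apex NS record inside the zone")
        elif rtype in ("A", "AAAA", "CNAME"):
            if name in mx_targets and proxied:
                findings.append(f"MAIL: MX target {name} is proxied")
            elif name in (domain, f"www.{domain}") and not proxied:
                findings.append(f"WEB: {name} is DNS-only, expected proxied")
    if mx_targets:  # email in use, so SPF + DKIM + DMARC must all exist
        txt = [(norm(r["name"]), r["content"].strip('"').lower())
               for r in records if r["type"] == "TXT"]
        spf = [c for n, c in txt if n == domain and c.startswith("v=spf1")]
        if len(spf) != 1:
            findings.append(f"SPF: expected 1 apex record, found {len(spf)}")
        if not any(norm(r["name"]).endswith(f"._domainkey.{domain}")
                   for r in records if r["type"] in ("TXT", "CNAME")):
            findings.append("DKIM: no *._domainkey record")
        if not any(n == f"_dmarc.{domain}" and c.startswith("v=dmarc1")
                   for n, c in txt):
            findings.append("DMARC: no _dmarc TXT record")
    return findings

# Constructed sample: mixed delegation, unproxied apex, proxied mail host.
SAMPLE_NS = ["ada.ns.cloudflare.com", "ns1.dns-parking.com"]
SAMPLE_RECORDS = [
    {"type": "A", "name": "example.com", "content": "192.0.2.10", "proxied": False},
    {"type": "A", "name": "www.example.com", "content": "192.0.2.10", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "192.0.2.20", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com"},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 mx ~all"},
]

if __name__ == "__main__":
    for finding in audit_zone("example.com", SAMPLE_NS, SAMPLE_RECORDS):
        print(finding)
```

The SPF, DKIM and DMARC checks run only when the zone has an MX record, matching the hosting-only case where no email records are expected.
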

- Use Cloudflare as the only DNS authority
- Always implement SPF + DKIM + DMARC
- Proxy only web traffic
- Document DNS for each client
- Avoid registrar default parking DNS

Verify using:
When Cloudflare is used, it must fully own DNS authority. Hostinger should be treated strictly as an origin server, and email services must be integrated via explicit MX and TXT records inside Cloudflare.
Following this architecture ensures:

- Predictable DNS behavior
- Reliable email delivery
- Strong security posture
- Zero propagation ambiguity