Use Cloudflare safely with InstaChime

Before changing DNS

Export the current DNS records from the registrar before importing them into Cloudflare.
Confirm Microsoft 365 MX, SPF, DKIM, and DMARC records are present after import.
Confirm Resend SPF/DKIM records are present after import.
Keep email-related records DNS-only. Do not proxy MX, SPF, DKIM, DMARC, or verification records.
Lower DNS TTL before a planned migration if your registrar supports it.

Proxy only the public website hostnames after DNS import is verified.
Do not cache `/api/*`, `/app`, `/admin`, `/settings`, `/cms`, `/integrations`, `/workflows`, `/clients`, `/mfa`, `/billing/*`, `/verify-email`, `/reset-password`, or `/accept-invite`.
Do not cache `/api/webhooks/capture` or any customer-owned bridge URL.
Cache static assets conservatively first, then tune after smoke tests and analytics confirm stability.
Keep the origin health URL `https://instachime.com/api/health/ready` uncached.

Start new WAF and rate-limit rules in log mode where the plan supports it.
Rate-limit obvious abuse against signup, login, forgot-password, contact, CMS/admin login, and public form endpoints.
Avoid aggressive blocking on lead-source webhook endpoints until every vendor and bridge has been tested through Cloudflare.
Allow known provider IP ranges only when the vendor publishes stable ranges and you are ready to maintain them.
Review Cloudflare events before changing a rule from log/challenge to block.

Open the homepage, pricing, help, compare, contact, signup, login, admin, CMS, and settings pages.
Submit the contact form and confirm the email arrives.
Create a test lead and confirm the dashboard, alert history, and delivery history update.
Run the health check at `/api/health/ready`.
Send one source webhook and one outgoing CRM webhook test before enabling stricter WAF rules.