This has happened a few times.
||PASS with IP 188.8.131.52 Learn more
||‘PASS’ with domain email.cloudflare.net Learn more
||‘PASS’ Learn more
But Cloudflare Email Routing console states:
Email is below:
Subject: You have an outstanding payment.
Content-Type: text/plain; charset=“iso-8859-2”
Unfortunately, there are some bad news for you.
Around several months ago I have obtained access to your devices that you were using to browse internet.
Subsequently, I have proceeded with tracking down internet activities of yours.
Gmail evaluated the mail based on the Cloudflare to Gmail transaction. Cloudflare evaluated the transaction between Cloudflare and the previous hop. Both results are accurate from the vantage point and criteria in place at that point.
Your SPF ends with
~all which suggests that a soft fail is permissible.
So I assume (with my limited spf understanding), that -all should fix this issue?
Unfortunately, it will not. You lacked sufficient email origin sources in your SPF for that to be a safe move at this time. Once your SPF covers the authorized relays for your domain, then you could consider moving to
I don’t if Cloudflare’s new DMARC Management (beta) plays will with the Cloudflare Email Routing, but DMARC monitoring can be helpful to get an idea where email that claims to be from your domain is originating.
Would it not make sense for any emails where the spf failed and Cloudflare sends on my behalf to somehow send an email to the destination so the spf fails there also? (not sure how, maybe send the email from a Cloudflare domain (badcloudflaredomain.net) not in spf record?)
I’m not following what you are describing.
In my initial post, someone is claiming / spoofing to send from [email protected] to [email protected]. But was not sent from Cloudflare.
Cloudflare knows that it did not send it and it was sent from an ip not in the spf record.
So why does Cloudflare merrily send an email (with failed spf) to my ‘Customer Address’ as if nothing happened.
Surely Cloudflare could ‘simulate’ a spf fail when it sends to my customer email address, or at the very least paste a warning at the start of the email.
Just thinking out loud…
Your SPF ending in
~all tells receiving servers to accept your email even when the SPF test fails.
Other than forwarding email according to your directives, Cloudflare sends no email claiming to be from your domain.
Your SPF currently lacks any authorized sources other than Cloudflare, which will only forward to your inbox.
If you will not be sending email using your domain email address, you could switch your SPF to
-all to communicate that. You will need to add your genuine sources to your SPF if you later decide to send domain email.
Yes, all my somewhereincanada.co email is sent from Cloudflare, so -all is what I need.
OMG. I just noticed that I am a big part of the confusion.
I had set the destination address of [email protected] to [email protected]. That has been corrected.
The odd part off this however is that there was no [email protected] listed in my destination addresses so I am not sure how I initially set that up.
Thanks again. You have gave me much to think about.