But Cloudflare Email Routing console states: SPF status
softfail DMARC status
fail DKIM status
neutral
Email is below:
Delivered-To:
Subject: You have an outstanding payment.
MIME-Version: 1.0
Content-Type: text/plain; charset=“iso-8859-2”
Content-Transfer-Encoding: 8bit
Hello there!
Unfortunately, there are some bad news for you.
Around several months ago I have obtained access to your devices that you were using to browse internet.
Subsequently, I have proceeded with tracking down internet activities of yours.
Gmail evaluated the mail based on the Cloudflare to Gmail transaction. Cloudflare evaluated the transaction between Cloudflare and the previous hop. Both results are accurate from the vantage point and criteria in place at that point.
Your SPF ends with ~all which suggests that a soft fail is permissible.
Unfortunately, it will not. You lacked sufficient email origin sources in your SPF for that to be a safe move at this time. Once your SPF covers the authorized relays for your domain, then you could consider moving to -all.
I don’t if Cloudflare’s new DMARC Management (beta) plays will with the Cloudflare Email Routing, but DMARC monitoring can be helpful to get an idea where email that claims to be from your domain is originating.
Would it not make sense for any emails where the spf failed and Cloudflare sends on my behalf to somehow send an email to the destination so the spf fails there also? (not sure how, maybe send the email from a Cloudflare domain (badcloudflaredomain.net) not in spf record?)
In my initial post, someone is claiming / spoofing to send from [email protected] to [email protected]. But was not sent from Cloudflare.
Cloudflare knows that it did not send it and it was sent from an ip not in the spf record.
So why does Cloudflare merrily send an email (with failed spf) to my ‘Customer Address’ as if nothing happened.
Surely Cloudflare could ‘simulate’ a spf fail when it sends to my customer email address, or at the very least paste a warning at the start of the email.
Your SPF ending in ~all tells receiving servers to accept your email even when the SPF test fails.
Other than forwarding email according to your directives, Cloudflare sends no email claiming to be from your domain.
Your SPF currently lacks any authorized sources other than Cloudflare, which will only forward to your inbox.
If you will not be sending email using your domain email address, you could switch your SPF to -all to communicate that. You will need to add your genuine sources to your SPF if you later decide to send domain email.