Cloudflare email : How is this happening

This has happened a few times.

Gmail says:

SPF: PASS with IP Learn more
DKIM: ‘PASS’ with domain Learn more
DMARC: ‘PASS’ Learn more

But Cloudflare Email Routing console states:
SPF status
DMARC status
DKIM status

Email is below:

Subject: You have an outstanding payment.
MIME-Version: 1.0
Content-Type: text/plain; charset=“iso-8859-2”
Content-Transfer-Encoding: 8bit

Hello there!

Unfortunately, there are some bad news for you.
Around several months ago I have obtained access to your devices that you were using to browse internet.
Subsequently, I have proceeded with tracking down internet activities of yours.

blah blah…

Gmail evaluated the mail based on the Cloudflare to Gmail transaction. Cloudflare evaluated the transaction between Cloudflare and the previous hop. Both results are accurate from the vantage point and criteria in place at that point.

Your SPF ends with ~all which suggests that a soft fail is permissible.

1 Like

So I assume (with my limited spf understanding), that -all should fix this issue?

Unfortunately, it will not. You lacked sufficient email origin sources in your SPF for that to be a safe move at this time. Once your SPF covers the authorized relays for your domain, then you could consider moving to -all.

I don’t if Cloudflare’s new DMARC Management (beta) plays will with the Cloudflare Email Routing, but DMARC monitoring can be helpful to get an idea where email that claims to be from your domain is originating.

1 Like

Would it not make sense for any emails where the spf failed and Cloudflare sends on my behalf to somehow send an email to the destination so the spf fails there also? (not sure how, maybe send the email from a Cloudflare domain ( not in spf record?)

I’m not following what you are describing.

In my initial post, someone is claiming / spoofing to send from [email protected] to [email protected]. But was not sent from Cloudflare.
Cloudflare knows that it did not send it and it was sent from an ip not in the spf record.

So why does Cloudflare merrily send an email (with failed spf) to my ‘Customer Address’ as if nothing happened.
Surely Cloudflare could ‘simulate’ a spf fail when it sends to my customer email address, or at the very least paste a warning at the start of the email.

Just thinking out loud…

Your SPF ending in ~all tells receiving servers to accept your email even when the SPF test fails.

Other than forwarding email according to your directives, Cloudflare sends no email claiming to be from your domain.

Your SPF currently lacks any authorized sources other than Cloudflare, which will only forward to your inbox.

If you will not be sending email using your domain email address, you could switch your SPF to -all to communicate that. You will need to add your genuine sources to your SPF if you later decide to send domain email.

1 Like


Yes, all my email is sent from Cloudflare, so -all is what I need.

OMG. I just noticed that I am a big part of the confusion.

I had set the destination address of [email protected] to [email protected]. That has been corrected.

The odd part off this however is that there was no [email protected] listed in my destination addresses so I am not sure how I initially set that up.

Thanks again. You have gave me much to think about.