Cloudflare Email Routing IDN Not working

For me it started reporting no user even though the user is correct; after I enabled catch-all it started to report an upstream error.

550 5.1.1 Address does not exist (in reply to RCPT TO command)

521 550 Upstream error (in reply to end of DATA command)

@valentin_gosu / @dragoangel could you please share the domain you are using so I can have a look? (here or privately at sven (at) cloudflare).

Hi @sven2, my domain is already posted in my initial post :wink:

My domain is goșu.ro (xn--gou-2lb.ro)
I think this may be related to gmail’s ability to send/receive emails to IDN domains.
I sent one via yahoo, and that one went through.

This cannot be related to the sender in my case, as Cloudflare is throwing the error. I am using my own Postfix for sending mail, and also tried Gmail, Yahoo & Zoho; this is not something about the sender.

Okay, upstream error means that the email server at the destination address rejected the email. I think this way there are no details, and it would be good to get the upstream reject status in the bounce.

Cloudflare team, you will be disappointed - Gmail drops messages forwarded via your email system.
Zoho.eu accepts them, but puts your forwarded mail and validation mail in junk :frowning:.
Yahoo & Outlook (personal, not business) & mail.ru accept Cloudflare forwarded mail fine.
My personal mail server also accepts incoming mail and does not see anything bad in it with rspamd (DMARC, ARC, SPF are fine. IPs are not in RBLs and there were no other bad symbols). I think you need to contact Google and Zoho to resolve this.

With catch-all I can receive mail, but not with a simple email address; it still reports a non-existent address with:
550 5.1.1 Address does not exist (in reply to RCPT TO command), and I still think this is due to the IDN domain, which Cloudflare does not fully understand.

Issue still persists, @sven2 do you have time to check what is the reason? Happy new year :smiley: and thank you in advance.

Same issue on my account, if catch-all is enabled gmail responds with
“550 5.1.1 Domain does not exist”

Catch-all disabled, all works fine again.

My case is directly opposite

The http address for the verification email doesn’t work!

@dragoangel I’m taking a look, sorry for the delay

Also a note about MX security of cloudflare in general that could be enhanced:
amir.mx.cloudflare.net, isaac.mx.cloudflare.net, linda.mx.cloudflare.net:

  1. Servers that don’t enforce cipher suite preferences select the first cipher suite they support from the list provided by clients.
    This approach doesn’t guarantee that the best possible cipher suite is negotiated.
    With TLSv1.2-TLSv1.3 and strong cipher suites it’s OK, but with support of TLS v1.0-1.2 it’s not OK.
  2. Support of TLSv1.0 on MX is not a problem, better this than fallback to plaintext in my opinion, but why is TLSv1.3 not supported?
  3. Forward secrecy and authenticated encryption are not configured.
  4. DHE suites are not supported.
  5. RSA 2048 bits is quite small for the year 2022 :smiley:, especially for a system that works in the background.
  6. Cloudflare has managed its own DNS and DNSSEC for a while, so maybe it would be better to enable DNSSEC on mx.cloudflare.net and configure TLSA, which will provide DANE? DANE for most MTAs means that encryption is mandatory and downgrade to plaintext on port 25 is not allowed. This way works with any mail server that supports DNSSEC and TLSA.

Hi, sorry, no update on the case?

Sorry, I had a look but I have a hard time finding a way to test / buy an IDN domain.

I think it’s fair to say that Email Routing doesn’t support IDN domains at the moment.

If this will help I can share mine :alien:zone.pp.ua, it’s used just for testing and it’s free. Can you pm me?

Or, in case IDN domains are not supported, better update the docs, or even add an info banner on the email tab which will tell people, for any domain that starts with xn--, that temporarily it is not going to work.
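The two spellings of the domain quoted in this thread name the same zone, so a recipient lookup only matches reliably when both sides are compared in one canonical form. The sketch below is an added example, not Cloudflare's code and not a diagnosis of the actual fault: `RoutingTable`, `normalize_rcpt` and the destination address are hypothetical, and `is_idn` shows the `xn--` check the banner suggestion above would need.

```python
# Added illustration; RoutingTable and its rules are hypothetical, not Cloudflare's code.
SAMPLE_ULABEL = "go\u0219u.ro"        # goșu.ro, the domain quoted in the thread
SAMPLE_ALABEL = "xn--gou-2lb.ro"      # its A-label form from the same post


def to_alabel(domain: str) -> str:
    """Return the ASCII (A-label) form of a domain name."""
    # Python's built-in "idna" codec implements IDNA 2003 (RFC 3490);
    # ASCII labels pass through unchanged, so lower-case them afterwards.
    return domain.rstrip(".").encode("idna").decode("ascii").lower()


def is_idn(domain: str) -> bool:
    """True if any label is Punycode-encoded (starts with xn--)."""
    return any(l.startswith("xn--") for l in to_alabel(domain).split("."))


def normalize_rcpt(address: str) -> str:
    """Canonicalize an envelope recipient: local part kept, domain as A-label."""
    local, sep, domain = address.strip().strip("<>").rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not a mailbox: {address!r}")
    return f"{local}@{to_alabel(domain)}"


class RoutingTable:
    """Toy forwarding table keyed on the canonical recipient."""

    def __init__(self, catch_all=None):
        self.rules = {}
        self.catch_all = catch_all

    def add_rule(self, address: str, destination: str) -> None:
        self.rules[normalize_rcpt(address)] = destination

    def rcpt_to(self, address: str) -> str:
        """Return the SMTP reply a server using this table would give."""
        try:
            key = normalize_rcpt(address)
        except ValueError:  # the codec's UnicodeError is a ValueError subclass
            return "501 5.1.3 Bad destination mailbox address syntax"
        if key in self.rules or self.catch_all:
            return "250 2.1.5 OK"
        return "550 5.1.1 Address does not exist"


if __name__ == "__main__":
    table = RoutingTable()
    table.add_rule(f"mail@{SAMPLE_ULABEL}", "inbox@example.net")  # constructed rule
    for rcpt in (f"<mail@{SAMPLE_ALABEL}>", f"nobody@{SAMPLE_ALABEL}"):
        print(rcpt, "->", table.rcpt_to(rcpt))
```

Without the `to_alabel` step in both `add_rule` and `rcpt_to`, a rule stored under the Unicode spelling would never match a `RCPT TO` that arrives in the `xn--` spelling, and the lookup would fall through to the 550 reply.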

You must be kidding …

I just added / configured email forwarding for an IDN in Cloudflare. This problem is known for at least 6 weeks and the Cloudflare support is unable to test / buy an IDN domain and do nothing about it? Cloudflare is a domain registrar!

Not supporting IDNs in beta is one thing, but letting people enable email forwarding for an IDN domain when it is not supported is a major bug. Is Cloudflare working on a fix or is the problem completely ignored? Has @sven2 created an issue in Cloudflare’s internal bug tracker or did he do nothing about it? Nobody knows …

I’m working on the IDN support in Email Routing. Note that the service is still in beta so we can expect a few edge cases.

This was my user experience with the beta:

  • Cloudflare advertised Email Forwarding
  • CF put Email Routing on the Dashboard
  • CF offered a “Request Access” button (for the IDN)
  • CF did send me an email:

The wait is over!

Your zone xn--**********.** has now access to the Email Routing Beta. You can access Email Routing in the Cloudflare dashboard. Select your account and zone, and click Email.

You can create as many custom email addresses as you want for your domain. Emails will be delivered to the mailbox of your choice (like Gmail, Outlook, or your work email address).

We strive to make the enrollment and usage as straightforward as possible, so please share your feedback with us on the community forum.

  • CF allowed me to set up an address for receiving emails
  • CF offered to automatically add the required DNS records
  • CF told me which DNS records I have to delete to enable routing

End result: CF broke email delivery to my domain, which I then have to fix again (meanwhile mails to that domain returned to sender with an error).

(Edit: delete remaining part of the message, because it was tagged as “offensive”)

@user51411 I think you need to chill out a bit.

:joy:

I created this topic to inform Cloudflare and its users and get it fixed. Glad you found it. I agree Cloudflare needs to take more care about it, but you are quite hot here, please do not get banned :upside_down_face: