DKIM for Cloudflare routed email?

I use a catch-all address to route all email from domain.com to privatedomain.com. The routing is configured with suggested Cloudflare DNS and everything works as expected.

Why there is no DKIM DNS entry provided? Is this covered by Cloudflare in a transparent way? I want to make sure nobody can impersonate my domain.com and send spoofed emails.

Thank you.

Because DKIM keys are used to sign outgoing email, and Cloudflare Email Routing is for inbound email. DKIM keys will come from the servers you send mail from.

2 Likes

The reason I ask this is because I had the email spoofed, with Cloudflare catch-all setup in place people impersonated the domain.com and I received a reply to that email which I never sent. How do I combat this behavior? People should not be able to send spoofed emails from a Cloudflare routed domain.

@jkneeley Let’s not change the subject, this thread is specific to a Cloudflare email routed domain. Please start a new thread.

People can send spoofed email anywhere. That’s the whole issue with spoofing. How successful the delivery of that spoofed email is depends on how you have implemented DMARC (which leverages SPF & DKIM) and whether or not the receiving mail server checks (and respects) your published DMARC policy.

I don’t know if Cloudflare’s email forwarding service checks DMARC, but you would need to implement a DMARC policy first, which is a non-trivial procedure.

1 Like

Thank you for the reply, this is already done. I edited the email address, just to take the screenshot. I already did an SPF check and everything is okay also. [email protected] is forwarded to privatedomain.com.

Hopefully you aren’t sending your DMARC reports to a mailbox. DMARC reports are meant to be parsed by software so you can make use of the processed data. A DMARC monitoring service is best suited for such activity.

If this is a new DMARC deployment, it’s also not advisable to jump straight to a DMARC policy of reject, as you may not have working DKIM signing or all of the necessary SPF records in place. It’s best to start with a policy of none, and just monitor for a while. Otherwise you might find your domain email getting binned until you fix any issues.

1 Like

I had it for an year on quarantine while with GSuite Legacy service. Since GSuite is not free anymore soon, I switched the domain to Cloudflare and did a catch-all forwarding to a private domain email. That includes the [email protected], I did not know is not recommended to send that report to an email address. I will look into it for the proper procedure, thanks for letting me know.

I get every day forwarded email, I’m not sending any email from the domain, I only receive.

If you were still on Google’s platform, I’d say that moving to a policy of reject was safe, as long as you had been effectively monitoring the reports. Having recently changed your sending servers to another provider may cause hurdles if you haven’t updated DKIM and SPF records to match your new environment.

You certainly can send the reports to a mailbox, but to get better information out of them you will want to feed them into a parser like dmarcian’s DMARC XML to Human Converter. It’s certainly not as convenient as logging into a dashboard and reviewing summaries of the processed data. Good DMARC monitoring services come with an associated subscription cost, so you may find other methods preferable if that poses an issue. Report URI has a free tier that can serve as a good starting point, even if the reporting isn’t as easily digestible as some of of the other service providers.

1 Like

For a personal domain, you can get free monitoring with dmarcian.com as well.

I’m also looking at this guide with open-source software that I could host on my public server.

That being said, I would really like to get an answer what will happen with a Cloudflare catch-all email domain setup where there is no DKIM defined, since I do not plan to ever send emails from it.

Thank you.

Here is good guide for securing domains that don’t send email.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.