DMARC check fails for emails sent by Atlassian Jira

Hi Cloudflare community

I’ve been in contact with Atlassian support for several weeks, and now they have asked me for additional info from Cloudflare. Maybe someone has already experienced such an issue.

  • I have email routing configured through Cloudflare (from my domain to gmail)
  • Jira Cloud sends email notifications to my email with configured routing
  • DMARC check is shown as failed in Cloudflare Dashboard (thus my emails are rejected and I never get email notifications from my Jira)

I was thinking that the issue is on their side (the DMARC DNS record is configured with “reject” and the subdomain doesn’t have a DMARC DNS record), but Atlassian insists that the issue is likely on Cloudflare’s side. Posting their Support Team’s reply here:

As of right now, we can see that the email gateway is probably altering signed headers, which will break DKIM, and forwarding the email, which will break SPF, which is why the DMARC is failing. Our developers are requesting a copy of the email headers in order to further explore the issue, as these need to be updated on the receiving end. Is there a way to get in touch with the Cloudflare community to see if they can help you access the Cloudflare support through there?

How could I get this debug info for the Atlassian support if I’m on a free plan at Cloudflare?

And maybe someone has other insights. I still think the issue is on Atlassian’s side (no DMARC DNS record configured for Jira Cloud subdomains, thus all emails sent from the subdomain’s mail server will fail the DMARC check).

Thanks in advance.

And here is a screenshot from Cloudflare’s dashboard

I’m having the same problem. I migrated from Google Domains to Cloudflare on April 19 (before Squarespace took over). I have the usual forwarding in place ([email protected][email protected]).

I’m not getting any email from Jira or Confluence (Bitbucket does work) because those two services use a custom domain like jira@{orgName}.atlassian.net from my client. I don’t admin their Atlassian account, but they’re looking into possible incorrect config.

I can only see the same: pass/fail/pass in the email routing activity log.

Can you test an email with https://www.mail-tester.com and share the result here? There’s not much to do without seeing the headers.

If you don’t want to share the sender’s domain publicly, you could also share the result with me via a private message, though I’d have to message you first so you can reply.

Hi everyone,

I am from Atlassian Support and I have been working with Artsiom on this issue from the Atlassian side.
Below are the points as per our findings:

  • We have worked with our developer teams & Atlassian confirms that we do have a DMARC record for all subdomains of atlassian.net, and it’s the one that’s inherited from _dmarc.atlassian.net.

"v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:[email protected]; ruf=mailto:[email protected]"

  • As per Atlassian’s dev team, DMARC is failing in this case because the email gateway (their Cloudflare email solution) is likely modifying signed headers, which will break DKIM, and forwarding the email, which will break SPF. DMARC relies on at least one SPF or DKIM passing. These are things that need to be fixed on the Cloudflare end.

  • To further investigate, I replicated all the steps by performing the below:

  • I got a custom domain, ‘denz.co.in’, from a Domain Provider.

  • I changed the Nameservers at my Domain provider to the Nameservers provided by Cloudflare.

  • I then added my custom domain ‘denz.co.in’ in admin hub>>Settings>>Email>>Email Domains.

  • Got the DNS records from the above settings and then added them in Cloudflare under DNS>>records.

  • Enabled Email routing in Cloudflare, which in turn added the respective MX records in Cloudflare under DNS>>records.

  • Also, I added a destination email address to one of my Gmail email ids and the alias email id containing my custom domain ‘denz.co.in’.

  • I created an Atlassian Account using my custom email id and added it to my test Jira instance.

  • I performed a few events which sent Jira notifications emails to the custom email id but the email routing from Cloudflare failed here as well:

  • As we were using the MX records (a mail exchanger record specifies the mail server responsible for accepting email messages on behalf of a domain name) from Cloudflare, I decided to change them to different mail exchanger records.

  • So, I disabled Email routing in Cloudflare, which deleted the Mail Exchanger records related to Cloudflare.

  • Then I went to Forward Email, a different email routing service, signed up and enabled its email routing for the domain ‘denz.co.in’.

  • As part of the above step, I added the MX records provided by https://forwardemail.net/ in the DNS records of my Cloudflare instance, then verified the domain in the Forward Email instance.

  • After this, I performed a few events in my Jira instance, and Jira notification emails successfully reached the mailbox of the destination Gmail address via the custom email ID of the domain ‘denz.co.in’.

  • I also checked the email headers of the delivered email, when using a different Email routing service, and the DMARC, SPF & DKIM checks were passed.

|Subject:|[JIRA] (BUZZN-24) Test2|
|---|---|
|SPF:|PASS with IP 156.70.150.12|
|DKIM:|'PASS' with domain mail-us.atlassian.net|
|DMARC:|'PASS'|

Thus Atlassian notification emails are getting routed fine when used with another Email Routing Service’s Mail exchanger records. The issue is with Cloudflare’s Mail servers.

As this is a non-Atlassian issue, I will request Cloudflare\Cloudflare support to look into it and fix the Mail servers causing it.

1 Like
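
The DMARC decision this thread turns on, sketched as an added example that is not part of any post above and is not Atlassian's or Cloudflare's code: it applies the policy tags quoted in the thread to a forwarded message and shows that one aligned pass (SPF or DKIM) is enough, while losing both triggers the inherited `sp=reject`. Assumptions: the function names are the example's own, the organizational domain is approximated as the last two labels rather than a Public Suffix List lookup, and the From domain and both scenarios are constructed.

```python
# Added example: simplified DMARC evaluation (RFC 7489 semantics).
# Assumption: organizational domain = last two labels. This holds for
# atlassian.net but is NOT a Public Suffix List lookup.

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs equality."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, domain) tuples as seen by the final receiver."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf") == "s")
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim") == "s")
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Record inherited from the organizational domain: sp= governs subdomains.
    is_sub = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_sub else tags["p"]
    return "fail", policy

# Policy tags quoted in the thread (rua/ruf left out: the addresses are redacted there).
RECORD = "v=DMARC1; p=reject; sp=reject; fo=1"
FROM = "example-org.atlassian.net"  # constructed stand-in for {orgName}.atlassian.net

# Constructed scenario 1: forwarder's IP fails SPF, DKIM signature survives intact.
intact = evaluate(RECORD, FROM, ("fail", "mail-us.atlassian.net"),
                  ("pass", "mail-us.atlassian.net"))
# Constructed scenario 2: SPF passes only for the forwarder's own (unaligned)
# envelope domain, and the DKIM signature no longer verifies.
broken = evaluate(RECORD, FROM, ("pass", "forwarder.example"),
                  ("fail", "mail-us.atlassian.net"))

if __name__ == "__main__":
    print("DKIM intact:", intact)
    print("DKIM broken:", broken)
```

To compare against a real message, read the `Authentication-Results` header added by the final receiver and feed its SPF and DKIM results and domains into `evaluate`.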

Then I will repeat my last question for you: