DMARC & DKIM failing on incoming messages


As a newbie, I’ve been having problems with incoming messages failing DMARC & DKIM - now I understand that its to ensure safety, but these emails I’ve had are from companies, is there no way to allow them through, for forwarding to my email inbox?

I get that they’ve obviously not got their end right, but that is still stopping me getting genuine emails, and if I mention it to the companies, they just say “everyone else gets them”.

I’ve tried playing around with email workers, not allow emails through from email addresses, but this doesn’t work as expected.


Email forwarding services need to be restrictive in what they forward since they can be negatively impacted by forwarding spam. Even with such limitations, you will still see topics appear in the Community reporting that delivery has been temporarily limited by the receiving server due to the volume of spam being relayed.

Given the recent changes at Yahoo! and Gmail, you may eventually see the sender hygiene improve as they start to realize that, contrary to their belief, everyone is not seeing their email.

Until then, if you need to accept delivery of emails that are not able to pass SPF and DKIM checks, you will likely need to switch from Cloudflare Email Routing to a more complete and configurable email solution.

Thank you for the reply, I am confused, there is no spaming, relaying, newsletter etc, just business communications with clients, possible max of emails sent per month close to 50, my email is not hosted at cloudflare, I am only using Cloudflare DNS service, it was working fine before I changed DNS to cloudflare…

This is the error message I get
Diagnostic information for administrators:

Generating server:
[email protected] (NOTE: I override the email to [email protected] to avoid spam)
Remote server returned ‘550 5.7.509 Access denied, sending domain does not pass DMARC verification and has a DMARC policy of reject.’
Original message headers:

Your help is much appreciated.


My MX Record is in place please see for yourself at mxtoolbox dot com

My SPF Record is also in place v=spf1 ip4: ~all

My DMARC record is also in place please see for yourself at mxtoolbox dot com

My DKIM Record is also in place.

You have 2 MX records (one is being unproxied by Cloudflare), is that what you expect?

What DKIM selector are you using?

Please don’t use real email addresses, especially ones that are not yours. Use [email protected] or any other username in the reserved domain.

This is always problematic. When Cloudflare unproxies an MX hostname, they use a naming convention that is prohibited. Hostnames may not contain an underscore.

Make sure that the hostnames used in your MX records are :grey: DNS Only. If your MX record points to your apex name, consider replacing it with a dedicated hostname with its own :grey: A record.

Any email related records should be set to :grey:. The DKIM CNAMEs used by Microsoft 365are particularly important to be set to :grey:.