Hi there, I’ve seen this problem before on other systems but am surprised to see it on Cloudflare.
I occasionally see the result “Delivery Failed” on Cloudflare for an email that should be forwarded, and when I expand it, the message is
“Our system has detected an unusual4.7.28 rate of unsolicited mail originating from your IP address. To4.7.28 protect our users from spam, mail sent from your IP address has been4.7.28 temporarily rate limited.”
Now, the issue is that once this happens, Google will NEVER receive the email in question. I don’t know if Cloudflare is to blame – and they aren’t retrying delivery – or if Google is to blame – and the “temporarily rate limited” is a lie.
(I actually think from my own experimentation that it’s the latter, I’ve seen this on other domains where I have access to the queue, and the mail system will contact Google over and over trying to deliver the mail for days and never succeed, always getting the same message.)
I have email forwarding set up for a domain on Cloudflare and various aliases to Gmail email addresses. This all works usually, but sometimes it doesn’t, which is maddening.
It happens with some frequency that someone sends me email and I never get it, and if I look back in the logs, they did in fact email me and it was logged at Cloudflare with that message.
Any suggestions, tips, ideas? It’s terrifying if Google is blocking, rate limiting, and/or silently rejecting or blacklisting emails that originate through Cloudflare email.
Do you have include:_spf.mx.cloudflare.net in your SPF record? Google will see the mail as coming from your domain via Cloudflare’s mail server so you should have that.
Yes, I have that, as well as several other entries for the various systems that send email for our domain.
The problem continues… it’s random, it happens probably about one out of every one hundred emails that are sent to our domain.
I, too, started getting a lot of these “temporary” failures over the past couple of weeks. I didn’t notice it, but one of my contacts emailed me a copy of a bounce message they were receiving from gmail.
I also have the proper SPF record in place, and I have been using the Cloudflare Email Routing service for many months. This seems to be a new problem.
I switched over to Cloudflare Email Routing when Google started charging money for their Workspaces (which they originally offered for free). Perhaps they are clamping down on CF users in order to get them to come back and pay?
A more likely explanation is that a lot of users that are sending their email to a Gmail account through Cloudflare Email Routing receive enough spam to trip Google’s detection threshold and in turn rate limit Cloudflare IPs. The best current practice on email forwarding is to not use it. The practice has been hindered for over a decade, long before Cloudflare released their Email Routing Beta. If you absolutely must forward email, it is best to make sure that it is heavily spam filtered prior to forwarding to prevent the forwarding relay from being flagged as a spam source.
In the rare isolated cases where I had users who needed to receive domain email in their Gmail account, I eliminated all forwarding to Gmail in favor of POP retrieval from a basic mailbox. Even then those domain accounts pass through a hosted spam-filter before they reach the basic mailbox that Gmail pulls from.
If you can find any way other than forwarding for delivery of mail that you intend to access via a user mailbox, I strongly encourage it. Forwarding domain mail to free email services is hit and miss at best.
Fair point. I can see from the logs that forwarding “spam” is not happening in my case. The failed deliveries are from trusted contacts of mine.
In any case, it’s pretty unfortunate if this issue is as widespread as it seems – Cloudflare Email Routing uses forwarding to a gmail address in their examples, and it seems to be a target use case.
At any rate, it does seem that this is more of a Google problem than a Cloudflare problem. AFAICT, we are doing everything “correct” on the CF side and still getting denied.
I actually thought this would be the Holy Grail solution for having custom email domains consolidated into a single gmail account. Seems like maybe that’s not the case after all.
The search for the Grail continues…
Yeah, my biggest issue honestly is that Gmail is returning an error code and a message that indicates the delivery should be retried – temporary rate limiting – and in fact they will never accept the message once it’s bounced in this way.
I agree with the previous poster that we have CF configured correctly and emails that are decidedly not spam – inbound email to our custom domain from one of our vendors – are silently failing.
(CF doesn’t always provide a bounce message – in fact, from my analysis of the logs, usually it doesn’t.)
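Added example, not part of any post in this thread: one way to check a forwarding log for the pattern described above, where a message only ever receives 4xx "temporary" replies and is never accepted. The log format, message ids, timestamps and the basic reply codes are constructed for illustration; only the 4.7.28 enhanced status code comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format: timestamp, message id, SMTP reply).
SAMPLE_LOG = """\
2024-01-05T10:00:00Z msg=a1 reply="421 4.7.28 unusual rate of unsolicited mail"
2024-01-05T10:30:00Z msg=a1 reply="421 4.7.28 unusual rate of unsolicited mail"
2024-01-06T10:30:00Z msg=a1 reply="421 4.7.28 unusual rate of unsolicited mail"
2024-01-05T11:00:00Z msg=b2 reply="451 4.3.0 Try again later"
2024-01-05T11:20:00Z msg=b2 reply="250 2.0.0 OK"
2024-01-05T12:00:00Z msg=c3 reply="550 5.7.1 Message rejected"
"""

# Basic three-digit reply code, then an optional enhanced status code (x.y.z).
LINE_RE = re.compile(
    r'^(\S+) msg=(\S+) reply="(\d{3})(?:[ -](\d\.\d{1,3}\.\d{1,3}))?'
)

def classify(basic_code):
    """Map an SMTP reply code to its class by first digit."""
    classes = {"2": "delivered", "4": "transient", "5": "permanent"}
    return classes.get(basic_code[0], "unknown")

def parse_attempts(log_text):
    """Group delivery attempts by message id."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not delivery attempts
        ts, msg_id, basic, enhanced = m.groups()
        attempts[msg_id].append((ts, classify(basic), enhanced))
    return attempts

def stuck_deferrals(log_text, min_attempts=3):
    """Return messages whose every attempt was a 4xx deferral (never accepted)."""
    stuck = {}
    for msg_id, tries in parse_attempts(log_text).items():
        if len(tries) < min_attempts:
            continue
        if all(state == "transient" for _, state, _ in tries):
            tries.sort(key=lambda t: t[0])  # ISO 8601 timestamps sort as text
            stuck[msg_id] = {
                "attempts": len(tries),
                "first": tries[0][0],
                "last": tries[-1][0],
                "codes": sorted({e for _, _, e in tries if e}),
            }
    return stuck

if __name__ == "__main__":
    for msg_id, info in stuck_deferrals(SAMPLE_LOG).items():
        print(msg_id, info)
```

A message that appears here with a wide gap between "first" and "last" was retried and kept being deferred, which separates "the relay stopped retrying" from "the receiver never lifted the deferral".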