Email is getting spoofed with default Cloudflare settings

What is the name of the domain?

francisgrillo.com

What is the issue you’re encountering?

Email is getting spoofed with default Cloudflare settings

What are the steps to reproduce the issue?

Hello everyone, first time poster here. I recently set up an email alias to receive emails only, without the ability to send. It worked fine until last week, when I started receiving hundreds of “Mail Delivery Subsystem” notifications with the subject “Delivery Status Notification (Failure).” This suggests my address/domain is being spoofed.

I’m not an expert, but I tried tightening the SPF records to prevent sending emails from my address. I’m unsure if this is enough. Initially, I used the default Cloudflare settings, which I suspect were too lax (~all and +all):

"v=spf1 include:_spf.mx.cloudflare.net ~all"
v=spf1 +all

I’ve just changed these to just “[…Cloudflare…] -all”, and removed the other +all, but this was not sufficient to eliminate the issue. How come?

Just like you demonstrated with your SPF above, you do also have multiple conflicting DMARC records:

$ dig +noall +answer TXT _dmarc.francisgrillo.com
_dmarc.francisgrillo.com. 300   IN      TXT     "v=DMARC1; p=reject; rua=mailto:@me.com"
_dmarc.francisgrillo.com. 300   IN      TXT     "v=DMARC1;  p=none; rua=mailto:[email protected]"
_dmarc.francisgrillo.com. 300   IN      TXT     "v=DMARC1; p=none; rua=mailto:@me.com"

Note: As the first and third seem to include a personal email address, I removed the local part (the part before @) in the output above, even though DNS records are public data.

DMARC reports sent to a personal email address can cause a lot of email traffic towards you, and they are not that easily readable for all human eyes.

Dropping the first and third DMARC record, and then updating the second one, the one that is sending reports towards Cloudflare, to become “p=reject;” can be advisable.

4 Likes
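As an added example (not code from the thread, nor from Cloudflare), the script below applies the receiver-side rules behind the two points made so far, one SPF record ending in `-all` rather than `~all`/`+all`, and exactly one DMARC record with `p=reject`, to record sets that mirror the original post's SPF and the three DMARC records quoted above. The values are constructed: the mailbox names, the `mail-provider.example` include and the report addresses are placeholders, and nothing is looked up in DNS.

```python
"""Offline audit of a domain's SPF and DMARC TXT records (RFC 7208 / RFC 7489).

Added example, not code from the thread or from Cloudflare. The record sets at the
bottom are constructed to mirror the "before" and "after" states the thread describes
(mailbox local parts are placeholders); no DNS is queried.
"""
import re


def _clean(txt):
    # dig prints TXT data inside double quotes; strip them and surrounding space
    return [r.strip().strip('"').strip() for r in txt]


def spf_records(txt):
    # RFC 7208 s4.5: only TXT records that begin with exactly "v=spf1" are SPF records
    return [r for r in _clean(txt) if re.match(r"v=spf1(\s|$)", r, re.IGNORECASE)]


def spf_verdict_for_unlisted_host(txt):
    """SPF result for a host no mechanism names, i.e. a spoofer. Assumption: include:
    and redirect= targets are not resolved, so the host is taken not to match them;
    a record that relies on redirect= yields "unknown"."""
    recs = spf_records(txt)
    if not recs:
        return "none"        # nothing published: receivers learn nothing
    if len(recs) > 1:
        return "permerror"   # RFC 7208 s4.5: more than one record is a permanent error
    terms = recs[0].split()[1:]
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return {"+": "pass", "": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[m.group(1)]
    if any(t.lower().startswith("redirect=") for t in terms):
        return "unknown"
    return "neutral"         # RFC 7208 s4.7: nothing matched and no "all" -> neutral


def dmarc_tags(txt):
    """Parse the one valid DMARC record, else None: RFC 7489 s6.6.3 has receivers drop
    records not starting with v=DMARC1 and give up when zero or several remain, so
    three records are evaluated exactly like none."""
    recs = [r for r in _clean(txt) if re.match(r"v=DMARC1\s*;", r)]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit(apex_txt, dmarc_txt, expected_includes=()):
    """Return (severity, message) findings; an empty list means the records are sound.
    expected_includes holds the include: targets of providers that really send for the
    domain; any other include: is reported because it authorises a third party.
    Note: bounces (DSNs) for forged mail still land at the forged sender whatever the
    records say; sound SPF/DMARC only let receivers reject the forgery before bouncing it."""
    findings = []
    spf = spf_records(apex_txt)
    if len(spf) > 1:
        findings.append(("error", f"{len(spf)} SPF records: receivers return permerror and ignore SPF"))
    verdict = spf_verdict_for_unlisted_host(apex_txt)
    if verdict == "pass":
        findings.append(("error", "'+all': every host on the internet passes SPF for this domain"))
    elif verdict == "softfail":
        findings.append(("warn", "'~all': forged mail only softfails; use '-all' once every real sender is listed"))
    elif verdict in ("none", "neutral", "unknown"):
        findings.append(("warn", f"SPF gives '{verdict}' for a forging host; end the record with '-all'"))
    for rec in spf:
        for term in rec.split()[1:]:
            if term.lower().startswith("include:") and term[8:].lower() not in expected_includes:
                findings.append(("warn", f"'{term}' authorises a provider that does not send for you"))
    dmarc = [r for r in _clean(dmarc_txt) if r.startswith("v=DMARC1")]
    if len(dmarc) > 1:
        findings.append(("error", f"{len(dmarc)} DMARC records: receivers proceed as if none were published"))
    elif not dmarc:
        findings.append(("error", "no DMARC record: receivers will not reject forged mail for you"))
    tags = dmarc_tags(dmarc_txt)
    if tags is not None:
        if tags.get("p") != "reject":
            findings.append(("warn", f"p={tags.get('p')}: forged mail is not rejected"))
        if "rua" not in tags:
            findings.append(("warn", "no rua=: you will receive no aggregate reports"))
    return findings


# Constructed record sets: "before" mirrors the thread's original state with placeholder
# mailbox names; "after" is the single-record state the replies recommend.
BEFORE_APEX = ['"v=spf1 include:_spf.mx.cloudflare.net ~all"', "v=spf1 +all"]
BEFORE_DMARC = ['"v=DMARC1; p=reject; rua=mailto:owner@example.com"',
                '"v=DMARC1;  p=none; rua=mailto:reports@dmarc.example"',
                '"v=DMARC1; p=none; rua=mailto:owner@example.com"']
AFTER_APEX = ["v=spf1 include:mail-provider.example -all"]   # provider include is a placeholder
AFTER_DMARC = ["v=DMARC1; p=reject; rua=mailto:reports@dmarc.example"]

if __name__ == "__main__":
    for label, apex, dm in (("before", BEFORE_APEX, BEFORE_DMARC), ("after", AFTER_APEX, AFTER_DMARC)):
        print(f"{label}: SPF result for a forging host -> {spf_verdict_for_unlisted_host(apex)}")
        for sev, msg in audit(apex, dm, expected_includes=("mail-provider.example",)):
            print(f"  [{sev}] {msg}")
```

To run it against a live domain, feed `audit()` the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` (one record per list element, quotes included). The "before" set comes back with two errors, the duplicate SPF and the triple DMARC, which is why tightening `~all` to `-all` on its own changed nothing: a receiver that hits permerror never reaches the `all` term at all.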

Highly appreciated, @DarkDeviL. So, I gather that ultimately having one record for each DMARC & SPF is sufficient. I see, I was under the impression that configuring SPF was sufficient to avoid others sending emails on my behalf. Thank you for your help! I’ve updated them.

1 Like

You also shouldn’t have Cloudflare in your SPF record, as you are not using Email Routing.

3 Likes

Thank you! Yes, you’re right. I am using iCloud Custom Domain now so I have since removed the Cloudflare SPF record, too.

Hi both, Cc. @DarkDeviL @Laudian. Thank you both again for your help.

On that note — even after correcting the SPF and DMARC, I am still getting tons of Delivery Failure emails in my inbox & spam folders. I have the catch-all feature on, i.e. I get emails for all possible addresses. Could this be why?

I am also attaching a screenshot of the DMARC Management page on Cloudflare where it seems that my email is still being used, but bouncing back from servers (assuming that I am interpreting this correctly).

Please test your email with https://www.mail-tester.com/ and share a link to the result here.

2 Likes

Hi @Laudian! Thank you for your reply, I really appreciate it.

I re-added the DNS from scratch. The results from both mail-tester (here) and dmarcian seem satisfactory to me. Any thoughts?

I believe the only remaining problem is that you have your own email address in your DMARC record.

The Sources in your screenshot look like they are supposed to fail, so all is good. You should just let Cloudflare handle the DMARC reporting instead of getting the “spam” to your own address.

1 Like
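The "Sources" view that the reply above is reading is Cloudflare's rendering of the DMARC aggregate (rua) reports; the raw reports are gzipped XML, which is what makes them hard to read by eye. As an added example (not code from the thread or from Cloudflare's DMARC Management), this script parses one such report and reduces it to the check made above: sources that pass aligned DKIM or SPF are your own mail, sources that fail both are forgeries, and with `p=reject` the reporter should have rejected every one of those. The report below is constructed in the RFC 7489 Appendix C layout; `receiver.example`, `spoofer.example`, the IPs and the report id are placeholders.

```python
"""Summarise a DMARC aggregate (rua) report so the sources can be read at a glance.

Added example, not code from the thread or from Cloudflare's DMARC Management page.
SAMPLE_REPORT is constructed in the RFC 7489 Appendix C layout with placeholder
domains, addresses and a made-up report id; real reports arrive as gzip or zip
attachments, so the parser also accepts gzipped bytes.
"""
import gzip
import xml.etree.ElementTree as ET

SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>142</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>spoofer.example</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.20</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def gzipped_sample():
    # Reports normally arrive compressed; this mimics the attachment as received.
    return gzip.compress(SAMPLE_REPORT)


def parse_report(data):
    """Turn a raw or gzipped aggregate report into a dict of metadata and per-source rows."""
    if data[:2] == b"\x1f\x8b":                # gzip magic number
        data = gzip.decompress(data)
    # Reports come from arbitrary third parties: use defusedxml for real input;
    # the stdlib parser is acceptable for this constructed sample.
    root = ET.fromstring(data)
    published = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # These two are the *aligned* results, the only ones DMARC acts on.
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "rows": rows,
    }


def classify(row):
    """A source passing aligned DKIM or SPF is your own mail; one failing both is forged."""
    return "aligned" if "pass" in (row["dkim"], row["spf"]) else "forged"


def summarize(data):
    """Collapse a report into three numbers: your mail, forged mail, and forged mail the
    reporter nevertheless delivered (p=reject should keep the last one at zero)."""
    report = parse_report(data)
    totals = {"aligned": 0, "forged": 0, "forged_not_rejected": 0}
    for row in report["rows"]:
        kind = classify(row)
        totals[kind] += row["count"]
        if kind == "forged" and row["disposition"] != "reject":
            totals["forged_not_rejected"] += row["count"]
    return {"domain": report["domain"], "policy": report["policy"], **totals}


if __name__ == "__main__":
    report = parse_report(gzipped_sample())
    print(f"{report['reporter']} on {report['domain']} (p={report['policy']}):")
    for row in report["rows"]:
        print(f"  {row['source_ip']:>15}  {row['count']:>5}  dkim={row['dkim']} spf={row['spf']}"
              f"  -> {row['disposition']} ({classify(row)})")
    print(summarize(gzipped_sample()))
```

A report in which `forged` is large and `forged_not_rejected` is zero is the healthy picture for a domain under attack: the forgeries are happening, and the reporting receiver is rejecting them. A non-zero `forged_not_rejected` is the number to chase, since it means some receiver delivered forged mail despite the policy. Note that the report says nothing about the bounce messages landing in the inbox; those are generated by receivers that accepted a forgery first and only then failed to deliver it, and no record you publish can recall them.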

Fair point! I’ve changed it from

“v=DMARC1; p=reject; rua=mailto:[email protected],mailto:[email protected]”

to

“v=DMARC1; p=reject; rua=mailto:[email protected]”

I believe this should do. I’ll make sure to monitor my mail and the reports closely. Thanks again, @Laudian.

1 Like
