Email Routing Beta - mx.cloudflare.net and SPF failures being relayed

Why does mx.cloudflare.net relay email which SPF fails rather than reject?

I have a very strict DMARC and SPF policy on timodonoghue.com, but mx.cloudflare.net does not appear to implement DMARC/SPF enforcement on inbound emails.

My SPF and DMARC records are:

It would be better if mx.cloudflare.net checked for SPF/DMARC policy compliance when accepting email rather than blindly relaying, which appears to be the case here (with a clear SPF failure of an obviously spoofed inbound email).

An example email failing SPF, which I'd expect to be rejected by mx.cloudflare.net, is below.

Received: from [168.205.62.129] (168.205.62.129)
    by email.cloudflare.net (unknown) id ilzm7QUIAGNK
    for [email protected]; Mon, 13 Dec 2021 23:55:15 +0000
Received-SPF: fail (mx.cloudflare.net: domain of [email protected] does not designate 168.205.62.129 as permitted sender)
    helo="[168.205.62.129]"; envelope-from="[email protected]";
Authentication-Results: mx.cloudflare.net; spf=fail;
Message-ID: [email protected]
Date: Mon, 13 Dec 2021 06:55:10 -0900
From: [email protected]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: [email protected]
Subject: Do You Do Any of These Embarrassing Things?
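
The headers above show the relay stamping spf=fail and forwarding the message anyway, so a system behind such a relay can enforce the stamped result itself. The following is an added example, not part of the original thread and not Cloudflare's code; the policy table, the function names and the constructed sample message (placeholder addresses) are assumptions.

```python
import email
import re

TRUSTED_AUTHSERV_ID = "mx.cloudflare.net"          # the relay named in this thread
REJECT_ON = {"spf": {"fail"}, "dmarc": {"fail"}}   # assumed local policy

# Constructed sample shaped like the headers in the post; addresses are placeholders.
SAMPLE = """\
Received-SPF: fail (mx.cloudflare.net: domain of sender@example.com does not
 designate 168.205.62.129 as permitted sender)
Authentication-Results: mx.cloudflare.net; spf=fail;
Authentication-Results: mail.example.net; spf=pass smtp.mailfrom=example.com
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample

body
"""

def parse_authres(value):
    """Return (authserv_id, {method: result}) for one Authentication-Results value."""
    value = re.sub(r"\([^()]*\)", "", value)        # drop RFC 5322 comments
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if m:
            results.setdefault(m.group(1).lower(), m.group(2).lower())
    return authserv_id, results

def verdict(raw_message):
    """Return 'reject', 'accept' or 'no-trusted-result' for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(value)
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue    # stamped by another host: not evidence for our policy
        # The topmost trusted header is the one the relay added last; deciding
        # here means a copy further down the message is never consulted.
        failed = any(results.get(m) in bad for m, bad in REJECT_ON.items())
        return "reject" if failed else "accept"
    return "no-trusted-result"
```

Messages that return no-trusted-result did not pass through the trusted relay at all and should be handled by a separate rule rather than treated as passing.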

Thanks for the report @timodonoghue. We are planning to reject failing SPF and DKIM. I’m currently working on it and it should ship over the next week.


best ever update… thx @sven2 :bowing_man:
