Why does mx.cloudflare.net relay email which SPF fails rather than reject?
I have a very strict DMARC and SPF policy on timodonoghue.com, but mx.cloudflare.net does not appear to implement DMARC/SPF enforcement on inbound emails.
My SPF and DMARC records are:
- v=spf1 include:mailgun.org include:_spf.mx.cloudflare.net -all
- v=DMARC1; p=reject; sp=reject; pct=100; aspf=s; adkim=s; fo=1; rua=mailto:[email protected]; ruf=mailto:[email protected];
It would be better if mx.cloudflare.net checked for SPF/DMARC policy compliance when accepting email rather than blindly relaying, which appears to be the case here (with a clear SPF failure of an obviously spoofed inbound email).
An example of an email failing SPF, which I'd expect mx.cloudflare.net to reject, is below.
Received: from [168.205.62.129] (168.205.62.129)
by email.cloudflare.net (unknown) id ilzm7QUIAGNK
for [email protected]; Mon, 13 Dec 2021 23:55:15 +0000
Received-SPF: fail (mx.cloudflare.net: domain of [email protected] does not designate 168.205.62.129 as permitted sender)
helo="[168.205.62.129]"; envelope-from="[email protected]";
Authentication-Results: mx.cloudflare.net; spf=fail;
Message-ID: [email protected]
Date: Mon, 13 Dec 2021 06:55:10 -0900
From: [email protected]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: [email protected]
Subject: Do You Do Any of These Embarrassing Things?
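As an added example (not from the post, Cloudflare, or any mail server's code), here is what an enforcing receiver would do with the headers above: take the SPF result and any DKIM result from Authentication-Results, check identifier alignment under the post's aspf=s/adkim=s settings, and apply p=reject when neither passes. The sample headers are constructed from those quoted above; the address tim@timodonoghue.com is an assumption (the post's addresses are redacted), and DNS policy discovery is replaced by the hard-coded record.

```python
import re
from email import message_from_string
from email.utils import parseaddr

DMARC_POLICY = {"p": "reject", "aspf": "s", "adkim": "s"}  # from the post's record; pct=100

# Constructed sample modelled on the headers quoted in the post; the addresses were
# redacted there, so tim@timodonoghue.com is an assumption.
SAMPLE = """Received: from [168.205.62.129] (168.205.62.129)
 by email.cloudflare.net (unknown) id ilzm7QUIAGNK
 for tim@timodonoghue.com; Mon, 13 Dec 2021 23:55:15 +0000
Received-SPF: fail (mx.cloudflare.net: domain of tim@timodonoghue.com does not designate 168.205.62.129 as permitted sender)
 helo="[168.205.62.129]"; envelope-from="tim@timodonoghue.com";
Authentication-Results: mx.cloudflare.net; spf=fail;
From: tim@timodonoghue.com
To: tim@timodonoghue.com
Subject: Do You Do Any of These Embarrassing Things?
"""

def parse_auth_results(value):
    """Turn 'authserv-id; spf=fail; dkim=pass header.d=x' into {method: (result, props)}."""
    results = {}
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    for clause in clauses[1:]:  # clause 0 is the authserv-id (mx.cloudflare.net)
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results

def aligned(auth_domain, from_domain, mode):
    """'s' needs an exact match; 'r' accepts the same organizational domain (approximated
    here as the last two labels; a real check consults the Public Suffix List)."""
    if not auth_domain or not from_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else a.split(".")[-2:] == f.split(".")[-2:]

def dmarc_disposition(raw_message, policy=DMARC_POLICY):
    """Return (dmarc_result, disposition) as an enforcing receiver would decide it."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    auth = parse_auth_results(" ".join(msg.get("Authentication-Results", "").split()))
    # The SPF identifier is the envelope-from (MAIL FROM) domain recorded in Received-SPF.
    m = re.search(r'envelope-from="?([^";\s]+)"?', " ".join(msg.get("Received-SPF", "").split()))
    spf_domain = m.group(1).rpartition("@")[2] if m else None
    spf_result, _ = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_props.get("header.d"), from_domain, policy["adkim"])
    # DMARC passes if either aligned check passes; otherwise the published policy applies.
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", policy["p"])
```

For the quoted message this returns ('fail', 'reject'): SPF failed and no DKIM signature was reported, so a DMARC-enforcing receiver would refuse it rather than relay it.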