On Eurostar dot com’s “Forgot Password” the emails it sends get 100% rejected by Cloudflare’s email routing (shows up in dashboard as SPF pass/DKIM fail) but if I switch back to GSuite/Gmail then Gmail accepts the email just fine (Google headers show “Authentication-Results-Original: mx google com; dkim=pass”) and the email comes through in the main inbox (not even Junk). I can share the raw email with headers if someone from Cloudflare wants to take a look (or if you create a Eurostar account and click “forgot password” you can repro easily).
While it’s likely that eurostar.com has something odd about their setup, it’s unclear if their setup is wrong or whether Cloudflare’s validation is wrong. Either way since Gmail allows it through while Cloudflare has no way to recover the email it’s a serious issue (I had to change back to Gmail due to this issue to recover my Eurostar account), ideally there should be at least some way to access rejected emails through the dashboard or have a setting to allow the DKIM failed emails.
Another user hit something similar here: Email Routing - DKIM Fail - Error Result and Undelivered - Feedback / Previews & Betas - Cloudflare Community
