I am a happy user of Email Routing and Email Workers. However, I don’t know how to deal with one type of email: those emails that are sent from DMARC-enabled domains with a reject policy, that do not include a DKIM signature.
These emails, when not forwarded, pass DMARC thanks to valid SPF auth and DMARC SPF alignment. Cloudflare can forward these emails and then claims forwarding success. However, the mailboxes that I forward the emails to reject the forwarded emails because the forwarding process breaks DMARC SPF alignment. In the absence of a valid DKIM signature, the DMARC check fails.
I don’t think there’s a perfect solution for this, as this is kind of what DMARC is meant to do. However, the current state really is the worst possible outcome: everything appears to work (success!) but I don’t receive emails.
One way that I can think of that would be a huge improvement over the current state would be to get the DMARC check results and do an explicit forward (Fwd: ) with the From header set to that of my forwarding domain for these particular emails. Is there a way to do this from an email worker? How do you deal with emails like this?
Email Routing signs emails with ARC.
That essentially means Cloudflare vouches that the email passed DMARC when they received it.
You can now configure a list of trusted ARC forwarders on the receiving mail server. If an email fails DMARC but comes from a trusted forwarder, you can try to verify the ARC signature.
This obviously requires that you have control of the receiving mail server.
Note that I haven’t tried this myself, that’s just how it is supposed to work.
Thanks for your reply, that’s very useful information! I can indeed see the ARC headers.
Unfortunately, I do not have full control over all of the receiving mail servers. I also can’t find settings for adding trusted ARC forwarders (ARC “sealers”? ARC “signers”?) on Google Workspace or Gmail.
It’s nice that Cloudflare already supports ARC, but unfortunately, it does not seem to be of help to me. The ability to selectively rewrite the From: header to be that of the relay would.
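An added illustration, not part of the thread and not Cloudflare code: this JavaScript models the DMARC check discussed above to show why an SPF-only message stops passing after a plain forward, and why a copy sent with the relay's own From: would pass. The message shape, the function names, the two-label organizational-domain shortcut and all domains are constructed assumptions.

```javascript
// Simplification: organizational domain = last two labels. A real evaluator
// uses the Public Suffix List (needed for names such as example.co.uk).
function orgDomain(domain) {
  return domain.toLowerCase().split(".").slice(-2).join(".");
}

// Relaxed DMARC alignment: the organizational domains must match.
function aligned(a, b) {
  return orgDomain(a) === orgDomain(b);
}

// DMARC passes when SPF or DKIM passes AND that identifier aligns with From:.
function evaluateDmarc(msg) {
  const spfOk = msg.spf.result === "pass" && aligned(msg.spf.domain, msg.fromDomain);
  const dkimOk = msg.dkim.some(
    (sig) => sig.result === "pass" && aligned(sig.domain, msg.fromDomain)
  );
  return { pass: spfOk || dkimOk, via: { spf: spfOk, dkim: dkimOk } };
}

// Plain forward as modelled here: From: is unchanged and DKIM results carry
// over (body and signed headers untouched), but the next hop evaluates SPF
// against the forwarder's envelope domain.
function afterForward(msg, forwarderDomain) {
  return { ...msg, spf: { result: "pass", domain: forwarderDomain } };
}

// Explicit forward with From: rewritten to the relay: the original DKIM
// signatures no longer apply, and SPF now aligns with the new From: domain.
function afterFromRewrite(msg, forwarderDomain) {
  return { ...afterForward(msg, forwarderDomain), fromDomain: forwarderDomain, dkim: [] };
}

// Predict what the final mailbox does with a plainly forwarded copy.
function forwardOutcome(msg, forwarderDomain) {
  if (!evaluateDmarc(msg).pass) return "failed-before-forwarding";
  if (evaluateDmarc(afterForward(msg, forwarderDomain)).pass) return "survives-forwarding";
  return msg.policy === "reject" ? "rejected-downstream" : "fails-downstream";
}

// Constructed samples: an SPF-only sender, and the same sender with aligned DKIM.
const spfOnly = {
  fromDomain: "bank.example", policy: "reject",
  spf: { result: "pass", domain: "bounce.bank.example" }, dkim: [],
};
const withDkim = { ...spfOnly, dkim: [{ result: "pass", domain: "bank.example" }] };
```
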