How To Use [email protected] for only receiving?

Hi,

I am using Cloudflare Email Routing for my domain, e.g. abcd, to receive and forward mail.
[email protected] forwards to [email protected], but today I got a mail from [email protected] to [email protected] which I did not send, so how can a user send the mail without my authentication?

So I went to the DNS tab, scrolled down to find Email Security, then set “Prevent illegitimate email traffic on your domain” and hit Create records; then I got duplicate records inside the DNS.

So tell me which one to keep so that I get my email forwarded to [email protected]

Anyone here to help?
How can I enable the email forwarder and keep my domain disabled from sending email?

Per the design of e-mail, anyone can send e-mail “from” any domain and any address (it was the 80’s; we didn’t know better).

Over the years, additional mechanisms have been added to try to limit abuse of e-mail. They’re not foolproof but they can help a lot.

First of all, in your screenshot you have two SPF records for your apex domain, which is wrong. You only need one SPF record for the apex domain, like this:

v=spf1 include:_spf.mx.cloudflare.net ~all

Including Cloudflare there is necessary for Cloudflare’s e-mail forwarding to work properly, but this basically says that nobody except Cloudflare should be allowed to send e-mail on behalf of your domain. E-mail not meeting the requirement will “look spammy” and might be rejected or spam-filtered, especially in combination with a strict DMARC policy (below).

Next, the most important thing you can have is a DMARC record. Create a TXT record with the name field set to “_dmarc” and the value something like this:

v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

You can look up the DMARC specification and customize it to your liking. RUA / RUF are optional, but you can supply addresses there to request to be notified if/when your domain is being used on spoofed e-mails.

Finally, a DKIM record: create another TXT record with name “*._domainkey” and value “v=DKIM1; p=”.

You should only have one DMARC record for your entire domain (the sp= defines policy for subdomains), and only one SPF for your apex domain, but you CAN have additional SPF records for subdomains, otherwise they inherit the policy of the apex domain.

For subdomains, you can optionally create an even more restrictive SPF record saying that not even Cloudflare is allowed. You’d need to create an entry for every subdomain that has a DNS entry, as well as one for * to cover arbitrary subdomains that don’t exist in DNS (or to match your wildcard * subdomain DNS entry if you have one).

v=spf1 ~all

Keep in mind that all these mechanisms are optional – you’re essentially REQUESTING that mail servers reject e-mail appearing to come from your domain, but there’s no way to actually force them to reject it.
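
A check for the three records described in the answer above, added here as an example and not part of the original thread: it audits a set of TXT records for duplicate apex SPF records, a missing or non-enforcing DMARC policy, and the empty-key wildcard DKIM record. The domain example.com, the zone dictionaries and the function names are assumptions made for illustration; the input is a constructed dictionary, not a live DNS lookup.

```python
# Added example. Zone contents are constructed sample data for example.com.

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(zone, domain):
    """zone maps a DNS name to its list of TXT strings; returns findings."""
    findings = []
    # SPF: receivers treat more than one v=spf1 record as a permanent error.
    spf = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        findings.append("apex has %d SPF records; keep exactly one" % len(spf))
    elif not spf:
        findings.append("apex has no SPF record")
    elif spf[0].split()[-1].lower() not in ("~all", "-all"):
        findings.append("SPF record does not end in ~all or -all")

    # DMARC: exactly one record, with a policy that asks for enforcement.
    dmarc = [t for t in zone.get("_dmarc." + domain, [])
             if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("expected one DMARC record, found %d" % len(dmarc))
    elif parse_tags(dmarc[0]).get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC p= does not ask receivers to quarantine or reject")

    # DKIM: an empty p= tells verifiers that no valid key exists.
    dkim = [parse_tags(t) for t in zone.get("*._domainkey." + domain, [])]
    if not any(t.get("v") == "DKIM1" and t.get("p") == "" for t in dkim):
        findings.append("no wildcard DKIM record with an empty p= (revoked key)")
    return findings

BROKEN = {  # constructed: two SPF records at the apex, no DMARC, no DKIM
    "example.com": ["v=spf1 include:_spf.mx.cloudflare.net ~all", "v=spf1 -all"],
}
FIXED = {  # constructed: the records from the answer above
    "example.com": ["v=spf1 include:_spf.mx.cloudflare.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; fo=1"],
    "*._domainkey.example.com": ["v=DKIM1; p="],
}

if __name__ == "__main__":
    for name, zone in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit(zone, "example.com") or "ok")
```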