Is Cloudflare's SPF handling for email routing flawed?

When configuring email routing, one of the instructions is to add include:_spf.mx.Cloudflare.net to the SPF DNS record.

That helps with email forwarding delivery, but I believe there's an issue with the way Cloudflare handles forwarding.

Seems like Cloudflare alters the envelope sender, appending the zone's @<domain_name> to it.

That means that the message will always pass the SPF check at the final destination, no matter what.

As of today, this works whether the original sender passes or fails the SPF check when the message arrives at Cloudflare.

For example,

say my zone is example.com and I have set up [email protected] to forward to [email protected].

A spammer spoofs his email address as [email protected] and emails [email protected] from his home.

Cloudflare's MTA receives the email and correctly identifies that this email is failing the SPF check.

But then it changes the envelope sender to [email protected] and forwards it to [email protected].

Gmail's MTA receives the email and it passes the SPF check, since Cloudflare's addresses are declared legit for @example.com.

Am I incorrect to assume this breaks the intent of SPF?

What you are describing is an issue with any email forwarding service that uses Sender Rewriting Scheme (Wikipedia).

A spammer spoofs his email address as [email protected] and emails [email protected] from his home.
Cloudflare's MTA receives the email and correctly identifies that this email is failing the SPF check.

The attacker's home isn't allowed to send email on behalf of microsoft.com. Cloudflare will authenticate the email using SPF and DMARC and reject the email if it fails to pass.


Thanks, but what if DMARC is missing or its policy is none for some company that's being spoofed? The SPF check will still fail at Cloudflare, but it won't show failure at the final forwarded destination, and that's kinda misleading, no? Maybe there's no proper solution for this.

I did try it with a forged outlook.com address and the email was delivered (it showed up in the spam folder).

Which is usually the case with most webmail providers (Gmail, Outlook, …).

Going by sven2's answer on the Sender Rewriting Scheme (SRS), it seems that SRS was devised to facilitate delivery when the SPF check passes on the forwarder's MTA. By using SRS and a correct SPF record, the SPF check will also pass on the forwardee's MTA.

But that introduces the issue of the SPF check always passing on the forwardee, regardless of the prior SPF checks as the message transits through forwarders.

There seems to be no good solution to that for now, and it's not exclusive to Cloudflare.

At any rate, it's nice to have email routing on Cloudflare.
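The forwarding path the thread describes, modelled as an added Python example (not Cloudflare's code and not from anyone in this thread): a minimal SPF evaluator over constructed records, an SRS0 envelope rewrite, and the DMARC alignment check a receiver can still apply, because SRS changes the envelope sender but leaves the From: header domain untouched. Domains, IPs and the SRS secret are constructed stand-ins (bigcorp.example plays the thread's microsoft.com).

```python
import base64, hashlib, hmac, time

# Constructed stand-in for SPF DNS lookups: domain -> IPs its SPF record authorises.
# Assumption: example.com's record includes the forwarder's IP, as the routing setup instructs.
SPF_RECORDS = {
    "bigcorp.example": {"203.0.113.5"},  # the spoofed domain's genuine MTA
    "example.com": {"198.51.100.10"},    # the forwarder's MTA (the include: mechanism)
}
SRS_SECRET = b"constructed-forwarder-secret"  # hypothetical SRS signing key
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()

def spf_check(envelope_from: str, client_ip: str) -> str:
    """Minimal SPF evaluation: pass/fail/none for the envelope sender's domain."""
    allowed = SPF_RECORDS.get(domain_of(envelope_from))
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"

def srs_rewrite(envelope_from: str, forwarder_domain: str) -> str:
    """SRS0 rewrite as a forwarder does it: SRS0=HHHH=TT=orig-domain=orig-local@forwarder.
    TT is the day count mod 1024 as two base32 chars; HHHH is a truncated HMAC over TT+domain+local."""
    local, domain = envelope_from.rsplit("@", 1)
    days = int(time.time() // 86400) % 1024
    ts = B32[days >> 5] + B32[days & 31]
    mac = hmac.new(SRS_SECRET, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1).digest()
    hhhh = base64.b64encode(mac).decode()[:4]
    return f"SRS0={hhhh}={ts}={domain}={local}@{forwarder_domain}"

def dmarc_spf_aligned(header_from: str, envelope_from: str, spf_result: str) -> bool:
    """DMARC's SPF leg: SPF must pass AND the envelope domain must align with the From: header domain."""
    return spf_result == "pass" and domain_of(header_from) == domain_of(envelope_from)

def simulate_forward(spoofed_from: str, spammer_ip: str, forwarder_domain: str, forwarder_ip: str) -> dict:
    """Trace the thread's scenario: spoofed mail hits the forwarder, is SRS-rewritten, reaches the destination."""
    at_forwarder = spf_check(spoofed_from, spammer_ip)
    rewritten = srs_rewrite(spoofed_from, forwarder_domain)
    at_destination = spf_check(rewritten, forwarder_ip)
    return {
        "spf_at_forwarder": at_forwarder,      # "fail": the spammer's IP is not in bigcorp.example's record
        "rewritten_sender": rewritten,
        "spf_at_destination": at_destination,  # "pass": the forwarder's IP is in example.com's record
        # From: still says bigcorp.example, so DMARC's SPF alignment fails despite the SPF pass.
        "dmarc_spf_aligned": dmarc_spf_aligned(spoofed_from, rewritten, at_destination),
    }

if __name__ == "__main__":
    print(simulate_forward("ceo@bigcorp.example", "192.0.2.77", "example.com", "198.51.100.10"))
```

The SPF pass at the destination is exactly what the thread observes; the alignment result is why a receiver that evaluates DMARC (or a forwarder that runs it before rewriting) is not fooled by it.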
