We use Cloudflare email routing for our domain, and the catch-all setting is enabled and configured to send emails to my GMail address.
We have SPF, DKIM and DMARC records set up for the domain that only allow Cloudflare and AWS to send emails from our domain.
This evening I received a catch-all spoof/scam email that was sent to [email protected], sent from [email protected].
According to the headers, this email was sent to Cloudflare from eberlesystems.ch (localhost [IPv6:::1]) by ibama.gov.br and passed all the SPF/etc checks.
Please can you explain why Cloudflare has accepted and forwarded this email from this host, that was sent from [email protected], even though the SPF/DMARC/DMARC policy does not permit eberlesystems.ch/ibama.gov.br as a permitted sender for @ourdomain.com?
I would greatly appreciate any insight you can offer, as we are concerned Cloudflare is allowing unauthorised senders to impersonate @ourdomain.com email addresses.
Our SPF record is:
v=spf1 include:_spf.mx.cloudflare.net include:amazonses.com ~all
Our DMARC record is:
v=DMARC1; p=quarantine
These records as well as our DKIM records are showing as valid/passed on MXToolbox.com.