Spam using my address as sender passes SPF


I have set Cloudflare to forward a custom email address to a Gmail address. As far as I can tell, Cloudflare forwards everything, without any kind of spam filter or anything.

Some spammers set my own address as the sender, Cloudflare forwards it, and Gmail receives email from my address being sent by Cloudflare’s servers, which are listed as valid senders for my domain in SPF. So the spam passes SPF.

It’s not a big problem, Gmail sends it to the spam folder anyway, but it does feel like the spammers found an exploit. Presumably, they could use any address which uses Cloudflare’s email redirection as “From” to send spam to any other address which uses Cloudflare’s email redirection, and it will pass SPF.

Am I doing something wrong, or is there a way to solve this? Maybe writing a quick script on Email Workers, once I get access to it.


Why are Cloudflare’s servers in your SPF? You don’t use Cloudflare to send emails, so they should be removed.

1 Like

It looks like you’re using Email Routing, which should be in your SPF for sending email, which would cause spam to get through. Email forwarders aren’t so great because of this.

1 Like

I believe that including Cloudflare’s servers in SPF is required as part of using their email forwarding service. I suppose so that Gmail (or whatever receiving server) doesn’t mark everything as spam. But a lot of it is spam. In any case, Gmail does a good job filtering, but I was seeing DMARC reports from Google about emails from my domain passing SPF but failing DKIM, when they should be passing both. I traced it (I think) to spammers using my own address as the From address. Anyway, as I said, it’s not a big deal, everything works fine if you don’t look at those technical details.