I have set Cloudflare to forward a custom email address to a Gmail address. As far as I can tell, Cloudflare forwards everything, without any kind of spam filter or anything.
Some spammers set my own address as the sender, Cloudflare forwards it, and Gmail receives email from my address being sent by Cloudflare’s servers, which are listed as valid senders for my domain in SPF. So the spam passes SPF.
It’s not a big problem; Gmail sends it to the spam folder anyway, but it does feel like the spammers found an exploit. Presumably, they could use any address which uses Cloudflare’s email redirection as “From” to send spam to any other address which uses Cloudflare’s email redirection, and it will pass SPF.
Am I doing something wrong, or is there a way to solve this? Maybe writing a quick script on Email Workers, once I get access to it.
I believe that including Cloudflare’s servers in SPF is required as part of using their email forwarding service, I suppose so that Gmail (or whatever receiving server) doesn’t mark everything as spam. But a lot of it is spam. In any case, Gmail does a good job filtering, but I was seeing DMARC reports from Google about emails from my domain passing SPF but failing DKIM, when they should be passing both. I traced it (I think) to spammers using my own address as the From address. Anyway, as I said, it’s not a big deal; everything works fine if you don’t look at those technical details.
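
The check described in the post above, finding DMARC aggregate report rows that pass SPF but fail DKIM, as an added example that is not part of the original post. It assumes the report follows the RFC 7489 aggregate XML layout; the sample report, `example.com` and the IP addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def spf_pass_dkim_fail(report_xml):
    """Map (source_ip, header_from, had_dkim_signature) -> message count for
    rows whose DMARC evaluation shows SPF pass but DKIM fail."""
    root = ET.fromstring(report_xml)
    for el in root.iter():                    # some reporters add an XML namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    hits = Counter()
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None:
            continue
        if ev.findtext("spf") == "pass" and ev.findtext("dkim") == "fail":
            # No <dkim> under auth_results means the message carried no
            # signature at all, as opposed to one that failed to verify.
            signed = rec.find("auth_results/dkim") is not None
            key = (rec.findtext("row/source_ip"),
                   rec.findtext("identifiers/header_from"), signed)
            hits[key] += int(rec.findtext("row/count", default="0"))
    return dict(hits)

def _record(ip, count, dkim, spf, signed):
    """Build one constructed <record> for the sample report below."""
    sig = ("<dkim><domain>example.com</domain><result>pass</result></dkim>"
           if signed else "")
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf>"
            f"</policy_evaluated></row><identifiers><header_from>example.com"
            f"</header_from></identifiers><auth_results>{sig}<spf><domain>"
            f"example.com</domain><result>{spf}</result></spf></auth_results>"
            f"</record>")

# Constructed sample: example.com and the documentation-range IPs are
# placeholders, not values from a real report.
SAMPLE_REPORT = "<feedback>" + "".join([
    _record("192.0.2.10", 42, "pass", "pass", True),     # normal signed mail
    _record("198.51.100.7", 5, "fail", "pass", False),   # relayed, unsigned
    _record("198.51.100.7", 2, "fail", "pass", False),   # same source again
    _record("203.0.113.9", 3, "fail", "fail", False),    # fails both checks
]) + "</feedback>"

if __name__ == "__main__":
    for (ip, hdr, signed), n in spf_pass_dkim_fail(SAMPLE_REPORT).items():
        print(f"{n} msgs from {ip} as {hdr}, DKIM signature present: {signed}")
```

Reports usually arrive as zip or gzip attachments, so decompress them before passing the XML in.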