Hi. Our users configure their personal email accounts to send as their email address from our domain. These email addresses are routed with Cloudflare. I have SPF includes for both Yahoo and Google, as well as Cloudflare. If yahoo-user@our-domain sends email to gmail-user@our-domain, delivery fails with error: transient error (421): 4.7.27 This mail has been rate limited because s p f does not pass. Sending the other way around, from gmail-user to yahoo-user, works fine.
In a twist, sending from yahoo-user@our-domain to a gmail account outside of our Cloudflare email routing rules works fine.
I have used an SPF checker and it warns that Yahoo PTR records are deprecated and shouldn’t be used. Obviously I have no control over that. It seems their recommended SPF record is actually two nested PTR records.
Any ideas? So far it seems like a combination of Yahoo using PTR, and maybe Google not recognizing that as SPF, and maybe when Cloudflare routes email it qualifies the message as coming from a bulk sender?
The Yahoo user emailed my gmail account and I looked at the original to see all the header stuff. It passed all SPF, DKIM, and DMARC.
So it would seem Google does recognize our Yahoo settings, and it is somehow breaking down in Cloudflare email routing. Header shows: spf=pass (google.com: domain designates 74.6.129.124 as permitted sender).
I understand Cloudflare may trigger the “bulk sender” added requirements, but why would our settings break down?
Does this long error mention any domain, and if so, is it the one you call our-domain, yahoo.com or what exactly?
Also, what exact domain is our-domain?
If your own domain is example.com, and an email is being forwarded to [email protected], the SPF authentication will actually happen on your own domain, as the SMTP MAIL FROM (also known as Envelope From, Return-Path, et al.) is being rewritten to something like this, with the destination being [email protected]:
So, assuming that you have include:_spf.mx.cloudflare.net within your own SPF, the SPF authentication should actually succeed, at the point it reaches Gmail.
However, one thing worth mentioning is that even though it will pass SPF on Gmail’s side, it won’t pass the SPF ALIGNMENT.
Gmail could be claiming that SPF fails because Gmail is also expecting the alignment to be perfect; however, that’s something you will never get when you’re running through any email routing/forwarding service.
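
The difference between an SPF pass and SPF alignment described in the reply above, as an added example that is not part of the original thread: it compares the envelope sender domain with the visible From domain the way a DMARC check does. The messages, the domains `sender.example` and `receiver.example`, the rewritten local part, and the two-label organizational-domain shortcut are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: mail from alice@sender.example, forwarded by example.com,
# whose forwarder rewrote the envelope sender (placeholder local part).
FORWARDED = """\
Return-Path: <rewritten-placeholder@example.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=example.com
From: Alice <alice@sender.example>
To: bob@receiver.example
Subject: hello

body
"""

# Constructed sample: the same mail delivered directly, envelope untouched.
DIRECT = """\
Return-Path: <alice@mail.sender.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=mail.sender.example
From: Alice <alice@sender.example>
To: bob@receiver.example
Subject: hello

body
"""

def domain_of(value):
    # Domain part of an address header, lower-cased ('' if the header is absent).
    return parseaddr(value)[1].rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    # Assumption: naive "last two labels"; real DMARC code uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def spf_for_dmarc(raw, strict=False):
    """Return the SPF result, the two domains, and whether SPF counts for DMARC."""
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path", ""))
    visible = domain_of(msg.get("From", ""))
    found = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = found.group(1).lower() if found else "none"
    if strict:
        aligned = envelope == visible
    else:
        aligned = org_domain(envelope) == org_domain(visible)
    aligned = bool(envelope) and aligned
    return {"spf": spf, "envelope": envelope, "from": visible,
            "aligned": aligned, "dmarc_spf": spf == "pass" and aligned}
```

For the forwarded sample the SPF result is `pass` while `dmarc_spf` is false, so DMARC has to rely on an aligned DKIM signature instead.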