SPF Failures Leading to Gmail Rate Limiting on Forwarded Emails

Hello Cloudflare Community,

I am encountering a persistent issue where emails forwarded to my Gmail account are being rate limited due to SPF failures, and I’m hoping to get some assistance in resolving this.

I have an SPF record in place that includes Cloudflare’s email forwarding service, but emails continue to be rate limited by Gmail due to the SPF check failures associated with the IP address, which I believe is related to Cloudflare’s forwarding service.

I am looking for advice on how to configure my domain’s DNS and email settings to overcome this SPF issue without discontinuing the use of Cloudflare’s email forwarding feature. Here are my questions:

  1. Is there a way to adjust my SPF setup to accommodate Cloudflare’s forwarding service so that SPF checks won’t fail when my emails are sent to Gmail?
  2. Would enabling Sender Rewriting Scheme (SRS) help in this situation, and if so, how can I implement it with Cloudflare?
  3. Are there other Cloudflare Community members who have faced and overcome a similar challenge?

I appreciate any insights or guidance you can provide.

Welcome to the Cloudflare Community.

I don’t want to be the one that tells you that there is not anything you can do, but there is not anything you can do. It is just going to happen sometimes with forwarding to Gmail. Google isn’t looking at just your forwarded email. They are looking at all email arriving through Cloudflare Email Routing, possibly grouped by relay IP, but we really cannot know from the outside.

Email forwarding was already being rendered impractical by email authentication technology (SPF and DMARC especially) years before Cloudflare even opened up Email Routing as a beta. Forwarding is especially challenging when you have no control over the receiving server, such as you encounter with a freemail provider.

To your specific questions:

  1. No. Your SPF record only covers email that is sent using your domain name. SRS notwithstanding, it has no impact on email sent to you from other domains.

  2. My understanding is that Cloudflare Email Routing always uses SRS. That is the reason for adding the Cloudflare include to your SPF. That of course breaks the SPF alignment used by DMARC. If the sender also uses valid DKIM, they can still pass DMARC with non-aligned SPF.

  3. Searching the Email Routing category will reveal many that have encountered this with Gmail as well as there being no real solution.

There are scenarios where email forwarding can work reliably. Forwarding to Gmail is not one of them. I stopped all forwarding to Gmail about a decade ago because it clearly had the potential to become problematic. Using a domain mailbox via MX, even a cheap one with limited storage capacity, and then configuring the Gmail account to poll it over POP3 at regular intervals has proven to be a preferable option. (Be sure to not leave the messages on the POP server.) It also tends to include an outbound relay that can be added to Gmail. If that outbound relay includes DKIM signing, you can publish the records needed to send authenticated email from that address.

Inconsistent delivery is unfortunately a known side effect of email forwarding in the age of DMARC.
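The alignment point made in answer 2 above, worked through as an added example that is not part of the original posts: a simplified DMARC evaluation showing why an SRS-rewritten envelope sender passes SPF but is not aligned, and why a valid aligned DKIM signature still yields a DMARC pass. The domains `sender.example` and `forwarder.example` are constructed, and the organizational-domain rule (last two labels) is a simplifying assumption; real receivers use the Public Suffix List.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels.
    # Real evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # DMARC relaxed alignment compares organizational domains,
    # strict alignment requires an exact match.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str          # domain in the visible From: header
    mail_from: str            # envelope sender domain that SPF checked
    spf_result: str           # SPF verdict for the connecting relay IP
    dkim: list = field(default_factory=list)  # [(d= domain, verdict), ...]

def dmarc(msg: Message) -> dict:
    # DMARC passes if SPF passes AND aligns, or any DKIM passes AND aligns.
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from)
    dkim_ok = any(res == "pass" and aligned(d, msg.header_from)
                  for d, res in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed scenarios for mail from sender.example to a forwarded address.
SCENARIOS = {
    "direct, SPF only": Message("sender.example", "bounce.sender.example", "pass"),
    # SRS rewrites MAIL FROM to the forwarder, so SPF passes for the forwarder
    # but no longer aligns with the From: header.
    "forwarded with SRS, DKIM signed": Message(
        "sender.example", "forwarder.example", "pass",
        [("sender.example", "pass")]),
    "forwarded with SRS, no DKIM": Message(
        "sender.example", "forwarder.example", "pass"),
    # Without SRS the envelope still names the sender, whose SPF record
    # does not list the forwarder's relay IP.
    "forwarded without SRS, no DKIM": Message(
        "sender.example", "sender.example", "fail"),
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:34} {dmarc(msg)}")
```

Only the DKIM-signed message survives forwarding with a DMARC pass, which is why the receiving side's treatment of forwarded mail depends on what the original senders publish rather than on the recipient domain's SPF record.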

Hi Eric,

Thanks for your prompt response. I want to make sure I understood your advice correctly. Are you suggesting I should opt for hosting with a custom domain and set up email forwarding to that domain? I’ve explored some services like Namecheap’s email hosting. If I choose to use IMAP for connecting my Gmail account, would I encounter similar problems?

If you will be using the mailbox directly with an email client application, IMAP is preferable. When using it with Gmail, POP3 is better because it makes the mailbox ephemeral by keeping it empty and it keeps all of your email in your Gmail account.

Google Workspace also can be used as your mailbox provider to allow routing directly to domain email on a business Gmail account. While not terribly expensive, it will run more than the mailboxes offered by a cheap email hosting provider.

Thank you for the additional information. I have set up an account on Namecheap and configured POP3. Cloudflare appears to be forwarding emails to the Namecheap email, but when it is trying to sync with the Google account it appears to still have issues forwarding. Is this the correct implementation?

You shouldn’t be forwarding anymore. Getting mail to your Namecheap mailbox is done via MX records. Did you disable Cloudflare Email Routing and add the MX records that your Namecheap mail needs?

Polling that mailbox from your Gmail is configured in the Settings under "Accounts and Import". In the "Check mail from other accounts" section you can click "Add a mail account" and follow the prompts.

Configuring sending email follows a similar process in the "Send mail as:" section.

Configuring your Gmail settings is drifting off-topic for discussion here, so hopefully the Gmail part is relatively straightforward.

If you want the Community to take a look at your published DNS settings, you can share your domain name.


Seems to have worked. Thank you for the help!
