SPF should not be limited to Cloudflare

Hi all,

For a while I have been using Cloudflare Email Routing, and previously I was able to control the SPF value in the DNS record. This allowed me to have 2 includes, one from Cloudflare and one from a different provider. However, I logged in the other day and saw a tempting button saying “Lock DNS” to prevent these records from being removed, I clicked it, and really wish I had not.

With the new behaviour, Cloudflare is forcing a very specific SPF value upon us that we cannot change and is now breaking our setup. I believe this is incorrect and Cloudflare should allow us to manage the value as per before.

I understand why it’s been implemented, though in its current form it’s too restrictive. Maybe the logic should be updated to simply ensure that the Cloudflare include is present?

For example, imagine a situation whereby you’re using Cloudflare Email Routing to handle forwarding of incoming email, but you may be using a service such as AWS SES to send email from your domain. Previously, an SPF value of v=spf1 include:_spf.mx.cloudflare.net include:amazonses.com ~all was possible, and worked just fine. However, that’s now not possible.

The same is true if you’re using a workaround to have a custom domain with a Gmail account. Use Cloudflare Email Routing to forward to your Gmail address, and configure Gmail to send email as your custom domain. Again, I used to be able to have includes for both Cloudflare & Google, but now we cannot.

I see this as quite an important & breaking change in behaviour. Is there any chance we can get in touch with somebody at CF to look at this?
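As an added example (not code from the original thread or from Cloudflare), a small Python checker that parses an SPF TXT record and reports what the rule suggested above would need to know: whether the Cloudflare include is present alongside other includes, whether the record stays within the 10-DNS-lookup limit of RFC 7208, and which "all" policy it ends with. REQUIRED_INCLUDE and the sample records are assumptions constructed from the record quoted in the post.

```python
import re

# Assumed values for this example: the required include hostname is the one
# quoted in the post; the sample records below are constructed, not real DNS data.
REQUIRED_INCLUDE = "_spf.mx.cloudflare.net"
# Terms that each cost one DNS lookup during evaluation (RFC 7208, section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# qualifier, mechanism/modifier name, optional ":"/"=" value, optional CIDR suffixes
_TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?(?://?\d+)*", re.I)


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms; CIDR suffixes are accepted but dropped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    parsed = []
    for term in terms[1:]:
        m = _TERM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"malformed SPF term: {term!r}")
        qualifier = m.group(1) or "+"  # an absent qualifier means "pass"
        parsed.append((qualifier, m.group(2).lower(), m.group(3)))
    return parsed


def check_spf(record, required_include=REQUIRED_INCLUDE):
    """Report include presence, DNS lookup budget and the final 'all' qualifier."""
    terms = parse_spf(record)
    includes = [v for _, n, v in terms if n == "include"]
    lookups = sum(1 for _, n, _ in terms if n in LOOKUP_TERMS)
    all_qualifiers = [q for q, n, _ in terms if n == "all"]
    return {
        "has_required_include": required_include in includes,
        "includes": includes,
        "lookups": lookups,
        "within_lookup_limit": lookups <= MAX_LOOKUPS,
        "all_qualifier": all_qualifiers[-1] if all_qualifiers else None,
    }


# Constructed samples: the poster's previously working record and the single-include form
OP_RECORD = "v=spf1 include:_spf.mx.cloudflare.net include:amazonses.com ~all"
FORCED_RECORD = "v=spf1 include:_spf.mx.cloudflare.net ~all"

if __name__ == "__main__":
    for rec in (OP_RECORD, FORCED_RECORD):
        print(rec, "->", check_spf(rec))
```

Both sample records pass the "Cloudflare include present" check, which is the point of the thread: a presence check, rather than an exact-match check, would leave room for the second include.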

Did you try disabling and then re-enabling Email Routing?

I would also put a :facepalm: here, and agree with your following statement that there are other ways to ensure that the Cloudflare include is actually present.

However, for this specific part:

That isn’t actually true.

Any tutorials/guides saying otherwise are misleading you, which could eventually be due to their author’s ignorance about how SPF actually works.

The true fact is that including Google in your SPF while using that specific trick / workaround serves exactly no purpose at all:

2 Likes

Yes, unfortunately it always now wants that very particular value.

Good point on the Google issue, though the point remains for other setups such as the AWS SES one mentioned. It’s a legitimate need for being able to modify the SPF value.

Thanks

1 Like

If I understand how SPF records work, you only need to add the Cloudflare servers if you WANT Cloudflare TO SEND emails using your domain(s).

As I do not want any other servers than my own ISP to send emails (since moving over to Cloudflare, I started seeing my domain being used by scammers again), I removed the Cloudflare servers from my SPF record.

And since forwarding still works (I’m still getting my emails forwarded), I will take this “conflict” and let it stay where it is.

9 hours later, and I just want to clarify that I can still send emails, and receive them without any issues.
Emails sent from my domain still work, and emails sent to my domain are still routed/forwarded properly.
So Cloudflare’s SPF record only needs to be there for Cloudflare’s own services.

Note: I want to clarify that I’m technically spoofing emails sent from my own domain name. I use my ISP email-address to do it, and since I have contacted them and they didn’t appear to have any issues allowing me to do it (they didn’t know what I was on about…), I guess it’s fine :stuck_out_tongue: