Will email campaigns suffer from Cloudflare's Bot Detection?

It is well known that when you send out an email campaign, the provider checks incoming emails for malicious external links. So a software visits all links in the campaign (mostly very fast) in order to be sure that the content behind all URLs is free of malware.

However, Cloudflare might interpret that kind of burst requests as malicious requests and might block it. This will then make the email provider check software think: no good, there is an error behind these URLs, and will not deliver the email to the final inbox.

How is this solved?

Hi there,

To address the issue of Cloudflare potentially blocking burst requests that check incoming emails for malicious external links, a solution involves configuring Cloudflare’s security settings to allow these legitimate requests while still maintaining protection against malicious activities. By adjusting Cloudflare’s WAF rules, specifically the rate limiting and custom rules the burst requests can be identified as legitimate and not trigger security blocks. This ensures that the email provider’s checking software can scan the URLs without interference. Additionally, utilising Cloudflare’s WAF Rules to allowlist the IP addresses of the email checking software can prevent it from being blocked, ensuring that the email campaigns are properly scanned for malware without disruptions. This approach allows for the necessary security measures to remain in place while enabling legitimate email scanning processes to function effectively.

For more information you can refer to the following link: Cloudflare Web Application Firewall · Cloudflare Web Application Firewall (WAF) docs

1 Like

Ok, I fully understand. However, imagine this: let’s say we know about 20 different email providers doing this kind of scanning, we could manually configure all these IP ranges to be allowed.
But what about all the email providers we have no clue that they exist but which also do the scanning?
Sounds like a high maintenance approach you are suggesting and I’m looking for something better, but didn’t find it yet.