Email Routing Reliability
When Cloudflare reroutes an email to a desired email address it rewrites the Return-Path, which becomes something like this: Return-Path: <cfbounces+ndrdrop@yourdomain.com>, which will not match the From: address, which is the original sender email address.
This by definition will make SPF fail the DMARC’s alignment test. So if I have p=quarantine or p=reject in my _dmarc DNS text field, am I in danger of losing legitimate incoming email with the CF Email Routing? Or even with p=none, may the receiving inbox, Gmail for example, decide to flag the email as spam?
I implemented the CF email routing 7 days ago, so all DNS propagation is done long ago, so it can't be that, but LinkedIn is reporting to me that the email is unreachable. I am getting some of their emails, but apparently not all. So they are telling me to re-verify the email address. I am doing this for a third time in the past seven days.
Also, when CF reroutes an email it will use your domain to send that email, so mailed-by: field will be filled with your domain, becoming mailed-by:yourdomain.com. Inevitably CF will forward some spam which Gmail will eventually mark as spam, and since these are now mailed by your domain I am wondering if I am doing a domain reputation damage by using this service.
Different AIs give different answers to the last problem. For example Claude is assuring me that mailed-by: header is nothing to worry about, that this designates which server was used to mail, and has nothing to do with reputation. The reputation damage is awarded to the original sender. But since these guys can often hallucinate and introduce subtle lies, I can't trust them.
But still, the LinkedIn warnings stand and the Return-Path: and From: misalignment worries me.
Is there anyone knowledgeable enough to advise on this? Should I ditch CF Email Routing?

14 Replies
Is there anyone knowledgeable enough to advise on this?
Don't worry. DMARC requires EITHER DKIM Pass w/Alignment, OR SPF Pass w/Alignment. As long as you have one of them, the DMARC will work just fine. SPF Pass w/Alignment will ALWAYS fail after forwarding. Even if Cloudflare didn't rewrite the SMTP MAIL FROM / Return-Path, you would still NOT be able to pass the SPF Pass w/Alignment area, unless the original sender added the Cloudflare Email Routing SPF to their SPF record. In other words, - without rewriting: Your bank, PayPal, Facebook, Google, or any other email senders would still need to add "include:_spf.mx.cloudflare.net" to the SPF record of their domain, in order to satisfy the SPF Pass w/Alignment requirement.
I highly doubt you would get any of them, or any other arbitrary senders, to add that.
Should I ditch CF Email Routing?
If you should, you would have to ditch all kinds of Email Routing / Forwarding.
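The either/or rule described in the reply above, as an added example that is not part of the original thread and not Cloudflare's code: it evaluates relaxed DMARC alignment for a direct delivery and for three forwarding cases. The domain sender.example, the two-label organizational-domain shortcut and all sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the organizational domain;
    # a real evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Relaxed alignment (the DMARC default) compares organizational domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str  # domain of the From: header
    mail_from: str    # domain of the Return-Path / SMTP MAIL FROM
    spf_pass: bool    # SPF result for mail_from at the receiving hop
    dkim_d: str       # d= domain of the DKIM signature
    dkim_pass: bool   # did that signature verify?

def dmarc(msg: Message) -> dict:
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from)
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_d, msg.header_from)
    # DMARC passes when EITHER mechanism passes with alignment.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample messages; sender.example is a placeholder sender.
CASES = {
    "direct": Message("sender.example", "bounce.sender.example", True, "sender.example", True),
    "forwarded_rewritten": Message("sender.example", "yourdomain.com", True, "sender.example", True),
    "forwarded_not_rewritten": Message("sender.example", "bounce.sender.example", False, "sender.example", True),
    "forwarded_no_valid_dkim": Message("sender.example", "yourdomain.com", True, "sender.example", False),
}

def evaluate_all() -> dict:
    return {name: dmarc(m) for name, m in CASES.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:26} {result}")
```

Only the last case fails: a forwarded message depends entirely on the original sender's DKIM signature surviving the hop, and the DMARC policy consulted is the one published by the From: domain.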
If you should, you would have to ditch all kinds of Email Routing / Forwarding.
That's correct I assume, because all forwarding services have this "issue" so to speak. I also have Google Workspace and I was operating these domains for branded emails as aliases to one main domain. Even in that case I think this SPF misalignment was there, because you are not in fact sending from the original domain, and only the DKIM will pass, not both DKIM and SPF. I am not sure though. However, the LinkedIn issue still stands. God knows how many other senders are experiencing unreachable issue too. Also, I should add that in the CF email dashboard there are no rejected or dropped emails from LinkedIn, or from anyone for that matter. I also suspect this part of their dashboard is broken because it shows only 3 emails forwarded in the last 7 days but there are at least 20 in my Gmail inbox.
However, the LinkedIn issue still stands.
Can you elaborate on what exact issue there is?
God knows how many other senders are experiencing unreachable issue too.
What "unreachable issue"? According to your explanation, it sounds like you did in fact receive the emails? And if you didn't, how would you be able to talk about them?
According to your explanation, it sounds like you did in fact receive the emails? And if you didn't, how would you be able to talk about them?
When you login to LinkedIn they inform you in RED in their dash that your email is unreachable and you should re-verify it. So by chance I found out about this when I logged in there. First I thought it was a propagation issue, new domain DNS records not available to them yet, but as I said after 7 days they still persist that the email is unreachable. This is partially true though because some of their emails pass through, I receive them, but I guess one failed email is enough to trigger their warning in their dash. I don't believe for nothing they'll throw such a warning message in RED.
Can you share a screenshot of that LinkedIn message?
And share what domain name the email address is on?
The domain I would rather not share, but I can assure you the DNS is okay there because when adding a domain to the CF Email Routing, CF will add the DNS records automatically and lock those records so you are not able to edit them.
P.S. Sorry for the delay.


Without your domain name, it won't be possible to dig further into it from here (e.g. the Cloudflare Community).
There are a lot of other DNS records that have the potential to affect something like this, which aren't directly related to the ones that Cloudflare Email Routing will add (and/or keep locked) for you.
I will therefore suggest you to contact LinkedIn, and ask them to provide clarity to the situation, such as e.g. by sharing what error code(s)/message(s) they see, from their end.
Right. I am confident though that the DNS records are okay.
I cleared the warning in LinkedIn (re-verified the address) and opened a ticket with them to see what they see on their end, but I suspect it will be easy getting any answer from them like it's not easy getting ANY answer from CF (I have a ticket opened with them for over 10 days now) unless you pay hundreds of dollars for Enterprise tier, and even then I read complaints about the CF's customer support. It is really sad to see how their support degraded over the years.
The CF Email activity log dash is broken though. The filters don't work, they don't show all the messages in the log. You filter for delivery failed emails they show you all the emails, and so on.
If I see another red warning in LinkedIn I am walking away from the email routing, after an attempt to clarify why they can't deliver a message.
I am confident though that the DNS records are okay.
We won't be able to know for sure though.
I cleared the warning in LinkedIn (re-verified the address)
- Did that re-verification go through?
- Do you see the message on the final destination (Gmail?)?
- Did you see anything at all, on the Activity Log, regarding LinkedIn, after the new attempt?
Did that re-verification go through?
Yes, several times in the past 10 days. That's why I am talking about reliability. I'll re-verify the email address, some LinkedIn emails will pass through (I'll receive them in the final destination) and then the warning message will reappear in the LinkedIn dash and the emails from them will stop. I'll re-verify again and the same all over again. I think 3 times so far this happened.
Do you see the message on the final destination (Gmail?)?
No. Click mark email as correct and you're good to go. Re-verification is a wrong word here, my bad. Just one click to confirm that I still use this address, because I am not in fact changing the address, just it became unreachable.
Did you see anything at all, on the Activity Log, regarding LinkedIn, after the new attempt?
I see the legit emails from LinkedIn being forwarded again. You see my suspicion? There's no way this is a coincidence. LinkedIn is acting as a tester here.
No. Click mark email as correct and you're good to go. Re-verification is a wrong word here, my bad. Just one click to confirm that I still use this address, because I am not in fact changing the address, just it became unreachable.
What I meant was, the "mark email as correct" procedure would be sending an email towards your Email Routing address, that you in the end, would see on the final destination (Gmail)?
That's how you saw the "mailed-by:", and similar, that you initially mentioned?
I see the legit emails from LinkedIn being forwarded again.
That sounds good, and as if everything with Email Routing is working perfectly fine.
You see my suspicion? There's no way this is a coincidence. LinkedIn is acting as a tester here.
I completely understand your suspicion, and I also understand very well how certain things, such as e.g. situations like this can be very hard to understand, or make sense of, for many people.
That's why I am talking about reliability.
If you care about reliability, my advice is always:
- Avoid forwarding to a free mail (Google/Gmail, Microsoft (Hotmail, Live, Outlook, ...)), at any cost.
If you really insist on forwarding, you MUST be the one operating the final destination yourself, so that you're in full control of the final destination yourself. The free mail providers have a good reputation for rejecting deliveries from time to time, and you literally have no control over that, with such a free mail. If Gmail is rejecting the delivery from LinkedIn, Cloudflare will pass on that rejection to LinkedIn, that in the end would see it as Cloudflare rejecting the message (as Cloudflare isn't revealing the final destination in any way).
It isn't impossible, depending on how these LinkedIn messages are set up, that there was a single word (let's say "example", but could be whatever), that Google all of a sudden didn't like, for example if it has been used a lot in spam messages.
Now, LinkedIn would like to let you know, that there are new business connections from the company "Example Corporation," which is matching the word "example".
Since Google doesn't like "example", Google is rejecting the delivery attempt from Cloudflare, which Cloudflare passes on as a rejection - on the fly - to LinkedIn, when LinkedIn tries to deliver the message.
LinkedIn will now see your email address as being unreachable.
It isn't impossible, depending on how these LinkedIn messages are set up, that there was a single word (let's say "example", but could be whatever), that Google all of a sudden didn't like, for example if it has been used a lot in spam messages. Now, LinkedIn would like to let you know, that there are new business connections from the company "Example Corporation," which is matching the word "example". Since Google doesn't like "example", Google is rejecting the delivery attempt from Cloudflare, which Cloudflare passes on as a rejection - on the fly - to LinkedIn, when LinkedIn tries to deliver the message. LinkedIn will now see your email address as being unreachable.
That is highly unlikely. If Google doesn't like the word "example" it would flag that mail as spam and you would find that mail in the spam folder. That is not the case here. Even if Google rejected the mail (which can happen due to rate limiting) I should see that email in the CF dashboard. There were such few examples in the CF dash from other senders.
What I meant was, the "mark email as correct" procedure would be sending an email towards your Email Routing address, that you in the end, would see on the final destination (Gmail)? That's how you saw the "mailed-by:", and similar, that you initially mentioned?
Not such email no, I didn't receive, for example "your email is active again voila." I was talking about the mailed-by: header in general. In ALL emails forwarded from CF to Gmail mailed-by: yourdomain.com will be there.
If you really insist on forwarding, you MUST be the one operating the final destination yourself, so that you're in full control of the final destination yourself. The free mail providers have a good reputation for rejecting deliveries from time to time, and you literally have no control over that, with such a free mail.
You may have a point here. But if I wanted to pay I would continue to use the Google Workspace. This experiment with CF is to see whether I can ditch GW. As I said in GW I can add alias domains to the primary domain and I can receive and send mail from those domains with no problems whatsoever. I operate this way for over a decade. At first GW was free, then they made it paid service, and now in August I think they're increasing the price. So that's that.
That is highly unlikely.
Not really, no. It is very likely.
If Google doesn't like the word "example" it would flag that mail as spam and you would find that mail in the spam folder.
It is actually more likely that Google is rejecting the messages there, rather than delivering them (to the Spam folder).
Even if Google rejected the mail (which can happen due to rate limiting) I should see that email in the CF dashboard.
This one is completely true, - if you're set up with Cloudflare Email Routing, and you do not see anything in the Activity Log, then it would mean that Cloudflare Email Routing never saw the email. In other words, that it never made its way from the sender and to Cloudflare Email Routing.
1. If only happening with one single sender (e.g. LinkedIn) -> Something on LinkedIn's end.
2. If happening more globally (both LinkedIn AND others) -> I would dig deeper into your domain (which is impossible without it being shared though).
This experiment with CF is to see whether I can ditch GW
Again, I wouldn't suggest relying on forwarding, if you rely on receiving emails destined to you. Especially not towards destinations at either larger providers or free mail providers.
At first GW was free,
Fully aware of the circle of life there, including different names from same thing (e.g. Apps, Suite, Workspace, ...).
and now in August I think they're increasing the price.
Sounds like it's time to be looking at migrating to another email provider instead?
It is actually more likely that Google is rejecting the messages there, rather than delivering them (to the Spam folder).
...if you're set up with Cloudflare Email Routing, and you do not see anything in the Activity Log, then it would mean that Cloudflare Email Routing never saw the email.
-> Something on LinkedIn's end.
Lol, you give all the benefit of the doubt to CF, none to Google and LinkedIn. I am in the opposite corner though, I think CF Email routing is still in beta for the very fact that their dashboard is broken. I was away for 3-4 days and as I am writing this message I opened the Gmail inbox. I have exactly 22 unread forwarded emails. I have them automatically labeled. I can see them with my own eyes. I go to the CF Email routing dashboard and I filter for the previous 7 days, ALL custom addresses, ALL results, I see only 4 emails forwarded, all in the last 12 hours. I filter for the last 24 hours, the same 4 emails appear. LOL. I can bet my life on the fact that CF does not show ALL forwarded emails, nor rejected. This is indisputable. Having said that, the LinkedIn warning is very likely to be a thing.