Email Workers auth requirement

Update docs mentioning that mail authentication will be required in the
near future to be able to forward email from CF.

Author: edevil

src/content/changelog/email-routing/2025-06-18-mail-authentication.mdx

@@ -0,0 +1,18 @@
+---
+title: Mail authentication requirements for Email Routing
+description: Emails will need to be authenticated either via SPF or DKIM in order to be forwarded.
+date: 2025-06-20T15:00:00Z
+---
+
+The Email Workers platform supports [SPF](https://datatracker.ietf.org/doc/html/rfc7208) records and [DKIM (DomainKeys Identified Mail)](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) signatures,
+honoring these protocols when the sending domain has them configured. So far, when sending domains did not implement these protocols, emails could stil be forwarded
+to mailbox providers.
+
+Starting on _2025-07-01_, we will require all email to be authenticated using either one of those protocols in order to forward it. Preferably passing DMARC checks as well, although
+that will not be required at this time. If you are using a Worker with an Email trigger and forward the incoming email, you will need to handle the case where
+the forward action may fail due to missing authentication on the incoming email.
+
+SPAM has been an long-standing issue with email and by enforcing mail authentication we will be able to immediately filter out some of it, and identify SPAM senders
+when some of it gets through. SPF/DKIM/DMARC are not new protocols and there is ample documentation available on how to configure them. In fact, most of the senders
+already have these protocols configured. If you use a large mailbox provider, it is likely you are already using these protocols. If you manage your own domain,
+please ensure you have these protocols correctly configured.

src/content/docs/email-routing/postmaster.mdx

@@ -49,6 +49,11 @@ dig TXT cf2024-1._domainkey.example.com +short
 ### DMARC enforcing
 
 Email Routing enforces Domain-based Message Authentication, Reporting & Conformance (DMARC). Depending on the sender's DMARC policy, Email Routing will reject emails when there is an authentication failure. Refer to [dmarc.org](https://dmarc.org/) for more information on this protocol.
+It is recommended that all senders implement the DMARC protocol, which will be required in the near future in order to successfully deliver email to Cloudflare.
+
+### Mail authentication requirement
+
+Starting on 2025-07-01, Cloudflare will require emails to either pass SPF verification or be correctly DKIM signed in order to forward them. Having DMARC configured will also reflect positively and is recommended, although not yet required at this time.
 
 ### IPv6 support
 
@@ -152,6 +157,7 @@ Email Routing uses an internal Domain Name System Blocklists (DNSBL) service to
 ```txt
 554 <YOUR_IP_ADDRESS> found on one or more RBLs (abusixip). Refer to https://developers.cloudflare.com/email-routing/postmaster/#spam-and-abusive-traffic/
 ```
+
 We update our RBLs regularly. You can use combined block list lookup services like [MxToolbox](https://mxtoolbox.com/blacklists.aspx) to check if your IP matches other RBLs. IP reputation blocks are usually temporary, but if you feel your IP should be removed immediately, please contact the RBL's maintainer mentioned in the SMTP error directly.
 
 ### Anti-spam