Merge branch 'production' into patricia/pcx17678-overrides

Author: patriciasantaana

package-lock.json

@@ -36,7 +36,7 @@
 		"@astrojs/starlight-docsearch": "0.6.0",
 		"@astrojs/starlight-tailwind": "4.0.1",
 		"@cloudflare/vitest-pool-workers": "0.8.47",
-		"@cloudflare/workers-types": "4.20250620.0",
+		"@cloudflare/workers-types": "4.20250627.0",
 		"@codingheads/sticky-header": "1.0.2",
 		"@expressive-code/plugin-collapsible-sections": "0.41.2",
 		"@floating-ui/react": "0.27.12",
@@ -50,7 +50,7 @@
 		"@tailwindcss/postcss": "4.1.4",
 		"@types/hast": "3.0.4",
 		"@types/he": "1.2.3",
-		"@types/node": "24.0.4",
+		"@types/node": "24.0.6",
 		"@types/react": "19.0.7",
 		"@types/react-dom": "19.0.4",
 		"@typescript-eslint/parser": "8.35.0",

package.json

@@ -22,6 +22,7 @@ import {
 } from "@floating-ui/react";
 import { PiCaretDownBold } from "react-icons/pi";
 import { setSearchParams } from "~/util/url";
+import he from "he";
 
 function SearchBox(props: UseSearchBoxProps) {
 	const { query, refine } = useSearchBox(props);
@@ -79,7 +80,7 @@ function InfiniteHits(props: UseInfiniteHitsProps) {
 						href={item.url}
 						className="border-cl1-gray-8 hover:bg-cl1-gray-9 dark:border-cl1-gray-2 dark:bg-cl1-gray-0 dark:hover:bg-cl1-gray-1 flex flex-col rounded-sm border p-6 text-black! no-underline"
 					>
-						<strong>{title}</strong>
+						<strong>{he.decode(title)}</strong>
 						<p className="line-clamp-2">
 							<Highlight attribute="content" hit={item} />
 						</p>

src/components/search/InstantSearch.tsx

@@ -0,0 +1,20 @@
+---
+title: Mail authentication requirements for Email Routing
+description: Emails will need to be authenticated either via SPF or DKIM in order to be forwarded.
+date: 2025-06-30T10:00:00Z
+---
+
+The Email Routing platform supports [SPF](https://datatracker.ietf.org/doc/html/rfc7208) records and [DKIM (DomainKeys Identified Mail)](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) signatures and
+honors these protocols when the sending domain has them configured. However, if the sending domain doesn't implement them,
+we still forward the emails to upstream mailbox providers.
+
+Starting on July 3, 2025, we will require all emails to be authenticated using at least one of the protocols, SPF or DKIM, to
+forward them. We also strongly recommend that all senders implement the DMARC protocol.
+
+If you are using a Worker with an Email trigger to receive email messages and forward them upstream, you will need to handle the case where
+the forward action may fail due to missing authentication on the incoming email.
+
+SPAM has been a long-standing issue with email. By enforcing mail authentication, we will increase the efficiency of identifying abusive senders and blocking
+bad emails.
+If you're an email server delivering emails to large mailbox providers, it's likely you already usethese protocols; otherwise, please ensure
+you have them properly configured.

src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx

@@ -16,7 +16,7 @@ A Letter of Agency (LOA) - sometimes referred to as a Letter of Authorization -
 The letter must contain both the prefixes you are authorizing Cloudflare to announce and which ASN they will be announced under. Cloudflare can announce a prefix under your ASN or you can use Cloudflare's ASN, which is AS13335.
 
 :::note
-Current customers who are still using Cloudflare's AS209242 can continue using this same ASN. No further change is required.
+For all future onboardings, you must use AS13335. Current customers who are already using Cloudflare's AS209242 do not need to make any changes and can continue using that ASN.
 :::
 
 Cloudflare accepts digital signatures on an LOA, as long as it is clear who is signing the LOA.

src/content/docs/byoip/concepts/loa.mdx

@@ -33,6 +33,8 @@ If you use Microsoft 365, you will have to use the broken down `/24` subnet mask
 158.51.64.0/26
 158.51.65.0/26
 134.195.26.0/23
+35.157.195.63
+52.58.35.43
 ```
 
 ### IPv6
@@ -41,11 +43,6 @@ If you use Microsoft 365, you will have to use the broken down `/24` subnet mask
 2405:8100:c400::/38
 ```
 
-```txt
-52.58.35.43
-35.157.195.63
-```
-
 ## Microsoft 365 `/24` addresses
 
 Use these IPv4 addresses for Microsoft 365, instead of the `/19` and `/23` subnets:

src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips.mdx

@@ -38,4 +38,8 @@ Yes, you have these options available:
 
 These options only offer L3/L4 DDoS protection and using them imply that no application / L7 security or performance services can be applied.
 
+## I have configured [Customer Metadata Boundary](/data-localization/metadata-boundary/) for EU region, I'm accessing the Cloudflare Dashboard from Europe, why am I getting an error `Data not available due to your account's Customer Metadata Boundary configuration`?
+
+Based on Internet conditions that vary over time, users may be dynamically steered to a data center that is physically further away. This can be based on a variety of factors, including latency and network congestion. [Out of region access](/data-localization/metadata-boundary/out-of-region-access/) allows requests arriving in the United States to pull Customer Logs from the European Union and vice-versa. The analytics are still exclusively stored in the CMB configured region.
+
 

src/content/docs/data-localization/faq.mdx

@@ -49,6 +49,11 @@ dig TXT cf2024-1._domainkey.example.com +short
 ### DMARC enforcing
 
 Email Routing enforces Domain-based Message Authentication, Reporting & Conformance (DMARC). Depending on the sender's DMARC policy, Email Routing will reject emails when there is an authentication failure. Refer to [dmarc.org](https://dmarc.org/) for more information on this protocol.
+It is recommended that all senders implement the DMARC protocol in order to successfully deliver email to Cloudflare.
+
+### Mail authentication requirement
+
+Cloudflare requires emails to [pass some form of authentication](/changelog/email-routing/2025-06-30-mail-authentication/), either pass SPF verification or be correctly DKIM-signed to forward them. Having DMARC configured will also have a positive impact and is recommended.
 
 ### IPv6 support
 
@@ -152,6 +157,7 @@ Email Routing uses an internal Domain Name System Blocklists (DNSBL) service to
 ```txt
 554 <YOUR_IP_ADDRESS> found on one or more RBLs (abusixip). Refer to https://developers.cloudflare.com/email-routing/postmaster/#spam-and-abusive-traffic/
 ```
+
 We update our RBLs regularly. You can use combined block list lookup services like [MxToolbox](https://mxtoolbox.com/blacklists.aspx) to check if your IP matches other RBLs. IP reputation blocks are usually temporary, but if you feel your IP should be removed immediately, please contact the RBL's maintainer mentioned in the SMTP error directly.
 
 ### Anti-spam
@@ -226,4 +232,4 @@ Email Routing does not support sending or replying from your Cloudflare domain.
 
 ### Signs such "`+`" and "`.`" are treated as normal characters for custom addresses
 
-Email Routing does not have advanced routing options. Characters such as `+` or `.`, which perform special actions in email providers like Gmail and Outlook, are currently treated as normal characters on custom addresses. More flexible routing options are in our roadmap.
+Email Routing does not have advanced routing options. Characters such as `+` or `.`, which perform special actions in email providers like Gmail and Outlook, are currently treated as normal characters on custom addresses. More flexible routing options are in our roadmap.

src/content/docs/email-routing/postmaster.mdx

@@ -22,6 +22,7 @@ You can evaluate origin uptime, latency, failure reason, and specific event logs
 * **Health Checks By Latency**: Shows average latency – measured in round trip time — for individual origins over time.
 * **Event Log**: Shows individual health check data.
   * Select each record for additional details on **Round trip time**, the **Failure Reason**, the **Average Waterfall** (showing chronological data about request stages), **Response status code**, and more.
+  * Note that **Global** is not a configured region; it represents the aggregated data from all enabled regions.
 
 ## Set up alerts
 

src/content/docs/health-checks/health-checks-analytics.mdx

@@ -37,7 +37,7 @@ As a part of your onboarding process, you need to decide the ASN Cloudflare will
 If you do not have an ASN or do not want to bring your ASN to Cloudflare, you can use the Cloudflare Customer ASN (AS13335).
 
 :::note
-Current customers who are still using Cloudflare's AS209242 can continue using this same ASN. No further change is required.
+For all future onboardings, you must use AS13335. Current customers who are already using Cloudflare's AS209242 do not need to make any changes and can continue using that ASN.
 :::
 
 ## Advertise or withdraw a prefix