From 2340807b204be922aa5018bc745c4c7ec9ce7b79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Cruz?= Date: Wed, 18 Jun 2025 12:46:01 +0100 Subject: [PATCH 1/2] Email Workers auth requirement Update docs mentioning that mail authentication will be required in the near future to be able to forward email from CF. --- .../2025-06-30-mail-authentication.mdx | 20 +++++++++++++++++++ src/content/docs/email-routing/postmaster.mdx | 8 +++++++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx diff --git a/src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx b/src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx new file mode 100644 index 000000000000000..cf4d762f57ea062 --- /dev/null +++ b/src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx @@ -0,0 +1,20 @@ +--- +title: Mail authentication requirements for Email Routing +description: Emails will need to be authenticated either via SPF or DKIM in order to be forwarded. +date: 2025-06-30T10:00:00Z +--- + +The Email Routing platform supports [SPF](https://datatracker.ietf.org/doc/html/rfc7208) records and [DKIM (DomainKeys Identified Mail)](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) signatures and +honors these protocols when the sending domain has them configured. However, if the sending domain doesn't implement them, +we still forward the emails to upstream mailbox providers. + +Starting on July 3, 2025, we will require all emails to be authenticated using at least one of the protocols, SPF or DKIM, to +forward them. We alsostrongly recommend that all senders implement the DMARC protocol. + +If you are using a Worker with an Email trigger to receive email messages and forward them upstream, you will need to handle the case where +the forward action may fail due to missing authentication on the incoming email. + +SPAM has been a long-standing issue with email. By enforcing mail authentication, we will increase the efficiency of identifying abusive senders and blocking +bad emails. +If you're an email server delivering emails to large mailbox providers, it's likely you already usethese protocols; otherwise, please ensure +you have them properly configured. \ No newline at end of file diff --git a/src/content/docs/email-routing/postmaster.mdx b/src/content/docs/email-routing/postmaster.mdx index 5602e436cee8f8f..393b59a9c705d5d 100644 --- a/src/content/docs/email-routing/postmaster.mdx +++ b/src/content/docs/email-routing/postmaster.mdx @@ -49,6 +49,11 @@ dig TXT cf2024-1._domainkey.example.com +short ### DMARC enforcing Email Routing enforces Domain-based Message Authentication, Reporting & Conformance (DMARC). Depending on the sender's DMARC policy, Email Routing will reject emails when there is an authentication failure. Refer to [dmarc.org](https://dmarc.org/) for more information on this protocol. +It is recommended that all senders implement the DMARC protocol in order to successfully deliver email to Cloudflare. + +### Mail authentication requirement + +Starting on 2025-07-03, Cloudflare will require emails to either pass SPF verification or be correctly DKIM-signed to forward them. Having DMARC configured will also have a positive impact and is recommended. ### IPv6 support @@ -152,6 +157,7 @@ Email Routing uses an internal Domain Name System Blocklists (DNSBL) service to ```txt 554 found on one or more RBLs (abusixip). Refer to https://developers.cloudflare.com/email-routing/postmaster/#spam-and-abusive-traffic/ ``` + We update our RBLs regularly. You can use combined block list lookup services like [MxToolbox](https://mxtoolbox.com/blacklists.aspx) to check if your IP matches other RBLs. IP reputation blocks are usually temporary, but if you feel your IP should be removed immediately, please contact the RBL's maintainer mentioned in the SMTP error directly. ### Anti-spam @@ -226,4 +232,4 @@ Email Routing does not support sending or replying from your Cloudflare domain. ### Signs such "`+`" and "`.`" are treated as normal characters for custom addresses -Email Routing does not have advanced routing options. Characters such as `+` or `.`, which perform special actions in email providers like Gmail and Outlook, are currently treated as normal characters on custom addresses. More flexible routing options are in our roadmap. \ No newline at end of file +Email Routing does not have advanced routing options. Characters such as `+` or `.`, which perform special actions in email providers like Gmail and Outlook, are currently treated as normal characters on custom addresses. More flexible routing options are in our roadmap. From b5c601abd549a3db824dba8777cfdaffaef011df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Cruz?= Date: Mon, 30 Jun 2025 15:01:24 +0100 Subject: [PATCH 2/2] Update src/content/docs/email-routing/postmaster.mdx Co-authored-by: Kody Jackson --- .../email-routing/2025-06-30-mail-authentication.mdx | 4 ++-- src/content/docs/email-routing/postmaster.mdx | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx b/src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx index cf4d762f57ea062..18a39f9f0475e99 100644 --- a/src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx +++ b/src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx @@ -9,7 +9,7 @@ honors these protocols when the sending domain has them configured. However, if we still forward the emails to upstream mailbox providers. Starting on July 3, 2025, we will require all emails to be authenticated using at least one of the protocols, SPF or DKIM, to -forward them. We alsostrongly recommend that all senders implement the DMARC protocol. +forward them. We also strongly recommend that all senders implement the DMARC protocol. If you are using a Worker with an Email trigger to receive email messages and forward them upstream, you will need to handle the case where the forward action may fail due to missing authentication on the incoming email. @@ -17,4 +17,4 @@ the forward action may fail due to missing authentication on the incoming email. SPAM has been a long-standing issue with email. By enforcing mail authentication, we will increase the efficiency of identifying abusive senders and blocking bad emails. If you're an email server delivering emails to large mailbox providers, it's likely you already usethese protocols; otherwise, please ensure -you have them properly configured. \ No newline at end of file +you have them properly configured. diff --git a/src/content/docs/email-routing/postmaster.mdx b/src/content/docs/email-routing/postmaster.mdx index 393b59a9c705d5d..bdaddc7a738dc2b 100644 --- a/src/content/docs/email-routing/postmaster.mdx +++ b/src/content/docs/email-routing/postmaster.mdx @@ -53,7 +53,7 @@ It is recommended that all senders implement the DMARC protocol in order to succ ### Mail authentication requirement -Starting on 2025-07-03, Cloudflare will require emails to either pass SPF verification or be correctly DKIM-signed to forward them. Having DMARC configured will also have a positive impact and is recommended. +Cloudflare requires emails to [pass some form of authentication](/changelog/email-routing/2025-06-30-mail-authentication/), either pass SPF verification or be correctly DKIM-signed to forward them. Having DMARC configured will also have a positive impact and is recommended. ### IPv6 support