Email Workers auth requirement

Update docs mentioning that mail authentication will be required in the
near future to be able to forward email from CF.

Author: edevil

src/content/changelog/email-routing/2025-06-30-mail-authentication.mdx

@@ -0,0 +1,20 @@
+---
+title: Mail authentication requirements for Email Routing
+description: Emails will need to be authenticated either via SPF or DKIM in order to be forwarded.
+date: 2025-06-30T10:00:00Z
+---
+
+The Email Routing platform supports [SPF](https://datatracker.ietf.org/doc/html/rfc7208) records and [DKIM (DomainKeys Identified Mail)](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) signatures and
+honors these protocols when the sending domain has them configured. However, if the sending domain doesn't implement them,
+we still forward the emails to upstream mailbox providers.
+
+Starting on July 3, 2025, we will require all emails to be authenticated using at least one of the protocols, SPF or DKIM, to
+forward them. We alsostrongly recommend that all senders implement the DMARC protocol.
+
+If you are using a Worker with an Email trigger to receive email messages and forward them upstream, you will need to handle the case where
+the forward action may fail due to missing authentication on the incoming email.
+
+SPAM has been a long-standing issue with email. By enforcing mail authentication, we will increase the efficiency of identifying abusive senders and blocking
+bad emails.
+If you're an email server delivering emails to large mailbox providers, it's likely you already usethese protocols; otherwise, please ensure
+you have them properly configured.

src/content/docs/email-routing/postmaster.mdx

@@ -49,6 +49,11 @@ dig TXT cf2024-1._domainkey.example.com +short
 ### DMARC enforcing
 
 Email Routing enforces Domain-based Message Authentication, Reporting & Conformance (DMARC). Depending on the sender's DMARC policy, Email Routing will reject emails when there is an authentication failure. Refer to [dmarc.org](https://dmarc.org/) for more information on this protocol.
+It is recommended that all senders implement the DMARC protocol in order to successfully deliver email to Cloudflare.
+
+### Mail authentication requirement
+
+Starting on 2025-07-03, Cloudflare will require emails to either pass SPF verification or be correctly DKIM-signed to forward them. Having DMARC configured will also have a positive impact and is recommended.
 
 ### IPv6 support
 
@@ -152,6 +157,7 @@ Email Routing uses an internal Domain Name System Blocklists (DNSBL) service to
 ```txt
 554 <YOUR_IP_ADDRESS> found on one or more RBLs (abusixip). Refer to https://developers.cloudflare.com/email-routing/postmaster/#spam-and-abusive-traffic/
 ```
+
 We update our RBLs regularly. You can use combined block list lookup services like [MxToolbox](https://mxtoolbox.com/blacklists.aspx) to check if your IP matches other RBLs. IP reputation blocks are usually temporary, but if you feel your IP should be removed immediately, please contact the RBL's maintainer mentioned in the SMTP error directly.
 
 ### Anti-spam
@@ -226,4 +232,4 @@ Email Routing does not support sending or replying from your Cloudflare domain.
 
 ### Signs such "`+`" and "`.`" are treated as normal characters for custom addresses
 
-Email Routing does not have advanced routing options. Characters such as `+` or `.`, which perform special actions in email providers like Gmail and Outlook, are currently treated as normal characters on custom addresses. More flexible routing options are in our roadmap.
+Email Routing does not have advanced routing options. Characters such as `+` or `.`, which perform special actions in email providers like Gmail and Outlook, are currently treated as normal characters on custom addresses. More flexible routing options are in our roadmap.