Issue with Cloudflare Workers and Mailchannels - Unauthorized Sender Error

I've encountered an issue with my contact form implementation using Cloudflare Workers and Mailchannels. The system was functioning correctly until Cloudflare added extra protections, which seem to have disrupted the process. The error message I'm receiving is:
{"errors":["Failed to send email: 550 5.7.1 This sender is not authorized to send from co-medic.com. See https://bit.ly/domain-lockdown. cfid=co-medic.com"]}
To resolve this, I've added a TXT record: _mailchannels.co-medic.com with the content v=mc1 cfid=co-medic.com. However, the error persists. I also tried with the domain of my worker: v=mc1 cfid=co-medic-email.meals-app.workers.dev, but this didn't resolve the issue either.

When I call my worker directly in the online worker editing dashboard (screenshot 1), it does work. The problem arises only when the request passes via my front-end (screenshot 2).

You can check the _mailchannels record here: https://dnschecker.org/all-dns-records-of-domain.php?query=_mailchannels.co-medic.com&rtype=TXT&dns=google

Also, note that calling the worker directly in the front-end (instead of passing through /api/contact) results in CORS problems, so switching to calling the worker directly from the browser is also not an easy fix :/

I'm currently unsure of the next steps to take, as adding the cfid TXT record doesn't seem to resolve the issue. Any guidance would be greatly appreciated.
3 Replies
James 8mo ago
Not a direct solution to your issue, but I would recommend avoiding MailChannels and using some other service like Amazon SES, Sendgrid, Postmark, etc. There are a lot of security implications and their responses to the situation have been very undesirable. Further reading:
- https://github.com/byt3bl33d3r/SpamChannel
- https://byt3bl33d3r.substack.com/p/7fc21c89-4744-4a95-8095-cd080b498ded
- https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/byt3bl33d3r%20-%20SpamChannel%20Spoofing%20Emails%20From%202%20Million%20Domains%20and%20Virtually%20Becoming%20Satan.pdf
Mackenly 8mo ago
@stijn This wasn't clear to me in the docs at first but the TXT cfid should be your worker's zone. Reason being that the request is coming from your worker rather than domain. Yours should be:
_mailchannels.co-medic.com TXT "v=mc1 cfid=meals-app.workers.dev"
I found this post from the mailchannels guy somewhat helpful: https://community.cloudflare.com/t/this-week-mailchannels-will-enforce-domain-lockdown-on-legacy-workers-users/544874

Like James, I agree that it isn't worth the trouble. I had migrated one of my workers from sendgrid to mailchannels, then they switched to the new security controls (not complaining) and I just decided it wasn't worth it, so I reverted back to sendgrid. Plus I was getting some weird errors and wasn't enjoying the process.

TL;DR That TXT record should fix your issue.
stijn 8mo ago
@James thank you for the heads up! And interesting references, put on my TODO to change this. We're just a small startup tho, and really busy with other stuff, so for now I hoped I could do a quick fix.

@Mackenly Jones Tried again but sadly it didn't work. I tried meals-app.workers.dev, co-medic.com, co-medic-email.meals-app.workers.dev
{"errors":["Failed to send email: 550 5.7.1 This sender is not authorized to send from co-medic.com. See https://bit.ly/domain-lockdown. cfid=co-medic.com"]}
Spent too much time on this, going to leave it broken and just move to mailgun asap. Thanks guys!
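A way to check the record discussed in this thread offline, as an added example that is not code from any of the posters or from MailChannels: it reads the cfid out of the 550 rejection and compares it with the cfid values in the `_mailchannels` TXT data. The function names are hypothetical, and it assumes the cfid printed in the rejection is the identifier the record has to list and that a record is `v=mc1` followed by space-separated `cfid=` fields, as quoted above.

```javascript
// Added example, not from the thread. Sample strings are built from values quoted in it.

// Pull the sender domain and the cfid out of a MailChannels 550 5.7.1 rejection.
function parseLockdownError(message) {
  const m = /not authorized to send from (\S+?)\.\s.*?cfid=([^\s"\]]+)/.exec(message);
  return m ? { senderDomain: m[1].toLowerCase(), cfid: m[2].toLowerCase() } : null;
}

// Collect the cfid values of one _mailchannels TXT value; null if it is not a v=mc1 record.
function parseLockdownRecord(txt) {
  // Lookup tools show TXT data quoted and sometimes split into several strings.
  const fields = txt.replace(/"\s*"/g, "").replace(/"/g, "").trim().split(/\s+/);
  if (fields[0] !== "v=mc1") return null;
  return fields
    .slice(1)
    .filter((f) => f.toLowerCase().startsWith("cfid="))
    .map((f) => f.slice("cfid=".length).toLowerCase());
}

// Compare what the rejection reported with what the published records allow.
function diagnose(errorMessage, txtValues) {
  const err = parseLockdownError(errorMessage);
  if (!err) return { status: "not-a-lockdown-error" };
  const recordName = `_mailchannels.${err.senderDomain}`;
  const allowed = txtValues.map(parseLockdownRecord).filter(Boolean).flat();
  if (allowed.length === 0) return { status: "no-valid-record", recordName };
  const status = allowed.includes(err.cfid) ? "reported-cfid-listed" : "cfid-mismatch";
  return { status, recordName, reportedCfid: err.cfid, allowed };
}

// Constructed inputs: the error text from the thread and two candidate TXT values.
const SAMPLE_ERROR = "Failed to send email: 550 5.7.1 This sender is not authorized to send " +
  "from co-medic.com. See https://bit.ly/domain-lockdown. cfid=co-medic.com";
console.log(diagnose(SAMPLE_ERROR, ['"v=mc1 cfid=meals-app.workers.dev"']));
console.log(diagnose(SAMPLE_ERROR, ["v=mc1 cfid=co-medic.com"]));
```

Feed it the TXT strings your resolver actually returns for the record name it reports; a `reported-cfid-listed` result alongside a continuing 550 means the published value and the rejected identifier already agree on paper.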