"Be careful with this message"
Greetings everyone! (Thanks to Cloudflare for offering such a generous freebie for email routing). I've set up everything, but my new email isn't fully authenticated and there are quite a few red flags here (see Img.)
As a result, all incoming emails end up in the spam folder. I've read several community posts about DKIM config and even tried my hand at it, but none of it seems to add up.
I could definitely use some guidance on how to set up DKIM and all those extras properly. Thanks for all your support!
12 Replies
Howdy! Could you share the affected email's DKIM header (DKIM-Signature) or state if it is missing, and share the DNS records that you have put in place for DKIM?
hey, thanks for reaching out! I'm not sure if I'm sharing the right values here. I learned there was a tool called https://easydmarc.com/tools/dkim-record-generator so I used it to get a new DKIM record for my email address.
if you could tell me where to find this DKIM header (DKIM-Signature), I'd be happy to assist you in helping me :)
here are the results from https://www.learndmarc.com/
DKIM-Signature is available in the headers of any email that your system has sent, so if you can, send a test email to yourself and look at the email headers when it has arrived in your inbox. E.g. with Gmail, these are in the three dots menu under "Show original".
For the DNS records, if you could share what DNS domain we're talking about, I could check, but for that I would need to know the DKIM "Selector" value for this as well. If you don't want to discuss this publicly, you can send me a private message.
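An added example, not part of the original replies: a Python sketch that reads the `d=` (domain) and `s=` (selector) tags from each DKIM-Signature header of a raw message and derives the DNS TXT name where the matching public key is looked up (`<selector>._domainkey.<domain>`, per RFC 6376). The sample message, `example.com` and the selector `s1` are constructed placeholders.

```python
import email

# Constructed sample, shaped like Gmail's "Show original" output.
RAW_MESSAGE = (
    "Received: from mail.example.com by mx.example.net; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "\td=example.com; s=s1; h=from:to:subject;\n"
    "\tbh=Zm9v; b=YmFy\n"
    "From: sender@example.com\n"
    "To: me@example.net\n"
    "Subject: DKIM test\n"
    "\n"
    "test body\n"
)


def parse_tag_list(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if not sep:
            continue  # empty trailing segment or malformed tag
        # Headers are folded across lines; drop the folding whitespace.
        tags[name.strip()] = "".join(val.split())
    return tags


def dkim_lookups(raw_message):
    """Return one entry per DKIM-Signature header; an empty list means unsigned."""
    msg = email.message_from_string(raw_message)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(value)
        domain, selector = tags.get("d"), tags.get("s")
        # Both tags are required to build the key lookup name.
        dns_name = f"{selector}._domainkey.{domain}" if domain and selector else None
        results.append({"domain": domain, "selector": selector, "dns_name": dns_name})
    return results


if __name__ == "__main__":
    found = dkim_lookups(RAW_MESSAGE)
    if not found:
        print("No DKIM-Signature header: the sending system is not signing mail.")
    for entry in found:
        print(f"d={entry['domain']} s={entry['selector']} -> TXT {entry['dns_name']}")
```

The resulting name is what to compare against the DKIM TXT record actually published in DNS; a selector in the header that does not match the published record name is a common reason for a DKIM failure.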
Hi there @mayo!! I hope this input finds you well & happy holidays!!
I too suffered the exact same issue, I posted about it in the general help, but no one ever responded.
HOWEVER, I’ve sort of found a solution.
So, the problem isn’t you at all.
When I set mine up, I did it before I enabled my Cloudflare Email Routes. I had a solid 100/100 on that exact test.
When I added the Cloudflare Email Routes, it still performed 100/100.
So— what exactly is the issue?
Apparently, Cloudflare is having minor issues & you may also be inclined/required to import your custom IPv4/IPv6.
I had Apple, Inc. & Google (who already is embedded in my DNS because they were threatening my newly registered domain with false claims) —Google too needed me to verify.
It appears, Google added a “GUID” SSL Certificate into my Cloudflare without my permission & Cloudflare blocked it.
So, I added Apple’s IP & Cloudflare’s IP into my Domain/DNS (I verified their hand-out DNS Record) & reinitiated my Mail Server’s IP —then all of a sudden —who knew… My messages now go back to inbox & then that GUID SSL enabled/verified itself somehow. Scary.
This isn’t a you problem. This is an update to the Cloudflare Routes “somewhere” & I’m unsure where.
My advice to you— go into your DNS, ensure you’re linking your correct Mail Server IP & All “Rule” like participants Parties (Google, Apple, Cloudflare, etc.) their requesting or injected DNS Permissions. This will solve your problem.
Have a great holiday! If you need any more help, feel free to @ me— my inbox is still standing strong (HOWEVER, the DMARC, SPF & DKIM STILL RESULTS TO “NONE” & “FAIL” (it is a Cloudflare Route issue)) —but, fret not. Your “Spam Score” is or should still be safe & valid!
That's a bunch of different topics in one message. It's worthwhile to split problems into individual tasks, e.g. fix routing first, fix spf, fix dkim, fix dmarc all separately. TLS encryption between mail transfer agents is yet another separate topic.
Here we're first trying to fix dkim and then look at dmarc.
Cloudflare does have DNS servers that can be used to configure SPF/DKIM/DMARC. Cloudflare does not have email sending services?
So with Cloudflare one apparently should use things like Google Workspace, Sendgrid, Mailgun or AWS SES or the likes for sending outbound email.
For sending email from Cloudflare Workers to previously verified email addresses such as your own, that is possible tho without external SMTP services.
Oh wow, one can also reply to incoming email from Workers: https://developers.cloudflare.com/email-routing/email-workers/reply-email-workers/
But it has a few restrictions, such as DMARC must be valid for the incoming email.
solid breakdown! thank you so much for that! this DKIM and SPF mess was taking me nowhere until someone told me about email delivery platforms. now I'm using Mailgun for sending emails, and although it's rate limited the free tier is as good as Cloudflare's. Don't think I need to go looking for anything more complex, for now. your message has a festive flair to it, love it! thank you and I wish you a very happy holidays as well! 🎄 ❄️ cc: @heze @Leo
@SciGineer
Idk… All my stuff passes. But, recently after I posted my message here it’s been acting really weird. I think I’m just gonna drop Cloudflare from my emailing. All my stuff comes back valid, but somewhere it’s acting weird. I’m really puzzled. It’s not because we’re “required” to use something like MailGun, because we’re not. So— I’m genuinely a little confused wtf is going on here. I got my Server & my Cloudflare & my Mail Server all linked together. Now, it’s saying it’s doing it because Cloudflare is generating a… Conflicting Event/Record? 🤦‍♂️
@mayo
@SciGineer I recommend you open a new post about your issues, so it will be easier to discuss your case even tho a bit similar to mayo's, you're talking about a bunch of different things.
@heze, I tried. It never got any responses… However, it is basically the exact same issue. I got everything to pass but still getting some minor errors. It seems to have been a duplicate SPF & they were having an authentication error. Seems like the way we send emails has been updated via requirements. We used to be able to send emails through PHP without needing to authenticate (least with my provider), but seems now I have to ensure a stable connection even though it’s a “localhost” —It’s so much freaking issues all snapped together like a billion damn Lego’s. I’m just waiting on propagation so I can see exactly what’s still broken & not.
I hate technology, stuff updates more than my heart beats. 💀
I didn't find your post, if you can link it, I can try answering there.
Generally speaking, these things usually either work all the time or do not work at all; there aren't configurations where e.g. DKIM sometimes passes and sometimes does not, with the same configuration everywhere. Of course e.g. DKIM might pass with one email sending service and fail with another if they're configured differently.
Also you seem to be disappointed in technology because you're trying to do something yourself that you don't have the necessary prerequisite skills for. You can try to learn and/or get it done with our help, but being negative about it doesn't really help in getting help from others. Also "acting weird", "minor errors", "authentication error", "issues" aren't very descriptive about the problems you are facing. Try to describe the actual problem in a bit more detail and it will be easier to help. Screenshots help a ton. Email headers help a ton. DNS records that you are using help a ton. If you don't want to publicly reveal these, ask if somebody could help in private with these details.