Features Pricing MSP
Documentation Learning Hub Blog
Sign in
← Blog
Last updated Jul 3, 2025

Cloudflare starts enforcing SPF and DKIM on forwarded emails

  • 2 min. read

Cloudflare has announced that starting 3 July 2025 new stricter requirements will apply to the authentication of emails going through the Email Routing platform.

Specifically, Cloudflare says that either SPF or DKIM must now be enabled:

Starting on July 3, 2025, we will require all emails to be authenticated using at least one of the protocols, SPF or DKIM, to forward them. We also strongly recommend that all senders implement the DMARC protocol.

These requirements apply to all users of the Email Routing product, which provides a way for users to have emails sent to a domain they own forwarded to other email addresses, usually external to the domain.

What’s changing

Cloudflare Email Routing already supported and enforced DMARC, meaning that if you had a policy of quarantine or reject it would honor it on incoming email before forwarding it.

The new announcement adds authentication requirements even if you don’t have DMARC set up or if the DMARC policy is set to none.

This means that while previously emails that didn’t pass SPF or DKIM verification would still be forwarded, now at least one of the two mechanisms is required to pass.

This change doesn’t affect the additional alignment checks that are performed by DMARC on both SPF and DKIM when it’s enabled.

What you should do

If you’re an email sender and want to avoid Cloudflare rejecting your emails, you should make sure that:

  • Your SPF configuration is valid (i.e. the IP addresses of your mail servers must be allowed by the SPF record).
  • Your email messages must be properly signed with a DKIM signature.

Additionally, Cloudflare now explicitly recommends to enable the DMARC protocol to ensure successful delivery of email to Cloudflare.

With DMARC, one of these two additional requirements must be satisfied:

  • The SPF domain (Envelope From) must be aligned with the sender domain (From).
  • The DKIM signature domain (d tag) must be aligned with the sender domain (From).

DMARC also gives you control on whether you want to enforce these checks or not, and most importantly lets you monitor your email flows to identify email authentication issues that could impact the delivery of the emails.

Struggling with email deliverability?

Test your email setup for free, then start monitoring SPF, DKIM and DMARC.

✅ Ensure your emails land in the inbox
🚀 Troubleshoot with a powerful dashboard
🧪 Run interactive diagnostics
📊 Monitor with weekly email digests

Create a free account
or

Learn more about DMARCwise