Cloudflare has quietly raised the bar on email authentication for its users. As of early July, the company began enforcing a new requirement for its Email Routing service: forwarded messages must pass either SPF or DKIM authentication, or they risk being dropped. While not mandating DMARC, Cloudflare now explicitly recommends its use, bringing its policies a little closer in line with major mailbox providers.
A Quiet But Critical Shift
Cloudflare’s updated postmaster documentation (last revised on 21 July 2025) now states that only messages authenticated via SPF or DKIM will be forwarded. Messages that fail both checks are no longer delivered.
South African security vendor Sendmarc, citing Cloudflare’s policy change in a 9 July 2025 blog post, noted that the requirement was introduced in June and formally enforced as of 3 July 2025. Cloudflare’s guidance encourages senders to configure DMARC to monitor and control message forwarding behaviours, despite it not being a hard requirement.
The Broader Context
This move addresses a long-standing flaw in email forwarding: it often breaks authentication. For instance, SPF validation typically fails when emails are forwarded by an intermediary service, while DKIM signatures may be invalidated by header modifications.
Cloudflare’s new requirement acts as a forcing function: senders must properly authenticate their email if they want it to reach recipients via Cloudflare’s infrastructure.
The decision follows the lead of Google, Microsoft, Yahoo, and other mailbox providers who have in recent years toughened their stance on unauthenticated mail. The new forwarding rule also indirectly accelerates DMARC adoption, a trend security vendors and standards advocates have long supported.
Implementation Checklist
Organisations using Cloudflare’s Email Routing services should immediately verify that:
- All sender domains have valid SPF records listing the correct sending IPs
- Outbound email is DKIM-signed, with public keys published in DNS
- A DMARC record is published—even if only in monitoring mode (p=none)—to gain visibility
- Forwarding configurations are tested to confirm authentication survives transit
- Internal stakeholders are informed that unauthenticated mail will no longer be forwarded
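The first three checklist items can be linted offline before any mail is sent. The sketch below is an added example, not Cloudflare's or Sendmarc's code: it checks the syntax of SPF, DKIM and DMARC TXT records and does not confirm that the listed sending IPs are the right ones. The domains, the selector `sel1`, the key placeholder and all record values are constructed assumptions.

```python
# Added example: offline lint of SPF, DKIM and DMARC TXT records.
# Every record below is constructed; "sel1" is a hypothetical DKIM selector.

def parse_tags(txt):
    """Parse the 'k=v; k=v' syntax shared by DKIM key and DMARC records."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txts):
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: more than one record is a permerror
        return ["no SPF record" if not spf else "multiple SPF records (permerror)"]
    terms = spf[0].lower().split()[1:]
    issues = []
    if not any(t.lstrip("+-~?") == "all" or t.startswith("redirect=") for t in terms):
        issues.append("SPF has no 'all' mechanism or redirect")
    if "+all" in terms or "all" in terms:
        issues.append("SPF authorises every sender (+all)")
    return issues

def check_dkim(txts):
    keys = [tags for tags in map(parse_tags, txts) if "p" in tags]
    if not keys:
        return ["no DKIM key record"]
    return [] if keys[0]["p"] else ["DKIM key revoked (empty p=)"]

def check_dmarc(txts):
    recs = [t for t in txts if t.strip().startswith("v=DMARC1")]
    if len(recs) != 1:
        return ["no DMARC record" if not recs else "multiple DMARC records"]
    if parse_tags(recs[0]).get("p") not in ("none", "quarantine", "reject"):
        return ["DMARC p= missing or invalid"]
    return []  # p=none (monitoring mode) is accepted

def audit(zone, domain, selector):
    """zone maps a DNS name to its list of already-joined TXT strings."""
    return {"spf": check_spf(zone.get(domain, [])),
            "dkim": check_dkim(zone.get(f"{selector}._domainkey.{domain}", [])),
            "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}", []))}

GOOD = {"example.com": ["v=spf1 ip4:192.0.2.10 -all"],
        "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
        "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]}
BAD = {"example.org": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 ~all"],
       "sel1._domainkey.example.org": ["v=DKIM1; p="],
       "_dmarc.example.org": ["v=DMARC1; rua=mailto:dmarc@example.org"]}

if __name__ == "__main__":
    for zone, domain in ((GOOD, "example.com"), (BAD, "example.org")):
        print(domain, audit(zone, domain, "sel1"))
```

To run it against a live domain, fill the `zone` dictionary from a resolver's TXT answers for the apex, `<selector>._domainkey.<domain>` and `_dmarc.<domain>` names.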
Timeline
- June 2025 – Cloudflare introduces SPF/DKIM requirement
- 3 July 2025 – Enforcement begins: only authenticated mail will be forwarded
- 21 July 2025 – Official documentation updated to reflect new policy and DMARC recommendation
Strategic Implications
While Cloudflare’s documentation update may appear minor, the operational impact is significant. It reflects an industry-wide consensus: email authentication is no longer optional.
Forwarding services, long a blind spot in authentication frameworks, are being brought into alignment with modern anti-abuse practices. Cloudflare’s decision will likely increase pressure on smaller providers to adopt similar standards, and on senders to bring their authentication policies up to spec.
Organisations failing to comply may find their messages silently discarded—without notice to the sender or recipient.






