Cloudflare now requires auth for email forwarding

As of July 3, 2025, Cloudflare is enforcing a new requirement for its Email Routing platform: Messages must be authenticated with either SPF or DKIM in order to be forwarded. Now, if a message doesn't pass SPF or isn't signed with DKIM, it's not getting forwarded.

Cloudflare explains that their rationale is simple: unauthenticated mail is often abuse-prone. These measures allow Cloudflare to reduce the amount of spam and scam messages that make it through its infrastructure. They're not the first to go this route, and they won't be the last.

Of note:

• If you're using Cloudflare Email Routing and your incoming mail isn't authenticated, forwarding will break.
• This includes use cases involving Cloudflare Workers that forward mail upstream.
• Messages only need to pass SPF or DKIM (both is great, but either/or is OK), and Cloudflare does strongly recommend DMARC.

While Cloudflare doesn't handle inbound mail for as many domains as Google or Microsoft, it is not insignificant. I see more than 30,000 domains (among the top 10 million MX data) that appear to point at Cloudflare's routing service. That gives this policy real-world impact.

And it's great to see Cloudflare join the MAGY (Microsoft, Apple, Gmail, Yahoo) party, where more and more handlers and forwarders of inbound mail are requiring email authentication.