This doesn’t seem like a real fix for the issue. This brings the number of spoofable sites way down from all MC users to just those who send mail through CF. But it is still a big vulnerability.
For any domain that is using mailchannels through cloudflare, you can see what region they are using. And you can continue to spoof them. You just have to do it from the same region.
And this is terrible positioning from Cloudflare’s POV. Why would anyone send email through a CF worker since it requires advertising through a public record (DNS) that is by design accessible/scrapable by bots that you are using an insecure service. It’s like asking people to spoof you.
I don’t get why CF doesn’t do something more sensible, like limit sender addresses to domains that are already set up in the cloudflare account where the worker was created. Basically every other provider does this.
For any domain that is using mailchannels through cloudflare, you can see what region they are using. And you can continue to spoof them. You just have to do it from the same region.
And this is terrible positioning from Cloudflare’s POV. Why would anyone send email through a CF worker since it requires advertising through a public record (DNS) that is by design accessible/scrapable by bots that you are using an insecure service. It’s like asking people to spoof you.
I don’t get why CF doesn’t do something more sensible, like limit sender addresses to domains that are already set up in the cloudflare account where the worker was created. Basically every other provider does this.