[zfa]

Can someone with more knowledge on this subject explain if there's a technical reason Cloudflare can't 'properly' MITM the inbound email.

That is you have your MX records pointing to `mx.example.com` in your example.com zone config, and enable the Cloudflare proxying of it (usual orange cloud in the UI).

Now, once it's proxied, Cloudflare returns the IP of their mailserver instead of yours on public lookup, just as they do when returing the IP of a proxied webserver.

So this Cloudflare MX server gets your mail, and then as it knows your 'real' MX server it connects to that server and delivers it to you, maybe adding some header or other on the way.

I don't like the fact they use bog-standard forwarding as it necessitates messing with your SPF records, getting crazy forwarding headers and having to navigate ARC etc.

There just seems to be a cleverer way to do this than just do what everyone else does, and they're generally ahead of the curve technically. Must be something I'm missing.

[justsomehnguy]

> Cloudflare can't 'properly' MITM the inbound email.

Define 'properly'.

It's a bog-standard forwarding specifically because this is the only way to have to separate systems to operate.

Gmail doesn't know what `yourdomain.tld`[0] is yours and what if it receives anyhting to *@yourdomain.tld it should route it to yourmailboxname@gmail.com.

If you don't point yourdomain.tld MX records to Cloudflare then Cloudflare would never receive anything to @yourdomain.tld, because MX doesn't point at them.

[0] the only way to for it know that is to run some Google Business or whatever it called now, where you actually ... point yourdomain.tld MX records to Gmail and it would process them... but it would not deliver them to yourmailboxname@gmail.com!

BTW it would be absolutely the same idea if instead of Cloudflare you would use Google Business (again, whatsitsname). You would setup 'Send As' in yourmailboxname@gmail.com as a usual SMTP identity which would allow you to use Gmail interface to send from somename@yourdomain.tld, and similar you need some way to explain to Google/Gmail what all mails at *@yourdomain.tld should be forwarded to yourmailboxname@gmail.com.

[zfa]

Yeah, sorry I meant as a soln for when your backend MX actually is *your* backend MX. That is, it knows it hosts the mailbox for localpart@example.com and the mail recipient address matches on the envelope.

I understand the vagaries wrt forwarding to an acount of a different name and you're spot on there.

[ignoramous]

> That is you have your MX records pointing to `mx.example.com` in your example.com zone config, and enable the Cloudflare proxying of it (usual orange cloud in the UI).

Support for such use cases is imminent: https://blog.cloudflare.com/announcing-route-to-workers/

[zfa]

Interesting. I have a few bits and pieces on my Workspace domains to automate mail processing using Google Apps Script so will have to see if I can move that over to Cloudflare. Be nice to extend the functionality to non-GMail inboxes. Thanks for the heads up.

[robjan]

For that to work the destination server, in this case Gmail, would have to know to deliver mail addressed to me@domain.com into your Gmail mailbox. In this example it's a limitation on the Gmail side.

Domains and subdomains are handled by DNS which is why Cloudflare can E2E proxy them. Email mailboxes are handled by an application running on a server.

[zfa]

Sorry - just had to clarify elsewhere too so I obviously wasn't clear... I meant in situations where the backend MX has a mailbox which matches to mail recipient as in the case where you're running your own mail server and would like Cloudflare sat in fonrt of it just like they sit in front of your own webserver.

Obviously if there's any recipient address trranslation in play forwarding becomes necessary.