Cloudflare Email Routing Fixed

TL;DR: Cloudflare needs to disable the IPv6 connectivity they use to communicate with the Gmail servers to stop Gmail from bouncing all routed email.

Don’t let Cloudflare support tell you that email routing to Gmail addresses failing is your fault. Support tried to brush me off and tell me that the problem was a result of me not “turning off the sender verification in your destination mail server for any forwarded recipient domains”. I detailed the whole thing in my last post here. After 30 days had passed with no further word from support I had had enough and took to Twitter to tweet at the Cloudflare leaders. I spend very little time on Twitter since the new ownership took over, but since Cloudflare never seems to reply on Mastodon there seemed to be no choice. Well, that finally got some movement on my ticket and I heard from a Cloudflare support person.

Previously I had no luck routing email to another email service, all mail still bounced, but I had been wanting to try ProtonMail for a while so I decided this might be a good opportunity to do so. After setting up my account with them I set up the ProtonMail address as a confirmed destination address, moved the email routing on Cloudflare away from ImprovMX, and sent a test email to my lgr.ca email address. To my surprise it worked! Cloudflare email routing was able to route my email to another email provider with no problem, so I thought I would try to send that email to my Gmail account. Unfortunately routing that email to Gmail still bounced no matter what account I sent my test emails from.

This was now in the hands of Cloudflare support, and they finally came through. After working with them, and even doing a redirect to one of their Gmail addresses, they finally admitted that the problem was a result of something they were doing and had a fix. Why they could not set this up and find the problem themselves, without me having to route an email address I did not really use to them, is still a bit of a mystery to me, but the end result is that this is fixable.

It appears the whole problem with Gmail bouncing ALL email from Cloudflare routing is a result of Cloudflare using IPv6 to communicate with Gmail. Once they disabled IPv6 all email was able to be forwarded to Gmail. I have since been able to forward all my email to Gmail again and once again all seems to be working.

The Engineering team asked me to run another test after disabling IPv6 that we used to communicate to Gmail server. Based on the test that I just did, I can see that the email can go through my Gmail test inbox as follows:

I don’t know if Cloudflare has made this fix for everyone, but I can tell you that since they made this change all my email has been able to be routed to Gmail and only the spam that should be refused by Gmail is being refused.

Congrats to Cloudflare support for finally getting to the bottom of this. I hope that people submitting community and support tickets for Gmail bouncing all routed email actually get fixes from Cloudflare now instead of being brushed off.

Cloudflare Email Routing Broken

TL;DR: Cloudflare email routing and support sucks, move your email forwarding to ImprovMX.

One of the problems with hosting your website on a service like DigitalOcean is the fact that they don’t offer email. If you want an email address associated with your domain you have to go elsewhere. For many years that was not a problem: you could get a free Google Workspace account and have all the email accounts you needed, and then of course Google stopped allowing free Workspace accounts. But there were other options. Mailgun worked well for a while, then they stopped offering the email forwarding service. Not long after Mailgun stopped letting people route email through them, Cloudflare came out with Email Routing.

Cloudflare Email Routing seemed perfect! You could easily set up the DNS records on your Cloudflare dashboard, set up email addresses to forward that email to, and it meant you did not need another service to manage your email routing. It seemed perfect, until it wasn’t. I was happy to move the email routing for lgr.ca to Cloudflare, until roughly two weeks ago when I discovered all email sent to my lgr.ca email addresses was being rejected by Gmail.

The specific error I could find in the Cloudflare Email Routing log was:

521 5.3.0 Upstream error, please check https://developers.cloudflare.com/email-routing/postmaster for possible reasons why.

Cloudflare Community Support

Searching Cloudflare Community support shows 26 results for 521 5.3.0 Upstream error. I went through all 26 of those posts looking for an answer. The common theme in the majority of those posts is there is no fix for this. There were four posts that had slightly more information or possible fixes.

Turn it off and on again fix
I kid you not. This fix could be straight out of the IT Crowd. Here is the short version.

I’ve disabled routing, including clearing MX records. I waited a few minutes, reactivated it and it worked.

In any case, I would like to know what happened so that it happens again.

Thank you all.

I tried this for my domain and had no luck. All emails continued to fail with the 521 error.

Emails being rejected with valid domain (google dot com)
This community post suggests that this is a problem specifically with Google (Gmail). It might be; I tried routing email to another email address that was not Gmail and it also failed. I do not have an Outlook email address and, well, I could not be bothered to set one up to test. Even if it works with an Outlook email address this is not really a fix, it is merely an attempt to work around the problem that exists. If the problem is Google (Gmail) perhaps Cloudflare needs to work with them to find a way to make it work. After all, how many people use Gmail as their primary email provider?

Emails bouncing when using Cloudflare Email forwarding
This is by far the most common type of community support post I found on my search. Simply, Cloudflare email routing does not work, and there is no reply from Cloudflare that will make it work. There is one more reply that I will touch on from the Community support board but it relates to what I did next.

Cloudflare Support Ticket

The lgr.ca domain having this problem is on a Cloudflare Pro plan, which includes ticket support, so I thought I would just put in a support ticket. In the past Cloudflare ticket support has been helpful and usually pretty quick. I thought that by adding a support ticket surely I would get some help, so I put in a ticket and waited for a reply. There were other issues along the way waiting for a reply, but here is the short version of my support ticket.

The ticket was submitted on February 28th, 2023. I did not get a reply from anyone at Cloudflare support until March 10th. Now I understand that Pro plan customers don’t get priority support, but 10 days to even reply? The 10 day wait aside, surely the support ticket response would have a fix for my problem. Sadly, it did not. In fact this brings me back to the other community support post that I left out above. First, here is the support ticket reply.

Hi there,

Apologies for the delay in getting back to you.

The below community thread may be useful to resolve the issue you are facing.
https://community.cloudflare.com/t/email-routing-521-5-3-0-upstream-error/422198

I hope this helps. Please let us know if you have any further questions or issues by replying to this e-mail or ticket.

Kind regards,

Think about this: the Cloudflare support solution is to send me to a community support post, which is not even from an official Cloudflare support person, and which says:

Turn off the sender verification in your destination mailserver for any forwarded recipient domains.

First off, how is that even a fix? It does not say how to turn off sender verification on any mail server. It does not link to any other information about how to do this. This might be helpful for people that run their own mail servers, although it sounds more like a spam nightmare if you turn off sender verification on your email server. Google searching for how to turn off sender verification on a Gmail account shows very few helpful results. This apparently is the best reply that Cloudflare support can send to a customer after waiting 10 days for a reply. To say I was unimpressed is being nice.

My ticket is still open. I replied the same day I got that reply. It has now been 18 days since my ticket was opened and it sits there, apparently being ignored by Cloudflare support with no further replies from them.

Cloudflare Email Routing Fix

The only fix that appears to work for Cloudflare email routing not working is simply to leave Cloudflare email routing. I had to move my email routing for this domain to ImprovMX and I highly recommend them so far. Looking at the logs of my forwarded email on ImprovMX also tells me that the suggested fix of turning off sender verification on Gmail is not the solution. The ImprovMX logs show that sender verification is still happening on Gmail and many spam emails are being prevented from showing up in my inbox. If I had gone ahead and actually found a way to turn off sender verification on my Gmail account I can only imagine the spam that I would have opened my inbox up to.

Closing Thoughts

Cloudflare has really dropped the ball on this. Email routing is a product many people need and it is convenient that Cloudflare offers it, but here is the most important thing. IT NEEDS TO WORK! With no answers on the Community support section being the norm for this issue, and support tickets taking 10 plus days before being replied to with no real solutions, it is no surprise that there are people that leave Cloudflare completely. When the best answer support can give is to pass the buck to the forwarding email server, and it can be clearly shown using another service that this is not the case, Cloudflare needs to step up their support of this product OR retire it, because their lousy support when it does not work just makes them look dumb.

In short, you need to do better, Cloudflare.

Backblaze B2 to Cloudflare Using Page Rules

Two companies I really like are Backblaze and Cloudflare. I have trusted Backblaze for years with my personal computer backup and I have been a long time customer of Cloudflare since 2011 at least. Both companies are part of the bandwidth alliance, meaning you don’t have to worry about bandwidth fees when you are transferring data between a Backblaze B2 bucket and Cloudflare if you set up the Backblaze B2 bucket to run through Cloudflare. Backblaze even gives you a tutorial on how to set it all up, except that is not the tutorial I followed years ago using page rules.

I understand that things change and people might want to host their CDN data on a private Backblaze B2 bucket, but it is interesting to me that they replaced an easy to use tutorial on how to use Backblaze B2 with the Cloudflare CDN using page rules with a much more complicated tutorial involving Cloudflare Workers. This is the opposite of a user friendly option. If you are a developer, sure, but the page rule tutorial was much simpler and was easy for the average user to set up. I would not even think of sending a client to try and follow the new tutorial.

If you are looking for the old Using Backblaze B2 with the Cloudflare CDN with Page Rules tutorial I have found the Wayback Machine copy here. It is much easier to set up, and while it does require a public Backblaze B2 bucket, if you are making this content available over the Internet do you really need to make it a private bucket?

Things don’t always have to be made more complicated to work. I have to admit I am a little disappointed in both Backblaze and Cloudflare for removing a good solid easy to use tutorial in favour of a more complicated one.

Cloudflare Location Check

Recently I had a client come to me with a very interesting problem. They have multiple web servers running behind a Cloudflare load balancer, and the majority of requests flow through the load balancer and are directed properly. However, there were still a number of requests that would make it straight to the origin IPs. The majority of those requests were attempts at common WordPress exploits or simply plugin scanning looking for vulnerable plugins. If those requests had properly gone through Cloudflare they would have been dealt with by the Cloudflare firewall, but by using the origin IP address directly these bad actors were able to bypass that layer of security.

Thankfully Cloudflare has a way to check whether the request actually passed through Cloudflare, if the website has turned on Cloudflare IP Geolocation. That service automatically adds the visitor’s country code to every request it proxies to the origin web server, in the CF-IPCountry request header. If you want to know more about Cloudflare IP Geolocation check out their support document.

The logic is pretty simple: if the request does not have the CF-IPCountry request header then the request did not pass through Cloudflare (and the Cloudflare Firewall), so redirect the request back to the fully qualified domain name.

/**
 * Cloudflare Location Check
 *
 * Checks for the Cloudflare location header. This is only there if the visitor has come through Cloudflare.
 * If the request does not have this it is direct access and should be redirected to the host name.
 */
function lgr_cflocation_check() {
    // The country header is added by Cloudflare. If it is not there then this is direct IP access and needs to be redirected.
    // empty() avoids an "undefined index" notice when the header is absent.
    if ( empty( $_SERVER['HTTP_CF_IPCOUNTRY'] ) ) {
        // Send them to the full URL, which goes through Cloudflare and will add the header.
        header( 'Location: ' . home_url() . $_SERVER['REQUEST_URI'] );
        exit;
    }
}
add_action( 'init', 'lgr_cflocation_check' );

If you are having problems with direct access to your website through the IP address this might help you.
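A hardened variant of the check above, as an added example that is not the original post’s code: it treats the CF-IPCountry header as a hint only, because any client that reaches the origin IP directly can send that header itself, and additionally requires the connecting address (REMOTE_ADDR) to fall inside a configured list of proxy ranges. The function names are my own, and the two sample ranges are constructed documentation addresses; fill the list from Cloudflare’s published IP ranges at https://www.cloudflare.com/ips/.

```php
<?php
/**
 * Hardened Cloudflare location check (added example, not the original snippet).
 *
 * The CF-IPCountry header alone is weak evidence: a client connecting straight
 * to the origin IP can add that header itself. The stronger signal is whether
 * the TCP connection comes from one of the proxy's own addresses, which the
 * web server reports in REMOTE_ADDR. Both conditions are required here.
 */

// CIDR ranges allowed to front the origin. These two entries are constructed
// sample values (RFC 5737 / RFC 3849 documentation ranges) so the code reads
// and runs offline; replace them with the list published at
// https://www.cloudflare.com/ips/ and keep that list current.
const LGR_TRUSTED_PROXY_CIDRS = array(
    '192.0.2.0/24',
    '2001:db8::/32',
);

/**
 * Return true if $ip (textual IPv4 or IPv6) lies inside $cidr.
 * inet_pton() gives packed bytes for both families, so one bitwise
 * prefix comparison covers IPv4 and IPv6 alike.
 */
function lgr_ip_in_cidr( $ip, $cidr ) {
    list( $network, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, null );
    $ip_bin  = @inet_pton( $ip );
    $net_bin = @inet_pton( $network );
    if ( $ip_bin === false || $net_bin === false || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
        return false; // malformed input, or mixed address families
    }
    $max_bits = strlen( $ip_bin ) * 8;
    $bits     = ( $bits === null ) ? $max_bits : (int) $bits;
    if ( $bits < 0 || $bits > $max_bits ) {
        return false;
    }
    // Compare the whole prefix bytes first, then the partial byte (if any).
    $full_bytes = intdiv( $bits, 8 );
    if ( substr( $ip_bin, 0, $full_bytes ) !== substr( $net_bin, 0, $full_bytes ) ) {
        return false;
    }
    $rem = $bits % 8;
    if ( $rem === 0 ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ip_bin[ $full_bytes ] ) & $mask ) === ( ord( $net_bin[ $full_bytes ] ) & $mask );
}

/**
 * Decide whether a request genuinely arrived through the proxy layer:
 * the connection must come from a trusted range AND the geolocation
 * header that Cloudflare adds must be present.
 */
function lgr_request_came_via_cloudflare( $remote_addr, $server_vars, $cidrs = LGR_TRUSTED_PROXY_CIDRS ) {
    if ( empty( $server_vars['HTTP_CF_IPCOUNTRY'] ) ) {
        return false;
    }
    foreach ( $cidrs as $cidr ) {
        if ( lgr_ip_in_cidr( $remote_addr, $cidr ) ) {
            return true;
        }
    }
    return false;
}

/**
 * WordPress hook: redirect direct-to-origin requests back through the domain,
 * and log the event so bypass attempts show up in the server's error log.
 */
function lgr_cflocation_check_hardened() {
    if ( ! lgr_request_came_via_cloudflare( $_SERVER['REMOTE_ADDR'], $_SERVER ) ) {
        error_log( 'direct-to-origin request from ' . $_SERVER['REMOTE_ADDR'] . ' for ' . $_SERVER['REQUEST_URI'] );
        wp_safe_redirect( home_url( $_SERVER['REQUEST_URI'] ), 302 );
        exit;
    }
}
add_action( 'init', 'lgr_cflocation_check_hardened' );
```

Application-level checks like this are a second line of defence; restricting the origin’s firewall to the published proxy ranges (and, on plans that offer it, Cloudflare’s Authenticated Origin Pulls) stops the direct hits before they reach PHP at all.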

ClassicPress Compatible with Cloudflare Automatic Platform Optimization

I am a big fan of Cloudflare, if you had not known that from my previous posts on them. On Friday, October 10, 2020, during their Birthday Week celebration announcements, they released a new feature called Automatic Platform Optimization. This new feature is targeted specifically at WordPress users, which is understandable: WordPress websites account for roughly 30% of the world’s websites.

While I am no longer a big fan or user of WordPress, for many reasons, there is good news about this new feature from Cloudflare for ClassicPress users. The Cloudflare WordPress plugin is compatible with ClassicPress and this new feature works perfectly with ClassicPress 1.2.0.

This is not entirely surprising considering that ClassicPress is forked from WordPress 4.9, but it is good news for those of us that use ClassicPress to know that we too can just use this new CloudFlare feature simply by turning it on if you have the CloudFlare plugin installed. If you already have a paid Cloudflare account it will be included in your plan. Free Cloudflare users will need to pay $5.00/month for the new feature.

How well does Automatic Platform Optimization work? It has only been a few days but in my testing I have seen considerable speed increase for my ClassicPress websites on Cloudflare. The time to first byte is considerably faster offering a faster response time for users around the globe.

If you are already a ClassicPress user with a Cloudflare paid plan I highly suggest you give this feature a try. If you are a Cloudflare free user, this one new feature from Cloudflare is a good reason to either subscribe to a paid plan or pay just for the Automatic Platform Optimization feature. Your users will notice a difference very quickly.

CloudGuard

It was not long ago that I was looking for a way to block visitors from some countries on some of my clients’ websites. The sites really only needed to be accessible from North America and did not need to be exposed to the extra visitors, bandwidth and possible hackers that might just want to hack their websites for fun. Since I set up all my clients with CloudFlare, it is now possible to turn on IP Geolocation in CloudFlare to know what country users are from, but unless you are an enterprise customer with CloudFlare you cannot outright block a whole country.

I had been using a simple PHP function on my customers’ websites to look for the CloudFlare IP Geolocation header and, if the visitor was from a country that was not allowed, block them, but I had never gotten around to turning it into a full blown WordPress plugin. Now thanks to CloudGuard I can retire my quick test and use their plugin to only allow visitors from the countries we want to be able to access a website.

Using CloudGuard you can simply whitelist the countries you want to be able to login to the website and know that the rest will be blocked. You even get a nice map showing you the countries that have been blocked.

The plugin has cut down on the number of hacking attempts on WordPress considerably and it is very easy to use if you are a CloudFlare user; even free users are able to use it. It is just a matter of turning on IP Geolocation in CloudFlare so CloudGuard can read the location header that CloudFlare adds to a visitor’s request when they visit your website. The only feature that might be nice to have on CloudGuard would be the ability to block people not just from the login but from the whole website altogether.

If you want to cut down on the number of hacking attempts and limit access to your WordPress login to a country or two, and are a CloudFlare user as well, I suggest you give CloudGuard a try. It has been a great help since I installed it on clients’ websites.

Download it at the WordPress plugin repository.

Spam, Spam and More Spam

Some WordPress Spam

As long as there has been the ability to leave comments on websites there has been spam. I recall creating a guestbook for a client once and even though the guestbook used a captcha it did not take long before it started to become overwhelmed with spammy comments. Fighting spam has become so difficult in fact that it can start to distract you from what you need to be focused on with your website in the first place, creating good content, attracting leads and making sales. If spam has become a constant battle with your WordPress website here are some ideas and tools that might help turn the tide on the battle.

Turn Off Comments

Depending on the purpose of your website you might not need or want comments in the first place. By turning comments off altogether your spam problem can be virtually eliminated overnight. Even if you run a popular blog you can still turn off comments, much like Copyblogger did last year. If you do turn off comments altogether you might also want to add a redirect on the WordPress wp-comments-post.php file. Many spammers simply post to that WordPress file and never actually visit your website. By redirecting it using .htaccess or some other redirect you can simply send the spammer off to some location where they will do no harm.

Use Another Commenting System

There are several other commenting systems available that can help cut down on the amount of spam you receive. Services like Disqus, Facebook Comments and IntenseDebate all offer the ability to host comments for you. Depending on your needs they might be just what you are looking for. They certainly can help in reducing the amount of spam your comments receive.

Use an Anti-Spam Plugin

If you do decide to keep comments on your website making sure you use a decent anti-spam plugin is essential. Many people will simply tell you to use Akismet, and while I would say Akismet is certainly a good plugin, if your website uses any ads or is for any kind of commercial use AT ALL then you should honestly stay away from Akismet unless your website has grown to the point of being able to earn enough money to be able to afford the Akismet monthly rates.

Thankfully Akismet is not the only anti-spam plugin available. Some of the more popular plugins include Anti-Spam, WP-SpamShield Anti-Spam and one I have been testing on some sites, Spam Destroyer. There are even some that use Google’s new “No Captcha reCaptcha” like this plugin Google’s No Captcha reCaptcha.

Use Cloudflare

One of the best ways to keep spam off your website is to not let it get to your website in the first place. Some people dislike Cloudflare but it can help a great deal in reducing the automated spam from bots. You can even create a special page rule to protect the wp-comments-post.php file to increase the checks done on the people and bots trying to post a comment. This can make it much easier to keep the bots away, even if it just makes it a little slower to try and post a comment to your website.

What is your favourite anti-spam technique on your website?

Use CloudFlare Page Rules to Protect WordPress from Brute Force Attacks

I have talked about CloudFlare before and there are many reasons why you should use them, from helping to speed up your website to making it easy to monetize your website using Viglink. If none of those reasons convinced you why you should use CloudFlare perhaps this one reason alone will help convince you. You can use CloudFlare page rules to protect your WordPress powered website!

One of the great things CloudFlare has introduced is page rules. You can define a page rule to apply different rules from the rest of your website. To help protect your WordPress website from a brute force attack, where an automated bot usually hits your wp-login.php page again and again and again trying to get entry, you can simply create a page rule in CloudFlare to protect the page. This can slow and often stop the brute force attack, because the bots will either be stopped dead by the CloudFlare check or slowed down so much that it will take them much longer to actually try to login.

Free accounts with CloudFlare only get three page rules, and you will need two of them to protect your wp-login file. You might be able to get this down to one if you do some .htaccess redirects, but to keep it simple let’s stick with the two CloudFlare page rules. The two page rule URL patterns I have been using for the WordPress login page are:

example.com/wp-login.*
*.example.com/wp-login.*

You have to enter each one separately but it is much easier than trying to do this through .htaccess. The important part after you have added a page rule URL match is in your rules make sure you turn the Security and Browser Integrity to ON and set the Security Level to Help, I’m Under Attack.

This will cause CloudFlare to closely inspect every visit to your wp-login.php page. This will also slow you down when you go to login to your website unless you whitelist your IP address with CloudFlare. Then you will bypass this and be sent straight to the login.

This will not totally protect your WordPress website but it will provide an extra layer of protection from brute force attacks. It is still important to use strong passwords, keep your WordPress install up to date and you can try some plugins that limit the number of login attempts.

WordPress Brute Force Attack

There have been reports that a distributed attack is going on trying to brute force WordPress websites. If you run a WordPress website you should be aware that your site might come under attack. I have noticed one site that is managed by me come under attack in the last 24 hours and it has caused some higher than normal server loads.

From everything I have read and seen so far the attack attempts to brute force the WordPress login using only the admin username and random passwords but the attack uses a LARGE number of IP addresses and floods the WordPress site with attempts.

The good news is this attack seems to only try to brute force the admin user name. If you have removed the admin user name from your WordPress website they will obviously not be able to brute force an account that does not exist. You should also remember to use strong passwords, and if you are up to doing some editing of your .htaccess file you can help protect your wp-login and wp-admin. Hostgator has a good tutorial on how to protect your wp-login.php file if you are interested.

If you have signed up for Cloudflare you will also have an extra layer of security from this attack. They have pushed out a rule to all customers (including free customers) that will stop the attack from hitting your WordPress website. Just another great reason to use Cloudflare.

You can read more about this attack on: Sucuri Blog, Hostgator Blog and the Cloudflare blog.

If you suspect your website has been affected by this latest brute force attack and you need a hand cleaning things up or protecting your site drop me a note and I will be able to help keep your site up.

The Need For Speed

I have talked about different methods to speed up your website in the past. Enabling GZip, using external files for CSS and Javascript and signing up for Cloudflare are all great methods to help speed up your website. It is becoming more important all the time in the eyes of search engines (particularly Google) how fast your website loads. The reality is the faster your website is the better it is for your visitors and the more likely it is that your search engine position will improve. Today I wanted to talk about some other methods you can use to improve the speed of your website.

Move Servers – The reality is most shared server plans that you get from web hosts like Hostgator, Dreamhost or whatever your favourite web host is have hundreds of websites hosted on them. If you want to speed up your website one of the best things you can do is move up to a virtual private server (VPS) or a dedicated server. This gives your website more resources so it can respond faster to requests. This does present a higher level of technical knowledge though and it might not be cost effective for some people. It will most certainly speed up your website.

Cloud Hosting – There is a new form of web hosting that can help speed up your website without the technical barrier of a virtual private server or dedicated server but still offer a significant speed increase. Cloud web hosting has become popular and there are several reliable companies that offer this type of hosting. The idea is that instead of having a single server you rent space on many servers, thus improving processing and availability of your website on the Internet. Media Temple is one of the better known companies but there are others now offering this type of web hosting, including GoDaddy. Cloud hosting can improve your website speed at a lower cost than getting your own VPS or dedicated server and still be more user friendly to use and set up.

Content Delivery Network – If you don’t like the idea of moving servers from your shared hosting, another option to speed up your website is a content delivery network, also known as a CDN. A content delivery network might sound complicated, but really it is not very difficult to understand. They help to speed up your website by caching frequently used content like CSS, Javascript and images on geographically distributed servers. This helps to load those parts of your website faster by delivering the content to the visitor from the server that is closest to them. A CDN can make a significant improvement in the speed of your website and they are fairly easy to set up. If your website is powered by WordPress you can use the W3 Total Cache plugin to help set up your CDN. Price wise it is considerably less expensive than the other methods mentioned here. Personally I use MaxCDN but there are many good CDN companies available.

House Cleaning – If you want to speed up your website and not spend any money one of the best methods is to clean up your website. All of the extra widgets from Facebook and Twitter tend to slow down websites. Change the like box from Facebook to a simple icon that links to your Facebook page and you could easily speed up your website.

Making sure you use smaller versions of your images instead of the full size ones can also make a large improvement in speed. You might also want to look at a service like SmushIt to help compress images to speed them up. If you are also loading images regularly from Flickr or some other website in your WordPress powered website you might want to look at a plugin like Add Linked Images To Gallery or Cache Images to save a local copy to your media gallery and serve it from your own website.

Making sure you have combined all your Javascript and CSS into external files can also help to speed up your website.

Use Cloudflare. It is free after all and gives you many of the benefits that help speed up your website. Not only will it help to speed up your website, it will help protect your website as well. It is a fantastic service and I have been very pleased with how it has helped speed up a number of my own websites and helped to protect them.

The faster your website loads the happier your visitors will be. It can also help improve your website’s position in the search results and ultimately help to improve your online presence. If you want an excellent tool to help check your website’s speed you should check out Pingdom Tools and the Google Online Speed Test. Both will give you an idea of how fast or slow your website is and give you ideas where you can improve.

What other tips can you offer to help people speed up their website?