Skip to main content
DNS Settings

Fixing Destination Address Not Verified (Cloudflare Email Sending)

Tom Morton

Fixing the “Destination Address Not Verified” Error

If you use Cloudflare Workers to send emails and recently upgraded to the Paid Workers plan ($5/month), you might still see this error when trying to send to a new customer:

{"error": "Failed to process request", "debug_reason": "destination address is not a verified address"}

This error is confusing because Cloudflare’s documentation says Paid Worker plans have unrestricted bindings and can send to any destination address.

Here is why this happens and how to fix it.

Why is Cloudflare blocking the email?

The error implies the person you are sending the email to is the problem. It isn’t. The problem is your From: address.

To prevent zero-day spammers from firing off millions of emails the moment they upgrade to a paid account, Cloudflare’s Email Sending product quarantines your API access into a sandbox until your sender domain fully authenticates.

If your code attempts to send an email from support@yourdomain.com, but yourdomain.com hasn’t been explicitly onboarded into the Email Sending dashboard, the system ignores your paid status and defaults back to the sandbox block.

The 60-second fix

You do not need to submit a Trust & Safety ticket. Just follow these steps to authenticate your root domain for outbound email sending.

Step 1: Open the Email Sending Dashboard

Log into your Cloudflare dashboard. Navigate to Compute -> Email Service -> Email Sending. Do not click Email Routing—that is an older, separate product.

Step 2: Onboard your root domain

Click the Onboard Domain button. Select the root domain (e.g., wpflaremail.com) that perfectly matches your sender From: address.

Step 3: Add the dedicated DNS records

Cloudflare will automatically provision four new cf-bounce.yourdomain.com DNS records (MX, SPF, DKIM, DMARC) into your zone file. Click to add them natively.

Step 4: Wait for the lock

Wait roughly 5 minutes for DNS to propagate. Refresh the Email Sending dashboard until your four cf-bounce records display a green Locked status.

Verification

The moment those records hit “Locked,” Cloudflare’s backend detects your paid plan and recognizes your sender domain as an authenticated outbound node.

Your sandbox flag drops immediately, and your WPFlareMail installation will route open transactional emails globally without triggering the unverified destination block.