Adding prereq steps and egress ips

Maddy-Cloudflare · Maddy-Cloudflare · commit 368338d01c65 · 2025-02-13T15:40:48.000Z
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips.mdx
@@ -0,0 +1,103 @@
+---
+title: Egress IPs
+pcx_content_type: reference
+sidebar:
+  order: 4
+---
+
+When you set up Email Security using an [inline deployment](/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment/), you need to tell your existing email providers to accept messages coming from Email Security's egress IP addresses.
+
+Refer to this page for reference on what IP subnet mask ranges to use.
+
+:::caution[Additional information for O365]
+
+Office 365 does not support IPv6 addresses nor the following IPv4 subnet mask ranges:
+
+* `104.30.32.0/19`
+* `134.195.26.0/23`
+
+If you use Office 365, you will have to use the broken down `/24` subnet mask IP addresses. Refer to [Office 365 `/24` addresses](#office-365-24-addresses) for a list of supported IPv4 addresses.
+
+
+:::
+
+## United States
+
+For customers in the United States, enter the following IP addresses:
+
+### IPv4
+
+```txt
+52.11.209.211
+52.89.255.11
+52.0.67.109
+54.173.50.115
+104.30.32.0/19
+158.51.64.0/26
+158.51.65.0/26
+134.195.26.0/23
+```
+
+### IPv6
+
+```txt
+2405:8100:c400::/38
+```
+
+## Europe
+
+For customers in Europe, add all our US IP addresses. Additionally, you need to add the following IP addresses for our European data centers:
+
+```txt
+52.58.35.43
+35.157.195.63
+```
+
+## India
+
+For customers in India, add all our US IP addresses.
+
+## Australia / New Zealand
+
+For customers in Australia and New Zealand, add all our US IP addresses.
+
+## Office 365 `/24` addresses
+
+Use these IPv4 addresses for Office 365, instead of the `/19` and `/23` subnets:
+
+```txt
+104.30.32.0/24
+104.30.33.0/24
+104.30.34.0/24
+104.30.35.0/24
+104.30.36.0/24
+104.30.37.0/24
+104.30.38.0/24
+104.30.39.0/24
+104.30.40.0/24
+104.30.41.0/24
+104.30.42.0/24
+104.30.43.0/24
+104.30.44.0/24
+104.30.45.0/24
+104.30.46.0/24
+104.30.47.0/24
+104.30.48.0/24
+104.30.49.0/24
+104.30.50.0/24
+104.30.51.0/24
+104.30.52.0/24
+104.30.53.0/24
+104.30.54.0/24
+104.30.55.0/24
+104.30.56.0/24
+104.30.57.0/24
+104.30.58.0/24
+104.30.59.0/24
+104.30.60.0/24
+104.30.61.0/24
+104.30.62.0/24
+104.30.63.0/24
+134.195.26.0/24
+134.195.27.0/24
+```
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment-setup.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment-setup.mdx
@@ -2,7 +2,7 @@
 title: Set up inline deployment
 pcx_content_type: concept
 sidebar:
-  order: 2
+  order: 3
 ---
 
 To set up MX Inline:
@@ -29,7 +29,7 @@ If you have verified zones on Cloudflare, continue with the following steps:
 3. (**Optional**, select **Skip for now** to skip this step) **Configure quarantine policy**: Select dispositions to automatically prevent certain types incoming messages from reaching a recipient's inbox. Select 
 4. (Optional ) **Update MX records**: 
     - Email Security can automatically update MX records for domains that proxy traffic through Cloudflare. Under your mail processing location, select your mail processing location.
-    - You can also choose to allow Cloudflare to update MX records by selecting **I confirm that I allow Cloudflare to update to thew new MX records**.
+    - You can also choose to allow Cloudflare to update MX records by selecting **I confirm that I allow Cloudflare to update to the new MX records**.
     - Select **Continue**.
 5. **Review details**: Review your domain, then select **Go to domains**.
 
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment.mdx
@@ -2,7 +2,7 @@
 title: Inline deployment
 pcx_content_type: concept
 sidebar:
-  order: 1
+  order: 2
 ---
 
 With pre-delivery deployment, also known as Inline deployment, Email Security evaluates email messages before they reach a user's inbox.
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/google-prerequisites.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/google-prerequisites.mdx
@@ -0,0 +1,56 @@
+---
+title: Google Workspace as MX Record
+pcx_content_type: concept
+sidebar:
+  order: 4
+---
+
+In this tutorial, you will learn how to configure Google Workspace with Email Security as MX record.
+
+## Requirements
+
+- Provisioned Email Security account.
+- Access to the Google administrator console ([Google administrator console](https://admin.google.com/) > **Apps** > **Google Workspace** > **Gmail**).
+- Access to the domain nameserver hosting the MX records for the domains that will be processed by Email Security.
+
+## Set up Inbound Email Configuration
+
+On the [Google administrative console](https://admin.google.com/), set up [Inbound Email Configuration](https://support.google.com/a/answer/60730?hl=en) with the following details:
+    - In **Gateway IPs**, select the **Add** link, and add the IPs mentioned in [Egress IPs](cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/).
+    - Select **Automatically detect external IP (recommended)**.
+    - Select **Require TLS for connections from the email gateways listed above**.
+
+## Set up an email quarantine
+
+[Set up an email quarantine](https://support.google.com/a/answer/6104172?hl=en#:~:text=Sign%20in%20with%20an%20administrator,t%20access%20the%20Admin%20console.&text=Manage%20quarantines.,Click%20Add%20Quarantine.):
+    - In the quarantine configuration pop-up, enter the following details:
+        1. **Name**: Email Security Malicious.
+        2. **Description**: Email Security Malicious.
+        3. For the **Inbound denial consequence**, select **Drop message**.
+        4. For the **Outbound denial consequence**, select **Drop message**.
+
+## Create a content compliance filter
+
+Create a [content compliance filter](https://support.google.com/a/answer/1346934?hl=en#zippy=%2Cstep-go-to-gmail-compliance-settings-in-the-google-admin-console%2Cstep-enter-email-messages-to-affect) to send malicious messages to quarantine:
+    - **Name**: `Quarantine Email Security Malicious`.
+    - **In 1**: Email message to affect, select **Inbound**.
+    - **In 2**: **Add expressions that describe the content you want to search for in each message**:
+        - Select **Add** to add the condition.
+        - In **Simple content match**, select **Advanced content match**.
+        - In **Location**, select **Full headers**.
+        - In **Match type**, select **Contains text**.
+        - In **Content**, enter `X-EmailSecurity-Disposition: MALICIOUS`.
+        - Select **SAVE** to save the condition.
+    - In 3. **If the above expression match, do the following**, select **Quarantine message** and the **Email Security Malicious quarantine** that was created in the previous step.
+        - Select **SAVE**.
+
+If you would like to quarantine the other dispositions, repeat the above steps and use the following strings for the other dispositions:
+
+- `X-EmailSecurity-Disposition: MALICIOUS`
+- `X-EmailSecurity-Disposition: SUSPICIOUS`
+- `X-EmailSecurity-Disposition: SPOOF`
+- `X-EmailSecurity-Disposition: UCE`
+
+If desired, you can create a separate quarantine for each of the dispositions.
+
+Now that you have completed the prerequisite steps, you can set up [MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment-setup/) on the Cloudflare dashboard.
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/index.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/index.mdx
@@ -0,0 +1,14 @@
+---
+title: Prerequisites
+pcx_content_type: navigation
+sidebar:
+  order: 1
+  group:
+    hideIndex: true
+---
+
+import { DirectoryListing } from "~/components"
+
+
+
+<DirectoryListing />
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/office365-prerequisites.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/office365-prerequisites.mdx
@@ -0,0 +1,42 @@
+---
+title: Office 365 as MX Record
+pcx_content_type: concept
+sidebar:
+  order: 3
+---
+
+In this tutorial, you will learn how to configure Microsoft Office 365 with Email Security as its MX record. 
+
+## Add Email Security IP addresses to Allow List
+
+1. Go to the [Anti-spam policies page](https://security.microsoft.com/antispam) > Select **Edit connection filter policy**.
+2. In **Always allow messages from the following IP addresses or address range**, add IP addresses and CIDR blocks mentioned in Egress IPs.
+3. Select **Save**.
+4. Microsoft recommends disabling SPF Hard fail when an email solution is placed in front of it:
+    - Return to the [Anti-spam option](https://security.microsoft.com/antispam).
+    - Select **Default anti-spam policy**.
+    - Select **[Edit spam threshold and properties](https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-complaint-level-bcl-about)** > **Mark as spam** > **SPF record: hard fail**, and ensure it is set to **Off**.
+5. Select **Save**.
+
+## Enhanced Filtering configuration
+
+### Create an inbound connector
+
+1. [Set up a connector](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#1-set-up-a-connector-from-your-email-server-to-microsoft-365-or-office-365). 
+2. Select **Partner organization** under **Connection from**.
+    - Provide a name for the connector:
+        - **Name**: ```Email Security Inbound Connector```
+        - **Description**: ```Inbound connector for Enhanced Filtering```
+3. In **Authenticating sent email**, select **By verifying that the IP address of the sending server matches one of the following IP addresses, which belongs to your partner organization.**
+4. Enter all of the egress IPs in the [Egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.
+5. In **Security restrictions**, accept the default **Reject email messages if they aren't sent over TLS** setting.
+
+### Enable enhanced filtering
+
+Now that the inbound connector has been configured, you will need to enable the enhanced filtering configuration of the connector.
+
+1. Go to the [Security admin console](https://security.microsoft.com/homepage), and [enable enhanced filtering](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#use-the-microsoft-defender-portal-to-configure-enhanced-filtering-for-connectors-on-an-inbound-connector).
+2. Select **Automatically detect and skip the last IP address** and **Apply to entire organization**.
+3. Select **Save**.
+
+Now that you have completed the prerequisite steps, you can set up [MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment-setup/) on the Cloudflare dashboard.
