[Email Security] Expand detection settings docs (#24151)

* [Email Security] Expand detection settings docs

* Address Dom's suggestions

* Update src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx

Co-authored-by: Jun Lee <[email protected]>

* Add example of lookalike domain

* Correct sentence

---------

Co-authored-by: Jun Lee <[email protected]>

Author: Maddy-Cloudflare

src/content/docs/cloudflare-one/email-security/detection-settings/additional-detections.mdx

@@ -23,11 +23,13 @@ To configure additional detections:
 
 The domain age is the time since the domain has been registered.
 
+Because of the domain age detection, [trusted domains](/cloudflare-one/email-security/detection-settings/trusted-domains/) can be used to create an exception to the age detection. 
+
 To configure a domain age:
 
 1. On the **Edit additional detections** page:
-   - Select **Malicious domain age**: Controls the threshold for a malicious disposition. Maximum of 100 days.
-   - Select **Suspicious domain age**: Controls the threshold for a suspicious disposition. Maximum of 100 days.
+   - Select **Malicious domain age**: Controls the threshold for a malicious disposition. Maximum of 100 days. It is recommended to set the **Malicious domain age** to 7 days.
+   - Select **Suspicious domain age**: Controls the threshold for a suspicious disposition. Maximum of 100 days. It is recommended to set the **Suspicious domain age** between 30 and 45 days.
 2. Select **Save**.
 
 ## Configure blank email detection

src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx

@@ -9,6 +9,40 @@ import { Example, Details } from "~/components"
 
 Email Security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning.
 
+## How allow policies work
+
+Allow policies are crucial for legitimate messages that may otherwise be blocked due to, for example, an incorrect setup.
+
+<Example title="Example of allow policy">
+
+An example of allow policy is a phishing simulation product. You want to configure a phishing simulation product as **Accept sender** so Email Security does not scan the messages (or crawl links) in these simulated messages.
+
+</Example>
+
+Allow policies can be configured to match messages based on specific criteria such as individual email addresses, IP address ranges, or domains. This flexibility allows you to exempt legitimate messages from specific sources, even if those sources have low spam reputation or send bulk messages from their own servers.
+
+Allow policies are used to mitigate false positives. When an email has been marked as malicious or suspicious, but you still want to receive that email, you configure that email as part of an allow policy.
+
+### Accept sender
+
+Allow policies in Email Security give you the option to choose **Accept sender**. 
+
+Accept sender creates exceptions for messages that would otherwise be marked as spam, bulk, or spoof. However, Email Security will continue to scan the message for maliciousness.
+
+It is recommended to choose this option, as it is the safest option to protect your email inbox from malicious or suspicious activities.
+
+<Example title="Example of a use case where marketing emails that are legitimate have been blocked">
+
+When a marketing email does not follow the correct template, it may be marked as malicious or spam. It may not be possible to change the template. However, in this scenario, the marketing email is legitimate. 
+
+To make sure that users still receive the marketing email, you will have to select **Accept sender** and add the marketing domain in **Rule Type** > **Domains**.
+
+**Accept sender** and **Domains** combined exempt marketing emails that may not follow the correct template. 
+
+</Example>
+
+## Configure allow policies
+
 To configure allow policies:
 
 1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
@@ -23,10 +57,10 @@ To configure allow policies:
                - **Exempt recipient**: Message to this recipient will bypass all detections.
                - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. Refer to [Allow policy configuration use cases](#use-case-1) for use case examples on how to configure allow policies for accept sender.
        - **Rule type**: Specify the scope of your policy. Choose one of the following:
-           - **Email addresses**: Must be a valid email.
-           - **IP addresses**: Can only be IPv4. IPv6 and CIDR are invalid entries.
+           - **Email addresses**: Must be a valid email. Enter an email address whose emails are going to be exempted.
+           - **IP addresses**: This is the IP address of the email server. Any email address sent from this email server is going to be allowed. The IP address can only be IPv4. IPv6 and CIDR are invalid entries.
            - **Domains**: Must be a valid domain.
-           - **Regular expressions**: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email.
+           - **Regular expressions**: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email. For example, you can enter `.*@domain\.com` to exempt any email address that ends with `domain.com`.
      - **(Recommended) Sender verification**: This option enforces DMARC, SPF, or DKIM authentication. If you choose to enable this option, Email Security will only honor policies that pass authentication.
        - **Notes**: Provide additional information about your allow policy.
    - **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes` fields. The first row must be a header row. Refer to [CSV uploads](/cloudflare-one/email-security/detection-settings/allow-policies/#csv-uploads) for an example file.

src/content/docs/cloudflare-one/email-security/detection-settings/blocked-senders.mdx

@@ -5,7 +5,15 @@ sidebar:
   order: 2
 ---
 
-Email Security marks all messages from these senders with a [disposition](/cloudflare-one/email-security/reference/dispositions-and-attributes/).
+Email Security marks all messages from these senders with a malicious [disposition](/cloudflare-one/email-security/reference/dispositions-and-attributes/).
+
+## How blocked senders work
+
+Blocked senders ensures messages from any sender is automatically marked as malicious, preventing them from reaching users' inbox.
+
+Sometimes, the same email, IP address or domain always sends malicious emails to the company. In this case, you can add an email address, IP address or domain as a blocked sender. You can choose to enter a regular expression by turning **Regular expression** on. 
+
+## Configure blocked senders
 
 To configure blocked senders:
 
@@ -19,7 +27,7 @@ To configure blocked senders:
              - **Email addresses**: Must be a valid email.
              - **IP addresses**: Can only be IPv4. IPv6 and CIDR are invalid entries.
              - **Domains**: Must be a valid domain.
-             - **Regular expressions**: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email.
+             - **Regular expressions**: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email. For example, you can enter `.*@domain\.com` to exempt any email address that ends with `domain.com`.
          - **Notes**: Provide additional information about the blocked sender policy.
    - **Upload blocked sender list**: Upload a file no larger than 150 KB. The file cannot can only contain `Blocked_Sender`, `Pattern Type,` and `Notes` fields. The first row must be a header row. Refer to [CSV uploads](/cloudflare-one/email-security/detection-settings/blocked-senders/#csv-uploads) for an example file.
 6. Select **Save**.

src/content/docs/cloudflare-one/email-security/detection-settings/trusted-domains.mdx

@@ -5,7 +5,31 @@ sidebar:
   order: 3
 ---
 
-Email Security allows you to exempt known partner and internal domains from typical detection scanning. Adding trusted domains helps to reduce false positives on [malicious, suspicious, and spoof dispositions](/cloudflare-one/email-security/reference/dispositions-and-attributes/).
+Email Security allows you to exempt known partner and internal domains from typical detection scanning. Adding trusted domains helps to reduce false positives on [malicious, suspicious, and spoof dispositions](/cloudflare-one/email-security/reference/dispositions-and-attributes/). Email Security only checks the date when the domain is created.
+
+## How trusted domains work
+
+Trusted domains are not for the email message itself, but for entire domains. 
+
+By default, Email Security automatically detects lookalike domains. Lookalike domains can be something like this: `thisisdomain.com` and `thisisadomain.com`. Both domains almost look identical.
+
+If an email is received from a domain that looks like a configured domain, this will trigger a detection. Trusted domain is configured to ignore this detection. 
+
+In [Additional detections](/cloudflare-one/email-security/detection-settings/additional-detections/), you can configure malicious domain and suspicious [domain age](/cloudflare-one/email-security/detection-settings/additional-detections/).
+
+Malicious domain age means that someone may create a domain today, similar to a target, and start sending emails with that domain. This is usually how many phish campaigns start. In this case, the domain is usually marked as Malicious. Malicious domain age is usually set to 7 days.
+
+Suspicious domain age means that after 7 days (this number corresponds to the Malicious domain age), a domain may not be malicious, but it can still be suspicious. Email Security will mark these domains as Suspicious. It is recommended to configure the **Suspicious domain age** between 30 and 45 days.
+
+To view whether a domain is malicious or suspicious:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Investigation**.
+2. Run a screen. For example, select **Run screen** for **Malicious emails**, then select **Run screen**.
+3. Under **Your matching messages**, if any message displays **Domain Age** under **Threat types**, that means that the domain age is too low, and therefore the disposition assigned is Malicious. If the domain is legitimate, you can add it as a trusted domain:
+    - Go to **Settings** > **Trusted Domains**.
+    - Under **Domain Info**, add the domain, and select **New Domain**. This will mark the domain whose age is low as a trusted domain.
+
+## Configure trusted domains
 
 To configure a trusted domain:
 

src/content/docs/cloudflare-one/email-security/email-monitoring/search-email.mdx

@@ -257,7 +257,7 @@ Email Security shows you the following email detail information:
 Email Security displays the following details:
 
 1. **Threat type**: Threat type of the email, for example, [credential harvester](/cloudflare-one/email-security/reference/how-es-detects-phish/#credential-harvesters), and [IP-based spam](/cloudflare-one/email-security/reference/how-es-detects-phish/#ip-based-spam).
-2. **Validation**: Email validation methods [SPF](https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/), [DKIM](https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/), [DMARC](https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/).
+2. **Validation**: Email validation methods [SPF](https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/), [DKIM](https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/), [DMARC](https://www.cloudflare.com/learning/dns/dns-records/dns-dmarc-record/). The dashboard will display **Pass** if SPF, DKIM and DMARC checks have passed.
 3. **Sender details**: Information include:
    - IP address
    - Registered domain