[Email Security] Add secure mail flow (#24295)

Maddy-Cloudflare · patriciasantaana · web-flow · commit b0a39bd83ac4 · 2025-08-11T19:06:03.000+01:00
* [Email Security] Add secure mail flow

* Keep copy same as Area 1

* update copy to reflect the original

* Updating docs based on Todd's suggestion

* Use Google Workspace instead of Gmail

* Update heading

* Apply suggestions from code review

Co-authored-by: Patricia Santa Ana &lt;103445940+patriciasantaana@users.noreply.github.com&gt;

---------

Co-authored-by: Patricia Santa Ana &lt;103445940+patriciasantaana@users.noreply.github.com&gt;
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/gsuite-email-security-mx.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/gsuite-email-security-mx.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 4
 ---
 
-import { Render } from "~/components"
+import { Render, GlossaryTooltip } from "~/components"
 
 ![A schematic showing where Email Security is in the life cycle of an email received](src/assets/email-security/Email_Security_Gmail_MX_Inline.png)
 
@@ -64,4 +64,24 @@ If desired, you can create a separate quarantine for each of the dispositions.
 
 ## 4. Set up MX/Inline
 
-<Render file="email-security/deployment/set-up-mx-inline-step"/>
+<Render file="email-security/deployment/set-up-mx-inline-step"/>
+
+## 5. (Recommended) Secure Google Workspace from MX records bypass
+
+One method of a DNS attack is to search for old MX records and send <GlossaryTooltip term="phishing">phishing</GlossaryTooltip> emails directly to the mail server. To secure the email flow, you should enforce an email flow where inbound messages are accepted by Google Workspace only when they originate from Email Security. This can be done by adding a connector to only allow email from Email Security with TLS encryption. This step is optional but recommended.
+
+:::caution[Important]
+This step should not be performed until 72 hours after all domains in your Google Workspace have been onboarded to Email Security, and Email Security is their MX record. If a domain has not been onboarded or DNS is still propagating, you will impact production email flow for that domain.
+:::
+
+After 72 hours, the MX record DNS update will have sufficiently propagated across the Internet. It is now safe to secure your email flow. This will ensure that Google Workspace only accepts messages that are first received by Email Security. This step is highly recommended to prevent threat actors from using cached MX entries to bypass Email Security by injecting messages directly into Google Workspace.
+
+1. Access the [Google Administrative Console](https://admin.google.com/), then select **Apps** > **Google Workspace** > **Gmail**.
+
+2. Select **Spam, Phishing and Malware**.
+
+3. Go to **Inbound gateway** and select **Edit Inbound gateway**.
+
+4. Enable **Reject all mail not from gateway IPs** and select **Save**.
+
+5. Select **Save** once more to commit and activate the configuration change in the Gmail advanced configuration console.
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/index.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/m365-email-security-mx/index.mdx
@@ -105,4 +105,45 @@ To create the transport rules that will send emails with certain [dispositions](
 
 ## 5. Set up MX/Inline
 
-<Render file="email-security/deployment/set-up-mx-inline-step"/>
+<Render file="email-security/deployment/set-up-mx-inline-step"/>
+
+## 6. (Recommended) Secure Microsoft 365 from MX records bypass
+
+One method of a DNS attack is to search for old MX records and send <GlossaryTooltip term="phishing">phishing</GlossaryTooltip> emails directly to the mail server. To secure the email flow, you should enforce an email flow where inbound messages are accepted by Microsoft 365 only when they originate from Email Security. This can be done by adding a connector to only allow email from Email Security with TLS encryption. This step is optional but recommended.
+
+:::caution[Important]
+This step should not be performed until 72 hours after all domains in your Microsoft 365 organization have been onboarded to Email Security, and Email Security is their MX record. If a domain has not been onboarded or DNS is still propagating, you will impact production email flow for that domain.
+:::
+
+#### Create Connector
+
+1. Go to the new [Exchange admin center](https://admin.exchange.microsoft.com/#/homepage).
+
+2. Go to **Mail flow** > **Connectors**.
+
+3. Select **Add a connector**.
+
+4. Go to **Connection from** > **Partner organization**.
+
+5. Select **Next**.
+
+6. Set the following options:
+
+   - **Name** - `Secure M365 Inbound`
+   - **Description** - `Only accept inbound email from Email Security`
+
+7. Select **Next**.
+
+8. Make sure **By Verifying that the sender domain matches one of the following domains** is selected.
+
+9. Enter `*` in the text field, and select **+**.
+
+10. Select **Next**.
+
+11. Make sure **Reject email messages if they aren't sent over TLS** is selected.
+
+12. Still in the same screen, select **Reject email messages if they aren't sent from within this IP address range**, and enter all the egress IPs in the [Egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.
+
+13. Select **Next**.
+
+14. Review your settings and select **Create connector**.
