[Email Security] Get started page

Maddy-Cloudflare · Maddy-Cloudflare · commit f8afb6f0cd52 · 2025-05-09T10:43:48.000+01:00
diff --git a/src/content/docs/cloudflare-one/email-security/setup/index.mdx b/src/content/docs/cloudflare-one/email-security/setup/index.mdx
@@ -5,57 +5,107 @@ sidebar:
   order: 11
 ---
 
-import { DirectoryListing } from "~/components"
+import { Markdown } from "~/components";
 
-You can set up Email Security via:
-
-<DirectoryListing />
+Before you start the onboarding process, you will have to choose a deployment path. Email Security provides two deployment modes: [post-delivery](/cloudflare-one/email-security/setup/) (for API and BCC/Journaling), and [pre-delivery](/cloudflare-one/email-security/setup/#pre-delivery-deployment) (for MX/Inline).
 
 ## Post-delivery deployment
 
-With post-delivery deployment, Email Security scans emails **after** they reach users' inbox.
+### How it works
+
+When you choose post-delivery deployment, Cloudflare scans emails **after** they reach a users' inbox.
 
-Post-delivery deployment includes [Microsoft Graph API](/cloudflare-one/email-security/setup/post-delivery-deployment/api/) and [BCC](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/)/[Journaling](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/office365-journaling/).
+If you are a Microsoft 365 user, this is done via Microsoft's Graph API or journaling.
 
-With Microsoft Graph API, you authorize Email Security to scan domains via your email provider credentials. With BCC/Journaling, you send messages to Email Security via BCC or Journaling configurations within your email provider.
+If you are a Google Workspace or Microsoft Exchange user, this is done via BCC.
 
-When you set up Microsoft Graph API, you get access to the following features:
+### Why you should consider post-delivery deployment
 
-- Auto-moves.
-- Directory synchronization.
-- Post-delivery response / Phish submission response.
-- Auto pull EMLs for [reclassification](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) whose disposition is "None".
-- Manually move messages to different inboxes.
+Post-delivery deployment is time-efficient, because it does not involve MX changes. Post-delivery deployment does not disrupt mail flow. Post-delivery deployment allows you to enable [auto-move events](/cloudflare-one/email-security/auto-moves/) and synchronize your [directory](/cloudflare-one/email-security/directories/) when you use Microsoft Graph API or Google Workspace.
 
-If you set up Email Security via BCC/Journaling and you want to access the features listed above, you will need to [associate an integration](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-auto-moves/).
+:::note
+When you choose post-delivery deployment:
+The threat is removed **after** the message has been delivered to the inbox.
+It requires API scopes, or journaling rule configuration.
+Auto-move is only available in BCC/Journaling if you associate an integration.
+:::
 
 ## Pre-delivery deployment
 
-With pre-delivery deployment, Email Security scans emails **before** they reach users' inbox.
+### How it works
+
+When you choose pre-delivery deployment, Cloudflare scans emails **before** they reach a users' inbox. The MX record points to Cloudflare.
+
+### Why you should consider pre-delivery deployment
+
+Pre-delivery deployment provides you with the highest level of protection. It enforces [bannering](/cloudflare-one/email-security/detection-settings/configure-text-add-ons/) or link rewrite at delivery.
+
+Pre-delivery blocks threats in transit, and it adds banners or texts before the user views the email.
+
+:::note
+When you choose pre-delivery deployment:
+You must edit MX records or create a connector.
+You can enable auto-move events only once you associate an integration.
+Cloudflare [egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) are allowed on downstream servers.
+:::
+
+## Dispositions
+
+Email traffic that flows through Email Security is given a final disposition, which represents Email Security's evaluation of that specific message. Refer to [Dispositions and attributes](/cloudflare-one/email-security/reference/dispositions-and-attributes/) to learn more.
+
+Dispositions allow you to configure policies and tune reporting. For example, you can configure a policy to move suspicious emails to your junk folder.
+
+## Impersonation registry
+
+Most [Business email compromise(BEC)](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) targets executives or finance roles. You must add addresses of roles who are likely to be impersonated. Refer to [Impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/) to learn how to add a user to the impersonation registry.
+
+Roles you may want to include in the impersonation registry are:
+
+C-suites
+Finance roles
+HR
+IT help-desk.
+
+You should review your impersonation registry on a quarterly basis as roles change.
+
+## Reclassifications
+
+A reclassification is a change to an email's disposition **after** initial scanning. It is Cloudflare's built-in feedback loop for correcting false positives/negatives **and** training the detection models to get smarter over time. 
+
+### Who can reclassify messages
+
+[Security teams](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions) and [end users](/cloudflare-one/email-security/email-monitoring/search-email/#user-submissions) can submit a reclassification. Refer to [Reclassify messages](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) to learn how to reclassify a message.
 
-MX/Inline allows you to send messages to Email Security to scan before they reach your users' inbox. You may need to update your MX records.
+### Why you should reclassify messages
 
-With MX/Inline, you will not be able to auto-move emails.
+Reclassifications are critical because:
 
-However, you will need to associate an integration to access the following features:
+**They help improve model accuracy**: Every validated reclassification teaches Cloudflare's machine learning to recognise new lures, language, infrastructure and benign patterns.
+**They reduce alert fatigue**: Correcting Suspicious or Spam emails that users actually want tailors detections to your organization, cutting noise in the dashboard.
+**They close the remediation loop**: When a disposition is upgraded to Malicious, Cloudflare auto-moves those emails out of every inbox (Graph API or Google Workspace API integrations).
+**They can help you log activity taken on any reclassification**: Each reclassification displays a submission ID, details about original, requested and final dispositions, and more. Refer to [Reclassify messages](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) to learn more about reclassifications.
 
-- Directory synchronization.
-- Post-delivery response / Phish submission response.
-- Auto pull EMLs for reclassification for disposition "None".
-- Manually move messages.
+To make the most of reclassifications:
 
-### Associate an integration
+1. Review reclassifications on a weekly basis.
+2. Ensure you have an integration associated with any MX/Inline deployment. When you associate an integration, you will not need to upload the EMLs every time, and we can use APIs to receive a copy of your email messages.
+3. Investigate any increase in [user submissions](/cloudflare-one/email-security/email-monitoring/search-email/#user-submissions) (users may have found a phish that bypassed filters) and confirm that analyst-final dispositions align with your policies.
 
-To associate an integration:
+A correct use of reclassifications ensures that Email Security delivers a stronger protection with less manual tuning.
 
-1. Log in to [Zero Trust](https://one.dash.cloudflare.com/) > **Email Security**.
-2. Go to **Settings** and locate your domain.
-3. Select the three dots > **Associate an integration**.
-4. Select the integration you want to associate, then select **Associate**.
+## Configuration checklist
 
-To enable post-delivery response and phish submission response:
+| Step                                                                                                    | Post-delivery | Pre-delivery |
+|---------------------------------------------------------------------------------------------------------|---------------|--------------|
+| Authorize integration ([Graph API](/cloudflare-one/email-security/setup/post-delivery-deployment/api/office365-api/#enable-microsoft-integration) or [Google Workspace](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/))[^1]                                                 | Required      | Required [^2]     |
+| Associate an integration with an MX/Inline domain                                                       |               | Required     |
+| Add/verify domains                                                                                      | Required      | Required     |
+| [Update MX records/connector](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/), then allow Cloudflare [egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) on downstream mail server |               | Required     |
+| Enable [Post‑delivery response and Phish submission response](/cloudflare-one/email-security/auto-moves/)                                             | Required      | Required     |
+| Populate [impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/) and [allow](/cloudflare-one/email-security/detection-settings/allow-policies/)/[block](/cloudflare-one/email-security/detection-settings/blocked-senders/) lists                                                 | Required      | Required     |
+| Configure [partner domain TLS](/cloudflare-one/email-security/setup/pre-delivery-deployment/partner-domain-tls/) and admin quarantine                                                              |               | Required     |
+| Configure [text add-ons](/cloudflare-one/email-security/detection-settings/configure-text-add-ons/) and [link actions](/cloudflare-one/email-security/detection-settings/configure-link-actions/)                                                                  |               | Required     |
+| Send a test email and verify it appears in **Monitoring** > [**Email activity**](/cloudflare-one/email-security/email-monitoring/#email-activity) with expected disposition        | Required      | Required     |
 
-1. Go to **Settings** > **Moves**.
-2. Go to **Auto-moves**, select **View** > **Configure**.
-3. Select **Post-delivery response (Recommended)** and **Phish submission response (Recommended)**.
-4. Select **Save**.
+[^1]: Alternatively, you can create a service account and add BCC rules.
+[^2]: Still used for directory/auto‑move insight if desired as well as authorizing free API CASB
