cloudflare · Maddy-Cloudflare · Oct 23, 2024 · Oct 22, 2024 · Oct 23, 2024 · Oct 23, 2024
@@ -374,6 +374,8 @@
 # email-security
 /email-security/setup/api-deployment/ /email-security/setup/post-delivery-deployment/api/ 301
 /email-security/setup/api-deployment/office365-api/ /email-security/setup/post-delivery-deployment/api/office365-api/ 301
+/email-security/email-configuration/retract-settings/gmail-retraction/ /email-security/deployment/api/setup/gsuite-bcc-setup/add-retraction/ 301
+
 
 # firewall
 /firewall/api/cf-lists/ /waf/tools/lists/lists-api/ 301

@@ -0,0 +1,23 @@
+---
+title: Find BCC address and add domain
+pcx_content_type: how-to
+sidebar:
+  order: 2
+---
+
+import { Render } from "~/components"
+
+:::caution[Area 1 has been renamed]
+<Render file="rename-area1-to-ces" />
+:::
+
+To set up Email Security (formerly Area 1) for Gmail:
+
+1. Log in to the [Email Security (formerly Area 1) dashboard](https://horizon.area1security.com/).
+2. Select the question mark, where you will be able to find your BCC address.
+3. Once you found your address, select **Settings** (the gear icon), then select **New Domain**.
+4. Fill in the information needed to add your domain, then select **Publish Domain**.
+
+## Next steps
+
+Now that you have found your BCC address and added your domain, continue with [Add BCC rules](/email-security/deployment/api/setup/gsuite-bcc-setup/bcc-rules-to-area1/) to add BCC rules to Email Security.
@@ -0,0 +1,26 @@
+---
+title: Add retraction
+pcx_content_type: how-to
+sidebar:
+  order: 5
+---
+
+import { Render } from "~/components"
+
+1. On the [Email Security (formerly Area 1) dashboard](https://horizon.area1security.com/), select **Domains** under **DOMAINS & ROUTING**, then select **NEW DOMAIN**. Fill in the information to add a new domain:
+    - On **FORWARDING TO**: Enter `Google.com`.
+    - Adjust **Hops** to 2.
+    - On **Outbound TLS**: Ensure you select **Forward all messages over TLS**.
+2. Select **Publish Domain**.
+3. Select **RETRACT SETTINGS** > **Authorize Gmail**.
+4. Upload the JSON file [previously generated](/email-security/deployment/api/setup/gsuite-bcc-setup/create-service-account/).
+5. Under **DOMAINS**, select the domain you added previously, then select **SAVE**.
+
+## Post delivery retractions for new threats
+
+Email Security (formerly Area 1) is continuously gathering new information about phishing campaigns. Users might have email messages in their inboxes that were scanned by Email Security but not retracted initially because, at the time of scan, these email messages had not been identified as a threat. To mitigate risk, Email Security offers you tools to re-evaluate email messages at a fixed time interval based on knowledge Cloudflare may have acquired since initial delivery. Any email messages that fit this new threat knowledge will be retracted.
+
+You can enable two options:
+
+- **Post Delivery Response**: Email Security will continue to re-evaluate emails already delivered to your users' inboxes at a fixed time interval in search for phishing sites or campaigns not previously known to Cloudflare. If any email messages fitting these new criteria are found, Email Security retracts them.
+- **Phish Submission Response**: Email Security will retract emails already delivered that are reported by your users as phishing, and are found to be malicious by Email Security. Retraction will occur according to your configuration.
@@ -0,0 +1,31 @@
+---
+title: Add BCC rules
+pcx_content_type: how-to
+sidebar:
+  order: 3
+---
+
+import { Render } from "~/components"
+
+1. In the [Google Admin console](https://admin.google.com/), go to **Menu** > **Apps** > **Google Workspace** > **Gmail** > **Compliance**.
+2. Go to **Content Compliance** > Select **Edit**.
+3. Add a **Content Compliance** filter, and name it `Email Security (Area 1) - BCC`.
+4. In **Email messages to affect**, select **Inbound**.
+5. Select the recipients you want to send emails to Email Security (formerly Area 1) via BCC:
+    1. Select **Add** to configure the expression.
+    2. Select **Advanced content match**.
+    3. In **Location**, select **Headers + Body**.
+    4. In **Match type**, select **Matches regex**.
+    5. In **Regexp** input `.*`. You can customize the regex as needed and test within the admin page or on sites like [Regexr](https://regexr.com/).
+    6. Select **SAVE**.
+6. In **If the above expressions match, do the following**, select **Modify message**, select **Add more recipients** > Select **ADD** > Choose **Advanced**:
+    1. Under **Envelope recipient**, select **Change envelope recipient** > **Replace recipient** > Enter the email of the recipient.
+    2. Under **Spam and delivery options**, select **Suppress bounces from this recipient**.
+    3. Under **Headers**, select **Add X-Gm-Spam and X-Gm-Phishy headers**.
+    4. Select **SAVE**.
+7. In **Account types to affect**, select **Users** and **Groups**.
+8. Select **SAVE**.
+
+## Next steps
+
+Now that you have added BCC rules on the Area 1 portal, you need to [create a project on Google Cloud Console](/email-security/deployment/api/setup/gsuite-bcc-setup/create-project-gcp/).
@@ -0,0 +1,19 @@
+---
+title: Create a project on Google Cloud Console
+pcx_content_type: how-to
+sidebar:
+  order: 4
+---
+
+import { Render } from "~/components"
+
+1. Log in to the [Google Cloud Console](https://console.cloud.google.com/welcome/new). From the dashboard, select **CREATE OR SELECT PROJECT**.
+2. Provide the details for the new project, and select **CREATE** to start your new project.
+3. Once the new project has been created, the Google Cloud Platform console will automatically redirect you to the Project console. If not, you can use the Project selector to change to the project you created.
+4. In **Getting Started**, select **Explore and enable APIs** > Select **ENABLE APIs & SERVICES**.
+5. On search bar, search for `Admin SDK API`. Select **Admin SDK API**, then select **ENABLE**.
+6. Go back to the sidebar, select **Library**, and search for Gmail API. Select **Gmail API**, then select **ENABLE**.
+
+## Next steps
+
+Now that you have created a project on Google Cloud Console, you need to [create a service account](/email-security/deployment/api/setup/gsuite-bcc-setup/create-service-account/) on Google Cloud Console.
@@ -0,0 +1,35 @@
+---
+title: Create service account
+pcx_content_type: how-to
+sidebar:
+  order: 4
+---
+
+import { Render } from "~/components"
+
+1. On the [Google Cloud Console](https://console.cloud.google.com/welcome/new), select **Credentials**.
+2. Select **CREATE CREDENTIALS** > **Service account**.
+3. Fill in the details to create a service account:
+    - **Service account name**: Enter `Message Retraction Service Account`.
+    - **Service account ID**: Enter `message-retraction-service-acc`.
+    - **Service account description**: Enter `Email Security Message Retraction`.
+    - Select **CREATE AND CONTINUE**.
+4. In **Grant this service account access to project**, select **Select a role** > Choose **Owner**. Select **CONTINUE**, then **DONE**.
+5. Go back to **Credentials**, and select your service account under **Service Accounts**. In **Details**, take note of the **Unique ID**.
+6. Select **Advanced settings** > **VIEW GOOGLE WORKSPACE ADMIN CONSOLE**, then enter your password.
+7. On the sidebar, select **Security** > **Access and data control** > **API controls** > Select **MANAGE DOMAIN WIDE DELEGATION**.
+8. Select **Add new** > Add a new client ID:
+    - **Client ID**: Enter the **Unique ID** you took note of.
+    - **OAuth scopes**: Enter the following URLs:
+
+      ```txt
+      https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.alias.readonly, https://www.googleapis.com/auth/gmail.labels, https://mail.google.com/
+      ```
+    - Select **AUTHORIZE**.
+
+9. Go back to the sidebar > **Service Accounts**.
+10. Select the three dots > **Manage keys** > **ADD KEY** > **Create new key** > Select **JSON** > Select **CREATE**. This downloads a `.json` file which you will use at a later stage.
+
+## Next steps
+
+Now that you have created a service account, you need to [add retractions](/email-security/deployment/api/setup/gsuite-bcc-setup/add-retraction/) to your email.
@@ -0,0 +1,10 @@
+---
+title: Geographic locations
+pcx_content_type: reference
+sidebar:
+  order: 6
+---
+
+import { Render } from "~/components"
+
+<Render file="deployment/bcc-table-geographic-locations" />
@@ -0,0 +1,31 @@
+---
+title: Gmail BCC setup
+pcx_content_type: integration-guide
+sidebar:
+  order: 1
+head:
+  - tag: title
+    content: Setup Gmail  with Email Security (formerly
+      Area 1)
+
+---
+
+import { Render, Details } from "~/components"
+
+:::caution[Area 1 has been renamed]
+
+<Render file="rename-area1-to-ces" />
+
+:::
+
+For customers using Gmail, setting up Email Security via BCC is quick and easy. All you need to do is create a content compliance filter to send emails to Email Security through BCC. The following email flow shows how this works:
+
+![Email flow when setting up a phishing assessment risk for Gmail with Email Security.](~/assets/images/email-security/deployment/api-setup/gmail/gmail-bcc-flow.png)
+
+To set up Gmail with Email Security:
+
+1. [Find your BCC address and add a domain](/email-security/deployment/api/setup/gsuite-bcc-setup/add-domain/).
+2. [Add BCC rules](/email-security/deployment/api/setup/gsuite-bcc-setup/bcc-rules-to-area1/).
+3. [Create a project on Google Cloud Console](/email-security/deployment/api/setup/gsuite-bcc-setup/create-project-gcp/).
+4. [Create a service account](/email-security/deployment/api/setup/gsuite-bcc-setup/create-service-account/).
+5. [Add retraction](/email-security/deployment/api/setup/gsuite-bcc-setup/add-retraction/).