diff --git a/src/assets/email-security/Cisco_to_Cisco_MX_Inline.png b/src/assets/email-security/Cisco_to_Cisco_MX_Inline.png
new file mode 100644
index 00000000000000..173d74c65fa89a
Binary files /dev/null and b/src/assets/email-security/Cisco_to_Cisco_MX_Inline.png differ
diff --git a/src/assets/email-security/Cisco_to_Email_Security_MX_Inline.png b/src/assets/email-security/Cisco_to_Email_Security_MX_Inline.png
new file mode 100644
index 00000000000000..b0ca16f94f4bec
Binary files /dev/null and b/src/assets/email-security/Cisco_to_Email_Security_MX_Inline.png differ
diff --git a/src/assets/email-security/Email_Security_Gmail_MX_Inline.png b/src/assets/email-security/Email_Security_Gmail_MX_Inline.png
new file mode 100644
index 00000000000000..fb64b42c1d35a2
Binary files /dev/null and b/src/assets/email-security/Email_Security_Gmail_MX_Inline.png differ
diff --git a/src/assets/email-security/Email_Security_O365_MXInline.png b/src/assets/email-security/Email_Security_O365_MXInline.png
new file mode 100644
index 00000000000000..305e594683d078
Binary files /dev/null and b/src/assets/email-security/Email_Security_O365_MXInline.png differ
diff --git a/src/assets/images/email-security/deployment/inline-setup/CF_A1S_Deployment_Inline_Diagrams.png b/src/assets/images/email-security/deployment/inline-setup/CF_A1S_Deployment_Inline_Diagrams.png
new file mode 100644
index 00000000000000..7cd838c8b3eb96
Binary files /dev/null and b/src/assets/images/email-security/deployment/inline-setup/CF_A1S_Deployment_Inline_Diagrams.png differ
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips.mdx
new file mode 100644
index 00000000000000..9b10211a50ad78
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips.mdx
@@ -0,0 +1,103 @@
+---
+title: Egress IPs
+pcx_content_type: reference
+sidebar:
+ order: 4
+---
+
+When you set up Email Security using an [MX/Inline deployment](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/), you need to tell your existing email providers to accept messages coming from Email Security's egress IP addresses.
+
+Refer to this page for reference on what IP subnet mask ranges to use.
+
+:::caution[Additional information for O365]
+
+Office 365 does not support IPv6 addresses nor the following IPv4 subnet mask ranges:
+
+* `104.30.32.0/19`
+* `134.195.26.0/23`
+
+If you use Office 365, you will have to use the broken down `/24` subnet mask IP addresses. Refer to [Office 365 `/24` addresses](#office-365-24-addresses) for a list of supported IPv4 addresses.
+
+
+:::
+
+## United States
+
+For customers in the United States, enter the following IP addresses:
+
+### IPv4
+
+```txt
+52.11.209.211
+52.89.255.11
+52.0.67.109
+54.173.50.115
+104.30.32.0/19
+158.51.64.0/26
+158.51.65.0/26
+134.195.26.0/23
+```
+
+### IPv6
+
+```txt
+2405:8100:c400::/38
+```
+
+## Europe
+
+For customers in Europe, add all our US IP addresses. Additionally, you need to add the following IP addresses for our European data centers:
+
+```txt
+52.58.35.43
+35.157.195.63
+```
+
+## India
+
+For customers in India, add all our US IP addresses.
+
+## Australia / New Zealand
+
+For customers in Australia and New Zealand, add all our US IP addresses.
+
+## Office 365 `/24` addresses
+
+Use these IPv4 addresses for Office 365, instead of the `/19` and `/23` subnets:
+
+```txt
+104.30.32.0/24
+104.30.33.0/24
+104.30.34.0/24
+104.30.35.0/24
+104.30.36.0/24
+104.30.37.0/24
+104.30.38.0/24
+104.30.39.0/24
+104.30.40.0/24
+104.30.41.0/24
+104.30.42.0/24
+104.30.43.0/24
+104.30.44.0/24
+104.30.45.0/24
+104.30.46.0/24
+104.30.47.0/24
+104.30.48.0/24
+104.30.49.0/24
+104.30.50.0/24
+104.30.51.0/24
+104.30.52.0/24
+104.30.53.0/24
+104.30.54.0/24
+104.30.55.0/24
+104.30.56.0/24
+104.30.57.0/24
+104.30.58.0/24
+104.30.59.0/24
+104.30.60.0/24
+104.30.61.0/24
+104.30.62.0/24
+104.30.63.0/24
+134.195.26.0/24
+134.195.27.0/24
+```
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/index.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/index.mdx
new file mode 100644
index 00000000000000..d659ffda51d84f
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/index.mdx
@@ -0,0 +1,14 @@
+---
+title: Pre-delivery deployment
+pcx_content_type: navigation
+sidebar:
+ order: 1
+ group:
+ hideIndex: true
+---
+
+import { DirectoryListing } from "~/components"
+
+
+
+
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup.mdx
new file mode 100644
index 00000000000000..9a6e042009a508
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup.mdx
@@ -0,0 +1,56 @@
+---
+title: Set up MX/Inline deployment
+pcx_content_type: concept
+sidebar:
+ order: 3
+---
+
+To set up MX/Inline:
+
+1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
+2. Select **Email Security**.
+3. Select **Monitoring**. If you are a first time user, select **Contact sales**. Otherwise, select **Set up**.
+4. Select **MX/Inline**.
+5. To start the MX/Inline configuration, you will need to have completed the prerequisite setup on your email provider's platform. Once you have completed this step, select **I confirm that I have completed all the necessary requirements**. Then, select **Start configuration**.
+
+If you have verified zones on Cloudflare, continue with the following steps:
+
+1. **Connect a domain**: Select your domain. Then, select **Continue**.
+2. **Select position**: This step allows you to choose where Email Security fits into your mail flow and configure position settings:
+ - **Select position**: Choose between:
+ - **Sit first (hop count = 1)**: Email Security is the first server that receives the email. There are no other email scanners or services between the Internet and Cloudflare.
+ - **Sit in the middle (hop count > 1)**: Email Security sits anywhere other than the first position. Other servers receive emails _before_ Email Security. There are other email scanners or email services in between.
+ - **Position settings**: Refine how Email Security receives and forwards emails:
+ - **Forwarding address**: This is your mail flow next hop after Email Security. This value is auto-filled, but you can still change it.
+ - **Outbound TLS**: Choose between:
+ 1. **Forward all messages over TLS** (recommended).
+ 2. **Forward all messages using opportunistic TLS**.
+ - Select **Continue**.
+3. (**Optional**, select **Skip for now** to skip this step) **Configure quarantine policy**: Select dispositions to automatically prevent certain types of incoming messages from reaching a recipient's inbox.
+4. (Optional) **Update MX records**:
+ - Email Security can automatically update MX records for domains that proxy traffic through Cloudflare. Under **Your mail processing location**, select your mail processing location.
+ - You can also choose to allow Cloudflare to update MX records by selecting **I confirm that I allow Cloudflare to update to the new MX records**. When Email Security updates MX records, we replace your original MX records with Email Security MX records.
+ - Select **Continue**.
+5. **Review details**: Review your domain, then select **Go to domains**.
+
+## Users who do not have domains with Cloudflare
+
+If you do not have domains with Cloudflare, the dashboard will display two options:
+
+- Add a domain to Cloudflare.
+- Enter domain manually.
+
+### Add a domain to Cloudflare
+
+Selecting **Add a domain to Cloudflare** will redirect you to a new page where you will connect your domain to Cloudflare. Once you have entered an existing domain, select **Continue**.
+
+Then, follow the steps to [Set up MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/).
+
+### Enter domain manually
+
+1. **Add domains**: Manually enter domain names.
+2. **Review all domains**: Review all your domains, then select **Continue**.
+3. **Verify your domains**: It may take up to 24 hours for your domains to be verified. Select **Done**.
+4. Once your domains have been verified, the dashboard will display a message like this: **You have verified domains ready to connect to Email Security**. This means that you can now set up Email Security via MX/Inline.
+5. Select **Set up**, then select **MX/Inline**.
+6. Follow the steps to [Set up MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/).
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment.mdx
new file mode 100644
index 00000000000000..7d3dc4e9eb02a4
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment.mdx
@@ -0,0 +1,20 @@
+---
+title: MX/Inline deployment
+pcx_content_type: concept
+sidebar:
+ order: 2
+---
+
+With pre-delivery deployment, also known as Inline deployment, Email Security evaluates email messages before they reach a user's inbox.
+
+Email Security becomes a hop in the SMTP processing chain and physically interacts with incoming email messages. Based on your policies, various messages are blocked before reaching the inbox.
+
+When you choose an inline deployment, you get the following benefits:
+
+- Messages are processed and physically blocked before arriving in a user's mailbox.
+- Your deployment is simpler, because any complex processing can happen downstream and without modification.
+- Email Security can modify delivered messages, adding subject or body mark-ups.
+- Email Security can offer high availability and adaptive message pooling.
+- You can set up advanced handling downstream for non-quarantined messages with added X-headers.
+
+
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-email-security-mx.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-email-security-mx.mdx
new file mode 100644
index 00000000000000..81a6015519fbba
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-email-security-mx.mdx
@@ -0,0 +1,55 @@
+---
+title: Cisco - Email Security as MX Record
+pcx_content_type: integration-guide
+sidebar:
+ order: 5
+---
+
+import { Render } from "~/components"
+
+
+
+In this tutorial, you will learn how to configure Cisco IronPort with Email Security as MX record.
+
+
+
+## 1. Add a Sender Group for Email Security Email Protection IPs
+
+To add a new Sender Group:
+
+1. Go to **Mail Policies** > **HAT Overview**.
+
+2. Select **Add Sender Group**.
+
+3. Configure the new Sender Group as follows:
+ - **Name**: `Email Security`.
+ - **Order**: Order above the existing **WHITELIST** sender group.
+ - **Comment**: `Email Security Email Protection egress IP Addresses`.
+ - **Policy**: `TRUSTED` (by default, spam detection is disabled for this mail flow policy).
+ - **SBRS**: Leave blank.
+ - **DNS Lists**: Leave blank.
+ - **Connecting Host DNS Verification**: Leave all options unchecked.
+
+4. Select **Submit and Add Senders** and add the IP addresses mentioned in Egress IPs
+
+## 2. Configure Incoming Relays
+
+You need to configure the Incoming Relays section to tell IronPort to ignore upstream hops, since all the connections are now coming from Email Security. This step is needed so the IronPort can retrieve the original IPs to calculate IP reputation. IronPort also uses this information in the Anti-Spam (IPAS) scoring of messages.
+
+1. To enable the Incoming Relays Feature, select **Network** > **Incoming Relays**.
+2. Select **Enable** and commit your changes.
+3. Now, you will have to add an Incoming Relay. Select **Network** > **Incoming Relays**.
+4. Select **Add Relay** and give your relay a name.
+5. Enter the IP address of the MTA, MX, or other machine that connects to the email gateway to relay incoming messages. You can use IPv4 or IPv6 addresses.
+6. Specify the `Received:` header that will identify the IP address of the original external sender.
+7. Commit your changes.
+
+## 3. Disable SPF checks
+
+Make sure you disable Sender Policy Framework (SPF) checks in IronPort. Because Email Security is acting as the MX record, if you do not disable SPF checks, IronPort will block emails due to an SPF failure.
+
+Refer to [Cisco's documentation](https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117973-faq-esa-00.html) for more information on how to disable SPF checks.
+
+## Next steps
+
+Now that you have completed the prerequisite steps, you can set up [MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) on the Cloudflare dashboard.
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-mx.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-mx.mdx
new file mode 100644
index 00000000000000..236ae26534ec4f
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/cisco-mx.mdx
@@ -0,0 +1,109 @@
+---
+title: Cisco - Cisco as MX Record
+pcx_content_type: integration-guide
+sidebar:
+ order: 6
+---
+
+import { GlossaryTooltip, Render } from "~/components"
+
+
+
+In this tutorial, you will learn how to configure Email Security with Cisco as MX record.
+
+## 1. Add a Sender Group for Email Security Email Protection IPs
+
+To add a new Sender Group:
+
+1. Go to **Mail Policies** > **HAT Overview**.
+
+2. Select the **Add Sender Group** button.
+
+3. Configure the new Sender Group as follows:
+ - **Name**: `Email Security`.
+ - **Order**: Order above the existing **WHITELIST** sender group.
+ - **Comment**: `Email Security Email Protection egress IP Addresses`.
+ - **Policy**: `TRUSTED` (by default, spam detection is disabled for this mail flow policy).
+ - **SBRS**: Leave blank.
+ - **DNS Lists**: Leave blank.
+ - **Connecting Host DNS Verification**: Leave all options unchecked.
+
+4. Select **Submit and Add Senders**, and add the IP addresses mentioned in Egress IPs. If you need to process emails in the EU or India regions for compliance purposes, add those IP addresses as well.
+
+## 2. Add SMTP route for the Email Security Email Protection Hosts
+
+To add a new SMTP Route:
+
+1. Go to **Network** > **SMTP Routes**.
+
+2. Select **Add Route**.
+
+3. Configure the new SMTP Route as follows:
+ - **Receiving Domain**: `a1s.mailstream`
+ - In **Destination Hosts**, select **Add Row**, and add the Email Security MX hosts. Refer to the [Geographic locations](#5-geographic-locations) table for more information on which MX hosts to use.
+
+## 3. Create Incoming Content Filters
+
+To manage the mail flow between Email Security and Cisco ESA, you need two filters:
+
+* One to direct all incoming messages to Email Security.
+* One to recognize messages coming back from Email Security to route for normal delivery.
+
+### Incoming Content Filter - To Email Security
+
+To create a new Content Filter:
+
+1. Go to **Mail Policies** > **Incoming Content Filters**.
+
+2. Select **Add Filter** to create a new filter.
+
+3. Configure the new Incoming Content Filter as follows:
+ - **Name**: `ESA_to_A1S`
+ - **Description**: `Redirect messages to Email Security for anti-phishing inspection`
+ - **Order**: This will depend on your other filters.
+ - **Condition**: No conditions.
+ - **Actions**:
+ - For **Action** select **Send to Alternate Destination Host**.
+ - For **Mail Host** input `a1s.mailstream` (the SMTP route configured in step 2).
+
+### Incoming Content Filter - From Email Security
+
+To create a new Content Filter:
+
+1. Go to **Mail Policies** > **Incoming Content Filters**.
+
+2. Select the **Add Filter** button to create a new filter.
+
+3. Configure the new Incoming Content Filter as follows:
+ - **Name**: `A1S_to_ESA`
+ - **Description**: `Email Security inspected messages for final delivery`
+ - **Order**: This filter must come before the previously created filter.
+ - **Conditions**: Add conditions of type **Remote IP/Hostname** with all the IP addresses mentioned in Egress IPs. For example:
+
+ | Order | Condition | Rule |
+ | ----- | -------------------- | -------------------- |
+ | `1` | `Remote IP/Hostname` | `Remote IP/Hostname` |
+ | `2` | `Remote IP/Hostname` | `52.89.255.11` |
+ | `3` | `Remote IP/Hostname` | `52.0.67.109` |
+ | `4` | `Remote IP/Hostname` | `54.173.50.115` |
+ | `5` | `Remote IP/Hostname` | `104.30.32.0/19` |
+ | `6` | `Remote IP/Hostname` | `158.51.64.0/26` |
+ | `7` | `Remote IP/Hostname` | `158.51.65.0/26` |
+
+ - Ensure that the *Apply rule:* dropdown is set to **If one or more conditions match**.
+ - **Actions**: Select **Add Action**, and add the following:
+ | Order | Action | Rule |
+ | ----- | ----------------------------------------------- | ---------------- |
+ | --1 | `Skip Remaining Content Filters (Final Action)` | `skip-filters()` |
+
+## 4. Add the Incoming Content Filter to the Inbound Policy table
+
+Assign the Incoming Content Filters created in [step 3](#3-create-incoming-content-filters) to your primary mail policy in the Incoming Mail Policy table. Then, commit your changes to activate the email redirection.
+
+## 5. Geographic locations
+
+
+
+## Next steps
+
+Now that you have completed the prerequisite steps, you can set up [MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) on the Cloudflare dashboard.
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/gsuite-email-security-mx.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/gsuite-email-security-mx.mdx
new file mode 100644
index 00000000000000..a766aa2bbca4a6
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/gsuite-email-security-mx.mdx
@@ -0,0 +1,63 @@
+---
+title: Google Workspace as MX Record
+pcx_content_type: integration-guide
+sidebar:
+ order: 4
+---
+
+
+
+In this tutorial, you will learn how to configure Google Workspace with Email Security as MX record.
+
+## Requirements
+
+- Provisioned Email Security account.
+- Access to the Google administrator console ([Google administrator console](https://admin.google.com/) > **Apps** > **Google Workspace** > **Gmail**).
+- Access to the domain nameserver hosting the MX records for the domains that will be processed by Email Security.
+
+## 1. Set up Inbound Email Configuration
+
+Set up [Inbound Email Configuration](https://support.google.com/a/answer/60730?hl=en) with the following details:
+ - In **Gateway IPs**, select the **Add** link, and add the IPs mentioned in [Egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/).
+ - Select **Automatically detect external IP (recommended)**.
+ - Select **Require TLS for connections from the email gateways listed above**.
+ - Select **SAVE**.
+
+## 2. (Optional) Set up an email quarantine
+
+[Set up an email quarantine](https://support.google.com/a/answer/6104172?hl=en#:~:text=Sign%20in%20with%20an%20administrator,t%20access%20the%20Admin%20console.&text=Manage%20quarantines.,Click%20Add%20Quarantine.) with the following details:
+ - **Name**: Email Security Malicious.
+ - **Description**: Email Security Malicious.
+ - For the **Inbound denial consequence**, select **Drop message**.
+ - For the **Outbound denial consequence**, select **Drop message**.
+ - Select **SAVE**.
+
+To access the newly created quarantine, select **GO TO ADMIN QUARANTINE** or access the quarantine directly by pointing your browser to https://email-quarantine.google.com/adminreview.
+
+## 3. (Optional) Create a content compliance filter
+
+Go to **Compliance**, and create a [content compliance filter](https://support.google.com/a/answer/1346934?hl=en#zippy=%2Cstep-go-to-gmail-compliance-settings-in-the-google-admin-console%2Cstep-enter-email-messages-to-affect) to send malicious messages to quarantine. Enter the following details:
+ - **Content compliance**: Add `Quarantine Email Security Malicious`.
+ - **Email messages to affect**: Select **Inbound**.
+ - **Add expressions that describe the content you want to search for in each message**:
+ - Select **Add** to add the condition.
+ - In **Simple content match**, select **Advanced content match**.
+ - In **Location**, select **Full headers**.
+ - In **Match type**, select **Contains text**.
+ - In **Content**, enter `X-EmailSecurity-Disposition: MALICIOUS`.
+ - Select **SAVE** to save the condition.
+ - If the above expression match, do the following, select **Quarantine message** and the **Email Security Malicious** quarantine that was created in the previous step.
+ - Select **SAVE**.
+
+If you would like to quarantine the other dispositions, repeat the above steps and use the following strings for the other dispositions:
+
+- `X-EmailSecurity-Disposition: MALICIOUS`
+- `X-EmailSecurity-Disposition: SUSPICIOUS`
+- `X-EmailSecurity-Disposition: SPOOF`
+- `X-EmailSecurity-Disposition: UCE`
+
+If desired, you can create a separate quarantine for each of the dispositions.
+
+## Next steps
+
+Now that you have completed the prerequisite steps, you can set up [MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) on the Cloudflare dashboard.
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/index.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/index.mdx
new file mode 100644
index 00000000000000..e259e0ad64299f
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/index.mdx
@@ -0,0 +1,14 @@
+---
+title: Prerequisites
+pcx_content_type: navigation
+sidebar:
+ order: 1
+ group:
+ hideIndex: true
+---
+
+import { DirectoryListing } from "~/components"
+
+
+
+
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/office365-email-security-mx.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/office365-email-security-mx.mdx
new file mode 100644
index 00000000000000..e5df409a1b35a9
--- /dev/null
+++ b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/office365-email-security-mx.mdx
@@ -0,0 +1,106 @@
+---
+title: Office 365 as MX Record
+pcx_content_type: integration-guide
+sidebar:
+ order: 3
+---
+
+import { Render, Markdown, GlossaryTooltip } from "~/components"
+
+
+
+In this tutorial, you will learn how to configure Microsoft Office 365 with Email Security as its MX record.
+
+## 1. Add Email Security IP addresses to Allow List
+
+1. Go to the [Anti-spam policies page](https://security.microsoft.com/antispam) > Select **Edit connection filter policy**.
+2. In **Always allow messages from the following IP addresses or address range**, add IP addresses and CIDR blocks mentioned in Egress IPs.
+3. Select **Save**.
+4. Microsoft recommends disabling SPF Hard fail when an email solution is placed in front of it:
+ - Return to the [Anti-spam option](https://security.microsoft.com/antispam).
+ - Select **Default anti-spam policy**.
+ - Select **[Edit spam threshold and properties](https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-complaint-level-bcl-about)** > **Mark as spam** > **SPF record: hard fail**, and ensure it is set to **Off**.
+5. Select **Save**.
+
+## 2. Configure Enhanced Filtering
+
+### Create an inbound connector
+
+1. [Set up a connector](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#1-set-up-a-connector-from-your-email-server-to-microsoft-365-or-office-365).
+2. Select **Partner organization** under **Connection from**.
+ - Provide a name for the connector:
+ - **Name**: ```Email Security Inbound Connector```
+ - **Description**: ```Inbound connector for Enhanced Filtering```
+3. In **Authenticating sent email**, select **By verifying that the IP address of the sending server matches one of the following IP addresses, which belongs to your partner organization.**
+4. Enter all of the egress IPs in the [Egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) page.
+5. In **Security restrictions**, accept the default **Reject email messages if they aren't sent over TLS** setting.
+
+### Enable enhanced filtering
+
+Now that the inbound connector has been configured, you will need to enable the enhanced filtering configuration of the connector.
+
+1. Go to the [Security admin console](https://security.microsoft.com/homepage), and [enable enhanced filtering](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#use-the-microsoft-defender-portal-to-configure-enhanced-filtering-for-connectors-on-an-inbound-connector).
+2. Select **Automatically detect and skip the last IP address** and **Apply to entire organization**.
+3. Select **Save**.
+
+## 3. Configure anti-spam policies
+
+To configure anti-spam policies:
+
+1. Open the [Microsoft 365 Defender console](https://security.microsoft.com/).
+2. Go to **Email & collaboration** > **Policies & rules**.
+3. Select **Threat policies**.
+4. Under **Policies**, select **Anti-spam**.
+5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
+6. In **Actions**, scroll down and select **Edit actions**.
+7. Set the following conditions and actions (you might need to scroll up or down to find them):
+- **Spam**: *Move messages to Junk Email folder*.
+- **High confidence spam**: *Quarantine message*.
+ - **Select quarantine policy**: _AdminOnlyAccessPolicy_.
+- **Phishing**: *Quarantine message*.
+ - **Select quarantine policy**: _AdminOnlyAccessPolicy_.
+- **High confidence phishing**: *Quarantine message*.
+ - **Select quarantine policy**: _AdminOnlyAccessPolicy_.
+- **Retain spam in quarantine for this many days**: Default is 15 days. Email Security recommends 15-30 days.
+ - Select the spam actions in the above step:
+8. Select **Save**.
+
+## 4. Create transport rules
+
+To create the transport rules that will send emails with certain [dispositions](/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to Email Security:
+
+1. Open the new [Exchange admin center](https://admin.exchange.microsoft.com/#/homepage).
+2. Go to **Mail flow** > **Rules**.
+3. Select **Add a Rule** > **Create a new rule**.
+4. Set the following rule conditions:
+
+ - **Name**: _Email Security Deliver to Junk Email folder_.
+ - **Apply this rule if**: *The message headers* > *includes any of these words*.
+ - **Enter text**: `X-CFEmailSecurity-Disposition` > **Save**.
+ - **Enter words**: ```SUSPICIOUS```, ```BULK``` > **Add** > **Save**.
+ - **Apply this rule if**: Select **+** to add a second condition.
+ - **And**: *The sender* > *IP address is in any of these ranges or exactly matches* > enter the egress IPs mentioned in Egress IPs.
+ - **Do the following** - _Modify the message properties_ > _Set the Spam Confidence Level (SCL)_ > _5_.
+
+5. Select **Next**.
+6. You can use the default values on this screen. Select **Next**.
+7. Review your settings and select **Finish** > **Done**.
+8. Select the rule **Email Security Deliver to Junk Email folder** you have just created, and **Enable**.
+9. Select **Add a Rule** > **Create a new rule**.
+10. Set the following rule conditions:
+
+ - **Name**: *{props.five}*.
+ - **Apply this rule if**: *The message headers* > *includes any of these words*.
+ - **Enter text**: `X-CFEmailSecurity-Disposition` > **Save**.
+ - **Enter words**: `MALICIOUS`, `UCE`, `SPOOF` > **Add** > **Save**.
+ - **Apply this rule if**: Select **+** to add a second condition.
+ - **And**: *The sender* > *IP address is in any of these ranges or exactly matches* > enter the egress IPs in the Egress IPs.
+ - **Do the following**: _Redirect the message to_ > _hosted quarantine_.
+11. Select **Next**.
+12. You can use the default values on this screen. Select **Next**.
+13. Review your settings and select **Finish** > **Done**.
+14. Select the rule *{props.five}* you have just created, and select **Enable**.
+
+## Next steps
+
+Now that you have completed the prerequisite steps, you can set up [MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) on the Cloudflare dashboard.
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/email-security/deployment/mx-deployment-prerequisites.mdx b/src/content/partials/cloudflare-one/email-security/deployment/mx-deployment-prerequisites.mdx
new file mode 100644
index 00000000000000..3ab0775d7f83aa
--- /dev/null
+++ b/src/content/partials/cloudflare-one/email-security/deployment/mx-deployment-prerequisites.mdx
@@ -0,0 +1,45 @@
+---
+{}
+---
+
+## Prerequisites
+
+To ensure changes made in this tutorial take effect quickly, update the Time to Live (TTL) value of the existing MX records on your domains to five minutes. Do this on all the domains you will be deploying.
+
+Changing the TTL value instructs DNS servers on how long to cache this value before requesting an update from the responsible nameserver. You need to change the TTL value before changing your MX records to Cloudflare Email Security (formerly Area 1). This will ensure that changes take effect quickly and can also be reverted quickly if needed. If your DNS manager does not allow for a TTL of five minutes, set it to the lowest possible setting.
+
+To check your existing TTL, open a terminal window and run the following command against your domain:
+
+```sh
+dig mx
+```
+
+```sh output
+
+; <<>> DiG 9.10.6 <<>> mx
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39938
+;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;domain. IN MX
+
+;; ANSWER SECTION:
+. 300 IN MX 5 mailstream-central.mxrecord.mx.
+. 300 IN MX 10 mailstream-east.mxrecord.io.
+. 300 IN MX 10 mailstream-west.mxrecord.io.
+```
+
+In the above example, TTL is shown in seconds as `300` (or five minutes).
+
+If you are using Cloudflare for DNS, you can leave the [TTL setting as **Auto**](/dns/manage-dns-records/reference/ttl/).
+
+Below is a list with instructions on how to edit MX records for some popular services:
+
+- **Cloudflare**: [Set up email records](/dns/manage-dns-records/how-to/email-records/)
+- **GoDaddy**: [Edit an MX Record](https://www.godaddy.com/help/edit-an-mx-record-19235)
+- **AWS**: [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html)
+- **Azure**: [Create DNS records in a custom domain for a web app](https://learn.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain)
diff --git a/src/content/partials/cloudflare-one/email-security/deployment/mx-deployment-values.mdx b/src/content/partials/cloudflare-one/email-security/deployment/mx-deployment-values.mdx
new file mode 100644
index 00000000000000..7159d1c82e5849
--- /dev/null
+++ b/src/content/partials/cloudflare-one/email-security/deployment/mx-deployment-values.mdx
@@ -0,0 +1,11 @@
+---
+{}
+
+---
+
+| MX Priority | Host |
+| ----------- | -------------------------------- |
+| `5` | `mailstream-eu1.mxrecord.io` |
+| `10` | `mailstream-central.mxrecord.mx` |
+| `20` | `mailstream-east.mxrecord.io` |
+| `20` | `mailstream-west.mxrecord.io` |
diff --git a/src/content/partials/cloudflare-one/email-security/deployment/mx-geographic-locations.mdx b/src/content/partials/cloudflare-one/email-security/deployment/mx-geographic-locations.mdx
new file mode 100644
index 00000000000000..c4e31a82c6cc98
--- /dev/null
+++ b/src/content/partials/cloudflare-one/email-security/deployment/mx-geographic-locations.mdx
@@ -0,0 +1,18 @@
+---
+{}
+
+---
+
+When configuring the Email Security (formerly Area 1) MX records, it is important to configure hosts with the correct MX priority. This will allow mail flows to the preferred hosts and fail over as needed.
+
+Choose from the following Email Security MX hosts, and order them by priority. For example, if you are located outside the US and want to prioritize email processing in the EU, add `mailstream-eu1.mxrecord.io` as your first host, and then the US servers.
+
+| Host | Location | Note |
+| -------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `mailstream-central.mxrecord.mx` `mailstream-east.mxrecord.io` `mailstream-west.mxrecord.io` | US | Best option to ensure all email traffic processing happens in the US. |
+| `mailstream-eu1.mxrecord.io` | EU | Best option to ensure all email traffic processing happens in Germany, with backup to US data centers. |
+| `mailstream-bom.mxrecord.mx` | India | Best option to ensure all email traffic processing happens within India.
+| `mailstream-india-primary.mxrecord.mx` | India | Same as `mailstream-bom.mxrecord.mx`, with backup to US data centers. |
+| `mailstream-asia.mxrecord.mx` | India | Best option to ensure all email traffic processing happens in India, with Australia data centers as backup.
+| `mailstream-syd.area1.cloudflare.net` | Australia / New Zealand | Best option to ensure all email traffic processing happens within Australia. |
+| `mailstream-australia-primary.area1.cloudflare.net` | Australia / New Zealand | Best option to ensure all email traffic processing happens in Australia, with India and US data centers as backup. |