From edfdf281a35627170e9061f2a7bff9453a6eb4aa Mon Sep 17 00:00:00 2001 From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> Date: Wed, 7 May 2025 16:51:11 +0100 Subject: [PATCH] [Email Security] Reorder dispositions --- .../email-security/reference/dispositions-and-attributes.mdx | 4 +++- .../email-security/dispositions-and-attributes.mdx | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/email-security/reference/dispositions-and-attributes.mdx b/src/content/docs/cloudflare-one/email-security/reference/dispositions-and-attributes.mdx index 36179bf277ad69c..f859fb3b82d1ed3 100644 --- a/src/content/docs/cloudflare-one/email-security/reference/dispositions-and-attributes.mdx +++ b/src/content/docs/cloudflare-one/email-security/reference/dispositions-and-attributes.mdx @@ -17,10 +17,12 @@ Detection is the process Email Security does to identify what threat an email ma Any traffic that flows through Email Security is given a final disposition, which represents our evaluation of that specific message. Each message will receive only one disposition header, so your organization can take clear and specific actions on different message types. -You can use disposition values when [setting up auto-moves](/cloudflare-one/email-security/auto-moves/). +You can use disposition values when [setting up auto-moves](/cloudflare-one/email-security/auto-moves/). ### Available values +The following disposition values follow an order of maliciousness: + ## Attributes diff --git a/src/content/partials/cloudflare-one/email-security/dispositions-and-attributes.mdx b/src/content/partials/cloudflare-one/email-security/dispositions-and-attributes.mdx index 13536403d383000..2d3d707e1f72691 100644 --- a/src/content/partials/cloudflare-one/email-security/dispositions-and-attributes.mdx +++ b/src/content/partials/cloudflare-one/email-security/dispositions-and-attributes.mdx @@ -1,10 +1,10 @@ - **Malicious**: Traffic associated with active threat campaigns. Malicious messages invoked multiple phishing verdict triggers and met thresholds for bad behavior. - **Recommendation**: Block. -- **Spoof**: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies ([SPF](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), [DMARC](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)) or has mismatching `Envelope From` and `Header From` values. - - **Recommendation**: Block after investigating (can be triggered by third-party mail services). - **Suspicious**: Traffic associated with phishing campaigns (and is under further analysis by our automated systems). - **Recommendation**: Research these messages internally to evaluate legitimacy. - **Spam**: Traffic associated with non-malicious, commercial campaigns. - **Recommendation**: Route to existing Spam quarantine folder. +- **Spoof**: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies ([SPF](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), [DMARC](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)) or has mismatching `Envelope From` and `Header From` values. + - **Recommendation**: Block after investigating (can be triggered by third-party mail services). - **Bulk**: Traffic often associated with newsletters or marketing campaigns. Refer to [Graymail](https://en.wikipedia.org/wiki/Graymail_%28email%29) for more details. - **Recommendation**: Monitor or tag. \ No newline at end of file