diff --git a/src/content/docs/cloudflare-one/email-security/setup/index.mdx b/src/content/docs/cloudflare-one/email-security/setup/index.mdx index 66ac30d9e2f1104..ccdf05a260b0476 100644 --- a/src/content/docs/cloudflare-one/email-security/setup/index.mdx +++ b/src/content/docs/cloudflare-one/email-security/setup/index.mdx @@ -1,61 +1,122 @@ --- -title: Setup +title: Before you begin pcx_content_type: navigation sidebar: + label: Before you begin order: 11 + group: + label: Setup --- -import { DirectoryListing } from "~/components" +import { Markdown } from "~/components"; -You can set up Email Security via: +Before you start the onboarding process, you will have to: - +1. Choose a deployment path: Email Security provides two deployment modes, [post-delivery](/cloudflare-one/email-security/setup/post-delivery-deployment/) for API and BCC/Journaling and [pre-delivery](/cloudflare-one/email-security/setup/pre-delivery-deployment/) for MX/Inline. +2. Learn about dispositions, impersonation registry, and reclassifications. +3. Know the steps to configure your email environment correctly. -## Post-delivery deployment +## 1. Choose a deployment -With post-delivery deployment, Email Security scans emails **after** they reach users' inbox. +### Post-delivery deployment -Post-delivery deployment includes [Microsoft Graph API](/cloudflare-one/email-security/setup/post-delivery-deployment/api/) and [BCC](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/)/[Journaling](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/office365-journaling/). +When you choose post-delivery deployment, Cloudflare scans emails **after** they reach a users' inbox. -With Microsoft Graph API, you authorize Email Security to scan domains via your email provider credentials. With BCC/Journaling, you send messages to Email Security via BCC or Journaling configurations within your email provider. +If you are a Microsoft 365 user, this is done via [Microsoft's Graph API](/cloudflare-one/email-security/setup/post-delivery-deployment/api/office365-api/) or [journaling](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/office365-journaling/). -When you set up Microsoft Graph API, you get access to the following features: +If you are a [Google Workspace](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/) or [Microsoft Exchange](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/bcc-microsoft-exchange/) user, this is done via BCC. -- Auto-moves. -- Directory synchronization. -- Post-delivery response / Phish submission response. -- Auto pull EMLs for [reclassification](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) whose disposition is "None". -- Manually move messages to different inboxes. +#### Why you should consider post-delivery deployment -If you set up Email Security via BCC/Journaling and you want to access the features listed above, you will need to [associate an integration](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-auto-moves/). +Post-delivery deployment is time-efficient, because it does not involve MX changes. Post-delivery deployment does not disrupt mail flow. Post-delivery deployment allows you to enable [auto-move events](/cloudflare-one/email-security/auto-moves/) to hard or soft delete messages, and synchronize your [directory](/cloudflare-one/email-security/directories/) when you use Microsoft Graph API or Google Workspace. -## Pre-delivery deployment +:::note +When you choose post-delivery deployment: +- The threat is removed **after** the message has been delivered to the inbox. +- It requires API scopes, or BCC/Journaling rule configuration. +- Auto-move is only available in BCC/Journaling if you associate an integration. +::: -With pre-delivery deployment, Email Security scans emails **before** they reach users' inbox. +### Pre-delivery deployment -MX/Inline allows you to send messages to Email Security to scan before they reach your users' inbox. You may need to update your MX records. +When you choose pre-delivery deployment, Cloudflare scans emails **before** they reach a users' inbox. The MX record points to Cloudflare. -With MX/Inline, you will not be able to auto-move emails. +#### Why you should consider pre-delivery deployment -However, you will need to associate an integration to access the following features: +Pre-delivery deployment provides you with the highest level of protection. It enforces [text add-ons](/cloudflare-one/email-security/detection-settings/configure-text-add-ons/) or link rewrite at delivery. -- Directory synchronization. -- Post-delivery response / Phish submission response. -- Auto pull EMLs for reclassification for disposition "None". -- Manually move messages. +Pre-delivery blocks threats in transit, and it adds banners or texts before the user views the email. -### Associate an integration +:::note +When you choose pre-delivery deployment: +- You must edit MX records or create a connector. +- You can enable auto-move events only after you associate an integration. +- Cloudflare [egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) are allowed on downstream mail servers. +::: -To associate an integration: +## 2. Understand dispositions -1. Log in to [Zero Trust](https://one.dash.cloudflare.com/) > **Email Security**. -2. Go to **Settings** and locate your domain. -3. Select the three dots > **Associate an integration**. -4. Select the integration you want to associate, then select **Associate**. +Dispositions allow you to configure policies and tune reporting. For example, you can configure a policy to move suspicious emails to your junk folder. -To enable post-delivery response and phish submission response: +Refer to [Dispositions](/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to learn more about dispositions. -1. Go to **Settings** > **Moves**. -2. Go to **Auto-moves**, select **View** > **Configure**. -3. Select **Post-delivery response (Recommended)** and **Phish submission response (Recommended)**. -4. Select **Save**. \ No newline at end of file +## 3. Set up the impersonation registry + +Most [business email compromise (BEC)](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) targets executives or finance roles. You must add addresses of roles who are likely to be impersonated. Refer to [Impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/) to learn how to add a user to the impersonation registry. + +Roles you may want to include in the impersonation registry are: + +- C-suites +- Finance roles +- HR +- IT help-desk +- Legal + +You should review your impersonation registry on a quarterly basis as roles change. + +## 4. Reclassify messages + +A reclassification is a change to an email's disposition **after** initial scanning. It is Cloudflare's built-in feedback loop for correcting false positives/negatives **and** training the detection models to get smarter over time. Refer to [Reclassify messages](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) to learn how to reclassify a message. + + +### Who can reclassify messages + +[Security teams](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions) and [end users](/cloudflare-one/email-security/email-monitoring/search-email/#user-submissions) can submit a reclassification. + +### Why you should reclassify messages + +Reclassifications are critical because: + +- **They help improve model accuracy**: Every validated reclassification teaches Cloudflare's machine learning to recognise new lures, language, infrastructure, and benign patterns. +- **They reduce alert fatigue**: Correcting Suspicious or Spam emails that users actually want tailors detections to your organization, cutting noise in the dashboard. +- **They close the remediation loop**: When a disposition is upgraded to Malicious, Cloudflare auto-moves those emails out of every inbox (Graph API or Google Workspace API integrations). +- **They can help you log activity taken on any reclassification**: Each reclassification displays a submission ID, details about original, requested and final dispositions, and more. Refer to [Reclassify messages](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) to learn more about reclassifications. + +To make the most of reclassifications: + +1. Review reclassifications on a weekly basis. +2. Ensure you have an integration associated with any MX/Inline deployment. When you associate an integration, you will not need to upload the EMLs every time; Cloudflare can use APIs to receive a copy of your email messages. +3. Investigate any increase in [user submissions](/cloudflare-one/email-security/email-monitoring/search-email/#user-submissions) (users may have found a phish that bypassed filters) and confirm that analyst-final dispositions align with your policies. + +A correct use of reclassifications ensures that Email Security delivers a stronger protection with less manual tuning. + +## 5. Configuration checklist + +Follow the below checklist to ensure your email environment is set up correctly: + +| Step | Post-delivery | Pre-delivery | +|---------------------------------------------------------------------------------------------------------|---------------|--------------| +| Authorize integration ([Graph API](/cloudflare-one/email-security/setup/post-delivery-deployment/api/office365-api/#enable-microsoft-integration) or [Google Workspace](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/)) | Required[^1] | Required [^2] | +| Associate an integration with an MX/Inline domain | | Required | +| Add/verify domains | Required | Required | +| [Update MX records/connector](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/), then allow Cloudflare [egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) on downstream mail server | | Required | +| Enable [Post‑delivery response and Phish submission response](/cloudflare-one/email-security/auto-moves/) | Required | Required | +| Populate [impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/) and [allow](/cloudflare-one/email-security/detection-settings/allow-policies/)/[block](/cloudflare-one/email-security/detection-settings/blocked-senders/) lists | Required | Required | +| Configure [partner domain TLS](/cloudflare-one/email-security/setup/pre-delivery-deployment/partner-domain-tls/) and admin quarantine | | Required | +| Configure [text add-ons](/cloudflare-one/email-security/detection-settings/configure-text-add-ons/) and [link actions](/cloudflare-one/email-security/detection-settings/configure-link-actions/) | | Required | +| Send a test email and verify it appears in **Monitoring** > [**Email activity**](/cloudflare-one/email-security/email-monitoring/#email-activity) with expected disposition | Required | Required | + +[^1]: Associating an integration with BCC/Journaling is required for post-delivery but not for pre-delivery. +[^2]: Still used for directory/auto‑move insight if desired as well as authorizing free API CASB. + +Now that you know which deployment path to choose, you can begin your onboarding process. \ No newline at end of file