cloudflare · Maddy-Cloudflare · Jun 4, 2025 · May 9, 2025 · May 9, 2025 · May 9, 2025
@@ -1,61 +1,124 @@
 ---
-title: Setup
+title: Get started
 pcx_content_type: navigation
 sidebar:
+  label: Get started
   order: 11
+  group:
+    label: Setup
 ---
 
-import { DirectoryListing } from "~/components"
+import { Markdown } from "~/components";
 
-You can set up Email Security via:
+## Before you begin
 
-<DirectoryListing />
+Before you start the onboarding process, you will have to:
 
-## Post-delivery deployment
+1. Choose a deployment path: Email Security provides two deployment modes, [post-delivery](/cloudflare-one/email-security/setup/post-delivery-deployment/) for API and BCC/Journaling and [pre-delivery](/cloudflare-one/email-security/setup/pre-delivery-deployment/) for MX/Inline.
+2. Learn about dispositions, impersonation registry, and reclassifications.
+3. Know the steps to configure your email environment correctly.
 
-With post-delivery deployment, Email Security scans emails **after** they reach users' inbox.
+## 1. Choose a deployment
 
-Post-delivery deployment includes [Microsoft Graph API](/cloudflare-one/email-security/setup/post-delivery-deployment/api/) and [BCC](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/)/[Journaling](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/office365-journaling/).
+### Post-delivery deployment
 
-With Microsoft Graph API, you authorize Email Security to scan domains via your email provider credentials. With BCC/Journaling, you send messages to Email Security via BCC or Journaling configurations within your email provider.
+When you choose post-delivery deployment, Cloudflare scans emails **after** they reach a users' inbox.
 
-When you set up Microsoft Graph API, you get access to the following features:
+If you are a Microsoft 365 user, this is done via [Microsoft's Graph API](/cloudflare-one/email-security/setup/post-delivery-deployment/api/office365-api/) or [journaling](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/office365-journaling/).
 
-- Auto-moves.
-- Directory synchronization.
-- Post-delivery response / Phish submission response.
-- Auto pull EMLs for [reclassification](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) whose disposition is "None".
-- Manually move messages to different inboxes.
+If you are a [Google Workspace](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/) or [Microsoft Exchange](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/bcc-microsoft-exchange/) user, this is done via BCC.
 
-If you set up Email Security via BCC/Journaling and you want to access the features listed above, you will need to [associate an integration](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-auto-moves/).
+#### Why you should consider post-delivery deployment
 
-## Pre-delivery deployment
+Post-delivery deployment is time-efficient, because it does not involve MX changes. Post-delivery deployment does not disrupt mail flow. Post-delivery deployment allows you to enable [auto-move events](/cloudflare-one/email-security/auto-moves/) to hard or soft delete messages, and synchronize your [directory](/cloudflare-one/email-security/directories/) when you use Microsoft Graph API or Google Workspace.
 
-With pre-delivery deployment, Email Security scans emails **before** they reach users' inbox.
+:::note
+When you choose post-delivery deployment:
+- The threat is removed **after** the message has been delivered to the inbox.
+- It requires API scopes, or BCC/Journaling rule configuration.
+- Auto-move is only available in BCC/Journaling if you associate an integration.
+:::
 
-MX/Inline allows you to send messages to Email Security to scan before they reach your users' inbox. You may need to update your MX records.
+### Pre-delivery deployment
 
-With MX/Inline, you will not be able to auto-move emails.
+When you choose pre-delivery deployment, Cloudflare scans emails **before** they reach a users' inbox. The MX record points to Cloudflare.
 
-However, you will need to associate an integration to access the following features:
+#### Why you should consider pre-delivery deployment
 
-- Directory synchronization.
-- Post-delivery response / Phish submission response.
-- Auto pull EMLs for reclassification for disposition "None".
-- Manually move messages.
+Pre-delivery deployment provides you with the highest level of protection. It enforces [text add-ons](/cloudflare-one/email-security/detection-settings/configure-text-add-ons/) or link rewrite at delivery.
 
-### Associate an integration
+Pre-delivery blocks threats in transit, and it adds banners or texts before the user views the email.
 
-To associate an integration:
+:::note
+When you choose pre-delivery deployment:
+- You must edit MX records or create a connector.
+- You can enable auto-move events only once you associate an integration.
+- Cloudflare [egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) are allowed on downstream mail servers.
+:::
 
-1. Log in to [Zero Trust](https://one.dash.cloudflare.com/) > **Email Security**.
-2. Go to **Settings** and locate your domain.
-3. Select the three dots > **Associate an integration**.
-4. Select the integration you want to associate, then select **Associate**.
+## 2. Understand dispositions
 
-To enable post-delivery response and phish submission response:
+Dispositions allow you to configure policies and tune reporting. For example, you can configure a policy to move suspicious emails to your junk folder.
 
-1. Go to **Settings** > **Moves**.
-2. Go to **Auto-moves**, select **View** > **Configure**.
-3. Select **Post-delivery response (Recommended)** and **Phish submission response (Recommended)**.
-4. Select **Save**.
+Refer to [Dispositions](/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to learn more about dispositions.
+
+## 3. Set up the impersonation registry
+
+Most [Business email compromise (BEC)](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) targets executives or finance roles. You must add addresses of roles who are likely to be impersonated. Refer to [Impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/) to learn how to add a user to the impersonation registry.
+
+Roles you may want to include in the impersonation registry are:
+
+- C-suites
+- Finance roles
+- HR
+- IT help-desk
+- Legal
+
+You should review your impersonation registry on a quarterly basis as roles change.
+
+## 4. Reclassify messages
+
+A reclassification is a change to an email's disposition **after** initial scanning. It is Cloudflare's built-in feedback loop for correcting false positives/negatives **and** training the detection models to get smarter over time. Refer to [Reclassify messages](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) to learn how to reclassify a message.
+
+
+### Who can reclassify messages
+
+[Security teams](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions) and [end users](/cloudflare-one/email-security/email-monitoring/search-email/#user-submissions) can submit a reclassification. 
+
+### Why you should reclassify messages
+
+Reclassifications are critical because:
+
+- **They help improve model accuracy**: Every validated reclassification teaches Cloudflare's machine learning to recognise new lures, language, infrastructure and benign patterns.
+- **They reduce alert fatigue**: Correcting Suspicious or Spam emails that users actually want tailors detections to your organization, cutting noise in the dashboard.
+- **They close the remediation loop**: When a disposition is upgraded to Malicious, Cloudflare auto-moves those emails out of every inbox (Graph API or Google Workspace API integrations).
+- **They can help you log activity taken on any reclassification**: Each reclassification displays a submission ID, details about original, requested and final dispositions, and more. Refer to [Reclassify messages](/cloudflare-one/email-security/email-monitoring/search-email/#reclassify-messages) to learn more about reclassifications.
+
+To make the most of reclassifications:
+
+1. Review reclassifications on a weekly basis.
+2. Ensure you have an integration associated with any MX/Inline deployment. When you associate an integration, you will not need to upload the EMLs every time, and we can use APIs to receive a copy of your email messages.
+3. Investigate any increase in [user submissions](/cloudflare-one/email-security/email-monitoring/search-email/#user-submissions) (users may have found a phish that bypassed filters) and confirm that analyst-final dispositions align with your policies.
+
+A correct use of reclassifications ensures that Email Security delivers a stronger protection with less manual tuning.
+
+## 5. Configuration checklist
+
+Follow the below checklist to ensure your email environment is set up correctly:
+
+| Step                                                                                                    | Post-delivery | Pre-delivery |
+|---------------------------------------------------------------------------------------------------------|---------------|--------------|
+| Authorize integration ([Graph API](/cloudflare-one/email-security/setup/post-delivery-deployment/api/office365-api/#enable-microsoft-integration) or [Google Workspace](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/))                                                | Required[^1]      | Required [^2]     |
+| Associate an integration with an MX/Inline domain                                                       |               | Required     |
+| Add/verify domains                                                                                      | Required      | Required     |
+| [Update MX records/connector](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/), then allow Cloudflare [egress IPs](/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) on downstream mail server |               | Required     |
+| Enable [Post‑delivery response and Phish submission response](/cloudflare-one/email-security/auto-moves/)                                             | Required      | Required     |
+| Populate [impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/) and [allow](/cloudflare-one/email-security/detection-settings/allow-policies/)/[block](/cloudflare-one/email-security/detection-settings/blocked-senders/) lists                                                 | Required      | Required     |
+| Configure [partner domain TLS](/cloudflare-one/email-security/setup/pre-delivery-deployment/partner-domain-tls/) and admin quarantine                                                              |               | Required     |
+| Configure [text add-ons](/cloudflare-one/email-security/detection-settings/configure-text-add-ons/) and [link actions](/cloudflare-one/email-security/detection-settings/configure-link-actions/)                                                                  |               | Required     |
+| Send a test email and verify it appears in **Monitoring** > [**Email activity**](/cloudflare-one/email-security/email-monitoring/#email-activity) with expected disposition        | Required      | Required     |
+
+[^1]: Associating an integration with BCC/Journaling is required for post-delivery but not for pre-delivery.
+[^2]: Still used for directory/auto‑move insight if desired as well as authorizing free API CASB.
+
+Now that you know which deployment path to choose, you can begin your onboarding process.