From 88e570c0e106c898e193c9a2d795eb121f0fb239 Mon Sep 17 00:00:00 2001
From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com>
Date: Tue, 15 Jul 2025 11:46:19 +0100
Subject: [PATCH 1/4] [Email Security] Accept sender disclaimer
---
.../email-security/detection-settings/allow-policies.mdx | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
index 1fa60e7f27d3a5b..a9fe2e63fc904fc 100644
--- a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
+++ b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
@@ -30,6 +30,14 @@ To configure allow policies:
- **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes` fields. The first row must be a header row. Refer to [CSV uploads](/cloudflare-one/email-security/detection-settings/allow-policies/#csv-uploads) for an example file.
6. Select **Save**.
+:::caution[Accept sender]
+If you choose to enable **Accept sender**, ensure that **Sender verification (Recommended)** is turned on at all times.
+
+Companies such as PayPal, Docusign, and Shopify should not enable **Sender verification (Recommended)** when configuring an allow policy.
+
+Email Security is able to recognize sender verified emails used for nefarious activity. However, enabling **Accept sender** will cause Email Security to not recognize nefarious activities and therefore create security concerns.
+:::
+
### CSV uploads
You can upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes`. The first row must be a header row.
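Review bot: the first two paragraphs of the new caution contradict each other. The first says to keep **Sender verification (Recommended)** on at all times when **Accept sender** is enabled, and the second says PayPal, Docusign, and Shopify should not enable it. The second paragraph also reads as if those companies were the ones configuring the policy; if the intent is a warning about policies that match mail from those senders, say so and state which setting applies. The third paragraph says enabling **Accept sender** stops Email Security from recognizing malicious use of verified senders, which needs reconciling with the first paragraph's advice to enable it with verification on.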
From 6c76e9ed52da135f969167d9b4adc558e09a2f88 Mon Sep 17 00:00:00 2001
From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com>
Date: Thu, 17 Jul 2025 14:40:32 +0100
Subject: [PATCH 2/4] [Email Security] Update based on wiki
---
.../detection-settings/allow-policies.mdx | 53 +++++++++++++++++--
1 file changed, 48 insertions(+), 5 deletions(-)
diff --git a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
index a9fe2e63fc904fc..e183ed566260369 100644
--- a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
+++ b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
@@ -5,6 +5,8 @@ sidebar:
order: 1
---
+import { Example, Details } from "~/components"
+
Email Security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning.
To configure allow policies:
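Review bot: the import adds both `Example` and `Details`, but none of the added lines shown in this patch reference either component. Confirm each one is used in the use case sections and drop whichever is not, so the page does not carry an unused import.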
@@ -30,13 +32,54 @@ To configure allow policies:
- **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes` fields. The first row must be a header row. Refer to [CSV uploads](/cloudflare-one/email-security/detection-settings/allow-policies/#csv-uploads) for an example file.
6. Select **Save**.
-:::caution[Accept sender]
-If you choose to enable **Accept sender**, ensure that **Sender verification (Recommended)** is turned on at all times.
+
+
+The following use cases present some use cases that will show you how to properly configure allow policies.
+
+### Use case 1
+
+
+ This use case can affect companies such as Shopify, PayPal, and Docusign.
+
+ To solve this:
+
+ 1. Submit a [team submission](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions).
+ 2. Inform your Cloudflare account about the escalation.
+ 3. Avoid setting up allow policies, or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign.
+
+
+### Use case 2
+
+
+
+ This use case can cause your inbox to receive too many unwanted emails. This use case can affect companies such as Salesforce, Atlassian, and Figma.
+
+ To solve this, when you add an allow policy in the Zero Trust dashboard, ensure that:
+
+ 1. You choose **Accept sender**.
+ 2. Verify that **Sender verification (recommended)** is turned on.
+
+
+
+
+### Use case 3
+
+
+
+ This use case can affect companies such as Salesforce, Atlassian, and Figma.
+
+ To solve this, when you add an allow policy in the Zero Trust dashboard, ensure that:
+
+ 1. You choose **Accept sender** based on the static IP you own.
+ 2. Ensure that **Sender verification (recommended)** is turned off.
-Companies such as PayPal, Docusign, and Shopify should not enable **Sender verification (Recommended)** when configuring an allow policy.
+ :::caution
+ Do not use email addresses or email domains for this case as they can be easily spoofed without **Sender Verification (Recommended)** enabled.
+ :::
+
+
-Email Security is able to recognize sender verified emails used for nefarious activity. However, enabling **Accept sender** will cause Email Security to not recognize nefarious activities and therefore create security concerns.
-:::
+
### CSV uploads
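Review bot: each use case opens with "This use case can affect companies such as ..." and then "To solve this", but no added line under the `### Use case N` headings says what the situation is. As a result "this" has nothing to refer to, and use cases 2 and 3 name the same companies while giving opposite settings for **Sender verification (recommended)**. Add a one-sentence statement of the scenario under each heading, or make the headings descriptive. The removed caution explained that **Accept sender** can hide malicious mail from verified senders; step 3 of use case 1 now only says "security gap", so carry that reason over. Smaller points: "The following use cases present some use cases" repeats itself, and "Inform your Cloudflare account" reads as if a word is missing.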
From 02003f0658f883023fc52f415424910e344a13f2 Mon Sep 17 00:00:00 2001
From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com>
Date: Fri, 18 Jul 2025 11:19:09 +0100
Subject: [PATCH 3/4] Addressing suggestions
---
.../detection-settings/allow-policies.mdx | 29 ++++++++++---------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
index e183ed566260369..5a33f8d82a3e57c 100644
--- a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
+++ b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
@@ -21,7 +21,7 @@ To configure allow policies:
- **Action**: Select one of the following to choose how Email Security will handle messages that match your criteria:
- **Trust sender**: Messages will bypass all detections and link following.
- **Exempt recipient**: Message to this recipient will bypass all detections.
- - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions.
+ - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. Refer to [Allow policy configuration use cases](/cloudflare-one/email-security/detection-settings/allow-policies/#use-case-1) for use case examples on how to configure allow policies for accept sender.
- **Rule type**: Specify the scope of your policy. Choose one of the following:
- **Email addresses**: Must be a valid email.
- **IP addresses**: Can only be IPv4. IPv6 and CIDR are invalid entries.
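Review bot: the link text added to the **Accept sender** bullet, "Allow policy configuration use cases", names a section that does not appear under that title in the hunks of this series, and the target `#use-case-1` lands on the first use case only. Either add a parent heading with that title above `### Use case 1` and link to it, or change the link text to match the target. The link also spells out the full path of the page it is already on; a bare `#use-case-1` anchor is enough and survives a page move.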
@@ -34,29 +34,30 @@ To configure allow policies:
-The following use cases present some use cases that will show you how to properly configure allow policies.
+The following use cases present some scenarios that will show you how to properly configure allow policies for accept sender.
### Use case 1
-
+
This use case can affect companies such as Shopify, PayPal, and Docusign.
To solve this:
1. Submit a [team submission](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions).
- 2. Inform your Cloudflare account about the escalation.
- 3. Avoid setting up allow policies, or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign.
+ 2. Inform your Cloudflare contact about the escalation.
+ 3. Do not set up allow policies, or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign.
### Use case 2
-
- This use case can cause your inbox to receive too many unwanted emails. This use case can affect companies such as Salesforce, Atlassian, and Figma.
+
- To solve this, when you add an allow policy in the Zero Trust dashboard, ensure that:
+ This use case can cause the emails you want to receive to follow the auto-moves rules you set up. This use case affects emails from internal tools (such as Salesforce, Atlassian, Figma, and more) that are given an incorrect disposition.
+
+ To solve this, when you add an allow policy in the Zero Trust dashboard:
- 1. You choose **Accept sender**.
+ 1. Choose **Accept sender**.
2. Verify that **Sender verification (recommended)** is turned on.
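Review bot: in use case 2 the description gives the consequence first (wanted emails follow the auto-moves rules) and the cause second (an incorrect disposition on mail from internal tools). Putting the cause first in a single sentence reads more clearly, for example "Emails from internal tools ... are given an incorrect disposition, so they follow the auto-moves rules you set up." Salesforce, Atlassian, and Figma are third-party services, so "internal tools" may need a word of explanation. In use case 1 step 3, the comma in "allow policies, or blocked senders" should go.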
@@ -64,17 +65,17 @@ The following use cases present some use cases that will show you how to properl
### Use case 3
-
+
- This use case can affect companies such as Salesforce, Atlassian, and Figma.
+ This use case impacts the emails from internal tools (such as Salesforce, Atlassian, Figma, and more) that are given an incorrect disposition.
- To solve this, when you add an allow policy in the Zero Trust dashboard, ensure that:
+ To solve this, when you add an allow policy in the Zero Trust dashboard:
- 1. You choose **Accept sender** based on the static IP you own.
+ 1. Choose **Accept sender** based on the static IP you own.
2. Ensure that **Sender verification (recommended)** is turned off.
:::caution
- Do not use email addresses or email domains for this case as they can be easily spoofed without **Sender Verification (Recommended)** enabled.
+ Do not use email addresses or email domains for this policy as they can be easily spoofed without **Sender Verification (Recommended)** enabled.
:::
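Review bot: use case 3 now carries nearly the same description as use case 2 (mail from internal tools given an incorrect disposition) but tells the reader to turn **Sender verification (recommended)** off, and nothing in these lines says when this case applies instead of use case 2. State the deciding condition, since the caution directly below says addresses and domains are easily spoofed without verification. The setting name is also capitalized two ways in this hunk, "Sender verification (recommended)" in step 2 and "Sender Verification (Recommended)" in the caution; use the label exactly as it appears in the dashboard.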
From dbbde761e98891fd4ef3370eb9856a357002f959 Mon Sep 17 00:00:00 2001
From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com>
Date: Fri, 18 Jul 2025 13:38:30 +0100
Subject: [PATCH 4/4] Apply suggestions from code review
Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
---
.../detection-settings/allow-policies.mdx | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
index 5a33f8d82a3e57c..9d80804caa57fa9 100644
--- a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
+++ b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
@@ -21,7 +21,7 @@ To configure allow policies:
- **Action**: Select one of the following to choose how Email Security will handle messages that match your criteria:
- **Trust sender**: Messages will bypass all detections and link following.
- **Exempt recipient**: Message to this recipient will bypass all detections.
- - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. Refer to [Allow policy configuration use cases](/cloudflare-one/email-security/detection-settings/allow-policies/#use-case-1) for use case examples on how to configure allow policies for accept sender.
+ - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. Refer to [Allow policy configuration use cases](#use-case-1) for use case examples on how to configure allow policies for accept sender.
- **Rule type**: Specify the scope of your policy. Choose one of the following:
- **Email addresses**: Must be a valid email.
- **IP addresses**: Can only be IPv4. IPv6 and CIDR are invalid entries.
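Review bot: the sentence on the **Accept sender** bullet is wordy ("use case examples on how to configure allow policies for accept sender") and writes the action name in lowercase without bold, unlike the bullet label it sits under. A shorter form such as "for examples of **Accept sender** policies" would be consistent with the rest of the list.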
@@ -34,26 +34,26 @@ To configure allow policies:
-The following use cases present some scenarios that will show you how to properly configure allow policies for accept sender.
+The following use cases show how you could configure allow policies for accept sender.
### Use case 1
-
+
This use case can affect companies such as Shopify, PayPal, and Docusign.
To solve this:
- 1. Submit a [team submission](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions).
+ 1. Create a [team submission](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions).
2. Inform your Cloudflare contact about the escalation.
- 3. Do not set up allow policies, or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign.
+ 3. Do not set up allow policies or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign.
### Use case 2
-
+
- This use case can cause the emails you want to receive to follow the auto-moves rules you set up. This use case affects emails from internal tools (such as Salesforce, Atlassian, Figma, and more) that are given an incorrect disposition.
+ This use case can cause the emails you want to receive to follow the auto-moves rules you set up. This use case affects emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition.
To solve this, when you add an allow policy in the Zero Trust dashboard:
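Review bot: the new intro says the use cases "show how you could configure allow policies for accept sender", but step 3 of use case 1 tells the reader not to set up allow policies at all. Reword the intro so it covers that case, for example by saying the use cases show when and how to use **Accept sender**. "accept sender" in the intro should also match the bold, capitalized label used in the steps.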
@@ -65,9 +65,9 @@ The following use cases present some scenarios that will show you how to properl
### Use case 3
-
+
- This use case impacts the emails from internal tools (such as Salesforce, Atlassian, Figma, and more) that are given an incorrect disposition.
+ This use case impacts the emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition.
To solve this, when you add an allow policy in the Zero Trust dashboard:
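Review bot: use case 3 says "impacts the emails from internal tools" where use case 2, edited in the previous hunk, says "affects emails from internal tools" for the same statement. Use the same wording in both so readers do not look for a difference in meaning.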