From 88e570c0e106c898e193c9a2d795eb121f0fb239 Mon Sep 17 00:00:00 2001 From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> Date: Tue, 15 Jul 2025 11:46:19 +0100 Subject: [PATCH 1/2] [Email Security] Accept sender disclaimer --- .../email-security/detection-settings/allow-policies.mdx | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx index 1fa60e7f27d3a5b..a9fe2e63fc904fc 100644 --- a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx +++ b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx @@ -30,6 +30,14 @@ To configure allow policies: - **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes` fields. The first row must be a header row. Refer to [CSV uploads](/cloudflare-one/email-security/detection-settings/allow-policies/#csv-uploads) for an example file. 6. Select **Save**. +:::caution[Accept sender] +If you choose to enable **Accept sender**, ensure that **Sender verification (Recommended)** is turned on at all times. + +Companies such as PayPal, Docusign, and Shopify should not enable **Sender verification (Recommended)** when configuring an allow policy. + +Email Security is able to recognize sender verified emails used for nefarious activity. However, enabling **Accept sender** will cause Email Security to not recognize nefarious activities and therefore create security concerns. +::: + ### CSV uploads You can upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes`. The first row must be a header row. 
From 6c76e9ed52da135f969167d9b4adc558e09a2f88 Mon Sep 17 00:00:00 2001 From: Maddy <130055405+Maddy-Cloudflare@users.noreply.github.com> Date: Thu, 17 Jul 2025 14:40:32 +0100 Subject: [PATCH 2/2] [Email Security] Update based on wiki --- .../detection-settings/allow-policies.mdx | 53 +++++++++++++++++-- 1 file changed, 48 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx index a9fe2e63fc904fc..e183ed566260369 100644 --- a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx +++ b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx @@ -5,6 +5,8 @@ sidebar: order: 1 --- +import { Example, Details } from "~/components" + Email Security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning. To configure allow policies: @@ -30,13 +32,54 @@ To configure allow policies: - **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes` fields. The first row must be a header row. Refer to [CSV uploads](/cloudflare-one/email-security/detection-settings/allow-policies/#csv-uploads) for an example file. 6. Select **Save**. -:::caution[Accept sender] -If you choose to enable **Accept sender**, ensure that **Sender verification (Recommended)** is turned on at all times. +
+ +The following use cases present some use cases that will show you how to properly configure allow policies. + +### Use case 1 + + + This use case can affect companies such as Shopify, PayPal, and Docusign. + + To solve this: + + 1. Submit a [team submission](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions). + 2. Inform your Cloudflare account about the escalation. + 3. Avoid setting up allow policies, or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign. + + +### Use case 2 + + + + This use case can cause your inbox to receive too many unwanted emails. This use case can affect companies such as Salesforce, Atlassian, and Figma. + + To solve this, when you add an allow policy in the Zero Trust dashboard, ensure that: + + 1. You choose **Accept sender**. + 2. Verify that **Sender verification (recommended)** is turned on. + + + + +### Use case 3 + + + + This use case can affect companies such as Salesforce, Atlassian, and Figma. + + To solve this, when you add an allow policy in the Zero Trust dashboard, ensure that: + + 1. You choose **Accept sender** based on the static IP you own. + 2. Ensure that **Sender verification (recommended)** is turned off. -Companies such as PayPal, Docusign, and Shopify should not enable **Sender verification (Recommended)** when configuring an allow policy. + :::caution + Do not use email addresses or email domains for this case as they can be easily spoofed without **Sender Verification (Recommended)** enabled. + ::: + + -Email Security is able to recognize sender verified emails used for nefarious activity. However, enabling **Accept sender** will cause Email Security to not recognize nefarious activities and therefore create security concerns. -::: +
### CSV uploads
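Review bot: In [PATCH 1/2], the second paragraph of the `:::caution[Accept sender]` block contradicts the first. The first tells readers to keep **Sender verification (Recommended)** on at all times when **Accept sender** is enabled, while the second says PayPal, Docusign, and Shopify "should not enable **Sender verification (Recommended)**", and it reads as if those companies are the ones configuring the policy rather than the senders being matched. State what an administrator should actually do for mail from these senders, and why. The last paragraph should also say concretely what **Accept sender** exempts a message from, since "create security concerns" does not tell the reader which risk they are accepting. The labels used here also differ from the CSV field names `Acceptable Sender` and `Verify Email` in the surrounding context lines; a short mapping between the dashboard labels and the CSV columns would prevent misconfigured uploads.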
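Review bot: In [PATCH 2/2], Use case 2 and Use case 3 in the second hunk both say the case "can affect companies such as Salesforce, Atlassian, and Figma" yet give opposite instructions for **Sender verification** (on in Use case 2, off in Use case 3), and the text as shown never states the scenario that separates them, so a reader cannot tell which one applies. Replace the "Use case N" headings with descriptive ones and open each section with the condition it covers. The hunk also deletes the earlier caution that **Accept sender** stops Email Security from recognizing malicious mail; only Use case 1 still mentions a "security gap", so the warning should be kept for Use cases 2 and 3, where **Accept sender** is the recommended setting. In Use case 3, step 1 should name the pattern type to select for the static IP, since the nested caution depends on the policy not matching on address or domain. Smaller points: the intro sentence repeats itself ("The following use cases present some use cases"), step 2 of Use case 1 ("Inform your Cloudflare account about the escalation") reads as if a word is missing after "account", and the label is capitalized three ways across the two patches ("Sender verification (recommended)", "Sender Verification (Recommended)", "Sender verification (Recommended)"); use the exact dashboard string throughout.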