Settings READ ONLY
Customize and fine-tune email scanning behavior.
Config Health
At riskDetection settings READ ONLY
Modify default detection behavior with policies, rules, and additional settings.
Review your detection configuration against Cloudflare's recommended best practices, and fix what's creating a security gap.
π Config Health documentationThis policy bypasses all detection and link analysis for acme-corp.com β one of your onboarded domains. It lets an attacker spoof your internal senders (CEO, finance, IT) and be delivered unscanned, the most common Business Email Compromise vector.
Remove this allow policy. Internal domains are protected by scanning, never exempted from it.
Anyone can send authenticated mail through shared providers like PayPal, DocuSign, or Shopify. Allow-listing them lets an attacker pass Sender Verification and bypass scanning. This is a genuine gap even with verification on.
Remove this allow policy. If legitimate mail is being misclassified, submit it to Cloudflare instead of allow-listing the provider.
This email/regex policy has Sender Verification turned off, so a spoofer can impersonate the allowed sender and be honored. The pattern is also broad and may match unintended senders.
Turn Sender Verification on, or scope the policy to a static IP you own. Tighten the expression.
Domains younger than your threshold are marked Malicious. At 3 days you miss malicious domains aged 3β7 days β a common window for fresh phishing infrastructure.
Raise the malicious domain age toward 7 days.
At 21 days you miss suspicious domains aged 21β45 days.
Set the suspicious domain age to 30β45 days.
HTML/HTM attachments are a common phishing vector. This detection is currently disabled.
Consider enabling HTML attachment detection.
Detection settings READ ONLY
Modify default detection behavior with policies, rules, and additional settings.
Detection settings READ ONLY
Modify default detection behavior with policies, rules, and additional settings.
βAt riskβ notification
Sent to Policy Admins when a tenant crosses into the At-risk band (or a new critical appears).
Hi Acme Corp team,
We detected configuration issues that may be leaving you exposed. Top items to fix:
- Critical β An allow policy exempts your own domain (acme-corp.com). Fix β
- High β A shared-infrastructure sender (PayPal) is allow-listed. Review β
- Medium β Malicious domain age (3d) is below the recommended 7d. Adjust β
Applying fixes requires the Email Security Policy Admin role. Youβre receiving this because you manage Email Security policies for this account.