Cloudflare One β€Ί Email Security β€Ί Settings πŸ”” 1

Settings READ ONLY

Customize and fine-tune email scanning behavior.

54

Config Health

At risk
6 issues across your detection configuration
! An allow policy exempts your own domain
Review findings β€Ί
Domain management
Domains 5 items βœ“
View, scan, and manage the domains from your authorized integrations.
Partner domain TLS 0 items βœ“
Enforce TLS requirements for partner domains. When enforced, Email Security rejects mail that does not use TLS.
Detection settings
Allow policies 30 items 3 recommendations
Exempt messages that match certain criteria from typical detection scanning.
Trusted domains 2 items βœ“
Automatically flag emails with a lookalike domain unless they are on your Trusted Domain list.
Blocked senders 17 items βœ“
Mark all messages from specific senders with a Malicious disposition.
Impersonation registry 8 items βœ“
Register the users most likely to be impersonated so we can catch display-name and alias spoofing.
Additional detections 3 recommendations
Manage additional configuration settings that impact how traffic is analyzed.
Prototype β€” Config Health for Email Security Β· standalone mock (not Kumo)
Settings β€Ί Detection settings β€Ί Config Health

Detection settings READ ONLY

Modify default detection behavior with policies, rules, and additional settings.

Config Health At risk

Review your detection configuration against Cloudflare's recommended best practices, and fix what's creating a security gap.

πŸ“– Config Health documentation
54
Overall score 54 / 100
Score is a rollup of open findings; each point traces to a finding below.
πŸ•‘ Last updated Jul 10, 2026, 2:20 PM
1 critical2 high Β· 2 medium1 advisory
Findings (6)
acme-corp.com Β· Trusted Sender Β· AP-1
Why this matters

This policy bypasses all detection and link analysis for acme-corp.com β€” one of your onboarded domains. It lets an attacker spoof your internal senders (CEO, finance, IT) and be delivered unscanned, the most common Business Email Compromise vector.

Recommended fix

Remove this allow policy. Internal domains are protected by scanning, never exempted from it.

notifications@paypal.com Β· Accept Sender Β· AP-6
Why this matters

Anyone can send authenticated mail through shared providers like PayPal, DocuSign, or Shopify. Allow-listing them lets an attacker pass Sender Verification and bypass scanning. This is a genuine gap even with verification on.

Recommended fix

Remove this allow policy. If legitimate mail is being misclassified, submit it to Cloudflare instead of allow-listing the provider.

.*@.*vendor.* Β· Accept Sender Β· AP-9
Why this matters

This email/regex policy has Sender Verification turned off, so a spoofer can impersonate the allowed sender and be honored. The pattern is also broad and may match unintended senders.

Recommended fix

Turn Sender Verification on, or scope the policy to a static IP you own. Tighten the expression.

currently 3 days Β· recommended 7 Β· AD-1
Why this matters

Domains younger than your threshold are marked Malicious. At 3 days you miss malicious domains aged 3–7 days β€” a common window for fresh phishing infrastructure.

Recommended fix

Raise the malicious domain age toward 7 days.

currently 21 days Β· recommended 30–45 Β· AD-2
Why this matters

At 21 days you miss suspicious domains aged 21–45 days.

Recommended fix

Set the suspicious domain age to 30–45 days.

HTML attachment email detection Β· AD-5
Why this matters

HTML/HTM attachments are a common phishing vector. This detection is currently disabled.

Recommended fix

Consider enabling HTML attachment detection.

← Back to Settings
Settings β€Ί Detection settings β€Ί Allow policies

Detection settings READ ONLY

Modify default detection behavior with policies, rules, and additional settings.

πŸ’‘
3 recommendations affect your allow policies. View recommendations β†’
ValueRule typeActionSender verify
acme-corp.comDomainTrusted SenderOn
notifications@paypal.comEmailAccept SenderOn
.*@.*vendor.*RegexAccept SenderOff
phish-sim.knowbe4.comDomainTrusted SenderOn
mail.salesforce.comDomainAccept SenderOn
notify.figma.comDomainAccept SenderOn
+ 24 more policies
← Back to Settings
Settings β€Ί Detection settings β€Ί Additional detections

Detection settings READ ONLY

Modify default detection behavior with policies, rules, and additional settings.

πŸ’‘
3 recommendations affect these settings. View recommendations β†’
Malicious domain age
Set the threshold for a Malicious disposition based on domain age.
3 days
Suspicious domain age
Set the threshold for a Suspicious disposition based on domain age.
21 days
Blank email detection On
Detect emails with blank bodies and assign a default disposition.
Assigned to Suspicious
ACH change from free email detection On
Detect payroll inquiries or change requests from free email domains.
Assigned to Malicious
HTML attachment email detection Off
Detect HTM and HTML attachments in emails and assign a default disposition.
← Back to Settings
Settings β€Ί Notification example

β€œAt risk” notification

Sent to Policy Admins when a tenant crosses into the At-risk band (or a new critical appears).