Setup

Before you start the onboarding process, you will have to choose a deployment path. Email Security provides two deployment modes: post-delivery (for API and BCC/Journaling), and pre-delivery (for MX/Inline).

Post-delivery deployment

How it works

When you choose post-delivery deployment, Cloudflare scans emails after they reach a users' inbox.

If you are a Microsoft 365 user, this is done via Microsoft's Graph API or journaling.

If you are a Google Workspace or Microsoft Exchange user, this is done via BCC.

Why you should consider post-delivery deployment

Post-delivery deployment is time-efficient, because it does not involve MX changes. Post-delivery deployment does not disrupt mail flow. Post-delivery deployment allows you to enable auto-move events, quarantine your messages, and synchronize your directory when you use Microsoft Graph API.

Note

When you choose post-delivery deployment:

• The threat is removed after receipt.
• It requires API scopes, or journaling rule configuration.
• Auto-move is not available in BCC/Journaling paths.

Pre-delivery deployment

How it works

When you choose pre-delivery deployment, Cloudflare scans emails before they reach a users' inbox. The MX record points to Cloudflare.

Why you should consider pre-delivery deployment

Pre-delivery deployment provides you with the highest level of protection. It enforces bannering or link rewrite at delivery.

Pre-delivery blocks threats in transit, and it adds banners or texts before the user views the email.

Note

When you choose pre-delivery deployment:

• You must edit MX records or create a connector.
• You can enable auto-move events only once you associate an integration.
• Cloudflare egress IPs are allowed on downstream servers.

Dispositions

Email traffic that flows through Email Security is given a final disposition, which represents Email Security's evaluation of that specific message. Refer to Dispositions and attributes to learn more.

Dispositions allow you to configure policies and tune reporting. For example, you can configure a policy to move suspicious emails to your junk folder.

Impersonation registry

Most Business email compromise(BEC) ↗ targets executives or finance roles. You must add addresses of roles who are likely to be impersonated. Refer to Impersonation registry to learn how to add a user to the impersonation registry.

Roles you may to include in the impersonation registry are:

• C-suites
• Finance roles
• HR
• IT help-desk.

You should review your impersonation registry on a quarterly basis as roles change.

Reclassifications

A reclassification is a change to an email's disposition after initial scanning. It is Cloudflare's built-in feedback loop for correcting false positives/negatives and training the detection models to get smarter over time. Security teams and end users can make a reclassification. Refer to Reclassify messages to learn more.

Why you should reclassify messages

Reclassifications are critical because:

• They help improve model accuracy: Every validated reclassification teaches Cloudflare's machine learning to recognise new lures, language, infrastructure and benign patterns.
• They reduce alert fatigue: Correcting Suspicious or Spam emails that users actually want tailors detections to your organization, cutting noise in the dashboard.
• They close the remediation loop: When a disposition is upgraded to Malicious, Cloudflare auto-moves those emails out of every inbox (Graph API or Google Workspace API integrations).
• They can help you log activity taken on any reclassification: Each reclassification displays a submission ID, details about original, requested and final dispositions, and more. Refer to Reclassify messages to learn more about reclassifications.

To make the most of reclassifications:

1. Review reclassifications on a weekly basis.
2. Ensure you have an integration associated with any MX/Inline deployment. When you associate an integration, you will not need to upload the EMLs every time, and we can use APIs to receive a copy of your email messages.
3. Investigate any increase in user submissions (users may have found a phish that bypassed filters) and confirm that analyst-final dispositions align with your policies.

A correct use of reclassifications ensures that Email Security delivers a stronger protection with less manual tuning.

Configuration checklist

Step	Post-delivery	Pre-delivery
Authorize integration (Graph API or Google Workspace)1	Required	Required 2
Associate an integration with an MX/Inline domain		Required
Add/verify domains	Required	Required
Update MX records/connector, then allow Cloudflare egress IPs on downstream mail server		Required
Enable Post‑delivery response and Phish submission response	Required	Required
Populate impersonation registry and allow/block lists	Required	Required
Configure partner domain TLS and admin quarantine		Required
Configure text add-ons and link actions		Required
Send a test email and verify it appears in Monitoring > Email activity with expected disposition	Required	Required

Footnotes

1. Alternatively, you can create a service account and add BCC rules. ↩

2. Still used for directory/auto‑move insight if desired as well as authorizing free API CASB ↩