EMAIL SECURITY WIZARD
Step 1 of 8 14%
🛡ī¸

Cloudflare Email Security

Deployment Wizard — protect your organization from phishing, malware, and email threats.

This wizard will guide you through deploying Cloudflare Email Security (formerly Area 1) for your organization. By the end you'll have active email threat scanning and the appropriate delivery controls for your chosen deployment method.

ℹī¸
Before you begin You need an active Cloudflare Zero Trust account with Email Security enabled. If you haven't purchased Email Security, visit the Cloudflare dashboard → Zero Trust → Email Security to start a trial or purchase. Docs

What this wizard covers

  • Deployment method selection — MX/Inline, API, or BCC/Journaling Docs
  • Email provider prerequisites — Microsoft 365, Google Workspace, or Exchange Docs
  • Deployment configuration — provider-specific setup steps Docs
  • Quarantine policy — transport rules and Auto-move actions (MX/Inline only) Docs
  • MX record update — point inbound mail to Cloudflare (MX/Inline only) Docs
  • Deployment verification Docs
⏱ī¸
Estimated time: 30–90 minutes depending on deployment type. DNS propagation may add up to 24–72 hours.

Which email provider does your organization use?

This determines which prerequisites you need to complete before deploying Email Security.

📘

Microsoft 365 Docs

Exchange Online / Outlook. Most common enterprise setup. Supports all deployment modes.

📗

Google Workspace Docs

Gmail for business. Supports MX/Inline and BCC deployment modes.

đŸ–Ĩī¸

Microsoft Exchange Docs

On-premise Exchange Server. BCC/Journaling deployment recommended.

Choose your deployment method

Each method has different tradeoffs between protection level, speed of deployment, and mail-flow impact.

Email Flow Overview

📨 Internet
Sender
→
🛡ī¸ Email Security
(MX/Inline)
→
đŸ“Ŧ M365 / Gmail
Inbox

Pre-delivery: Email Security sits in front of your mail server as the MX record

RECOMMENDED
🔒

MX / Inline Docs

Pre-delivery. Highest protection. Blocks threats before they reach the inbox. Requires MX record changes.

FAST DEPLOY
🔗

API (Graph) Docs

Post-delivery. Scans after delivery via Microsoft Graph API. No MX changes needed. M365 only.

ALL PROVIDERS
📤

BCC / Journaling Docs

Post-delivery. Emails copied to Cloudflare via BCC. No MX changes. Supports M365, Gmail, Exchange.

Configure Email Security

Follow these steps in the Cloudflare Zero Trust dashboard.

Configure Quarantine Policy

Tell Email Security what to do with each threat disposition. This step is optional but strongly recommended.

ℹī¸
Where to find this: Cloudflare Zero Trust → Email Security → Settings → Quarantine Policy Docs

Email Threat Dispositions Docs

DispositionDescriptionRecommended Action
MALICIOUS Confirmed active threat campaign. Multiple phishing indicators triggered. 🔴 Admin Quarantine (block from inbox)
SUSPICIOUS Likely phishing, under further automated analysis. 🟠 Admin Quarantine or Junk Folder
SPOOF Fails SPF/DKIM/DMARC or has mismatching Envelope/Header From. 🟡 Admin Quarantine or Junk Folder
SPAM / UCE Unsolicited commercial email / spam. 🟡 User-Managed Quarantine or Junk
BULK Mass commercial mail (newsletters, marketing). đŸŸĸ Junk Email Folder
CLEAN No threats detected. ✅ Deliver to Inbox
⚠ī¸
Inline-only features: URL rewriting (link isolation) and Subject/Body text injection are only available with MX/Inline deployment. These features are not possible with API or BCC deployments.
🎉

Verify Your Deployment

Almost done! Complete these final checks to confirm Email Security is active and scanning.

1

Check domain status

In Cloudflare Zero Trust, go to Email Security → Settings → Domain Management → Domains. Select View next to your domain. Confirm the Status shows Active.

2

Verify MX record propagation (Inline only)

Use an online DNS lookup tool (e.g., dig yourdomain.com MX or MXToolbox) to confirm your MX records now point to Cloudflare Email Security servers. DNS propagation can take up to 24–72 hours.

# Verify from terminal
dig yourdomain.com MX +short

# Expected output (Cloudflare MX servers)
10 mx1.cloudflare-email.com
20 mx2.cloudflare-email.com
3

Send a test phishing simulation

In Cloudflare Zero Trust, go to Email Security → Phishing Risk Assessment. You can trigger a test message or send a benign test email to confirm it appears in the Email Security dashboard with a disposition.

4

Review the Email Security dashboard

Navigate to Email Security → Overview. After emails begin flowing, you'll see metrics for detected threats, dispositions, and top targeted users. A live email stream can take 15–30 minutes to appear after setup.

✅
Deployment complete! Your organization is now protected by Cloudflare Email Security. Monitor the dashboard regularly to review detected threats, refine Auto-move policies, and expand coverage to additional domains as needed.

Useful next steps

  • Set up Allow/Block lists — Email Security → Settings → Allow / Block
  • Configure Link Isolation (MX/Inline only) to rewrite suspicious URLs
  • Enable or tune Auto-move actions for post-delivery remediation
  • Connect CASB integration for broader SaaS security visibility
  • Add additional protected domains in Domain Management
  • Set up email alerts for high-volume threat detections