Select Settings, then go to Detection settings > Allow policies.
On the Detection settings page, select Add a policy.
On the Add an allow policy page, enter the policy information:
Input method: Choose between Manual input and Uploading an allow policy:
Manual input:
Action: Select one of the following to choose how Email Security will handle messages that match your criteria:
Trust sender: Messages will bypass all detections and link following.
Exempt recipient: Messages to this recipient will bypass all detections.
Accept sender: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. Refer to Allow policy configuration use cases for use case examples on how to configure allow policies for accept sender.
Rule type: Specify the scope of your policy. Choose one of the following:
Email addresses: Must be a valid email address.
IP addresses: Can only be IPv4. IPv6 and CIDR are invalid entries.
Domains: Must be a valid domain.
Regular expressions: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email.
(Recommended) Sender verification: This option enforces DMARC, SPF, or DKIM authentication. If you enable this option, Email Security will only honor the policy for messages that pass authentication.
Notes: Provide additional information about your allow policy.
Uploading an allow policy: Upload a file no larger than 150 KB. The file can only contain the Pattern, Pattern Type, Verify Email, Trusted Sender, Exempt Recipient, Acceptable Sender, and Notes fields. The first row must be a header row. Refer to CSV uploads for an example file.
Select Save.
Allow policy configuration use cases
The following use cases show how you could configure allow policies for accept sender.
Use case 1
Company receives emails from third-party providers not used internally. These emails are sent from the service provider, and Email Security gives these emails an incorrect disposition.
This use case can affect companies such as Shopify, PayPal, and Docusign.
Inform your Cloudflare contact about the escalation.
Do not set up allow policies or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign.
Use case 2
Company receives emails via third-party providers that are used internally. These emails are sent from the company's custom domain, but Email Security marks these emails as bulk, spam, or spoof.
This use case can cause the emails you want to receive to follow the auto-moves rules you set up. This use case affects emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition.
To solve this, when you add an allow policy in the Zero Trust dashboard:
Choose Accept sender.
Verify that Sender verification (recommended) is turned on.
Use case 3
Company receives emails via third-party providers that are used internally. These emails are sent from the company's custom domain, but Email Security marks these emails as bulk, spam, or spoof. The custom email domain does not support DMARC, SPF, or DKIM, and would fail Sender Verification.
This use case impacts the emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition.
To solve this, when you add an allow policy in the Zero Trust dashboard:
Choose Accept sender based on the static IP you own.
Ensure that Sender verification (recommended) is turned off.
CSV uploads
You can upload a file no larger than 150 KB. The file can only contain the Pattern, Pattern Type, Verify Email, Trusted Sender, Exempt Recipient, Acceptable Sender, and Notes fields. The first row must be a header row.
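A pre-upload check for such a file, as an added example (not Cloudflare's own code): it enforces the size limit, the allowed header fields, and the IPv4-only rule, and flags rows that turn Sender verification off outside the static-IP pattern of use case 3. The cell values (`IP`, `true`), the reading of 150 KB as 150 * 1024 bytes, and the sample rows are assumptions; regular-expression rows are not checked because Java syntax cannot be validated here.

```python
import csv
import io
import ipaddress

MAX_BYTES = 150 * 1024  # assumption: "150 KB" taken as 150 * 1024 bytes
ALLOWED = {"Pattern", "Pattern Type", "Verify Email", "Trusted Sender",
           "Exempt Recipient", "Acceptable Sender", "Notes"}
IP_TYPE, TRUE = "IP", "true"  # assumption: cell vocabulary is hypothetical

def lint_allow_policy_csv(data: bytes) -> list[str]:
    """Return findings for a candidate upload; an empty list means no findings."""
    findings = []
    if len(data) > MAX_BYTES:
        findings.append("file exceeds 150 KB")
    reader = csv.DictReader(io.StringIO(data.decode("utf-8-sig")), restval="")
    extra = set(reader.fieldnames or []) - ALLOWED
    if not reader.fieldnames or extra:
        findings.append(f"header row missing or has unknown fields: {sorted(extra)}")
        return findings
    for rec in reader:
        n = reader.line_num
        pattern = rec.get("Pattern", "").strip()
        is_ip = rec.get("Pattern Type", "").strip().upper() == IP_TYPE
        flag = lambda k: rec.get(k, "").strip().lower() == TRUE
        if is_ip:
            try:
                ipaddress.IPv4Address(pattern)  # raises for IPv6 and CIDR
            except ValueError:
                findings.append(f"line {n}: {pattern!r} is not a single IPv4 address")
        if flag("Verify Email"):
            continue
        if flag("Trusted Sender"):
            findings.append(f"line {n}: trusted sender without Sender verification")
        elif flag("Acceptable Sender") and not is_ip:
            findings.append(f"line {n}: unverified accept sender is not IP-scoped")
    return findings

# Constructed sample rows (documentation addresses and domains only).
SAMPLE = b"""Pattern,Pattern Type,Verify Email,Trusted Sender,Exempt Recipient,Acceptable Sender,Notes
example.com,DOMAIN,true,false,false,true,use case 2
192.0.2.10,IP,false,false,false,true,use case 3 static IP
198.51.100.0/24,IP,true,false,false,true,CIDR is rejected
2001:db8::1,IP,true,false,false,true,IPv6 is rejected
partner.example,DOMAIN,false,true,false,false,unauthenticated bypass
"""

if __name__ == "__main__":
    print("\n".join(lint_allow_policy_csv(SAMPLE)))
```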