Skip to content
Cloudflare API
Start here
API Reference
Email Security
Settings
Allow Policies

Create email allow policy

client.emailSecurity.settings.allowPolicies.create(AllowPolicyCreateParams { account_id, is_acceptable_sender, is_exempt_recipient, 9 more } params, RequestOptionsoptions?): AllowPolicyCreateResponse { id, created_at, last_modified, 12 more }
POST/accounts/{account_id}/email-security/settings/allow_policies

Creates a new allow policy that exempts matching emails from security detections. Use with caution as this bypasses email security scanning. Policies can match on sender patterns and apply to specific detections or all detections.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Cloud Email Security: Write
ParametersExpand Collapse
params: AllowPolicyCreateParams { account_id, is_acceptable_sender, is_exempt_recipient, 9 more }
account_id: string

Path param: Identifier.

maxLength32
is_acceptable_sender: boolean

Body param: Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: boolean

Body param: Messages to this recipient will bypass all detections

is_regex: boolean

Body param

is_trusted_sender: boolean

Body param: Messages from this sender will bypass all detections and link following

pattern: string

Body param

maxLength1024
minLength1
pattern_type: "EMAIL" | "DOMAIN" | "IP" | "UNKNOWN"

Body param: Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
verify_sender: boolean

Body param: Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

comments?: string | null

Body param

maxLength1024
Deprecatedis_recipient?: boolean

Body param: Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

Deprecatedis_sender?: boolean

Body param: Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof?: boolean

Body param: Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

ReturnsExpand Collapse
AllowPolicyCreateResponse { id, created_at, last_modified, 12 more }

An email allow policy

id: string

Allow policy identifier

formatuuid
created_at: string
formatdate-time
Deprecatedlast_modified: string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
comments?: string | null
maxLength1024
is_acceptable_sender?: boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient?: boolean

Messages to this recipient will bypass all detections

Deprecatedis_recipient?: boolean

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex?: boolean
Deprecatedis_sender?: boolean

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof?: boolean

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender?: boolean

Messages from this sender will bypass all detections and link following

modified_at?: string
formatdate-time
pattern?: string
maxLength1024
minLength1
pattern_type?: "EMAIL" | "DOMAIN" | "IP" | "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
verify_sender?: boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

Create email allow policy

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const allowPolicy = await client.emailSecurity.settings.allowPolicies.create({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  is_acceptable_sender: false,
  is_exempt_recipient: false,
  is_regex: false,
  is_trusted_sender: true,
  pattern: 'test@example.com',
  pattern_type: 'EMAIL',
  verify_sender: true,
});

console.log(allowPolicy.id);
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "comments": "Trust all messages send from test@example.com",
    "is_acceptable_sender": false,
    "is_exempt_recipient": false,
    "is_recipient": false,
    "is_regex": false,
    "is_sender": true,
    "is_spoof": false,
    "is_trusted_sender": true,
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "test@example.com",
    "pattern_type": "EMAIL",
    "verify_sender": true
  }
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "last_modified": "2014-01-01T05:20:00.12345Z",
    "comments": "Trust all messages send from test@example.com",
    "is_acceptable_sender": false,
    "is_exempt_recipient": false,
    "is_recipient": false,
    "is_regex": false,
    "is_sender": true,
    "is_spoof": false,
    "is_trusted_sender": true,
    "modified_at": "2014-01-01T05:20:00.12345Z",
    "pattern": "test@example.com",
    "pattern_type": "EMAIL",
    "verify_sender": true
  }
}