Cloudflare Docs

Detection settings best practices

This guide describes how to configure detection settings to mitigate impersonation risks while ensuring legitimate delivery.

Once you configure the impersonation registry to mitigate spoof detections, you can add email addresses to the impersonation registry as secondary email addresses. Refer to Edit users to learn how to add a secondary email address.

For impersonation events that are caused by systems, Cloudflare recommends that you configure an allow policy to mitigate delivery disruptions.

To maintain a higher security posture, allow policies should be defined with the narrowest possible scope. Start with specific expressions or email addresses that will target the actual sender or system. If the system is sending from a variety of addresses, you can create an expression that is wider while keeping the expression specific. In some situations, it is better to have multiple specific entries than a more generic policy that allows a whole domain.
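One way to compare candidate expressions for scope before creating an allow policy, as an added example that is not Cloudflare code. The addresses are constructed, and the example assumes Python `re` syntax with unanchored matching, which may differ from how Email security evaluates expressions.

```python
import re

# Constructed sample data: addresses a hypothetical ticketing system sends from,
# and other addresses the allow policy must not cover.
SYSTEM_SENDERS = [
    "tickets-eu@notify.example.com",
    "tickets-us@notify.example.com",
    "tickets-apac@notify.example.com",
]
OTHER_SENDERS = [
    "ceo@example.com",
    "billing@notify.example.com",
    "tickets-eu@notify.example.com.lookalike.test",
]

def evaluate(pattern, wanted=SYSTEM_SENDERS, unwanted=OTHER_SENDERS):
    """Return (missed, overreach) for one candidate allow expression."""
    rx = re.compile(pattern, re.IGNORECASE)
    # search() is unanchored (assumption), so a missing ^ or $ shows up as overreach
    missed = [a for a in wanted if not rx.search(a)]
    overreach = [a for a in unwanted if rx.search(a)]
    return missed, overreach

def rank(candidates):
    """Keep patterns that cover every system sender, narrowest first."""
    results = []
    for pattern in candidates:
        missed, overreach = evaluate(pattern)
        if not missed:
            results.append((len(overreach), pattern, overreach))
    return sorted(results)

CANDIDATES = [
    r"example\.com",                                 # whole domain, unanchored
    r"^.*@notify\.example\.com$",                    # whole subdomain
    r"^tickets-[a-z]+@notify\.example\.com",         # missing end anchor
    r"^tickets-(eu|us|apac)@notify\.example\.com$",  # specific and anchored
]

if __name__ == "__main__":
    for count, pattern, overreach in rank(CANDIDATES):
        print(f"{count} unintended match(es): {pattern}  {overreach}")
```

Replace the two sample lists with addresses taken from your own message logs before relying on the ranking.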

Policy selection criteria

When you configure an allow policy, you can choose how Email security handles messages that match your criteria.

Allow policies are suitable for services that may spoof people's names.

Use Accept sender with Sender verification (recommended) turned on for systematic traffic. For example, a file shared through Google Drive will create a notification using the name of the user that is sharing the document. However, the underlying email address used will be a Google system address.

Use Trusted Sender for emails that do not require phishing inspections. This will exempt messages from any phishing analysis, including links analysis.

Example use cases:

  • Temporary rules (to avoid over-detection)
  • Phishing simulations
  • Applications that send one-time links for verification

Best practices for configuration

  • Prioritize static IPs: Use known and owned, static IP addresses for relay servers. Avoid ephemeral IP addresses as their transient nature can lead to policy degradation.
  • Enforce Sender Verification: Always have Sender Verification (Recommended) enabled in the Cloudflare dashboard. It validates the originating system's email authentication records (namely SPF, DKIM, and DMARC) against the domain to ensure authenticity.
  • Handle unsanctioned traffic: Unsanctioned traffic is traffic which has not been approved within an organization. This is also known as Shadow IT. If an unsanctioned system generates spam or spoofed content, configure a text add-on to append a tag to the subject line and automatically move the message to the junk folder.