Skip to content
Cloudflare Docs
Docs DirectoryAPIsSDKs

Troubleshoot Email security

Review common troubleshooting scenarios for Cloudflare Email Security.

Email headers and attributes

Email Security identifies threats using detections that result in a final disposition. You can inspect email headers to understand why a specific disposition was applied.

AttributeDescription
CUSTOM_BLOCK_LISTMatches a value defined in your custom block list.
NEW_DOMAIN_SENDERThe email was sent from a newly registered domain.
NEW_DOMAIN_LINKThe email contains links to a newly registered domain.
ENCRYPTEDThe email message is encrypted.
BECThe sender address is in your impersonation registry.

Detections and reclassification

Handle a false positive

A false positive occurs when a legitimate email is incorrectly flagged as malicious or spam.

Solution:

  1. In the Email Security dashboard, go to Investigation.
  2. Find the email and select Submit for reclassification.
  3. Choose the correct disposition (for example, Clean).
  4. To prevent future blocks, add the sender to your Acceptable Senders list.

Handle a false negative

A false negative occurs when a malicious email is not detected by Email Security.

Solution:

  1. Ensure the email actually passed through Email Security by checking for the X-CFEmailSecurity-Disposition header.
  2. Submit the email for reclassification in the dashboard. This is the preferred method for reporting missed detections.

Authentication errors

DMARC failures

Email Security may mark an email as SPAM if it fails DMARC authentication and the sending domain has a p=reject or p=quarantine policy.

Solution:

  • Ask the sender to fix their DMARC/SPF/DKIM records.
  • Configure an Acceptable Sender entry to suppress the failure for that specific sender.

Delivery issues

Emails are delayed or not arriving

If emails are not being delivered or are arriving with significant latency:

  1. Check MX records: Ensure your MX records are correctly configured and pointing to Cloudflare.
  2. Verify connectivity: From your sending mail server, verify you can connect to Cloudflare's mailstream endpoints on port 25.
  3. Check outbound logs: In the dashboard, use the Mail Trace feature to confirm if Email Security successfully delivered the email to your downstream mail server (for example, Google Workspace or Microsoft 365).

How to contact Support

If you cannot resolve the issue, open a support case. Please provide the Message ID or Alert ID for the affected emails, which you can find in the Investigation section of the dashboard.