Email dispositions

Email Security returns five potential verdicts for every email it scans. Review the detections and consider how you would treat them once an auto-move is enabled. Below is an overview of the disposition and recommendation actions by Cloudflare:

Disposition	Description	Recommendation
MALICIOUS	Traffic invoked multiple phishing verdict triggers, met thresholds for bad behavior, and is associated with active campaigns.	Block
SUSPICIOUS	Traffic associated with phishing campaigns (and is under further analysis by our automated systems).	Research these messages internally to evaluate legitimacy.
SPOOF	Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies (SPF ↗, DKIM ↗, DMARC ↗), or have mismatching Envelope From and Header From values.	Block after investigating (can be triggered by third-party mail services).
SPAM	Traffic associated with non-malicious, commercial campaigns.	Route to existing Spam quarantine folder.
BULK	Traffic associated with Graymail ↗, that falls in between the definitions of SPAM and SUSPICIOUS. For example, a marketing email that intentionally obscures its unsubscribe link.	Monitor or tag

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!