Monitor detections

Spam and Malicious emails are blocked outright by Email Security, but Suspicious and Spoof dispositions should be monitored. Suspicious messages should be investigated by a security analyst to determine the legitimacy of the message.

PhishGuard (Cloudflare's managed email security service) can review these messages for you and move them from the end user inbox if they are deemed malicious.

Messages that receive a Spoof disposition should be investigated because the disposition signals that the traffic is either non-compliant with your email authentication process (SPF, DKIM, DMARC) or has a mismatching Envelope From and Header From value.

In most cases, a Spoof disposition is triggered by a legitimate third-party mail service. If you determine that the Spoofed email is a legitimate business use case, you can either:

  • Update your email authentication records.
  • Add an acceptable sender allow policy to exempt messages from the Spam, Spoof, or Bulk disposition, but not Malicious or Suspicious, so the content of the message can still be monitored.
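To decide which of these applies to a message with a Spoof disposition, an analyst can compare the Envelope From and Header From domains and read the receiving server's SPF, DKIM and DMARC verdicts. The following is an added example, not Cloudflare code: the sample message, its domains and the `triage` helper are constructed for illustration, and it reads the message's own `Return-Path` and `Authentication-Results` headers rather than any Email Security API.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a third-party mailer sending as example.com.
SAMPLE = """\
Return-Path: <bounce-123@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net;
 dmarc=fail header.from=example.com
From: "Billing" <billing@example.com>
To: user@example.org
Subject: Invoice

See attached.
"""

def domain_of(value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def triage(raw):
    """Summarise why a message could be treated as spoofed."""
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path", ""))
    header = domain_of(msg.get("From", ""))
    # Only trust Authentication-Results added by your own receiving MTA.
    ar = " ".join(msg.get_all("Authentication-Results", [])).lower()
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
    dkim_domains = set(re.findall(r"header\.d=([\w.-]+)", ar))
    findings = []
    # Exact comparison; DMARC relaxed alignment would compare
    # organizational domains, which needs the Public Suffix List.
    if envelope != header:
        findings.append(f"Envelope From {envelope or '(empty)'} != Header From {header}")
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "none") != "pass":
            findings.append(f"{mech} verdict is {verdicts.get(mech, 'none')}")
    if dkim_domains and header not in dkim_domains:
        findings.append(f"DKIM signed by {sorted(dkim_domains)}, not {header}")
    return {"envelope_from": envelope, "header_from": header,
            "verdicts": verdicts, "findings": findings}

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```

In the sample, SPF and DKIM pass for the mailer's own domain while DMARC fails for the Header From domain, which is the typical pattern of a legitimate third-party service that has not yet been added to your authentication records.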

Search email messages

Email Security offers several ways to examine and understand your message traffic.

You can search for emails that have been processed by Email Security, whether they are marked with a detection disposition or not.

There are three ways to search emails:

  • Popular screen: A popular screen allows you to view messages based on common pre-defined criteria.
  • Regular screen: A regular screen allows you to investigate your inbox by inserting a term to screen across all criteria.
  • Advanced screen: The advanced screen criteria gives you the option to narrow message results based on specific criteria. The advanced screen has several options (such as keywords, subject keywords, sender domain, and more) to scan your inbox.

Additional information on search can be found in the Screen criteria documentation.

Export messages

With Email Security, you can export messages to a CSV file. Via the dashboard, you can export up to 1,000 rows. If you want to export all messages, you can use the API.