--- title: Before you begin description: Before you begin resources and guides for Email Security. image: https://developers.cloudflare.com/zt-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Before you begin Before you start the onboarding process, you will have to: 1. Choose a deployment path: Email security provides two deployment modes, [post-delivery](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/) for API and BCC/Journaling and [pre-delivery](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/) for MX/Inline. 2. Learn about dispositions, impersonation registry, and submissions. 3. Know the steps to configure your email environment correctly. The following table compares features available across API, BCC/Journaling and MX/Inline: | Feature | Microsoft 365 | Google Workspace | Others (On-prem/Cloud) | | ------------------- | --------------------------------------------------- | --------------------------------- | -------------------------------------------------------- | | Deployment type | API and MX | BCC and MX | MX only | | API integration | Microsoft Graph API | BCC only | None | | BCC/Journaling | Uses a Journal Rule in the Microsoft Purview portal | Uses BCC rules | Uses journaling | | Inline/MX Mode | MX records point to Cloudflare | MX records point to Cloudflare | MX records point to Cloudflare | | Message remediation | Auto-moves through Read/Write API | Auto-moves through Read/Write API | Messages can be blocked, quarantined, or modified inline | Note that: * All email providers support MX/Inline deployment. * Microsoft 365 or Google Workspace users who integrate Email security via API, BCC/Journaling can modify emails primarily through deletion or post-delivery [move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/). * Microsoft 365 or Google Workspace users who integrate Email security via MX/Inline can modify emails via post-delivery [move](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/), [link actions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/) and [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/). ## 1\. Choose a deployment ### Post-delivery deployment When you choose post-delivery deployment, Cloudflare scans emails **after** they reach a users' inbox. If you are a Microsoft 365 user, this is done via [Microsoft's Graph API](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/) or [journaling](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/m365-journaling/). If you are a [Google Workspace](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/gmail-bcc-setup/) or [Microsoft Exchange](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/bcc-microsoft-exchange/) user, this is done via BCC. #### Why you should consider post-delivery deployment Post-delivery deployment is time-efficient, because it does not involve MX changes. Post-delivery deployment does not disrupt mail flow. Post-delivery deployment allows you to enable [auto-move events](https://developers.cloudflare.com/cloudflare-one/email-security/settings/auto-moves/) to hard or soft delete messages, and synchronize your [directory](https://developers.cloudflare.com/cloudflare-one/email-security/directories/) when you use Microsoft Graph API or Google Workspace. Note When you choose post-delivery deployment: * The threat is removed **after** the message has been delivered to the inbox. * It requires API scopes, or BCC/Journaling rule configuration. * Auto-move is only available in BCC/Journaling if you associate an integration. ### Pre-delivery deployment When you choose pre-delivery deployment, Cloudflare scans emails **before** they reach a users' inbox. The MX record points to Cloudflare. #### Why you should consider pre-delivery deployment Pre-delivery deployment provides you with the highest level of protection. It enforces [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/) or link rewrite at delivery. Pre-delivery blocks threats in transit, and it adds banners or texts before the user views the email. Note When you choose pre-delivery deployment: * You must edit MX records or create a connector. * You can enable auto-move events only after you associate an integration. * Cloudflare [egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) are allowed on downstream mail servers. ## 2\. Understand dispositions Dispositions allow you to configure policies and tune reporting. For example, you can configure a policy to move suspicious emails to your junk folder. Refer to [Dispositions](https://developers.cloudflare.com/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to learn more about dispositions. ## 3\. Set up the impersonation registry Most [business email compromise (BEC) ↗](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) targets executives or finance roles. You must add addresses of roles who are likely to be impersonated. Refer to [Impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) to learn how to add a user to the impersonation registry. Roles you may want to include in the impersonation registry are: * C-suites * Finance roles * HR * IT help-desk * Legal You should review your impersonation registry on a quarterly basis as roles change. ## 4\. Submit messages A submission is a change to an email's disposition **after** initial scanning. It is Cloudflare's built-in feedback loop for correcting false positives/negatives **and** training the detection models to get smarter over time. Refer to [Submit messages for review](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/#submit-messages-for-review) to learn how to reclassify a message. ### Who can reclassify messages [Security teams](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/team-submissions/) and [end users](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/user-submissions/) can perform a submission. ### Why you should submit messages Submissions are critical because: * **They help improve model accuracy**: Every validated submissions teaches Cloudflare's machine learning to recognise new lures, language, infrastructure, and benign patterns. * **They reduce alert fatigue**: Correcting Suspicious or Spam emails that users actually want tailors detections to your organization, cutting noise in the dashboard. * **They close the remediation loop**: When a disposition is upgraded to Malicious, Cloudflare auto-moves those emails out of every inbox (Graph API or Google Workspace API integrations). * **They can help you log activity taken on any submission**: Each submission displays a submission ID, details about original, requested and final dispositions, and more. Refer to [Submit messages for review](https://developers.cloudflare.com/cloudflare-one/email-security/submissions/#submit-messages-for-review) to learn more about submissions. To make the most of submissions: 1. Review submissions on a weekly basis. 2. Ensure you have an integration associated with any MX/Inline deployment. When you associate an integration, you will not need to upload the EMLs every time; Cloudflare can use APIs to receive a copy of your email messages. 3. Investigate any increase in [user submissions](https://developers.cloudflare.com/cloudflare-one/email-security/investigation/search-email/#user-submissions) (users may have found a phish that bypassed filters) and confirm that analyst-final dispositions align with your policies. A correct use of submissions ensures that Email security delivers a stronger protection with less manual tuning. ## 5\. Configuration checklist Follow the below checklist to ensure your email environment is set up correctly: | Step | Post-delivery | Pre-delivery | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | -------------------------------- | | Authorize integration ([Graph API](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/api/m365-api/#enable-microsoft-integration) or [Google Workspace](https://developers.cloudflare.com/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/bcc-setup/gmail-bcc-setup/enable-gmail-integration/)) | Required[1](#user-content-fn-1) | Required [2](#user-content-fn-2) | | Associate an integration with an MX/Inline domain | Required | | | Add/verify domains | Required | Required | | [Update MX records/connector](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/), then allow Cloudflare [egress IPs](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/) on downstream mail server | Required | | | Populate [impersonation registry](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/) and [allow](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/)/[block](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/) lists | Required | Required | | Configure [partner domain TLS](https://developers.cloudflare.com/cloudflare-one/email-security/setup/pre-delivery-deployment/partner-domain-tls/) and admin quarantine | Required | | | Configure [text add-ons](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/) and [link actions](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/configure-link-actions/) | Required | | | Send a test email and verify it appears in **Monitoring** \> [**Email activity**](https://developers.cloudflare.com/cloudflare-one/email-security/monitoring/#email-activity) with expected disposition | Required | Required | Now that you know which deployment path to choose, you can begin your onboarding process. ## Footnotes 1. Associating an integration with BCC/Journaling is required for post-delivery but not for pre-delivery. [↩](#user-content-fnref-1) 2. Still used for directory/auto‑move insight if desired as well as authorizing free API CASB. [↩](#user-content-fnref-2) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/email-security/","name":"Email security"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/email-security/setup/","name":"Before you begin"}}]} ```