Cloudflare Docs
Cloud Email Security (formerly Area 1)
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Deploy and configure Cloud Email Security (formerly Area 1) with with Cisco as MX record

A schematic showing where Cloud Email Security security is in the life cycle of an email received

In this tutorial, you will learn how to configure Cloud Email Security email security with Cisco as MX record. This tutorial is broken down into several steps.

​​ 1. Add a Sender Group for Cloud Email Security Email Protection IPs

To add a new Sender Group:

  1. Go to Mail Policies > HAT Overview.

  2. Select the Add Sender Group button.

  3. Configure the new Sender Group as follows:

    • Name: Area1.
    • Order: Order above the existing WHITELIST sender group.
    • Comment: Cloud Email Security Email Protection egress IP Addresses.
    • Policy: TRUSTED (by default, spam detection is disabled for this mail flow policy).
    • SBRS: Leave blank.
    • DNS Lists: Leave blank.
    • Connecting Host DNS Verification: Leave all options unchecked.
  4. Select Submit and Add Senders, and add the IP addresses mentioned in Egress IPs. If you need to process emails in the EU or India regions for compliance purposes, add those IP addresses as well.

Sender group

​​ 2. Add SMTP route for the Cloud Email Security Email Protection Hosts

To add a new SMTP Route:

  1. Go to Network > SMTP Routes.

  2. Select Add Route.

  3. Configure the new SMTP Route as follows:

    • Receiving Domain: a1s.mailstream
    • In Destination Hosts, select Add Row, and add the Cloud Email Security MX hosts. Refer to the Geographic locations table for more information on what MX hosts to use.

Edit SMTP route

​​ 3. Create Incoming Content Filters

To manage the mail flow between Cloud Email Security and Cisco ESA, you need two filters:

  • One to direct all incoming messages to Cloud Email Security.
  • One to recognize messages coming back from Cloud Email Security to route for normal delivery.

​​ Incoming Content Filter - To Cloud Email Security

To create a new Content Filter:

  1. Go to Mail Policies > Incoming Content Filters.

  2. Select Add Filter to create a new filter.

  3. Configure the new Incoming Content Filter as follows:

    • Name: ESA_to_A1S
    • Description: Redirect messages to Cloud Email Security for anti-phishing inspection
    • Order: This will depend on your other filters.
    • Condition: No conditions.
    • Actions:
      • For Action select Send to Alternate Destination Host.
      • For Mail Host input a1s.mailstream (the SMTP route configured in step 2).

Content filter

​​ Incoming Content Filter - From Cloud Email Security

To create a new Content Filter:

  1. Go to Mail Policies > Incoming Content Filters.

  2. Select the Add Filter button to create a new filter.

  3. Configure the new Incoming Content Filter as follows:

    • Name: A1S_to_ESA
    • Description: Cloud Email Security inspected messages for final delivery
    • Order: This filter must come before the previously created filter.
    • Conditions: Add conditions of type Remote IP/Hostname with all the IP addresses mentioned in Egress IPs. For example:
      OrderConditionRule
      1Remote IP/Hostname52.11.209.211
      2Remote IP/Hostname52.89.255.11
      3Remote IP/Hostname52.0.67.109
      4Remote IP/Hostname54.173.50.115
      5Remote IP/Hostname104.30.32.0/19
      6Remote IP/Hostname158.51.64.0/26
      7Remote IP/Hostname158.51.65.0/26
    • Ensure that the Apply rule: dropdown is set to If one or more conditions match.
    • Actions: Select Add Action, and add the following:
      OrderActionRule
      1Skip Remaining Content Filters (Final Action)skip-filters()

Content filter

​​ 4. Add the Incoming Content Filter to the Inbound Policy table

Assign the Incoming Content Filters created in step 3 to your primary mail policy in the Incoming Mail Policy table. Then, commit your changes to activate the email redirection.

​​ 5. Geographic locations

When configuring the Cloud Email Security (formerly Area 1) MX records, it is important to configure hosts with the correct MX priority. This will allow mail flows to the preferred hosts and fail over as needed.

Choose from the following Cloud Email Security MX hosts, and order them by priority. For example, if you are located outside the US and want to prioritize email processing in the EU, add mailstream-eu1.mxrecord.io as your first host, and then the US servers.

Host
LocationNote
  • mailstream-central.mxrecord.mx
  • mailstream-east.mxrecord.io
  • mailstream-west.mxrecord.io
  • USBest option to ensure all email traffic processing happens in the US.
    mailstream-eu1.mxrecord.ioEUBest option to ensure all email traffic processing happens in Germany, with fallback to US data centers.
    mailstream-bom.mxrecord.mxIndiaBest option to ensure all email traffic processing happens within India. For compliance purposes use this MX record. Note, however, there is no redundancy should something go wrong.
    mailstream-india-primary.mxrecord.mxIndiaSame as mailstream-bom.mxrecord.mx, with fallback to US data centers.
    mailstream-asia.mxrecord.mxIndiaBest option for companies with a broader Asia presence.
    mailstream-syd.area1.cloudflare.netAustralia / New ZealandBest option to ensure all email traffic processing happens within Australia.
    mailstream-australia-primary.area1.cloudflare.netAustralia / New ZealandBest option to ensure all email traffic processing happens in Australia, with India and US data centers as backup.