Cloudflare Docs
Cloud Email Security (formerly Area 1)
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Dispositions and attributes

Cloud Email Security uses a variety of factors to determine whether a given email message, domain, URL, or packet is part of a phishing campaign. These small pattern assessments are dynamic in nature and — in many cases — no single pattern will determine the final verdict.

Based on these patterns, Cloud Email Security may add X-Headers to each email message that passes through our system.

​​ Dispositions

Any traffic that flows through Cloud Email Security is given a final disposition, which represents our evaluation of that specific message. Each message will only receive one disposition header so your organization can take clear and specific actions on different message types.

You can use disposition values when creating your quarantine policy or setting up auto-retract.

​​ Available values

DispositionDescriptionRecommendation
MALICIOUSTraffic invoked multiple phishing verdict triggers, met thresholds for bad behavior, and is associated with active campaigns.Block
SUSPICIOUSTraffic associated with phishing campaigns (and is under further analysis by our automated systems).Research these messages internally to evaluate legitimacy.
SPOOFTraffic associated with phishing campaigns that is either non-compliant with your email authentication policies (SPF, DKIM, DMARC) or has mismatching Envelope From and Header From values.Block after investigating (can be triggered by third-party mail services).
SPAMTraffic associated with non-malicious, commercial campaigns.Route to existing Spam quarantine folder.
BULK (dashboard only)Traffic associated with Graymail, that fall in between the definitions of SPAM and SUSPICIOUS. For example, a marketing email that intentionally obscures its unsubscribe link.Monitor or tag

​​ Header structure

When Cloud Email Security adds a disposition header to an email message, that header matches the following format:

X-Area1Security-Disposition: [Value]

Note that emails with a disposition of SPAM will be tagged with UCE (unsolicited commercial emails) in their headers:

X-Area1Security-Disposition: UCE

​​ Attributes

Traffic that flows through Cloud Email Security can also receive one or more Attributes, which indicate that a specific condition has been met.

​​ Available values

AttributeNotes
CUSTOM_BLOCK_LISTThis message matches a value you have defined in your custom block list.
NEW_DOMAIN_SENDER=<REGISTRATION_DATE>Alerts to mail from a newly registered domain. Formatted as yyyy-MM-dd HH:mm:ss ZZZ.
NEW_DOMAIN_LINK=<REGISTRATION_DATE>Alerts to mail with links pointing out to a newly registered domain. Formatted as yyyy-MM-dd HH:mm:ss ZZZ.
ENCRYPTEDEmail message is encrypted.
EXECUTABLEEmail message contains an executable file.
BECIndicates that email address was contained in your business email compromise (BEC) list. Associated with MALICIOUS or SPOOF dispositions.

​​ Header structure

When Cloud Email Security adds a disposition header to an email message, that header matches the following format.

X-Area1Security-Attribute: [Value]
X-Area1Security-Attribute: [Value2]