[Email Security] Accept sender disclaimer (#23664)

Maddy-Cloudflare · pedrosousa · web-flow · commit a3bf5c166e1e · 2025-07-18T13:52:35.000+01:00
* [Email Security] Accept sender disclaimer

* [Email Security] Update based on wiki

* Addressing suggestions

* Apply suggestions from code review

Co-authored-by: Pedro Sousa &lt;680496+pedrosousa@users.noreply.github.com&gt;

---------

Co-authored-by: Pedro Sousa &lt;680496+pedrosousa@users.noreply.github.com&gt;
diff --git a/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx b/src/content/docs/cloudflare-one/email-security/detection-settings/allow-policies.mdx
@@ -5,6 +5,8 @@ sidebar:
   order: 1
 ---
 
+import { Example, Details } from "~/components"
+
 Email Security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning.
 
 To configure allow policies:
@@ -19,7 +21,7 @@ To configure allow policies:
            - **Action**: Select one of the following to choose how Email Security will handle messages that match your criteria:
                - **Trust sender**: Messages will bypass all detections and link following.
                - **Exempt recipient**: Message to this recipient will bypass all detections.
-               - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions.
+               - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. Refer to [Allow policy configuration use cases](#use-case-1) for use case examples on how to configure allow policies for accept sender.
        - **Rule type**: Specify the scope of your policy. Choose one of the following:
            - **Email addresses**: Must be a valid email.
            - **IP addresses**: Can only be IPv4. IPv6 and CIDR are invalid entries.
@@ -30,6 +32,56 @@ To configure allow policies:
    - **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes` fields. The first row must be a header row. Refer to [CSV uploads](/cloudflare-one/email-security/detection-settings/allow-policies/#csv-uploads) for an example file.
 6. Select **Save**.
 
+<Details header="Allow policy configuration use cases">
+    
+The following use cases show how you could configure allow policies for accept sender.
+
+### Use case 1
+
+<Example title="Company receives emails from third-party providers not used internally. These emails are sent from the service provider, and Email Security gives these emails an incorrect disposition.">
+    This use case can affect companies such as Shopify, PayPal, and Docusign.
+
+    To solve this:
+
+    1. Create a [team submission](/cloudflare-one/email-security/email-monitoring/search-email/#team-submissions).
+    2. Inform your Cloudflare contact about the escalation.
+    3. Do not set up allow policies or blocked senders. In this use case, configuring allow policies will create a security gap. Setting up blocked senders will block legitimate emails from providers such as Shopify, PayPal, and Docusign.
+</Example>
+
+### Use case 2
+
+
+<Example title="Company receives emails via third-party providers that are used internally. These emails are sent from the company's custom domain, but Email Security marks these emails as bulk, spam, or spoof.">
+
+  This use case can cause the emails you want to receive to follow the auto-moves rules you set up. This use case affects emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition.
+
+  To solve this, when you add an allow policy in the Zero Trust dashboard:
+  
+  1. Choose **Accept sender**.
+  2. Verify that **Sender verification (recommended)** is turned on.
+  
+</Example>
+
+
+### Use case 3
+
+<Example title="Company receives emails via third-party providers that are used internally. These emails are sent from the company's custom domain, but Email Security marks these emails as bulk, spam, or spoof. The custom email domain does not support DMARC, SPF, or DKIM, and would fail Sender Verification.">
+
+  This use case impacts the emails from internal tools (such as Salesforce, Atlassian, and Figma) that are given an incorrect disposition.
+
+  To solve this, when you add an allow policy in the Zero Trust dashboard:
+
+  1. Choose **Accept sender** based on the static IP you own.
+  2. Ensure that **Sender verification (recommended)** is turned off.
+
+  :::caution
+  Do not use email addresses or email domains for this policy as they can be easily spoofed without **Sender Verification (Recommended)** enabled.
+  :::
+ 
+</Example>
+
+</Details>
+
 ### CSV uploads
 
 You can upload a file no larger than 150 KB. The file can only contain `Pattern`, `Pattern Type`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, `Acceptable Sender`, `Notes`. The first row must be a header row.
