Email monitoring
Once you have chosen a domain to scan, Email Security allows you to monitor the traffic scanned from your email inboxes.
To monitor your inbox:
- Log in to Zero Trust ↗.
- Select Email Security.
- Under Email Security, select Monitoring.
The dashboard will display the following metrics:
- Email activity
- Disposition evaluation
- Detection details
- Impersonations
- Phish submissions
- Auto-move events
- Detection settings metrics
Email activity
Section titled “Email activity”Email activity aggregates statistics about emails scanned and dispositions assigned (the number of email flagged due to a detection) within a given timeframe.
To view the live number of email scanned and dispositions scanned, enable Live mode.
Disposition evaluation
Section titled “Disposition evaluation”Email traffic that flows through Email Security is given a final disposition, which represents Email Security's evaluation of that specific message.
Disposition evaluation displays the following dispositions:
- Malicious: Traffic associated with active threat campaigns. Malicious messages invoked multiple phishing verdict triggers and met thresholds for bad behavior.
- Recommendation: Block.
- Spoof: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies (SPF ↗, DKIM ↗, DMARC ↗) or has mismatching
Envelope FromandHeader Fromvalues.- Recommendation: Block after investigating (can be triggered by third-party mail services).
- Suspicious: Traffic associated with phishing campaigns (and is under further analysis by our automated systems).
- Recommendation: Research these messages internally to evaluate legitimacy.
- Spam: Traffic associated with non-malicious, commercial campaigns.
- Recommendation: Route to existing Spam quarantine folder.
- Bulk: Traffic often associated with newsletters or marketing campaigns. Refer to Graymail ↗ for more details.
- Recommendation: Monitor or tag.
Detection details
Section titled “Detection details”Detection details displays information about:
- Malicious disposition:
- Email threat types: Top malicious threat types, and their number relative to the total amount of malicious threats received.
- Targeted users: Top number of emails targeted, and their number relative to the total amount of malicious targets.
- Malicious links: A graph displaying the total number of malicious links and their distribution throughout the month.
- Malicious attachments: Number of malicious attachments, and the top types of malicious files received.
- Suspicious disposition:
- Suspicious threat types: Top suspicious threat types, and their number relative to the total amount of threats received.
- Suspicious targets: Top number of emails targeted, and their number relative to the total amount of malicious targets.
- Suspicious links: A graph displaying the total number of suspicious links and their distribution throughout the month.
- Spoof disposition:
- Spoof users (impersonated names): Top number of impersonated names, and their number relative to the total number of detection received.
- Spoof targets: Top number of targeted emails.
- Sender v. envelope mismatch: This field indicates the number of mismatches between the email address the message was sent from, and the email address the message was actually sent from.
Impersonations
Section titled “Impersonations”Impersonations are a form of phishing attack where the actor pretends to be someone else to steal sensitive information.
Impersonations displays the number of targeted users, and a chart describing the total number of impersonation attempts.
- To view all targeted users, select View all targeted users.
- To view all impersonation emails, select View all impersonation emails.
- To view impersonated users, select View impersonated users.
Refer to Trusted domains to add a trusted domain, and Impersonation registry to add a user to the impersonation registry.
Phish submissions
Section titled “Phish submissions”Phishing is a type of attack that involves stealing sensitive information with the aim of using and selling the information.
A phish submission happens when a user or an administrator reports a phishing attack. Refer to Phish submissions to learn how to submit a phish.
Phish submissions displays the following information:
- All submissions: The total number of phish submissions.
- User submissions: The number of phish submissions reported by your users.
- Admin submissions: The number of phish submissions reported by an administrator.
Select Review submissions to review a filtered list of phish submissions reported by your team.
Auto-move events
Section titled “Auto-move events”Auto-move events are emails moved to different inboxes based on the disposition Email Security assigned.
This panel shows you the total number of auto-moves and the source folder from which these retractions are originating from.
Refer to Auto-moves to configure auto-move events.
Detection settings metrics
Section titled “Detection settings metrics”Detection settings metric displays information about:
- Allowed traffic: Traffic that Email Security will exempt emails that match certain patterns from normal detection scanning. Allowed traffic shows metrics on emails that were allowed to go through user inboxes.
- Blocked traffic: Traffic that Email Security automatically blocks from senders. Blocked traffic shows metrics on emails that were blocked from user inboxes.
- Domain age: The number of days since domain registration.
Select Configure to configure policy and rules for allowed traffic, blocked traffic and domain age.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark