Skip to content

EmailSecurityDomain

Source: src/Cloudflare/EmailSecurity/Domain.ts

A Cloudflare Email Security (Area 1) domain’s settings.

Domains cannot be created via the API — they appear when the domain is onboarded to Email Security (MX/BCC/journal or an API integration) in the dashboard. This resource adopts and configures an existing domain: read finds it by name and reports it as unowned, so taking it under management is gated behind --adopt (or adopt(true)).

Destroying this resource offboards the domain from Email Security (the underlying API call is DELETE .../settings/domains/{id}). Mail flow for the domain is no longer scanned afterwards. Plan destroys with care.

Requires the Email Security enterprise add-on; accounts without the entitlement receive the typed EmailSecurityNotEntitled error.

Configuring a Domain

Section titled “Configuring a Domain”

Drop malicious mail before delivery

yield* Cloudflare.EmailSecurityDomain("MailDomain", {
  domain: "example.com",
  dropDispositions: ["MALICIOUS", "SPOOF"],
});

Restrict inbound delivery and require TLS

yield* Cloudflare.EmailSecurityDomain("MailDomain", {
  domain: "example.com",
  ipRestrictions: ["203.0.113.0/24"],
  requireTlsInbound: true,
  requireTlsOutbound: true,
  transport: "mx.example.com",
});