allow_policies
Creates, updates, deletes, gets or lists an allow_policies resource.
Overview
| Name | allow_policies |
| Type | Resource |
| Id | cloudflare.email_security.allow_policies |
Fields
The following fields are returned by SELECT queries:
- get
- list
Allow policy details
| Name | Datatype | Description |
|---|---|---|
| id | string (uuid) | Allow policy identifier (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
| comments | string | (example: Trust all messages send from test@example.com) |
| created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| is_acceptable_sender | boolean | Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions. |
| is_exempt_recipient | boolean | Messages to this recipient will bypass all detections |
| is_recipient | boolean | Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026. |
| is_regex | boolean | |
| is_sender | boolean | Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026. |
| is_spoof | boolean | Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026. |
| is_trusted_sender | boolean | Messages from this sender will bypass all detections and link following |
| last_modified | string (date-time) | Deprecated, use modified_at instead. End of life: November 1, 2026. (example: 2014-01-01T05:20:00.12345Z) |
| modified_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| pattern | string | (example: test@example.com) |
| pattern_type | string | Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries. (EMAIL, DOMAIN, IP, UNKNOWN) (example: EMAIL) |
| verify_sender | boolean | Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication. |
List of allow policies
| Name | Datatype | Description |
|---|---|---|
| id | string (uuid) | Allow policy identifier (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
| comments | string | (example: Trust all messages send from test@example.com) |
| created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| is_acceptable_sender | boolean | Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions. |
| is_exempt_recipient | boolean | Messages to this recipient will bypass all detections |
| is_recipient | boolean | Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026. |
| is_regex | boolean | |
| is_sender | boolean | Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026. |
| is_spoof | boolean | Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026. |
| is_trusted_sender | boolean | Messages from this sender will bypass all detections and link following |
| last_modified | string (date-time) | Deprecated, use modified_at instead. End of life: November 1, 2026. (example: 2014-01-01T05:20:00.12345Z) |
| modified_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| pattern | string | (example: test@example.com) |
| pattern_type | string | Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries. (EMAIL, DOMAIN, IP, UNKNOWN) (example: EMAIL) |
| verify_sender | boolean | Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication. |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get | select | account_id, policy_id | | Retrieves details for a specific allow policy including its pattern, dispositions that are exempted, and whether it applies to all detections. |
| list | select | account_id | page, per_page, search, order, direction, is_exempt_recipient, is_trusted_sender, is_acceptable_sender, verify_sender, pattern_type, pattern | Returns a paginated list of email allow policies. These policies exempt matching emails from security detection, allowing them to bypass disposition actions. Supports filtering by pattern type and policy attributes. |
| create | insert | account_id, id, created_at, last_modified | | Creates a new allow policy that exempts matching emails from security detections. Use with caution as this bypasses email security scanning. Policies can match on sender patterns and apply to specific detections or all detections. |
| edit | update | account_id, policy_id, id, created_at, last_modified | | Updates an existing allow policy. Only provided fields will be modified. Changes take effect for new emails matching the pattern. |
| delete | delete | account_id, policy_id | | Removes an allow policy. After deletion, emails matching this pattern will be subject to normal security scanning and disposition actions. |
| batch | exec | account_id, deletes, patches, puts, posts | | Execute multiple operations atomically. All four operation arrays (deletes, patches, puts, posts) are required and executed in order. Send empty arrays for unused operations. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| account_id | string | The Cloudflare account ID. |
| policy_id | string | The Access policy ID. |
| direction | string | The sorting direction. |
| is_acceptable_sender | boolean | Filter to show only policies where messages from the sender are exempted from Spam, Spoof, and Bulk dispositions (not Malicious or Suspicious). |
| is_exempt_recipient | boolean | Filter to show only policies where messages to the recipient bypass all detections. |
| is_trusted_sender | boolean | Filter to show only policies where messages from the sender bypass all detections and link following. |
| order | string | Field to sort by. |
| page | integer | Current page within paginated list of results. |
| pattern | string | |
| pattern_type | string | |
| per_page | integer | The number of results per page. Maximum value is 1000. |
| search | string | Search term for filtering records. Behavior may change. |
| verify_sender | boolean | Filter to show only policies that enforce DMARC, SPF, or DKIM authentication. |
SELECT examples
- get
- list
Retrieves details for a specific allow policy including its pattern, dispositions that are exempted, and whether it applies to all detections.
```sql
SELECT
  id,
  comments,
  created_at,
  is_acceptable_sender,
  is_exempt_recipient,
  is_recipient,
  is_regex,
  is_sender,
  is_spoof,
  is_trusted_sender,
  last_modified,
  modified_at,
  pattern,
  pattern_type,
  verify_sender
FROM cloudflare.email_security.allow_policies
WHERE account_id = '{{ account_id }}' -- required
  AND policy_id = '{{ policy_id }}' -- required
;
```
Returns a paginated list of email allow policies. These policies exempt matching emails from security detection, allowing them to bypass disposition actions. Supports filtering by pattern type and policy attributes.
```sql
SELECT
  id,
  comments,
  created_at,
  is_acceptable_sender,
  is_exempt_recipient,
  is_recipient,
  is_regex,
  is_sender,
  is_spoof,
  is_trusted_sender,
  last_modified,
  modified_at,
  pattern,
  pattern_type,
  verify_sender
FROM cloudflare.email_security.allow_policies
WHERE account_id = '{{ account_id }}' -- required
  AND page = '{{ page }}'
  AND per_page = '{{ per_page }}'
  AND search = '{{ search }}'
  AND order = '{{ order }}'
  AND direction = '{{ direction }}'
  AND is_exempt_recipient = '{{ is_exempt_recipient }}'
  AND is_trusted_sender = '{{ is_trusted_sender }}'
  AND is_acceptable_sender = '{{ is_acceptable_sender }}'
  AND verify_sender = '{{ verify_sender }}'
  AND pattern_type = '{{ pattern_type }}'
  AND pattern = '{{ pattern }}'
;
```
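An added example (not part of the provider documentation): a Python triage pass over rows returned by the `list` query, flagging exemptions worth review according to the field descriptions in the Fields table. The function names, finding codes and sample rows are constructed, and the rows are assumed to have been converted to dicts with Python booleans.

```python
# Added example: triage rows returned by the allow_policies list query.
# Field semantics come from the Fields table; finding codes are constructed.

# Deprecated flag -> replacement, per the field descriptions.
DEPRECATED = {
    "is_sender": "is_trusted_sender",
    "is_recipient": "is_exempt_recipient",
    "is_spoof": "is_acceptable_sender",
}


def audit_policy(row):
    """Return finding codes for one allow policy row (a dict)."""
    findings = []
    # These two flags bypass all detections, so they get the closest review.
    if row.get("is_trusted_sender") or row.get("is_exempt_recipient"):
        findings.append("FULL_BYPASS")
    # A sender exemption with verify_sender off is not limited to mail
    # that passed DMARC, SPF or DKIM.
    sender_keyed = row.get("is_trusted_sender") or row.get("is_acceptable_sender")
    if sender_keyed and not row.get("verify_sender"):
        findings.append("SENDER_NOT_VERIFIED")
    if row.get("is_regex"):
        findings.append("REGEX_PATTERN")  # check the pattern is not over-broad
    if row.get("pattern_type") == "UNKNOWN":
        findings.append("UNKNOWN_PATTERN_TYPE")  # rejected on create or update
    for old, new in DEPRECATED.items():
        if row.get(old) and not row.get(new):
            findings.append(f"MIGRATE:{old}->{new}")
    return findings


def audit(rows):
    """Map policy id -> findings, keeping only policies that have findings."""
    report = {row["id"]: audit_policy(row) for row in rows}
    return {policy_id: found for policy_id, found in report.items() if found}


# Constructed sample rows; the ids are placeholders, not real policy UUIDs.
SAMPLE_ROWS = [
    {"id": "constructed-a", "pattern": "test@example.com", "pattern_type": "EMAIL",
     "is_trusted_sender": True, "verify_sender": False, "is_regex": False},
    {"id": "constructed-b", "pattern": "example.org", "pattern_type": "DOMAIN",
     "is_acceptable_sender": True, "verify_sender": True, "is_regex": False},
    {"id": "constructed-c", "pattern": ".*@example\\.net", "pattern_type": "UNKNOWN",
     "is_sender": True, "verify_sender": False, "is_regex": True},
]
```

Calling `audit(SAMPLE_ROWS)` reports `constructed-a` and `constructed-c`; `constructed-b` is omitted because it is a partial exemption with `verify_sender` on.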
INSERT examples
- create
- Manifest
Creates a new allow policy that exempts matching emails from security detections. Use with caution as this bypasses email security scanning. Policies can match on sender patterns and apply to specific detections or all detections.
```sql
INSERT INTO cloudflare.email_security.allow_policies (
  comments,
  is_acceptable_sender,
  is_exempt_recipient,
  is_recipient,
  is_regex,
  is_sender,
  is_spoof,
  is_trusted_sender,
  pattern,
  pattern_type,
  verify_sender,
  account_id
)
SELECT
  '{{ comments }}',
  {{ is_acceptable_sender }},
  {{ is_exempt_recipient }},
  {{ is_recipient }},
  {{ is_regex }},
  {{ is_sender }},
  {{ is_spoof }},
  {{ is_trusted_sender }},
  '{{ pattern }}',
  '{{ pattern_type }}',
  {{ verify_sender }},
  '{{ account_id }}'
RETURNING
  errors,
  messages,
  result,
  success
;
```
```yaml
# Description fields are for documentation purposes
- name: allow_policies
  props:
    - name: account_id
      value: "{{ account_id }}"
      description: Required parameter for the allow_policies resource.
    - name: comments
      value: "{{ comments }}"
    - name: is_acceptable_sender
      value: {{ is_acceptable_sender }}
      description: |
        Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.
    - name: is_exempt_recipient
      value: {{ is_exempt_recipient }}
      description: |
        Messages to this recipient will bypass all detections
    - name: is_recipient
      value: {{ is_recipient }}
      description: |
        Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.
    - name: is_regex
      value: {{ is_regex }}
    - name: is_sender
      value: {{ is_sender }}
      description: |
        Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.
    - name: is_spoof
      value: {{ is_spoof }}
      description: |
        Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.
    - name: is_trusted_sender
      value: {{ is_trusted_sender }}
      description: |
        Messages from this sender will bypass all detections and link following
    - name: pattern
      value: "{{ pattern }}"
    - name: pattern_type
      value: "{{ pattern_type }}"
      description: |
        Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.
      valid_values: ['EMAIL', 'DOMAIN', 'IP', 'UNKNOWN']
    - name: verify_sender
      value: {{ verify_sender }}
      description: |
        Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.
```
UPDATE examples
- edit
Updates an existing allow policy. Only provided fields will be modified. Changes take effect for new emails matching the pattern.
```sql
UPDATE cloudflare.email_security.allow_policies
SET
  comments = '{{ comments }}',
  is_acceptable_sender = {{ is_acceptable_sender }},
  is_exempt_recipient = {{ is_exempt_recipient }},
  is_recipient = {{ is_recipient }},
  is_regex = {{ is_regex }},
  is_sender = {{ is_sender }},
  is_spoof = {{ is_spoof }},
  is_trusted_sender = {{ is_trusted_sender }},
  pattern = '{{ pattern }}',
  pattern_type = '{{ pattern_type }}',
  verify_sender = {{ verify_sender }}
WHERE
  account_id = '{{ account_id }}' --required
  AND policy_id = '{{ policy_id }}' --required
RETURNING
  errors,
  messages,
  result,
  success;
```
DELETE examples
- delete
Removes an allow policy. After deletion, emails matching this pattern will be subject to normal security scanning and disposition actions.
```sql
DELETE FROM cloudflare.email_security.allow_policies
WHERE account_id = '{{ account_id }}' --required
  AND policy_id = '{{ policy_id }}' --required
;
```
Lifecycle Methods
- batch
Execute multiple operations atomically. All four operation arrays (deletes, patches, puts, posts) are required and executed in order. Send empty arrays for unused operations.
```sql
EXEC cloudflare.email_security.allow_policies.batch
@account_id='{{ account_id }}' --required
@@json=
'{
  "deletes": "{{ deletes }}",
  "patches": "{{ patches }}",
  "posts": "{{ posts }}",
  "puts": "{{ puts }}"
}'
;
```