Sequence of Message Authentication

Find out how the different message authentications are processed in Sophos Email Security.

Message authentication comprises three checks: DMARC, SPF, and DKIM, which are performed in the order that they're listed. The DMARC check depends on the SPF and DKIM checks. DMARC can only be evaluated if the sender has a valid DMARC record in DNS and supports SPF or DKIM checking. To perform the DMARC check, both the SPF and the DKIM checks are performed, regardless of the failure options configured in the policy. If neither the SPF check nor the DKIM check passes, the DMARC check fails.

If your Email Security policy applies Quarantine or Reject actions to DMARC, SPF, and DKIM checks, and the email passes all of these checks, the header anomaly checks won't be processed and the email will be delivered.

If DMARC, SPF, or DKIM fails, the Quarantine or Reject action is applied and processing of the email does not continue.
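
The sequence described above, modelled as an added example (not Sophos code) that follows only the statements on this page. The `Message` fields, the lowercase action strings, and the `continue` outcome for cases this page does not describe are assumptions.

```python
from dataclasses import dataclass

CHECK_ORDER = ("dmarc", "spf", "dkim")       # order given on this page
STOPPING_ACTIONS = {"quarantine", "reject"}  # actions that end processing

@dataclass
class Message:                 # constructed inputs, not a Sophos data structure
    spf_pass: bool
    dkim_pass: bool
    valid_dmarc_record: bool   # sender publishes a valid DMARC record in DNS

def check_results(msg):
    """Return {check: True/False/None}; None means the check cannot be evaluated."""
    # SPF and DKIM are always run, because DMARC depends on their results.
    results = {"spf": msg.spf_pass, "dkim": msg.dkim_pass}
    if msg.valid_dmarc_record:
        # This page states that DMARC fails when neither SPF nor DKIM passes.
        # Treating every other case as a pass is a simplification: identifier
        # alignment, which DMARC itself also requires, is not modelled.
        results["dmarc"] = msg.spf_pass or msg.dkim_pass
    else:
        results["dmarc"] = None
    return results

def evaluate(msg, policy):
    """policy maps each check name to its configured failure action (lowercase)."""
    results = check_results(msg)
    for check in CHECK_ORDER:
        if results[check] is False and policy[check] in STOPPING_ACTIONS:
            return (policy[check], check)   # action applies, processing stops
    all_pass = all(results[c] is True for c in CHECK_ORDER)
    all_strict = all(policy[c] in STOPPING_ACTIONS for c in CHECK_ORDER)
    if all_pass and all_strict:
        return ("deliver", None)            # header anomaly checks are skipped
    return ("continue", None)               # assumption: later checks still run

# Constructed policy for illustration.
STRICT = {"dmarc": "reject", "spf": "quarantine", "dkim": "quarantine"}
```

In this model a message that fails SPF but passes DKIM passes DMARC and is still quarantined by the SPF setting, because each check's own failure action is applied in order.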

For more information on these checks, see the following:

Message Authentication flow chart

The following flow chart shows the order in which these message authentications are carried out in different scenarios, and what happens when each message authentication passes or fails.

Message authentication flow chart.

Message Authentication decision table

The following decision table shows you the actions taken for every combination of policy setting and check result.

Message authentication decision table.