Skip to content

URL Protection

In URL Protection, you can choose what happens to messages that contain malicious links.

To expedite email processing and prevent delays, the URL protection stops scanning a message when it encounters a large number of URLs. For security reasons, we don't publish the limit we use.

For enhanced security, a message with too many URLs gets quarantined and marked as Unscannable - Excessive URLs. This security measure helps prevent attackers from hiding malicious URLs among a large number of URLs in a message. Given the risk, the Un-scanned emails setting on the Email Security policy configuration and allowed senders can't bypass the URL protection.

If you release one of these messages, it's delivered, and the URLs aren't rewritten.

Malicious URL scan

Messages that contain known and verified threats are separated into those that contain known malware or viruses, and those that contain known malicious links.

In Malicious URL scan, you can choose what to do with messages that contain malicious links.

If you select Include in End User Quarantine, messages can be checked, released, or deleted by your users. See End User Quarantine.

Time of Click URL Protection

This is available with an Email Advanced license only and is turned on by default.

When Time of Click URL Protection is turned on, URLs contained within inbound messages are rewritten to point to Sophos Email Security instead of the original destination.

When you click the link, Sophos Email Security performs an SXL lookup, and if it's malicious, it's blocked. If the URL is clean, the action taken when you click the link depends on what you've specified in your policies. For example, if you've set medium risk websites as allowed, when the link is checked and classified as not malicious, the link takes you to the original link destination.

If you hover over a rewritten link you can see the destination domain name at the start of the rewritten URL, in the format This means you can see where the link goes to.

Here's an example of a rewritten URL, with the domain highlighted after the Sophos server address.

Example rewritten URL.


Sophos Email Security can't re-evaluate an URL after it has been rewritten by another product.

You can select the action you want to take for websites with the following reputation levels:

  • High risk: Includes illegal sites, sites containing malware, and phishing sites.
  • Medium risk: Includes sites associated with spam and anonymizing proxies.
  • Unverified: The reputation of the website can't be verified.

You can't allow high-risk websites.


URLs you add to the Time of Click allow list are never rewritten at time of click.

You can also control whether URLs are rewritten in plain text messages and within securely signed messages:

  • Plain text messages: Refers to emails with no HTML formatting. Without HTML formatting, the entire encoded URL shows in the email when URL rewriting is turned on. You can bypass URL rewriting in these messages by deselecting the Re-write URLs in plain text messages. option.
  • Securely signed messages: URL rewriting may break the signatures of S/MIME, PGP, and DKIM signed messages. You can bypass URL rewriting in these messages by deselecting the Re-write URLs within securely signed messages. option.


    Be careful if you choose not to modify securely signed messages, as those messages would lose protection. The URLs won't be rewritten and smart banners won't be applied to signed messages.

See URL allow list.


If you turn on Time of Click URL Protection, and are using a Google email server, you may see DMARC failures reported for inbound messages.

This might be because Google doesn't consistently process emails from IP addresses in its Gateway IPs list. To check your email settings and find out more, see Restrict delivery to Sophos IP addresses.