Email Security Policy

You can apply security settings to your mailboxes using Email Security policies.

This option is only available if your license includes Sophos Email Security.

Email Security protects against spam. Set up Email Security first, if you haven't already done so. See Email Security.

Email Security policies are similar to other policies in Sophos Central, for example Endpoint Protection or Device Encryption policies. For general information about how policies work, see Policies.

You can find information specific to Email Security policies here.

You can create custom Email Security policies and apply them to users, groups, or domains.

You can't use custom policies with distribution lists or public folders. Distribution lists and public folders can only use the base policy, which is at the bottom of the priority hierarchy. For information about policy prioritization, see How are policies prioritized?.

Set up Email Security policies

To change or add Email Security policies, do as follows:

  1. Go to Email Security > Policies to apply security settings.

    For general information on creating policies, see Create or Edit a Policy.

  2. Edit the Email Security policy or click Add Policy to create a custom policy.

  3. Enter a name for the policy.
  4. Choose the users, groups, or domains for the policy.

    You can add external users and domains to policies, not just those of your organization. See External users and domains.

  5. Open the policy's Settings tab and configure it.

  6. Make sure the policy is enforced.
  7. Click Save.

External users and domains

You can apply policies to external users and domains as well as your own. You can apply the policies to both inbound and outbound messages.

When you create or edit a policy, click the External tab.

You can add individual email addresses or domains, or import them from a file. You can include or exclude your list from the policy. The default is Include all.


When we analyze the senders and recipients of messages, we use the SMTP envelope sender and recipient addresses, not the addresses in the From and To headers.

Plus addresses

Sophos Email Security protects against malicious messages sent to "plus addresses" available with Microsoft 365 (formerly Office 365) and Google Gmail.


Normal Gmail address:

Plus Gmail address:

Plus addresses are treated in the same way as email aliases.
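The two matching rules above (envelope addresses decide the sender and recipient, and a plus address is an alias of the base mailbox) are illustrated by the following added example. It is illustrative code written for this page, not Sophos's implementation; the `canonical` helper, `ExternalList` class, `policy_applies` function and the sample message are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample: the RFC 5321 envelope and the RFC 5322 headers disagree.
# Policy matching below uses the envelope, as the text describes, so the
# spoofed From header does not influence which external party is evaluated.
SAMPLE_MESSAGE = {
    "envelope_from": "billing@partner.example",
    "envelope_rcpt": "alice+invoices@example.com",
    "header_from": "CEO <ceo@example.com>",   # display address only, ignored
    "header_to": "alice@example.com",
}

def canonical(address: str) -> str:
    """Lower-case an address and drop the '+tag' subaddress, so a plus
    address is handled as an alias of the base mailbox (hypothetical helper)."""
    local, _, domain = address.strip().lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

@dataclass
class ExternalList:
    """Include/exclude list of external addresses and bare domains, as on the
    External tab. An empty include list models the 'Include all' default."""
    entries: set = field(default_factory=set)
    mode: str = "include"            # "include" or "exclude"

    def matches(self, address: str) -> bool:
        addr = canonical(address)
        hit = addr in self.entries or addr.rpartition("@")[2] in self.entries
        if self.mode == "include":
            return hit or not self.entries
        return not hit

def policy_applies(msg: dict, own_domains: set, external: ExternalList) -> tuple:
    """Return (direction, applies). Direction and the external party are taken
    from the SMTP envelope, never from the From/To headers."""
    sender = canonical(msg["envelope_from"])
    rcpt = canonical(msg["envelope_rcpt"])
    inbound = rcpt.rpartition("@")[2] in own_domains
    direction = "inbound" if inbound else "outbound"
    external_party = sender if inbound else rcpt
    return direction, external.matches(external_party)

if __name__ == "__main__":
    partner_only = ExternalList({"partner.example"}, "include")
    print(policy_applies(SAMPLE_MESSAGE, {"example.com"}, partner_only))
    # ('inbound', True): the envelope sender's domain is on the include list
```

The message is classified as inbound even though the From header claims an internal sender, and the plus-addressed recipient resolves to the base mailbox.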

Settings information

Most email policy settings only apply to inbound messages. The exceptions are in the Enhanced Email Malware Scan section.

They're as follows.

  • Enhanced content and file property scan, which applies to both inbound and outbound messages.
  • S/MIME, which can apply to either inbound or outbound messages, or both.


If an option is locked, your partner or Enterprise administrator has applied global settings.

You can set up the following options:

You can also set up policies that prevent data loss through emails. See Data control policy.

More resources

This video explains how to set up email policies. It covers Email Security policies and then Data control policies.

You can also view this video on the Sophos Techvids page. See Sophos Email: Get Started with Sophos Email.

We also have other videos that take you through setting up Sophos Email Security.