
Email Security policy

You can apply security settings to your mailboxes using Email Security policies.

Email Security protects against spam. Set up Email Security first, if you haven't already done so. See Email Protection.

Email Security policies are similar to other policies in Sophos Central, for example Endpoint Protection or Device Encryption policies. For general information about how policies work, see Policies.

You can find information specific to Email Security policies here.

You can create custom Email Security policies and apply them to users, groups, or domains.

You can't use custom policies with distribution lists or public folders. Distribution lists and public folders can only use the base policy, which is at the bottom of the priority hierarchy. For information about policy prioritization, see How are policies prioritized?.

You can also clone policies. See Cloning a policy.

Set up Email Security policies

To change or add Email Security policies, do as follows:

  1. Go to My Products > Email Protection > Policies to apply security settings.

    For general information on creating policies, see Create or Edit a Policy.

  2. Edit the Email Security policy, or click Add Policy to create a custom policy.

  3. Enter a name for the policy.
  4. Add Internal users, groups, or domains for the policy. The policy applies to users in any of the users, groups, or domains lists.
  5. Add External users and domains for the policy, if you want to. The policy applies if accounts in the internal users, groups, or domains lists send messages to addresses or domains in your external list. See External users and domains.

    You can hover over an internal user's name to see their email address.

  6. Make sure the policy is enforced.

  7. Click Save.

External users and domains

You can apply policies to external users and domains as well as your own. You can apply the policies to both inbound and outbound messages.

When you create or edit a policy, click EXTERNAL.

You can add individual email addresses or domains, or import them from a file. You can include or exclude your list from the policy.


When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.

Plus addresses

Sophos Email Security protects against malicious messages sent to "plus addresses" available with Microsoft 365 (formerly Office 365) and Google Gmail.


Normal Gmail address:

Plus Gmail address:

Plus addresses are treated in the same way as email aliases. For information on plus addressing (also known as subaddressing), see RFC 5233.


Sophos Email Security supports plus addressing only for inbound messages.
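The following Python sketch is an added illustration, not Sophos code. It shows why a policy decision based on the SMTP envelope recipient, with the plus detail stripped, can differ from one based on the To header. The policy list, addresses, and function names are constructed for the example, and "+" as the subaddress separator is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy list: one address and one domain (hypothetical values).
POLICY_INTERNAL = {"alice@example.com", "example.org"}

# Constructed inbound message: the envelope recipient is a plus address and
# the To header names a different mailbox, as happens with Bcc or list mail.
SAMPLE_ENVELOPE = {"mail_from": "bounce@mailer.example.net",
                   "rcpt_to": "<alice+invoices@example.com>"}
SAMPLE_MESSAGE = (
    "From: Billing <billing@vendor.example>\n"
    "To: undisclosed@vendor.example\n"
    "Subject: Invoice\n"
    "\n"
    "See attachment.\n"
)

def base_address(addr):
    """Reduce user+detail@domain to user@domain, lower-cased.
    Assumes '+' is the separator, as Microsoft 365 and Gmail use."""
    local, _, domain = addr.strip().strip("<>").lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def policy_applies(recipient, policy=POLICY_INTERNAL):
    """True if the recipient, with any plus detail removed, is a listed
    address or belongs to a listed domain."""
    addr = base_address(recipient)
    return addr in policy or addr.rpartition("@")[2] in policy

def header_to(raw_message):
    """Address shown in the To header, which the sender fully controls."""
    return parseaddr(message_from_string(raw_message)["To"])[1].lower()

def compare(envelope, raw_message):
    """Policy decision from the envelope recipient versus the To header."""
    return {
        "envelope": policy_applies(envelope["rcpt_to"]),
        "header": policy_applies(header_to(raw_message)),
    }

if __name__ == "__main__":
    print(compare(SAMPLE_ENVELOPE, SAMPLE_MESSAGE))
```
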


Most email policy settings only apply to inbound messages. The exceptions are as follows:

  • In the Enhanced Email Malware Scan section, Enhanced content and file property scan can apply to both inbound and outbound messages.
  • In the Enhanced Email Malware Scan section, S/MIME can apply to either inbound or outbound messages, or both.
  • In SETTINGS, there's also an outbound option to add disclaimer text to the bottom of messages.


If an option is locked, your partner or Enterprise administrator has applied global settings.

You can set up the following options:

Cloning a policy

If you want to make similar changes to a number of users, you can clone a policy.

Cloned policies are set to Policy Bypassed by default.

To clone a policy, do as follows.

  1. Go to My Products > Email Protection > Policies.
  2. Select the policy you want to clone.
  3. Click Clone.
  4. In Clone Policy, edit the name of the new policy if you want to, then click Continue.

    The new policy appears.

    When the base policy is cloned, the new policy has no users, groups, or domains. You must select these before using the policy cloned from the base policy.

  5. Click Save.

  6. Check that the cloned policy is correct, then click Policy Bypassed > Policy is enforced to turn it on.

By default the cloned policy takes priority over the original policy. You can change the priority. See How are policies prioritized?.

More resources

This video explains how to set up email policies. It covers Email Security policies and then Data control policies.

You can also view this video on the Sophos Techvids page. See Sophos Email: Get Started with Sophos Email.

We also have other videos that take you through setting up Sophos Email Security.