Sender check

Sender check helps you confirm whether an email really comes from the sender it claims. It looks at the email's headers and domain details to spot signs of spoofing or suspicious activity.

Email Security uses Header anomaly and Domain anomaly checks to identify these issues and help you decide how to handle affected messages.

Header anomaly

The Header anomaly check protects you from senders spoofing emails from your own domains.

Header anomaly detects messages that use your domain in the From address but originate from an external source. This is done by checking the From header of the email against all domains configured in your Sophos Central account, and comparing it with the MAIL FROM address in the envelope.

• If the domain in the From address matches any domain configured for your organization, the message is considered spoofed.
• If the From address in the header is different from the MAIL FROM address in the envelope, the message is considered spoofed.

You can control what happens to messages that fail the Header anomaly check.

You can select from the following actions:

• Tag subject line: Tag the message's subject line to indicate that it's a spoofed message. This is the default value.
• Quarantine: Place the message in quarantine.
• Reject: Reject the message.
• Deliver: Deliver the message to the next stage.

Domain anomaly

Domain anomaly detects messages that appear to be sent from a domain that has neither an MX record nor an A record.

You can control what happens to messages that fail the Domain anomaly check.

You can select from the following actions:

• Tag subject line: Tag the message's subject line to indicate that it's a spoofed message. This is the default value.
• Quarantine: Place the message in quarantine.
• Reject: Reject the message.
• Deliver: Deliver the message to the next stage.