
How Sender Checks work

Sender checks are used to verify the authenticity of an email's origin.

This topic addresses the types of sender checks Sophos Email Security uses to protect you from illegitimate emails.

For more information on the order in which checks are carried out in different scenarios, see Sequence of Sender Checks.


This topic briefly explains how the sender checks work. Because it focuses on what happens to incoming mail, it does not cover details such as setting up DNS records (DMARC, DKIM, SPF).


Sender Policy Framework (SPF) allows you to verify that incoming email comes from an IP address or sending host authorized by the sending domain's administrators.

The sender creates an SPF record which specifies the hosts, IP addresses and subnets that are authorized to send mail for their domain.

When an email is received by Sophos Email Security, it looks at the address of the sending mail server and compares it to the authorized senders in the SPF record. If these do not match, the SPF check will fail.


DomainKeys Identified Mail (DKIM) is used to authorize an email by verifying its digital signature, which associates a domain name with the email.

The sender decides which parts of the email they want signed (header and/or body) and then configures their mail server to create a hash of those parts. The hash is then encrypted with their private key. They also publish a DKIM record which contains the public key used to decrypt the signature.

When Sophos Email Security sees that an email has a DKIM signature, it does a DNS lookup to find the DKIM record associated with the sending domain. It uses the public key to decrypt the digital signature back to the hash value. It then takes the elements of the message that were signed and creates its own hash, which it compares to the decrypted hash. If these do not match, the DKIM check will fail.



Domain-based Message Authentication, Reporting and Conformance (DMARC) utilizes both DKIM and SPF to validate the authenticity of an email.

The sender creates a DMARC record which instructs the receiver to carry out DMARC checks and contains information about what to do when DMARC fails.

When an email is received, Sophos Email Security carries out a DNS check to find the DMARC record for the domain specified in the email's from (header) address. The DMARC record tells the receiver (in this case, Sophos Email Security) to check for DMARC and specifies what to do with email that fails DMARC checks. The Sophos Email Security default option for messages that fail DMARC checks is Conform to sender policy, meaning that what happens to the message depends on what is defined in the DMARC record. The domain specified in the from address is checked against the information in the SPF and DKIM records to verify that the domains match. To pass a DMARC check, the message needs to pass validation and alignment checks for SPF or DKIM:

  • For SPF, the domain specified in the MAIL FROM (envelope) address must match one of the IP addresses or subnets specified in the SPF record. DMARC then checks the MAIL FROM address against the from address to make sure they align.
  • For DKIM, the signature must be validated and the domain specified in the from address must match the domain used to create the signature specified in the DNS record.
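
The pass/fail logic described above, as an added example (this is not Sophos code and not part of the original topic). The Python below takes SPF and DKIM verdicts that have already been computed, applies the alignment checks, and on failure returns the policy from the sender's DMARC record, as "Conform to sender policy" would. It assumes alignment means an exact domain match; the function names, addresses and DMARC record are constructed for illustration.

```python
from email.utils import parseaddr

def domain_of(address):
    """Lowercased domain of 'Name <user@domain>'; '' if there is none."""
    _, at, domain = parseaddr(address)[1].rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def parse_dmarc(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject' into tags."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def evaluate_dmarc(header_from, mail_from, spf_result, dkim_results, record):
    """Return ('pass', None) or ('fail', <p= policy from the sender's record>).

    spf_result is the SPF verdict for the MAIL FROM domain; dkim_results is a
    list of (signing domain, verdict) pairs, one per DKIM signature.
    """
    from_domain = domain_of(header_from)
    # SPF counts only if it passed AND MAIL FROM aligns with the header From.
    spf_ok = spf_result == "pass" and domain_of(mail_from) == from_domain
    # DKIM counts only if a valid signature's domain aligns with the header From.
    dkim_ok = any(verdict == "pass" and d.lower().rstrip(".") == from_domain
                  for d, verdict in dkim_results)
    if from_domain and (spf_ok or dkim_ok):
        return "pass", None
    # Assumption: a record without a p= tag is treated as p=none.
    return "fail", parse_dmarc(record).get("p", "none").lower()

# Constructed sample: SPF passes for the envelope domain, but that domain is
# not the one shown in the header From, and there is no aligned DKIM signature.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
if __name__ == "__main__":
    print(evaluate_dmarc("CEO <ceo@example.com>", "bounce@mailer.test",
                         "pass", [("mailer.test", "pass")], RECORD))
```

The sample shows why validation alone is not enough: SPF and DKIM both pass for mailer.test, yet the message fails DMARC because neither result aligns with the domain in the from address.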


Header anomalies

The Header anomalies check protects you from senders spoofing emails from your own domain.

It identifies email that appears to come from your own domain but originates from an external domain by checking the from header of the email against the recipient domain, and the MAIL FROM address in the envelope.

  • If the domain in the from address belongs to the same customer as the recipient domain, the mail is considered to be spoofed.
  • If the from address in the header is different to the MAIL FROM address in the envelope, the mail is considered to be spoofed.


The header needs to match both the criteria above to trigger the Header anomalies check.