Sender Checks

Sender checks allow you to verify whether an email originates from where it claims to come from. Email Security uses DMARC, SPF, DKIM and Header anomalies checks to do this.

Note

This option is only available if your license includes Sophos Email Security.

Sender checks are performed in the order they appear in the UI. If an email fails the first sender check, the other checks are not carried out. See How Sender Checks work.

For more information on the order in which checks are carried out in different scenarios, see Sequence of Sender Checks.

We recommend you set each sender check category to Quarantine.

You can override the sender checks by allowing domains and email addresses in the Inbound allow list.

For each of the sender checks you can choose to send messages that fail to End User Quarantine.

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy and reporting protocol. It builds on the DKIM and SPF protocols to detect and prevent email spoofing. You can control what happens to messages that fail DMARC checks.

Select from:

  • Conform to sender policy: What happens to the message depends on what the sender stated in their DMARC policy. (This is the default value.)
  • Tag subject line: Email Security adds a tag to the message's subject line indicating that it is a spoofed message.
  • Quarantine: Message is quarantined.
  • Reject: Message is rejected.
  • Deliver: Message is delivered to the next stage.

SPF

SPF (Sender Policy Framework) allows you to verify that incoming email comes from an IP address authorized by the sending domain's administrators.

Emails from IP addresses marked as "fail" by the sending domain's administrators are rejected.

Spam and phishing emails often use forged addresses, which results in an SPF check rejecting the email.

Select from:

  • Tag subject line: Email Security adds a tag to the message's subject line indicating that it's a spoofed message. This is the default value.
  • Quarantine: Message is quarantined.
  • Reject: Message is rejected.
  • Deliver: Message is delivered to the next stage.

DKIM

DKIM (DomainKeys Identified Mail) is an authentication framework used to sign and validate a message based on the domain of the sender. You can control what happens to messages that fail DKIM checks.

Select from:

  • Tag subject line: Email Security adds a tag to the message's subject line indicating that it's a spoofed message. This is the default value.
  • Quarantine: Message is quarantined.
  • Reject: Message is rejected.
  • Deliver: Message is delivered to the next stage.

Header anomalies

The Header anomalies check identifies email that appears to come from your own domain but originates from an external domain. It does this by checking the From header of the email against the recipient domain and against the from address in the envelope.

  • If the domain in the from address matches the recipient's domain, the mail is considered to be spoofed.
  • If the from address in the header is different to the from address in the envelope, the mail is considered to be spoofed.

Note

A message must match both of the criteria above to trigger the Header anomalies check.
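
The two criteria, and the requirement that both are met, can be expressed as the following check. This is an added example, not Sophos code: the function names, the case-insensitive address comparison and the sample messages (built on reserved example domains) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def header_anomaly(raw_message: str, envelope_from: str, recipient: str) -> bool:
    """Return True only when BOTH criteria described above are met."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    env_from = parseaddr(envelope_from)[1].lower()
    rcpt_domain = domain_of(parseaddr(recipient)[1])
    from_domain = domain_of(header_from)
    # Criterion 1: the From header domain matches the recipient's domain.
    same_domain = from_domain != "" and from_domain == rcpt_domain
    # Criterion 2: the From header address differs from the envelope sender.
    # Assumption: addresses are compared case-insensitively.
    differs = header_from != env_from
    return same_domain and differs


# Constructed samples: (label, envelope sender, recipient, raw message).
SAMPLES = [
    ("spoofed-internal", "bounce@mailer.example.net", "alice@example.com",
     'From: "CEO" <ceo@example.com>\nTo: alice@example.com\nSubject: Invoice\n\nHi'),
    ("external-sender", "bounces@vendor.example", "alice@example.com",
     "From: news@vendor.example\nTo: alice@example.com\nSubject: News\n\nHi"),
    ("internal-consistent", "bob@example.com", "alice@example.com",
     "From: Bob <bob@example.com>\nTo: alice@example.com\nSubject: Lunch\n\nHi"),
    ("case-only-difference", "bob@example.com", "alice@example.com",
     "From: Bob <Bob@EXAMPLE.com>\nTo: alice@example.com\nSubject: Lunch\n\nHi"),
]


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample label to the result of the header anomaly check."""
    return {label: header_anomaly(raw, env, rcpt) for label, env, rcpt, raw in samples}


if __name__ == "__main__":
    for label, flagged in evaluate().items():
        print(f"{label}: {'header anomaly' if flagged else 'no anomaly'}")
```

Only the first sample is flagged: the second meets just the envelope mismatch criterion and the third and fourth meet just the domain match criterion.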

You can control what happens to messages that fail the Header anomalies check.

Select from:

  • Tag subject line: Email Security adds a tag to the message's subject line indicating that it is a spoofed message. (This is the default value.)
  • Quarantine: Message is quarantined.
  • Reject: Message is rejected.
  • Deliver: Message is delivered to the next stage.