New Sender

You can manage inbound emails from new senders by using New Sender protection, which identifies emails from senders that users don't regularly receive.

New Sender protection helps users make informed decisions when interacting with emails from unfamiliar senders.

You can configure the actions available to users on these emails through the smart banner, such as allowing the sender, blocking the sender, or reporting the message as spam.

When the New Sender alert doesn't appear

The New Sender alert doesn't appear if the sender's email address, domain, or IP address is already included in an allow list.

• If an administrator adds a sender to the allow list, the New Sender alert doesn't appear for any mailbox in the account.
• If a user adds a sender to their allow list, the New Sender alert doesn't appear for that user's mailbox only.

Configure New Sender protection

Show me how

To configure New Sender protection, do as follows:

1. In your Email Security policy, go to Settings > Inbound > New Sender.
2. Turn on New Sender.
3. Click the Edit icon to modify the New Sender alert.
4. Update the New Sender alert message, if required.

5. Select the actions you want to make available to users. You can choose from the following options:

   • Allow sender

   • Block sender

     Note

     Allow sender and Block sender links appear only if these options are turned on in User Settings. See Allow/Block List.

   • Report spam

6. (Optional) Select Include persistent unanswered senders to treat repeated emails from the same sender as new if the user doesn't respond.

   For information, see Include persistent unanswered senders.

   Note

   For this option to work, your outbound email gateway must route emails through Sophos Email.

7. Save the policy.

New Sender protection is configured. Sophos Email displays a New Sender alert on inbound emails identified as coming from unfamiliar senders.

New Sender alerts with other Sophos banners

If New Sender protection and other Sophos banner features are turned on, their messages can appear together in the same banner on an email message.

The banner displays combined messaging and available actions from all applicable policies. An action appears if it's allowed by at least one enabled policy.

For example, if another Sophos banner allows Report spam and the New Sender alert allows Allow sender, both actions appear in the email.

How New Sender alerts behave

This section describes how the New Sender alert behaves in different delivery and message scenarios.

Messages released from quarantine

When a quarantined message is released, Sophos Email evaluates the message for New Sender protection at the time it's delivered to the mailbox.

If the sender qualifies as a new sender, the New Sender alert appears on the released message.

If the recipient or administrator allows the sender during the release process, the New Sender alert still appears on that message. The allow list entry is applied after delivery, because allow list changes take effect only after the message is delivered.

Subsequent emails from the same sender don't show the New Sender alert because the sender is already included in the allow list.

Messages sent to multiple recipients

When an email is sent to multiple recipients, Sophos Email evaluates each sender and recipient combination separately.

The New Sender alert is applied independently in each recipient's mailbox based on the configured policy and the recipient's sender history.

For example, a New Sender alert may appear for one recipient but not for another if their mailbox histories differ.

Messages sent to aliases

Emails sent to an alias are evaluated using the primary mailbox associated with that alias.

If New Sender protection applies to the primary mailbox, the New Sender alert is also displayed for messages delivered to the alias.

Sender history and policy evaluation for aliases follow the primary mailbox configuration.

Inbound-only domains

For inbound-only domains, persistent unanswered sender behavior doesn't apply.

In this case, the New Sender alert appears only on the first email from a sender. Subsequent emails from the same sender don't display the New Sender alert, regardless of whether Include persistent unanswered senders is turned on.

Inbound-only domains are domains where outbound email isn't routed through Sophos Email.

Forwarded and replied emails

The New Sender alert is removed from the email content when the message is forwarded or replied to.

Include persistent unanswered senders

When Include persistent unanswered senders is turned on, Sophos Email continues to show the New Sender alert for repeated emails from the same sender until the recipient replies or until the learning period ends.

If this option is turned off, the New Sender alert is displayed only once for each sender and recipient combination.

Manage learning period

This section explains how Sophos Email determines whether a sender is new and how the learning period affects New Sender alerts.

How Sophos Email identifies a new sender

The New Sender check is performed at the mailbox level.

Sophos Email tracks the sender history of each mailbox for the past six months. A sender is identified as new if they haven't sent an email to that mailbox within the last six months.

This behavior applies unless the sender is already included in an allow list or excluded by policy.

Learning period behavior

New Sender protection uses a learning period for new Sophos Email accounts and new users.

During the learning period, Sophos Email collects sender information, but the New Sender alert isn't displayed, even if the sender has no prior history in the recipient's mailbox.

You can click Manage Learning Period to change the learning period duration in New Sender Settings. For more information, see Manage new sender settings.