Last update: 2022-05-04

Email Security Policy

You can apply security settings to your mailboxes using Email Security policies.

This option is only available if your license includes Sophos Email Security.

Email Security protects against spam. Set up Email Security first, if you haven't already done so. See Email Security.

Email Security policies are similar to other policies in Sophos Central, for example Endpoint Protection or Device Encryption policies. For general information about how policies work, see Policies.

You can find information specific to Email Security policies here.

You can create custom Email Security policies and apply them to users, groups, or domains.

You can't use custom policies with distribution lists or public folders. Distribution lists and public folders can only use the base policy, which is at the bottom of the priority hierarchy. For information about policy prioritization, see How are policies prioritized?

To change or add Email Security policies, do as follows:

  1. Go to Email Security > Policies to apply security settings.

    For general information on creating policies, see Create or Edit a Policy.

  2. Edit the Email Security policy or click Add Policy to create a custom policy.

  3. Enter a name for the policy.
  4. Choose the users, groups, or domains for the policy.
  5. Open the policy's Settings tab and configure it.
  6. Make sure the policy is enforced.
  7. Click Save.

Plus addresses

Sophos Email Security protects against malicious messages sent to "plus addresses" available with Microsoft 365 (formerly Office 365) and Google Gmail.


Normal Gmail address:

Plus Gmail address:

Plus addresses are treated in the same way as email aliases.

Settings information

Most email policy settings apply only to inbound messages. The exceptions are in the Enhanced Email Malware Scan section and are as follows:

  • Enhanced content and file property scan, which applies to both inbound and outbound messages.
  • S/MIME, which can apply to either inbound or outbound messages, or both.


If an option is locked, your partner or Enterprise administrator has applied global settings.

You can set up the following options:

You can also set up policies that prevent data loss through emails. See Data Loss Prevention policy.
