Message Details
In Message History, under the Processed report, click the subject of a message to see its details.
You can click the following tabs for more information about the message.
- Details: Shows general information about the message and a history of events for the message. Event history is grouped by recipients.
- Raw Header: Shows the header details.
  You can click AI Analysis to view an AI-generated summary of SPF, DKIM, and DMARC verdicts. For more information, see AI Analysis.
- Attachments: Shows the name and size of attachments.
- URLs: Shows any URLs in the message.
We calculate attachment size using the email's MIME-encoding. We don't use the size of the raw files. This means attachment file sizes are often reported as larger than the actual file. See Calculating email attachment file sizes.
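The size difference described above can be reproduced offline. The following is an added example, not Sophos code: it builds a constructed message, then compares each attachment's raw file size with the size of its MIME transfer-encoded body. The function names and sample addresses are hypothetical, and whether the reported size also counts line breaks or part headers is an assumption the page doesn't settle.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample(raw_len=30_000):
    # Constructed message with one binary attachment of raw_len bytes.
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.net"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(bytes(raw_len), maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


def attachment_sizes(raw_message):
    """Return (filename, raw_bytes, mime_encoded_bytes) for each attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True)        # the original file's bytes
        encoded = part.get_payload(decode=False)   # base64 text as transmitted
        rows.append((part.get_filename(), len(raw), len(encoded)))
    return rows


if __name__ == "__main__":
    for name, raw, enc in attachment_sizes(build_sample()):
        # base64 turns every 3 bytes into 4 characters, plus line breaks.
        print(f"{name}: file {raw} B, MIME-encoded {enc} B ({enc / raw:.2f}x)")
```

A base64-encoded attachment comes out roughly a third larger than the file on disk, which is why the size in the Attachments tab exceeds the size a user sees locally.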
Tip
In the Details tab, you can expand or collapse the rows for each recipient to view more details. You can also hover over the three dots icon to see the full status message.
For inbound and outbound spam messages, depending on our message analysis, you'll see either Report threat or Report clean. Click either of these options to send the message to SophosLabs and help improve our spam detection.
Blocking
In Message History, you can click the subject of a message you want to block and then view its message details. Next, click Block under SMTP From and select either Block sender or Block sender domain to add the sender's email address or the domain to your block list.
You can also click Block IP Address under IP Address to add the IP address to your block list. Alternatively, you can add email addresses and domains from the Inbound Allow/Block list.
Warning
Be careful when you block an IP address. You can accidentally block a whole service. For example, if you block the IP address used by Microsoft 365, you won't receive messages from any Microsoft 365 users.
You can add descriptions when blocking a sender's email address, domain, or IP address to specify the reason for each block entry. For example, a description might be "blocked due to spam". You can view and edit these descriptions later on the Inbound Allow/Block list.
For more information, see Inbound Allow/Block.
Recover deleted messages
You must be a Super Admin to use this feature.
Outbound messages flagged as spam are deleted. This is because servers downgrade the reputation of Sophos Email delivery IP addresses when they receive spam from Sophos Email. If the Super Admin wants to check whether deleted messages were false positives, they can recover and quarantine them for further inspection. This applies to inbound and outbound messages.
You can recover and send the deleted messages to quarantine in Message History. The only deleted messages you can recover and send back to quarantine are as follows:
- Inbound messages flagged as malware:
  - Virus
  - Intelix threat (unscannable)
  - Intelix threat (malicious)
- Outbound messages flagged as spam
Click the subject of a message to see its details, then click Deleted to start message recovery. You can select Recover for all recipients to recover the message for all recipients, then click Recover.
Note
Messages recovered to quarantine must undergo a thorough evaluation before they're released so that the security of the recipient isn't compromised.
It may take a few minutes to recover the message to quarantine. When it's recovered to quarantine, you must thoroughly assess the message by using techniques such as submitting the message to Intelix for scanning. You can download the attachments to inspect them for malicious content. You can read the message content to determine whether it's spam. See Quarantined Messages.
Releasing outbound spam harms the reputation of delivery IP addresses of Sophos Email. A compromised reputation may result in delays or rejection of messages for all customers. So, an hourly rate limit is applied to the recovery of deleted outbound spam. In an hour, you can recover a maximum of five messages, each of which may have been addressed to one or more recipients.
The following video shows you how to recover deleted messages to quarantine and configure your users' quarantine as read-only.

Suspected spam messages
Inbound messages are scanned for spam, and then messages are categorized based on scan results. When Sophos Central identifies a suspicious message, it marks it as "Suspected" and adds its spam level.
Sophos Central categorizes the suspected spam messages based on their level. For example, a message corresponding to an L3 spam level will be marked as "Suspected L3" in Message History.
The action depends on how you set the slider. For example, suppose you set the slider to L3 and the action to Quarantine. In that case, suspected spam messages from L1 to L3 will be quarantined, and those from L4 to L5 will be delivered to the recipient.
You can filter the messages by suspected spam level. You can also click the subject of a message to view more details and its suspected spam level. The suspected spam level you configured using the catch rate slider is shown in Reason, and the suspected spam level Sophos Central validated is shown in Sub Category.
You can watch the following video for a step-by-step guide on how to view the suspected spam messages and their corresponding spam levels in Message History.

Multiple recipients
If a message is sent to multiple recipients, in the Details tab, you can do the following actions:
- Scroll through SMTP Recipients and Header Recipients.
- See a list of recipients with their latest delivery status, search events by recipient email address or domain, and expand a message to view all associated events.
- Filter messages by clicking the links under Status Summary.
On-demand clawback
You can manually claw back messages determined to be objectionable from recipients' M365 mailboxes and move them to post-delivery quarantine.
This feature applies to individual recipients, email aliases, and distribution lists. After a successful clawback attempt, the clawback status for distribution lists remains "Clawback Initiated".
Before you perform a clawback, note the following points:
- You can claw back a message only if it's delivered to an M365 mailbox whose domain is connected for post-delivery protection.
- It may take up to 10 minutes to claw back a message from an M365 mailbox.
- A message released from post-delivery quarantine can't be clawed back again.
You can report a message to SophosLabs and claw it back at the same time. Clawback starts after you submit the message to SophosLabs, as long as it was successfully delivered to a supported M365 mailbox.
A detection is sent to MDR if you select a reason during clawback. The reason appears as a suffix in the Detection Rule column on the Detections page in the Threat Analysis Center.
After a successful clawback, the messages are quarantined. You can check the messages in the post-delivery quarantine list and release them if they're non-malicious or legitimate. See Quarantined Messages.
You can also claw back messages from a recipient's inbox using the clawback API. For more information, see Email Management API.
You can perform on-demand clawback in two ways:
Claw back messages in Message History
You can claw back messages directly from Message History.
To do this, do as follows:
- In Sophos Central, go to Reports > Email Security Logs > Message History.
- Select the messages you want to claw back. You can select up to 100 messages at once.
  Tip
  - You can use Advanced Search to narrow down your message selection.
  - You can use the checkbox next to the up/down arrow icon to select all messages on the current page. Make sure you're viewing only inbound messages, as only those can be clawed back.
  - You can filter for delivered messages because only messages delivered successfully can be clawed back.
- Click Initiate clawback.
  The Clawback messages dialog appears.
- (Optional) Select a reason for clawing back the selected messages from the following options:
  - Spam emails
  - Malware emails
  - Phishing emails
  - Unwanted emails
- (Optional) If you selected Spam emails, Malware emails, or Phishing emails, you can select Report the emails to SophosLabs to report the messages to SophosLabs.
  This helps us improve our threat detection.
- Click Confirm to claw back messages from the M365 mailboxes.
Claw back messages in Message Details
You can claw back messages from their message details page.
To do this, do as follows:
- In Sophos Central, go to Reports > Email Security Logs > Message History.
- Click the subject of a message you want to claw back to view its message details.
- Click Initiate clawback.
- Select the recipients from whom you want to claw back the delivered message.
- Select a reason for clawing back the selected message from the following options:
  - Spam emails
  - Malware emails
  - Phishing emails
  - Unwanted emails
- (Optional) If you selected Spam emails, Malware emails, or Phishing emails, you can select Report the emails to SophosLabs to report the message to SophosLabs.
  This helps us improve our threat detection.
- (Optional) Click View Report to view the post-delivery summary report for the messages clawed back. See Post-delivery summary report.
- Click Clawback to claw back messages from the M365 mailboxes of the selected recipients.
AI Analysis
AI Analysis helps you quickly assess whether a message is suspicious by reviewing its email headers and authentication results.
When you click AI Analysis in the Raw Header tab, you see an AI-generated summary of the email headers. It shows the results of authentication checks such as SPF, DKIM, and DMARC, and highlights issues including domain alignment issues, missing signatures, or failed policies. The summary also shows the overall authentication status of the message based on these results.
Instead of manually interpreting long and complex header values, you get a clear explanation of which checks passed or failed, and why the message may be risky.
AI Analysis makes it easier to identify spoofing attempts, forwarding issues, or configuration problems without needing deep email-header expertise.
You can also click Print PDF to print the AI Analysis or save it as a PDF file.
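To cross-check a summary by hand, the same SPF, DKIM, and DMARC verdicts can be read from the Authentication-Results line in the Raw Header tab. The following is an added example, not Sophos's AI Analysis and not code from this product: it parses a constructed header and flags a missing signature, an alignment problem, and a failed policy. The function names are hypothetical, and `org_domain` is a simplification that assumes two-label organizational domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header (not from a real message): SPF passes for the
# bounce domain, there is no DKIM signature, and DMARC fails.
RAW_HEADER = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=bounce.mailer.example;\n"
    " dkim=none;\n"
    " dmarc=fail header.from=bank.example\n"
    "From: \"Bank Support\" <support@bank.example>\n"
    "Subject: Account notice\n\n"
)

def org_domain(domain):
    # Simplification: keep the last two labels. DMARC proper uses the
    # Public Suffix List to find the organizational domain.
    return ".".join(domain.lower().split(".")[-2:])

def analyze(raw_header):
    msg = message_from_string(raw_header)
    results = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    aligned = {"spf": False, "dkim": False}
    for clause in results.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, verdict = m.group(1), m.group(2).lower()
        if verdicts[method] != "pass":  # one passing result is enough
            verdicts[method] = verdict
        prop = re.search(r"\b(?:smtp\.mailfrom|header\.d)=(\S+)", clause)
        if method in aligned and verdict == "pass" and prop:
            checked = prop.group(1).rpartition("@")[2]
            aligned[method] |= org_domain(checked) == org_domain(from_dom)
    findings = []
    if verdicts["dkim"] in ("none", "missing"):
        findings.append("no DKIM signature")
    for method in aligned:
        if verdicts[method] == "pass" and not aligned[method]:
            findings.append(f"{method.upper()} passed but is not aligned with {from_dom}")
    if verdicts["dmarc"] != "pass":
        findings.append(f"DMARC verdict is {verdicts['dmarc']}")
    ok = verdicts["dmarc"] == "pass" and any(aligned.values())
    return {"verdicts": verdicts, "findings": findings,
            "overall": "authenticated" if ok else "suspicious"}
```

For the constructed header, `analyze(RAW_HEADER)` reports an SPF pass that doesn't help the visible From domain, which is the typical shape of a spoofed sender relayed through an unrelated mail service.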