Use this policy to apply security settings to email.
Each email message is analyzed and given a spam score. The higher the score the more likely the message is to be spam. Messages with the highest spam scores are rated as Confirmed Spam.
Messages are categorized based on their spam score and you can choose how the categories are processed. Messages are split into:
Confirmed Spam: These are messages that conform to known and verified spam patterns.
Bulk: These are solicited messages sent using mass mailing, for example newsletters sent to a mailing list.
Suspected Spam: These are messages that have been identified as suspicious.
For each category choose an action.
The default settings are:
Confirmed Spam: Quarantine
Suspected Spam: Deliver
End-user message settings
When you turn on Smart banners, a banner is displayed at the top of inbound email messages to show if the email is trusted.
Smart banners are only inserted when emails are received from outside the organization. If an internal employee forwards such an email to another internal employee, the banner remains in the forwarded email.
Emails from Sophos, for example Quarantine Summary emails, will not display banners.
We strongly recommend that you route outbound email through Sophos Central before you turn on smart banners. If you don’t, external recipients see the banner in replies or forwarded email and can modify end-user allow and block lists.
You can turn on and off the following banner types:
Trusted: The email was sent from an allowed sender and passed DMARC.
External: The email was sent from outside your organization.
Untrusted: The email was sent from outside your organization and failed DNS authentication (SPF, DKIM, or DMARC).
You can choose to send a quarantine summary message to each protected mailbox. The message contains a table containing spam messages that were quarantined since the last summary message was sent. You can schedule when the messages are sent.
You can only send quarantine summary messages to users. You can't send them to distribution lists or public folders.
Users can release or delete quarantined spam messages by clicking the appropriate link in the quarantine summary message.
To set up quarantine summary messages do as follows:
Turn on Send a quarantine summary email.
Select when you want the messages sent.
All days are selected by default. Click a day to deselect it.
One time slot is shown by default. You can add up to three more by clicking Add another time. To delete a time slot, click the delete icon next to it.
The default time slot can't be deleted.
Sender checks allow you to verify whether an email originates from where it claims to come from. Email Security uses DMARC, DKIM, and Header anomalies checks to do this. Sender checks are performed in the order they appear in the UI. If an email fails the first sender check, the other checks are not carried out.
You can override the sender checks by adding domains and email addresses to the Allow list.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy and reporting protocol. It builds on the DKIM and SPF protocols to detect and prevent email spoofing. You can control what happens to messages that fail DMARC checks.
DKIM (DomainKeys Identified Mail) is an authentication framework used to sign and validate a message based on the domain of the sender. You can control what happens to messages that fail DKIM checks.
The Header anomalies check identifies email that appears to come from your own domain but originates from an external domain by checking the from header of the email against the recipient domain, and the from address in the envelope.
If the domain in the from address matches the recipient's domain, the mail is considered to be spoofed.
If the from address in the header is different to the from address in the envelope, the mail is considered to be spoofed.
The header needs to match both the criteria above to trigger the Header anomalies check.
You can control what happens to messages that fail the Header anomalies check.
Enhanced Email Malware Scan
Enhanced content and file property scan: This is our highest level of protection against email malware. It is on by default.
This setting applies to inbound and outbound messages.
If malware is detected in a message, it's always discarded.
Un-scanned emails: You can choose what happens to messages that cannot be scanned. The available actions are:
Tag subject line
This setting applies to inbound messages only.
Time of Click URL Protection (Email Advanced license only): When Time of Click URL Protection is enabled, URLs contained within inbound messages are rewritten to point to Sophos Email instead of the original destination.
When you click the link Sophos Email performs an SXL lookup, and if it's malicious, it's blocked. If the URL is clean, the action taken when you click the link depends on what you've specified in the policy. For example, if you've set medium risk websites as allowed, when the link is checked and classified as not malicious, the link takes you to the original link destination.
The domain name is displayed at the start of the rewritten URL so that you can see where the link will send you, if allowed. For example
You can select the action you want to take for websites with the following reputation levels:
High risk: Includes illegal sites, sites containing malware, and phishing sites.
Medium risk: Includes sites associated with spam and anonymizing proxies.
Unverified: The reputation of the website can't be verified.
You can't allow high-risk websites.
URLs you add to the Time of Click allow list are never rewritten at time of click.
You can also control whether URLs are rewritten in plain text messages and within securely signed messages:
- Plain text messages: refers to emails with no HTML formatting. Without HTML formatting, the entire encoded URL shows in the email when URL rewriting is turned on. You can bypass URL re-writing in these messages by deselecting the Re-write URLs in plain text messages. option.
- Securely signed messages: URL re-writing may break the signatures of S/MIME, PGP, and DKIM signed messages. You can bypass URL re-writing in these messages by deselecting the Re-write URLs within securely signed messages. option.
Be careful if you choose to bypass URL re-writes, as URLs in these messages won't be protected.
Intelix Threat Analysis - (Email Advanced license only): This option sends emails that may contain active malicious content to an isolated virtual environment where they are opened and checked. If emails are found to be malicious, they are removed. SophosLabs Intelix detects threats in messages using static and dynamic analysis. Static Analysis leverages multiple machine learning models, neural networks, global reputation, deep file scanning, and more. Dynamic Analysis detonates a message in a sandbox to reveal its true nature and capabilities of a potential threat.
When Intelix service location is turned on, you can select your preferred location.
Select Let Sophos decide (recommended) to automatically route messages for optimal performance.
Messages that may be malicious will run in a virtual environment for closer inspection.
Messages that are clean are delivered as normal. Messages that contain advanced threats are discarded.
See Sophos Sandstorm.
Impersonation Protection (Email Advanced license only): This feature detects emails that pretend to be from well-known brands, or from very important people (VIPs) in your organization.
Choose the action taken when this feature detects emails.
In summary reports, these emails are labeled as advanced threat.
You can add email addresses for VIPs in VIP management.