Skip to content

Email Security

Use this policy to apply security settings to email.

The following settings only apply to inbound messages with the exception of Enhanced content and file property scan, which applies to both inbound and outbound messages.

Spam Filtering

Each email message is analyzed and given a spam score. The higher the score the more likely the message is to be spam. Messages with the highest spam scores are rated as Confirmed Spam.

Messages are categorized based on their spam score and you can choose how the categories are processed. Messages are split into:

  • Confirmed Spam: These are messages that conform to known and verified spam patterns.
  • Bulk: These are solicited messages sent using mass mailing, for example newsletters sent to a mailing list.
  • Suspected Spam: These are messages that have been identified as suspicious.

For each category choose an action.

The default settings are:

  • Confirmed Spam: Quarantine
  • Bulk: Quarantine
  • Suspected Spam: Deliver

End-user message settings

When you turn on Smart banners, a banner is displayed at the top of inbound email messages to show if the email is trusted.


Smart banners are only inserted when emails are received from outside the organization. If an internal employee forwards such an email to another internal employee, the banner remains in the forwarded email.

Emails from Sophos, for example Quarantine Summary emails, will not display banners.


We strongly recommend that you route outbound email through Sophos Central before you turn on smart banners. If you don’t, external recipients see the banner in replies or forwarded email and can modify end-user allow and block lists.

You can turn on and off the following banner types:

  • Trusted: The email was sent from an allowed sender and passed DMARC.
  • External: The email was sent from outside your organization.
  • Untrusted: The email was sent from outside your organization and failed DNS authentication (SPF, DKIM, or DMARC).

Quarantine Settings

You can choose to send a quarantine summary message to each protected mailbox. The message contains a table containing spam messages that were quarantined since the last summary message was sent. You can schedule when the messages are sent.

You can only send quarantine summary messages to users. You can't send them to distribution lists or public folders.

Users can release or delete quarantined spam messages by clicking the appropriate link in the quarantine summary message.

To set up quarantine summary messages do as follows:

  1. Turn on Send a quarantine summary email.
  2. Select when you want the messages sent.


    All days are selected by default. Click a day to deselect it.

  3. One time slot is shown by default. You can add up to three more by clicking Add another time. To delete a time slot, click the delete icon next to it.


    The default time slot can't be deleted.

Sender check

Sender checks allow you to verify whether an email originates from where it claims to come from. Email Security uses DMARC, DKIM, and Header anomalies checks to do this. Sender checks are performed in the order they appear in the UI. If an email fails the first sender check, the other checks are not carried out.

You can override the sender checks by adding domains and email addresses to the Allow list.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy and reporting protocol. It builds on the DKIM and SPF protocols to detect and prevent email spoofing. You can control what happens to messages that fail DMARC checks.

DKIM (DomainKeys Identified Mail) is an authentication framework used to sign and validate a message based on the domain of the sender. You can control what happens to messages that fail DKIM checks.

The Header anomalies check identifies email that appears to come from your own domain but originates from an external domain by checking the from header of the email against the recipient domain, and the from address in the envelope.

  • If the domain in the from address matches the recipient's domain, the mail is considered to be spoofed.
  • If the from address in the header is different to the from address in the envelope, the mail is considered to be spoofed.


The header needs to match both the criteria above to trigger the Header anomalies check.

You can control what happens to messages that fail the Header anomalies check.

Enhanced Email Malware Scan

Enhanced content and file property scan: This is our highest level of protection against email malware. It is on by default.

This setting applies to inbound and outbound messages.


If malware is detected in a message, it is always discarded.

Un-scanned emails: You can choose what happens to messages that cannot be scanned. The available actions are:

  • Quarantine
  • Delete
  • Tag subject line

This setting applies to inbound messages only.

Time of Click URL Protection (Email Advanced license only): When Time of Click URL Protection is enabled, URLs contained within inbound messages are rewritten so that they point to Sophos Email instead of the original destination.

When the link is clicked, Sophos Email performs an SXL lookup, and if it is malicious it is blocked. If the URL is clean, the action taken when you click the link will depend on what you have specified in the policy. For example, if you have set medium risk websites as allowed, once the link has been checked and has been classified as not malicious, the link will take you to the original link destination.

The domain name will be displayed at the start of the rewritten URL so that you can see where the link will send you, if allowed. For example

You can select the action you want to take for websites with the following reputation levels:

  • High risk: Includes illegal sites, sites containing malware and phishing sites.
  • Medium risk: Includes sites associated with spam and anonymizing proxies.
  • Unverified: The reputation of the website can't be verified.

You can't allow high risk websites.


URLs you add to the Time of Click allow list are never rewritten at time of click.

You can also control whether URLs are rewritten in plain text messages and within securely signed messages:

  • Plain text messages: refers to emails with no HTML formatting. Without HTML formatting, when URL rewriting is enabled, the entire encoded URL will display in the email. You can bypass URL re-writing in these messages by deselecting the Re-write URLs in plain text messages. option.
  • Securely signed messages: URL rewriting may break the signatures of S/MIME, PGP, and DKIM signed messages. You can bypass URL re-writing in these messages by deselecting the Re-write URLs within securely signed messages. option.


Be careful if you choose to bypass URL re-writes, as URLs in these messages will not be protected.

See Information on the Sophos Extensible List.

Intelix Threat Analysis - (Email Advanced license only): This option sends emails that may contain active malicious content to an isolated virtual environment where they are opened and checked. If emails are found to be malicious, they are removed. SophosLabs Intelix detects threats in messages using static and dynamic analysis. Static Analysis leverages multiple machine learning models, neural networks, global reputation, deep file scanning, and more. Dynamic Analysis detonates a message in a sandbox to reveal its true nature and capabilities of a potential threat.

When Intelix service location is enabled, you can select your preferred location.


Select Let Sophos decide (recommended) to automatically route messages for optimal performance.

Messages that may be malicious will run in a virtual environment for closer inspection.

Messages that are clean are delivered as normal. Messages that contain advanced threats are discarded.

See Sophos Sandstorm.

Impersonation Protection (Email Advanced license only): This feature detects emails that pretend to be from well-known brands, or from very important people (VIPs) in your organization.

Choose the action taken when emails are detected by this feature.

In summary reports, these emails are labeled as advanced threat.

You can add email addresses for VIPs in VIP management.