Filter messages that spoof internal domains

Select Filter inbound messages that spoof your internal domains to detect spoofed incoming messages that appear to be sent from domains within the policy to recipient domains within the policy. A sender address is considered to be authentic if any of the following conditions are true:

  • The IP address of the sending message transfer agent (MTA) matches any of the outbound connections configured in the policy.
  • The Mail From sending address passes Sender Policy Framework (SPF) authenticity checks.
  • The Mail From sending address passes DomainKeys Identified Mail (DKIM) authenticity checks.

Select “From” address header validation to check that the sender address the message recipient sees (in the “From:” field) matches domains defined in your policies. (By default, the From: address is ignored and authenticity checks are performed only on the envelope sender address if it matches one of your policies.) If you select this option, one of the following happens:

  • If the envelope sender and recipient address both match domains in your policy, the cloud service performs message authenticity checks on the envelope sender only.
  • If the envelope sender address does not match a domain in your policy, but the From: address and recipient domain do match, the cloud service performs message authenticity checks on the From: address instead of the envelope sender address.
    Tip: The envelope sender address is used by mail servers to check where the message originates and where to respond (for example, if there is an error or the message bounces) and often matches the From: address, but not always. For example, the message might come from a mailing list, or from an organization authenticated to send messages on your company’s behalf.

From the drop-down menu, select the action to perform when spoofed internal messages are detected:

  • Quarantine: This is the default option. Spoofed messages are kept in quarantine for up to 30 days.
  • Discard: Spoofed messages are discarded.
  • Tag subject with: The subject line of each detected spoofed message is tagged with “SPOOFED:” or a custom tag that you enter.

Messages detected as spoofing internal domains will be logged as “Spoofed”.

By default, if authentication checks fail to complete, the message is considered spoofed and the selected action is applied. To specify an alternative action when authentication checks fail to complete, select Apply alternative action when spoofed message checks fail to complete. Available options depend upon the action selected for spoofed messages:

  • When the Action is Quarantine or Tag Subject, the alternative option is Tag Subject.
  • When the Action is Discard, the alternative options are Quarantine and Tag Subject.

Select Allow spoofing from these sources to apply an allowlist of domains or IP addresses. Messages originating from these domains or IP addresses are allowed to spoof addresses from domains in this policy. This may be useful if, for example, you use a third-party provider who is allowed to send email messages to your users that appear to come from an internal address.
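
The address-selection and action rules described on this page, modelled as an added Python example (not the cloud service's code and not part of the original documentation). The function and field names, the `example.com` sample data, and the treatment of any unfinished SPF or DKIM check as "failed to complete" are assumptions; the allowlist option is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Alternative actions the page lists for each primary action.
ALT_OPTIONS = {"quarantine": {"tag"}, "tag": {"tag"}, "discard": {"quarantine", "tag"}}

@dataclass
class Policy:  # hypothetical container for the settings described above
    domains: frozenset                # internal domains in the policy
    outbound_ips: frozenset           # outbound connection IPs in the policy
    check_from_header: bool = False   # "From" address header validation
    action: str = "quarantine"        # quarantine (default) | discard | tag
    alt_action: Optional[str] = None  # used when checks fail to complete

    def __post_init__(self):
        if self.alt_action and self.alt_action not in ALT_OPTIONS[self.action]:
            raise ValueError(f"{self.alt_action!r} is not offered with {self.action!r}")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def address_to_check(policy, msg):
    """Address whose authenticity is checked, or None when the filter does not apply."""
    if domain_of(msg["rcpt"]) not in policy.domains:
        return None
    if domain_of(msg["envelope_from"]) in policy.domains:
        return msg["envelope_from"]   # envelope sender only
    if policy.check_from_header and domain_of(msg["header_from"]) in policy.domains:
        return msg["header_from"]     # From: address instead of envelope sender
    return None

def verdict(policy, msg):
    """msg['spf'] / msg['dkim'] hold 'pass', 'fail' or 'incomplete' for the
    checked address (assumed to be computed elsewhere)."""
    if address_to_check(policy, msg) is None:
        return "not-checked"
    results = {msg["spf"], msg["dkim"]}
    if msg["source_ip"] in policy.outbound_ips or "pass" in results:
        return "authentic"
    # Assumption: any check that did not complete counts as "failed to complete".
    if "incomplete" in results and policy.alt_action:
        return policy.alt_action
    return policy.action

# Constructed sample: external envelope sender with an internal From: address.
POLICY = Policy(frozenset({"example.com"}), frozenset({"192.0.2.10"}), check_from_header=True)
SAMPLE = {"envelope_from": "bounce@lists.example.net", "header_from": "ceo@example.com",
          "rcpt": "alice@example.com", "source_ip": "198.51.100.7", "spf": "fail", "dkim": "fail"}

if __name__ == "__main__":
    print(address_to_check(POLICY, SAMPLE), verdict(POLICY, SAMPLE))
```

With From: validation off, the same sample returns `not-checked`, which is the gap the header validation option closes.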