Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Email Policies > Antispoofing tab > Spoofed Message Detection
Spoofed Message Detection
Spoofed message detection is used to filter incoming messages where the sender's address has been forged. The service can detect messages that spoof internal domains or external domains.
*
Messages that spoof internal domains are from forged addresses that appear to come from users within your organization. Internal domain validation uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication, as well as checking the sender's IP address against those configured as outbound routes in the policy.
*
Messages that spoof external domains are from forged addresses that appear to come from legitimate external organizations. External domain validation uses Domain-based Message Authentication, Reporting and Conformance (DMARC) authentication.
Filter messages that spoof internal domains
Select Filter inbound messages that spoof your internal domains to detect spoofed incoming messages that appear to be sent from domains within the policy to recipient domains within the policy. A sender address is considered to be authentic if any of the following conditions are true:
*
*
*
Select "From" address header validation to check that the sender address the message recipient sees (in the "From:" field) matches domains defined in your policies. (By default, the From: address is ignored and authenticity checks are performed only on the envelope sender address if it matches one of your policies.) If you select this option, one of the following happens:
*
*
 
Tip 
From the drop-down menu, select the action to perform when spoofed internal messages are detected:
*
Quarantine. This is the default option. Spoofed messages are kept in quarantine for up to 30 days.
*
Discard. Spoofed messages are discarded.
*
Tag subject with. The subject line of detected spoofed messages are tagged with "SPOOFED:" or a custom tag that you enter.
Messages detected as spoofing internal domains will be logged as "Spoofed".
By default, if authentication checks fail to complete, the message is considered spoofed and the selected action is applied. To specify an alternative action when authentication checks fail to complete, select Apply alternative action when spoofed message checks fail to complete. Available options depend upon the action selected for spoofed messages:
*
When the Action is Quarantine or Tag Subject, the alternative option is Tag Subject.
*
When the Action is Discard, the alternative options are Quarantine and Tag Subject.
Select Allow spoofing from these sources to apply a whitelist of allowed domains or IP addresses. Messages originating from these domains or IP addresses are allowed to spoof addresses from domains in this policy. This may be useful if, for example, you use a third-party provider who is allowed to send email messages to your users that appear to come from an internal address.
To add whitelisted spoofing sources for a policy:
1.
Select Allow spoofing from these sources, and click the these sources link.
2.
*
Select the Domains tab to add allowed sender domain names, for example "forcepoint.com".
*
Select the IP Addresses tab to add allowed sender IP addresses, either as a list of individual addresses, or address blocks in CIDR notation (for example, 10.10.10.8/30). List entries are separated by a line break.
3.
Click Add to enter a new domain or list of IP addresses. You can add multiple domains or addresses, and you can add a combination of domain names and/or IP addresses if required.
4.
5.
Filter messages that spoof external domains
Select Filter inbound messages that spoof external domains using DMARC to detect spoofed incoming messages that appear to be sent from legitimate external domains, but which fail DMARC validation checks. This option validates both the Mail From sending address and the From address. DMARC is built on SPF and DKIM validation, and allows the owner of a domain to publish a policy (via DNS TXT records) that defines how the receiver should deal with spoofed messages.
From the drop-down menu, select the action to perform when spoofed messages are detected:
*
Use DMARC policy. This is the default option. Spoofed messages will be quarantined or rejected, depending upon the domain owner's policy.
*
Quarantine. Spoofed messages are kept in quarantine for up to 30 days.
*
Discard. Spoofed messages are discarded.
*
Tag subject with. The subject line of detected spoofed messages are tagged with "SPOOFED:" or a custom tag that you enter.
Messages detected as spoofing external domains will be logged as "Spoofed-External".
By default, if authentication checks fail to complete, the message is considered spoofed and the selected action is applied. To specify an alternative action when authentication checks fail to complete, select Apply alternative action when spoofed message checks fail to complete. Available options depend upon the action selected for spoofed messages:
*
When the Action is Use DMARC policy, Quarantine, or Tag Subject, the alternative option is Tag Subject.
*
When the Action is Discard, the alternative options are Quarantine and Tag Subject.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Email Policies > Antispoofing tab > Spoofed Message Detection
Copyright 2022 Forcepoint. All rights reserved.