Antispoofing Checks

The strict outbound message authenticity check performs additional tests on outbound messages processed by the policy. With the option enabled, the service checks that outbound messages originate from an IP address in the policy, or have a valid DKIM signature. Messages that fail the test are quarantined, providing additional protection to prevent your domains being spoofed by a third party.

Select Enable strict outbound message authenticity checks to apply strict checks to all outbound messages for the policy.

With this option enabled, outbound messages must either:

Originate from an IP address defined as an Outbound Route on the Connections tab of the policy, OR:

Have a valid DKIM signature applied by your email provider. (Required for customers that use a hosted service provider such as Microsoft Office 365 or Google Apps.)

Messages that do not meet these criteria will be quarantined as "Spoofed".

Note

Do not enable this option if your policy is used to process messages that legitimately spoof your domains. For example:

If your users are likely to send mail from the networks of other companies (for example, consultancy firms whose employees visit other customer sites).

If your organization uses mailshot companies who are authorized to send email on your behalf.

Allowed signing domains

Where DKIM needs to be used to validate the authenticity of a message (for example, for messages originating from Office 365 or Google Apps), the service checks that the signing domain matches the domain of the message content "From:" header. By default, if the domains do not match, the message will be considered spoofed.

Click Allowed Signing Domains to specify one or more additional DKIM signing domains that will be accepted to validate outbound messages from your hosted provider for sender domains in the policy.

In the panel that appears, add one or more signing domains, and click Save. Messages with a valid DKIM signature from a domain you have added will be treated as authentic.