Spoofed Message Detection

Spoofed message detection is used to filter incoming messages where the sender's address has been forged. The service can detect messages that spoof internal domains or external domains.

Messages that spoof internal domains are from forged addresses that appear to come from users within your organization. Internal domain validation uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication, as well as checking the sender's IP address against those configured as outbound routes in the policy.

Messages that spoof external domains are from forged addresses that appear to come from legitimate external organizations. External domain validation uses Domain-based Message Authentication, Reporting and Conformance (DMARC) authentication.

Filter messages that spoof internal domains

Select Filter inbound messages that spoof your internal domains to detect spoofed incoming messages that appear to be sent from domains within the policy to recipient domains within the policy. A sender address is considered to be authentic if any of the following conditions are true:

The IP address of the sending message transfer agent (MTA) matches any of the outbound connections configured in the policy.

The Mail From sending address passes Sender Policy Framework (SPF) authenticity checks.

The Mail From sending address passes DomainKeys Identified Mail (DKIM) authenticity checks.

Select "From" address header validation to check that the sender address the message recipient sees (in the "From:" field) matches domains defined in your policies. (By default, the From: address is ignored and authenticity checks are performed only on the envelope sender address if it matches one of your policies.) If you select this option, one of the following happens:

If the envelope sender and recipient address both match domains in your policy, the cloud service performs message authenticity checks on the envelope sender only.

If the envelope sender address does not match a domain in your policy, but the From: address and recipient domain do match, the cloud service performs message authenticity checks on the From: address instead of the envelope sender address.


	Tip The envelope sender address is used by mail servers to check where the message originates and where to respond (for example, if there is an error or the message bounces) and often matches the From: address, but not always. For example, the message might come from a mailing list, or from an organization authenticated to send messages on your company's behalf.

From the drop-down menu, select the action to perform when spoofed internal messages are detected:

Quarantine. This is the default option. Spoofed messages are kept in quarantine for up to 30 days.

Discard. Spoofed messages are discarded.

Tag subject with. The subject line of detected spoofed messages are tagged with "SPOOFED:" or a custom tag that you enter.

Messages detected as spoofing internal domains will be logged as "Spoofed".

By default, if authentication checks fail to complete, the message is considered spoofed and the selected action is applied. To specify an alternative action when authentication checks fail to complete, select Apply alternative action when spoofed message checks fail to complete. Available options depend upon the action selected for spoofed messages:

When the Action is Quarantine or Tag Subject, the alternative option is Tag Subject.

When the Action is Discard, the alternative options are Quarantine and Tag Subject.

Select Allow spoofing from these sources to apply an allowlist of allowed domains or IP addresses. Messages originating from these domains or IP addresses are allowed to spoof addresses from domains in this policy. This may be useful if, for example, you use a third-party provider who is allowed to send email messages to your users that appear to come from an internal address.

To add the allowlist spoofing sources for a policy:

Select Allow spoofing from these sources, and click the these sources link.

In the panel that appears:

Select the Domains tab to add allowed sender domain names, for example "forcepoint.com".

Select the IP Addresses tab to add allowed sender IP addresses, either as a list of individual addresses, or address blocks in CIDR notation (for example, 10.10.10.8/30). List entries are separated by a line break.

Click Add to enter a new domain or list of IP addresses. You can add multiple domains or addresses, and you can add a combination of domain names and/or IP addresses if required.

For IP addresses or ranges, enter a short description/name to identify the IP addresses.

When you are finished, click Save.

Filter messages that spoof external domains

Select Filter inbound messages that spoof external domains using DMARC to detect spoofed incoming messages that appear to be sent from legitimate external domains, but which fail DMARC validation checks. This option validates both the Mail From sending address and the From address. DMARC is built on SPF and DKIM validation, and allows the owner of a domain to publish a policy (via DNS TXT records) that defines how the receiver should deal with spoofed messages.

From the drop-down menu, select the action to perform when spoofed messages are detected:

Use DMARC policy. This is the default option. Spoofed messages will be quarantined or rejected, depending upon the domain owner's policy.

Quarantine. Spoofed messages are kept in quarantine for up to 30 days.

Discard. Spoofed messages are discarded.

Tag subject with. The subject line of detected spoofed messages are tagged with "SPOOFED:" or a custom tag that you enter.

Messages detected as spoofing external domains will be logged as "Spoofed-External".

When the Action is Use DMARC policy, Quarantine, or Tag Subject, the alternative option is Tag Subject.

When the Action is Discard, the alternative options are Quarantine and Tag Subject.