Skip to main content
Contact Us
My preferencesSign out
Proofpoint, Inc.

KB: How To Bypass Anti-Spoofing Checks

  1. Last updated
  2. Save as PDF

Login to your Proofpoint Essentials account to access help documentation and additional knowledge base articles:

 

Situation

 

Emails from trusted senders are being quarantined as Fraud despite being in the safe sender list. 

Solution

 

Individual domains can be added as exceptions for DMARC, DKIM and/or SPF respectively.

 

Important: Each exception List check will be against different domain values:

  • DMARC Exceptions & DKIM Exceptions - will use the "From Header" domain

  • SPF Exceptions - will use the Envelope Sender domain

How To Add A domain As An Exception

Best Practice: While the exception list allows you to bypass Anti-Spoof checks for specific domains, the best long-term and more permanent solution is to have the owner of the sending domain address any issues they might have with their SPF/DKIM/DMARC records. 

  1. Under Security Settings, click Malicious Content and then Anti-Spoofing.
  2. Under the policy you want to bypass (Inbound DMARC, DKIM or SPF) click Manage Exceptions.
  3. This will open a drawer to the right; from here, click + Add Exception.

Screenshot_2021-03-01 Anti Spoofing - Company Settings(1).png

  1. Enter a valid domain into the field and select Add

Screenshot_2021-03-01 Anti Spoofing - Company Settings(2).png

Only domains are accepted currently. IP Addresses as well as individual email addresses will not work.

  1. The domain is added as an exception and the changes are saved automatically.
  2. Click Close.

Changes to the Anti-Spoofing Policies, including exceptions, can take up to 60 minutes.

  1.  Press the Save button so the configuration on this is properly saved.

Just adding in the exceptions does not update the configuration to properly exempt or set these options. You must click Save.

Accounts that use auto-forwarding and send to Proofpoint Essentials will change the DMARC, DKIM, and SPF settings and cause these to fail. Creating bypass rules may not be acceptable for the organization as this would need to be done for every domain that sends to the original recipient.