Essentials Filters: Expanded overview
Situation | You want to create email filters to manage the flow of messages and information you allow to enter your company. |
---|---|
Solution | Expanded Detailed Overview of the Filter Creation Process, including all Conditions and Rules. |
Why Custom Filters?
Filters let you override spam scanning where necessary, for example:
- Allow certain types of emails through with different header pieces
- Block specific types of attachments
Please note that filters fall in a certain order throughout our scanning process. Please see this KB for the scan order: Mail Flow Scanning & Filters Order of Processing
Step 1: Start creation
- Navigate to Security Settings > Email > Filter Policies.
- Select Inbound or Outbound.
- Click New Filter.
- Enter a name for your filter (30 character limit; numbers, letters, and dashes).
- You are presented with one more chance to choose inbound or outbound.
- Click Continue.
Step 2: Scope (applies only if you are not an end-user)
The scope determines who this rule applies to. There are various selections, including:
- Entire organization
- Single user
- Groups
Step 3: Select IF Conditions
Delimiters
Please note that the fields are delimited by a comma (,) or semi-colon (;).
A white space is not a delimiter, and may be part of a string (sentence).
Sender Address | string input, list of keywords separated by comma (,) or semi-colon (;) |
---|---|
Recipient Address | string input, list of keywords separated by comma (,) or semi-colon (;) |
Email Size (KB) | The size of the email, including the attachment, specified as an exact whole number. |
Client IP Country | Country list; input a country (This is an auto-fill, so start typing the country name.) |
Email Subject | string input, list of keywords separated by comma (,) or semi-colon (;) |
Email Headers | string input, list of keywords separated by comma (,) or semi-colon (;) |
Email Message Content | string input, list of keywords separated by comma (,) or semi-colon (;) |
Raw Email (Up to 10000 Lines) | string input, list of keywords separated by comma (,) or semi-colon (;) |
Attachment Type | choose from pre-defined types (see the list of files) |
Attachment Name | create a rule based upon a file name/type that is not part of the pre-defined type. |
Client IP Address | This is the IP address the Inbound email is sent FROM |
Smart Identifier Scan | See this article for more information about this Data Loss Prevention (DLP) product. |
Dictionary Scan | See this article for more information about the Dictionary Scan DLP product |
Step 4: Rule Narrative
- See below for the full list of narratives to choose from.
Step 5: Add another Condition (for IF)
- Repeat steps 3 and 4 for adding more than 1 condition.
It is best to limit the number of conditions. Too many conditions may not be easy to troubleshoot.
Step 6: Select Do Condition
Quarantine | put in the quarantine (see below for exception) |
---|---|
Allow | does not scan message; will pass to next filter or go onto next scan service. |
Nothing | scan message as normal; preferred method if wanting to add additional actions. |
Encrypt | only available on Outbound mail flow and if licensed at the company level. |
Step 7: Add another Condition (for DO)
This set of actions is different, and it is best to limit the number of actions.
Alert Tech Contact | an email alert would be relayed to the Tech contact address. |
---|---|
Alert Specified Users | Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols. Email must be on the customer domain. |
Hide log | Will hide the email from logs/digest from ALL users (except for Proofpoint Support) |
Hide log from Non-admin Users | Will hide the email from logs/digest from all end-users |
Stop processing additional filters | Will stop processing any additional filters below this filter |
Require admin privileges to release | Requires an administrator to release the email |
Enforce completely secure SMTP delivery | Requires a certificate for TLS delivery (Certificate cannot be self-signed or contain errors, and must match the domain exactly on the certificate, excluding a wild card certificate) |
Enforce only TLS on SMTP delivery | Does not require a certificate |
Override Previous Destination - If selected, this option will ignore the destination that another filter may have applied to this message. This override means we can stop another rule's DO action from performing.
Rule Narrative
Upon selecting a condition, the rule narrative will populate based upon the condition.
RULE
Sender Address – Choose the condition you want to match the sender address to, then enter the string of characters.
- IS
- IS NOT
Recipient Address – Choose the condition you want the recipient address to match against, then enter the string of characters.
- IS
- IS NOT
Email Size (KB) – The size of the message is either greater or less than a specified whole number.
- IS GREATER THAN
- IS LESSER THAN
Client IP Country – The conditions will compare against the listed country name inputted.
- IS
- IS NOT
Email Subject – Choose the condition you want the subject to match against, then enter the string.
- IS
- IS NOT
- CONTAIN(S) ANY OF
Email Headers – Choose the condition you want the header to compare with, then enter the string.
- CONTAIN(S) ALL OF
- CONTAIN(S) ANY OF
- CONTAIN(S) NONE OF
Email Message Content – Choose the condition you want the message body to compare with, then enter the string.
- CONTAIN(S) ALL OF
- CONTAIN(S) ANY OF
- CONTAIN(S) NONE OF
Raw Email (Up To 10000 Lines) – Choose the condition you want the message body to compare with, then enter the string.
- CONTAIN(S) ALL OF
- CONTAIN(S) ANY OF
- CONTAIN(S) NONE OF
Attachment Type – Choose what attachment condition you want
- IS
- IS NOT
- Manage (Attachment types)
- See this KB for a full list: Essentials Filters: File extensions
Attachment Name – Choose the condition, then enter the string you want to match.
- IS
- IS NOT
Client IP Address – The conditions will compare against the sending IP address.
- IS
- IS NOT
Smart Identifier Scan - See linked KB for this DLP product
Dictionary Scan - See linked KB for this DLP product
Rule choices defined:
- IS - Single case condition, and filter will only act if this condition is met.
- IS NOT - Single case condition, and filter will only act if this condition is met.
- IS ANY OF - Multiple case condition; filter will act when any condition listed is met
- IS NONE OF - Multiple case condition; filter will act if one of the conditions listed is met.
- CONTAIN(S) ALL OF - All conditions must be met for this filter to work.
- CONTAIN(S) ANY OF - One of the conditions must be met for this filter to work.
- CONTAIN(S) NONE OF - This filter will work if any of the conditions are met.
- IS GREATER THAN - Whole number value is exceeded.
- IS LESSER THAN - Whole number value must not be exceeded.
Special Notes
- All text fields have a limit of 5000 characters.
- Unless specified otherwise, the default language is English.
- Exact string matching is done. Please refrain from using short strings.
- Try using at least a minimum of 5 characters for a string.
- Any foreign characters added in may convert to an encoded string.
- TLS delivery - See this KB: How TLS Delivery Occurs
- PNG - some PNG file formats are not considered image formats, but rather a compressed file format, per the definition: file format that supports lossless data compression. So if a PNG file is blocked not as an image, it may be due to being a compressed file.
- XML, ZIP, and newer Office docs - from hover over: Zip archives and XML/SGML documents - including OOXML (MS Office 2007+) AND odf (OpenOffice). These are bundled, because OOXML and ODF documents are zipped archives containing XML files and splitting the category is therefore not really possible.
- "CONTAIN" - indicates that the rule can match a string of characters. If a selection does not have "contain", it will do an exact match.
- For a more detailed list of extensions please view Essentials Filters: File extensions
- To create a filter to block on a specific extension, look at: How to create a filter to block specific extensions
- The exceptions to quarantining a message
- Spam stamp & forward is enabled
- The Override Previous Destination option is set on a later rule
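
The delimiter rule from Step 3 and the length advice in the Special Notes can be checked before a value is pasted into a filter. The following is an added example, not Proofpoint code: the function names and sample data are constructed, and it assumes terms are not trimmed and matching is case-sensitive, neither of which the page states.

```python
import re

MAX_FIELD_CHARS = 5000   # page: all text fields have a 5000-character limit
MIN_TERM_CHARS = 5       # page: use at least 5 characters per string
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,30}")  # page: 30 chars; letters, numbers, dashes

def split_terms(value):
    """Split on comma or semicolon only; whitespace stays part of the term."""
    return [t for t in re.split(r"[,;]", value) if t.strip()]

def lint_filter(name, value):
    """Return warnings for a filter name and one condition value."""
    warnings = []
    if not NAME_RE.fullmatch(name):
        warnings.append("name: use at most 30 letters, numbers or dashes")
    if len(value) > MAX_FIELD_CHARS:
        warnings.append("value: longer than 5000 characters")
    for term in split_terms(value):
        if term != term.strip():
            # Assumption: terms are not trimmed, so the space must match too.
            warnings.append(f"{term!r}: leading/trailing space is part of the string")
        if len(term.strip()) < MIN_TERM_CHARS:
            warnings.append(f"{term!r}: short strings match inside longer words")
        if not term.isascii():
            warnings.append(f"{term!r}: non-English characters may be stored encoded")
    return warnings

def contains(mode, text, value):
    """Model CONTAIN(S) ANY OF / ALL OF as exact, case-sensitive substring tests."""
    hits = [term in text for term in split_terms(value)]
    return any(hits) if mode == "ANY" else all(hits)

# Constructed sample data, not taken from a real filter or message.
SUBJECT = "Overdue invoice: wire transfer required today"
VALUE = "wire transfer; invoice,pay,r\u00e9sum\u00e9"

if __name__ == "__main__":
    for warning in lint_filter("Block-wire-fraud", VALUE):
        print(warning)
    print(contains("ANY", SUBJECT, VALUE), contains("ALL", SUBJECT, VALUE))
    print(contains("ANY", "company payroll update", "pay"))      # over-match
    print(contains("ANY", "invoice attached", "wire; invoice"))  # space defeats match
```

The last two calls show why short strings and a space typed after a delimiter both deserve a second look: "pay" fires on "payroll", while " invoice" with its leading space does not match a subject that starts with "invoice".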