Configuring Inbound Anti-Spoofing Policies

Situation	You want to prevent malicious actors from sending spoofed messages.
Solution	See below for information on: What are DMARC, DKIM, and SPF? How do I enable inbound anti-spoofing policies?

What are Anti-Spoofing Policies?

Anti-spoofing policies help prevent malicious senders from impersonating trusted domains, like those owned by banks, government, or your suppliers. Proofpoint Essentials uses a combination of SPF, DKIM, and DMARC to detect and stop spoofed messages.

What is SPF?

Sender Policy Framework (SPF) allows mail administrators to publicly identify legitimate sources of messages from their domain. SPF policies consist of a combination of IP addresses, host names, and inclusions of other domains' SPF policies. When Proofpoint Essentials receives a message, it checks to see if an SPF policy is published for the sending domain. If so, it identifies whether or not the sender is authorized to send on the domain's behalf.

What is DKIM?

DomainKeys Identified Mail (DKIM) allows mail administrators to cryptographically sign outbound messages from their domain, which proves that the message originated from the domain owner’s infrastructure and that the message was not materially altered in transit. When Proofpoint Essentials receives a DKIM-signed messages, it retrieves the sending domain's public key using DNS, and validates that the signature is correct and that the message hasn't been tampered with.

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on top of SPF and DKIM protocols, adding the ability specify a recommended policy to receivers and it provides reports back to the domain owner to help them measure the accuracy and completeness of their spoofing policies.

Once this feature is turned on, Only Org administrator's can release emails labeled as Fraud End Users no longer can.

How do I Enable Inbound Anti-Spoofing Policies?

Enable the Anti-Spoofing feature

First you need to enable the Anti-spoofing feature for the organization.

Navigate to Administration > Account Management > Features
Check the box labeled 'Enable Anti-Spoofing Policies'
Click Save

Configure Anti-Spoofing Policy

Once the Feature is enabled, you will need to configure the anti-spoofing policy you wish to apply to the organization.

Navigate to Security Settings > Malicious Content > Anti-Spoofing

There are three separate policies available to configure.

Inbound DMARC

Check the option you wish to apply for inbound DMARC policy evaluation.
- The recommended configuration for this policy is "Allow the sending domain's DMARC policy to determine whether or not to block messages.". If the sending domain has a published DMARC policy, this will prevent unauthorized senders from spoofing the foreign domain.
- If "Ignore the sending domain's DMARC policy, but log the result" is chosen, messages that fail the DMARC check will be passed through the system. The result will be logged in logs and in the message's header.

Inbound DKIM

Check the options you wish to apply for inbound DKIM policy evaluation.

If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the message to see if it has been signed with DKIM. There are three results which can be acted on:

Condition	Description	Recommended Actions
Failure	The message has failed the DKIM check. This indicates that the message has been spoofed.	Choose Quarantine
Temporary Error	An transient error occurred during the retrieval of the foreign domain's DKIM key in DNS.	Choose Take no action
Permanent Error	An error occurred while parsing the foreign domain's DKIM key in DNS. This means that the record is malformed in some way.	Choose Take no action

Available actions: Quarantine - prevents the message from being delivered to its intended recipient Take no action - allows the message to continue to be processed *Tag subject line with text* - prepends the supplied text to the message's subject line. Message is Tagged and Logged, but will continue to be processed.

Inbound SPF

Check options you wish to apply for inbound SPF policy evaluation.

If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the sender's SPF policy (if it exists) and these policies will apply. There are three results which can be acted on:

Condition	Description	Recommended Actions
Failure	The message has failed the SPF check. This indicates that the message has been spoofed.	Choose Quarantine
Temporary Error	An transient error occurred during the retrieval of the foreign domain's SPF policy in DNS.	Choose Take no action
Permanent Error	An error occurred while parsing the foreign domain's SPF policy in DNS. This means that the record is malformed in some way.	Choose Take no action

Available actions: Quarantine - prevents the message from being delivered to its intended recipient Take no action - allows the message to continue to be processed *Tag subject line with text* - pre-pends the supplied text to the message's subject line. Message is Tagged and Logged, but will continue to be processed.

Click Save in order to update the policy settings.

In addition, for each Anti-Spoofing policy, a list of exceptions can be created to exclude individual domains from the policies.

N.B. Releasing Emails caught by Anti-Spoof

Whenever an email is caught by Proofpoint Anti-Spoof, this will be marked as Fraud. Only an Admin user (Org Admin, Channel Admin etc) can release this quarantined email. This can only be released and NOT release and approved.

Default configuration

Currently, the Anti-Spoofing policies are not part of the Customer Templates.

The deployed configuration for Anti-Spoofing policies is as below:

DMARC: Allow

DKIM:

Fail - Quarantine
Temp Error - Take no Action
Perm Error - Take no Action

SPF:

Fail - Quarantine
Temp Error - Take no Action
Perm Error - Take no Action