Configuring Inbound Anti-Spoofing Policies
Situation | You want to prevent malicious actors from sending spoofed messages. |
---|---|
Solution | See below for information on: |
What are Anti-Spoofing Policies?
Anti-spoofing policies help prevent malicious senders from impersonating trusted domains, like those owned by banks, government, or your suppliers. Proofpoint Essentials uses a combination of SPF, DKIM, and DMARC to detect and stop spoofed messages.
What is SPF?
Sender Policy Framework (SPF) allows mail administrators to publicly identify legitimate sources of messages from their domain. SPF policies consist of a combination of IP addresses, host names, and inclusions of other domains' SPF policies. When Proofpoint Essentials receives a message, it checks to see if an SPF policy is published for the sending domain. If so, it identifies whether or not the sender is authorized to send on the domain's behalf.
What is DKIM?
DomainKeys Identified Mail (DKIM) allows mail administrators to cryptographically sign outbound messages from their domain, which proves that the message originated from the domain owner’s infrastructure and that the message was not materially altered in transit. When Proofpoint Essentials receives a DKIM-signed message, it retrieves the sending domain's public key using DNS, and validates that the signature is correct and that the message hasn't been tampered with.
What is DMARC?
Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on top of the SPF and DKIM protocols. It adds the ability to specify a recommended policy to receivers, and it provides reports back to the domain owner to help them measure the accuracy and completeness of their spoofing policies.
Once this feature is turned on, only Org administrators can release emails labeled as Fraud. End users no longer can.
How do I Enable Inbound Anti-Spoofing Policies?
Enable the Anti-Spoofing feature
First you need to enable the Anti-spoofing feature for the organization.
- Navigate to Administration > Account Management > Features
- Check the box labeled 'Enable Anti-Spoofing Policies'
- Click Save
Configure Anti-Spoofing Policy
Once the feature is enabled, you will need to configure the anti-spoofing policy you wish to apply to the organization.
- Navigate to Security Settings > Malicious Content > Anti-Spoofing
There are three separate policies available to configure.
Inbound DMARC
- Check the option you wish to apply for inbound DMARC policy evaluation.
- The recommended configuration for this policy is "Allow the sending domain's DMARC policy to determine whether or not to block messages." If the sending domain has a published DMARC policy, this will prevent unauthorized senders from spoofing the foreign domain.
- If "Ignore the sending domain's DMARC policy, but log the result" is chosen, messages that fail the DMARC check will be passed through the system. The result will be recorded in the logs and in the message's header.
Inbound DKIM
- Check the options you wish to apply for inbound DKIM policy evaluation.
If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the message to see if it has been signed with DKIM. There are three results which can be acted on:
Condition | Description | Recommended Actions |
---|---|---|
Failure | The message has failed the DKIM check. This indicates that the message has been spoofed. | Choose Quarantine |
Temporary Error | A transient error occurred during the retrieval of the foreign domain's DKIM key in DNS. | Choose Take no action |
Permanent Error | An error occurred while parsing the foreign domain's DKIM key in DNS. This means that the record is malformed in some way. | Choose Take no action |
Available actions:
Inbound SPF
- Check the options you wish to apply for inbound SPF policy evaluation.
If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the sender's SPF policy (if it exists) and these policies will apply. There are three results which can be acted on:
Condition | Description | Recommended Actions |
---|---|---|
Failure | The message has failed the SPF check. This indicates that the message has been spoofed. | Choose Quarantine |
Temporary Error | A transient error occurred during the retrieval of the foreign domain's SPF policy in DNS. | Choose Take no action |
Permanent Error | An error occurred while parsing the foreign domain's SPF policy in DNS. This means that the record is malformed in some way. | Choose Take no action |
Available actions:
- Click Save in order to update the policy settings.
In addition, for each Anti-Spoofing policy, a list of exceptions can be created to exclude individual domains from the policies.
N.B. Releasing Emails caught by Anti-Spoof
Whenever an email is caught by Proofpoint Anti-Spoof, it is marked as Fraud. Only an Admin user (Org Admin, Channel Admin, etc.) can release this quarantined email. It can only be released, NOT released and approved.
Default configuration
Currently, the Anti-Spoofing policies are not part of the Customer Templates.
The deployed configuration for Anti-Spoofing policies is as below:
DMARC: Allow
DKIM:
- Fail - Quarantine
- Temp Error - Take no Action
- Perm Error - Take no Action
SPF:
- Fail - Quarantine
- Temp Error - Take no Action
- Perm Error - Take no Action
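The evaluation order described above (DMARC first, then the DKIM and SPF policies when no DMARC policy is published or it is ignored) can be modelled with the deployed defaults as follows. This is an added example, not Proofpoint code: the function name, message fields, result strings, the handling of exceptions, and the rule that the stricter of the DKIM and SPF actions wins are all assumptions.

```python
# Added illustration of the evaluation order on this page; not Proofpoint code.
# Field names, result strings and the "stricter action wins" rule are assumptions.
DEFAULT_CONFIG = {
    "dmarc": "allow",   # "allow": sender's DMARC policy decides; "ignore": log only
    "dkim": {"fail": "quarantine", "temperror": "none", "permerror": "none"},
    "spf":  {"fail": "quarantine", "temperror": "none", "permerror": "none"},
    "exceptions": {"dmarc": set(), "dkim": set(), "spf": set()},
}
SEVERITY = {"none": 0, "quarantine": 1, "reject": 2}

def decide(msg, config=DEFAULT_CONFIG):
    """Return (action, deciding_check) for one message.

    msg["dmarc_policy"] is None when the sending domain publishes no DMARC
    record, otherwise "none", "quarantine" or "reject".
    """
    domain, exempt = msg["domain"], config["exceptions"]
    honour_dmarc = (config["dmarc"] == "allow"
                    and msg["dmarc_policy"] is not None
                    and domain not in exempt["dmarc"])
    if honour_dmarc:
        # The sender's published policy applies only when the DMARC check fails.
        action = msg["dmarc_policy"] if msg["dmarc"] == "fail" else "none"
        return action, "dmarc"
    # No DMARC policy, or it is ignored: fall back to the DKIM and SPF policies.
    action, decided_by = "none", "none"
    for check in ("dkim", "spf"):
        if domain in exempt[check]:
            continue  # domain is listed as an exception for this policy
        candidate = config[check].get(msg[check], "none")
        if SEVERITY[candidate] > SEVERITY[action]:
            action, decided_by = candidate, check
    return action, decided_by

# Constructed sample results, not taken from real mail.
SAMPLES = [
    {"domain": "bank.example", "dmarc_policy": "reject", "dmarc": "fail",
     "dkim": "fail", "spf": "fail"},
    {"domain": "supplier.example", "dmarc_policy": None, "dmarc": "none",
     "dkim": "fail", "spf": "pass"},
    {"domain": "partner.example", "dmarc_policy": None, "dmarc": "none",
     "dkim": "none", "spf": "temperror"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["domain"], decide(sample))
```

Switching `"dmarc"` to `"ignore"` in a copy of the configuration shows how a message that fails DMARC is then handled by the DKIM and SPF policies instead.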