How To Bypass Anti-Spoofing Checks
Situation | Emails from trusted senders are being quarantined as Fraud despite being in the safe sender list. |
---|---|
Solution | Individual domains can be added as exceptions for DMARC, DKIM and/or SPF respectively. |
Important: Each Exception List check will be against different domain values
DMARC Exceptions & DKIM Exceptions - will check against the "From Header" domain
SPF Exceptions - will check against the Envelope Sender domain
For more information on the different domain values, see this article on how DMARC works with Proofpoint Essentials.
How To Add A domain As An Exception
Best Practice: While the exception list allows you to bypass Anti-Spoof checks for specific domains, the best long-term and more permanent solution is to have the owner of the sending domain address any issues they might have with their SPF/DKIM/DMARC records.
- In the sidebar, under Security Settings, navigate to Malicious Content > Anti-Spoofing.
- Under the policy you want to bypass (Inbound DMARC, DKIM or SPF) click Manage Exceptions.
- This will open a drawer to the right; from here, select + Add Exception.
- Enter a valid domain into the field and select Add.
Note: Only domains are accepted currently. IP Addresses as well as individual email addresses will not work.
- The domain is added as an exception and the changes are saved automatically. Close the Exception List.
Note: Changes to the Anti-Spoofing Policies, including exceptions, can take up to 60 minutes.
- Press the Save button so the configuration on this is properly saved.
Just adding in the exceptions does not update the configuration to properly exempt or set these options. You must click Save.
Accounts that use auto-forwarding and send to Proofpoint Essentials will change the DMARC, DKIM, and SPF settings and cause these to fail. Creating bypass rules may not be acceptable for the organization as this would need to be done for every domain that sends to the original recipient
To understand the other Anti-Spoofing configuration settings, see Configuring Inbound Anti-Spoofing Policies