Understanding Filters

Last updated
Save as PDF

Situation	This guide is to understand what filters are and what options are available to create filters. It answers the questions of What is a Filter? What do I need to know to create one?
Solution	Use this information to understand and help you know what options you have to create a filter.

Summary

Filters define actions that should be taken automatically on inbound or outbound messages that meet defined criteria. Filters can be defined at the company, group or individual user level: filters defined at the user level are applied first, then those defined at the group level, and then those defined at the company level. By default, filters are applied in reverse chronological order, starting with the most recently created filter for that level. However, filter order within a level can be manually adjusted to control the order in which filters are applied.

Filters are made up of conditions and actions. For example, a filter that allows all emails sent from domain.com to be received would have as its condition the sender address (*@domain.com) and as its action “allow”. Similarly, a filter could be used to trigger an alert message to be sent to a specific email address if an email is received that is greater than 5000 KB: the email size is the condition and alerting a technical contact is the action.

Current character limit creating/editing filters is 4096.

Filter examples

The table below presents some uses for filters. Note that these examples are for illustration purposes only: some of them rely on package-specific features.

To...	Create...
Prevent all users in the company from receiving attachments of a particular type.	An inbound condition that identifies the attachment types of concern, with the action of “Quarantine”.
Encrypt all outbound emails that include a credit card number.	An outbound filter with a condition that looks for emails that contain a credit card number and credit card terms, with the action of “Encrypt”. Requires Data Loss Prevention and Email Encryption features to be enabled. Data Loss Prevention available in Business, Advanced and Professional packages. Email Encryption available in Advanced and Professional packages.
Encrypt all emails with “[encrypt]” in their subject line.	An outbound filter with a condition that looks for “[encrypt]” in the subject line, with the actions of “Encrypt” and “Strip Subject Line Encryption Terms”. Requires Email Encryption feature to be enabled. Email Encryption available in Advanced and Professional packages.
Trigger an alert email whenever there is a package delivery notification.	An inbound filter with a condition that looks for emails that contain a delivery tracking code, with the action of "Nothing".
Force all emails to your server to be over TLS.	An outbound filter with a condition that identifies emails with specific domain as the recipient address, and the action of "Nothing" and "Enforce Only TLS on SMTP Delivery".

Filter conditions

A single filter can have multiple conditions. For example, a filter could apply to any email from a specific domain that is also over a certain size.

The first action the condition applies is to send the message to a “destination” (typically, allow, quarantine or “nothing”). The “nothing” action is used when the only action that is necessary is a secondary one, such as notifying a user. Additional actions are also available (stop processing filters, allow release only by a user with the admin role). If an email matches several filters, the destination defined for the first filter is applied, unless the Override Previous Destination option is chosen. To force the first matching filter to take effect, an action of Stop Processing Additional Filters can be used.

Condition	Parameters	Values	Wildcards/inputs
Sender Address	IS IS NOT	Email address Domain (*@domain.dev)	Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols '' and "?" are supported (e.g., stan?@domain.dev, @domain.dev).
Recipient Address	IS IS NOT	Email address Domain (*@domain.dev)	Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols '' and "?" are supported (e.g., stan?@domain.dev, @domain.dev).
Email Size (in KB)	IS GREATER THAN IS LESSER THAN	Number	Enter a whole number (e.g. 1024)
Client IP Country	IS IS NOT	Choose from list of possible countries	Begin to typing a country name and a selection list with appear. Add one or more entries.
Email Subject	IS IS NOT CONTAINS ANY OF	Text (words or phrases)	Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.)
Email Headers	CONTAIN(S) ALL OF CONTAIN(S) ANY OF CONTAIN(S) NONE OF	Text (words or phrases)	Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.)
Email Message Content	CONTAIN(S) ALL OF CONTAIN(S) ANY OF CONTAIN(S) NONE OF	Text (words or phrases)	Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.)
Raw Email (Up to 10000 Lines)	CONTAIN(S) ALL OF CONTAIN(S) ANY OF CONTAIN(S) NONE OF	Text (words or phrases)	Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.)
Attachment Type	IS IS NOT	Choose from list of possible types	N/A
Attachment Name	IS IS NOT	File name or list of names, including use of * and ? wildcards	Enter a file name or list of file names separated by commas oe semi-colons. </br> Wildcard symbols '*' and "?" are supported (e.g., stan@domain.dev, #@domain.dev).
Smart Identifier Scan	CONTAIN(S) ANY OF	Choose from list of Smart Identifiers Available if Data Loss Prevention feature is enabled	N/A
Dictionary Scan	CONTAIN(S) ANY OF	Choose which dictionary to apply (financial, personal, or protected health information) Available if Data Loss Prevention feature is enabled	N/A

Proofpoint Essentials Filters does not support Dashes (Alt+0150 "–") character either inserted or copied. It will show formatting code and will not trigger. (ex. =?Windows-1252?Q?). Use Hyphens. Those are the short dashes on the keyboard "-". These will trigger in the rules.

Filter actions

Action	Parameter	Usage/example usage
Allow	None	Skip spam scanning and allow email to be delivered.
Quarantine	None	Direct email to quarantine.
Nothing	None	Do not alter typical email processing. Perform standard spam scanning.
Encrypt	None	Direct email to encryption service. Email Encryption available in Advanced and Professional packages.

Secondary actions

Action	Parameter	Usage/example usage
Alert Tech Contact	None	Send email to the individual named as the Tech Contact for the company.
Alert Specified Users	Email address(es) of the users	Send email to specified email addresses.
Hide Log	None	Prevent email from appearing in quarantine (log) and digest and log for all users (including administrators).
Hide Log from Non-Admin Users	None	Prevent email from appearing in quarantine (log) and digest for all but administrative users.
Stop Processing Additional Filters	None	Prevent other filters from applying to the email.
Require Admin Privileges to Release	None	Prevent quarantined emails from being released by users. Administrators are treated as end-users when they receive their quarantine digest. As a result, an administrator will be unable to release an email that has had this restriction applied. The administrator must use the Logs function to view and release such an email.
Enforce Complete Secure SMTP Delivery	None
Ensure Only TLS on SMTP Delivery	None	Enforce TLS when delivering emails: if TLS not available for recipient system, the email will not be delivered.

Expanded Overview

For an expanded overview of filters, Click here.