Skip to main content
My preferencesSign out
Proofpoint, Inc.

Understanding Filters

 

Situation

This guide is to understand what filters are and what options are available to create filters. It answers the questions of What is a Filter? What do I need to know to create one? 

Solution Use this information to understand and help you know what options you have to create a filter. 

 

Summary

Filters define actions that should be taken automatically on inbound or outbound messages that meet defined criteria. Filters can be defined at the company, group or individual user level: filters defined at the user level are applied first, then those defined at the group level, and then those defined at the company level. By default, filters are applied in reverse chronological order, starting with the most recently created filter for that level. However, filter order within a level can be manually adjusted to control the order in which filters are applied.

Filters are made up of conditions and actions. For example, a filter that allows all emails sent from domain.com to be received would have as its condition the sender address (*@domain.com) and as its action “allow”. Similarly, a filter could be used to trigger an alert message to be sent to a specific email address if an email is received that is greater than 5000 KB: the email size is the condition and alerting a technical contact is the action.

Current character limit creating/editing filters is 4096. 

Filter examples

The table below presents some uses for filters. Note that these examples are for illustration purposes only: some of them rely on package-specific features.

To... Create...

Prevent all users in the company from receiving attachments of a particular type.

An inbound condition that identifies the attachment types of concern, with the action of “Quarantine”.

Encrypt all outbound emails that include a credit card number.

An outbound filter with a condition that looks for emails that contain a credit card number and credit card terms, with the action of “Encrypt”.

Requires Data Loss Prevention and Email Encryption features to be enabled.

Data Loss Prevention available in Business, Advanced and Professional packages.

Email Encryption available in Advanced and Professional packages.

Encrypt all emails with “[encrypt]” in their subject line.

An outbound filter with a condition that looks for “[encrypt]” in the subject line, with the actions of “Encrypt” and “Strip Subject Line Encryption Terms”.

Requires Email Encryption feature to be enabled.

Email Encryption available in Advanced and Professional packages.

Trigger an alert email whenever there is a package delivery notification.

An inbound filter with a condition that looks for emails that contain a delivery tracking code, with the action of "Nothing".

Force all emails to your server to be over TLS.

An outbound filter with a condition that identifies emails with specific domain as the recipient address, and the action of "Nothing" and "Enforce Only TLS on SMTP Delivery".

 

Filter conditions

A single filter can have multiple conditions. For example, a filter could apply to any email from a specific domain that is also over a certain size.

The first action the condition applies is to send the message to a “destination” (typically, allow, quarantine or “nothing”). The “nothing” action is used when the only action that is necessary is a secondary one, such as notifying a user. Additional actions are also available (stop processing filters, allow release only by a user with the admin role). If an email matches several filters, the destination defined for the first filter is applied, unless the Override Previous Destination option is chosen. To force the first matching filter to take effect, an action of Stop Processing Additional Filters can be used.

Condition

Parameters

Values

Wildcards/inputs

Sender Address

  • IS
  • IS NOT
Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols '*' and "?" are supported (e.g., stan?@domain.dev, *@domain.dev). 

Recipient Address

  • IS
  • IS NOT
Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols '*' and "?" are supported (e.g., stan?@domain.dev, *@domain.dev). 

Email Size (in KB)

  • IS GREATER THAN
  • IS LESSER THAN
  • Number
Enter a whole number (e.g. 1024)

Client IP Country

  • IS
  • IS NOT
  • Choose from list of possible countries
Begin to typing a country name and a selection list with appear. Add one or more entries. 

Email Subject

  • IS
  • IS NOT
  • CONTAINS ANY OF
  • Text (words or phrases)
Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.)

Email Headers

  • CONTAIN(S) ALL OF
  • CONTAIN(S) ANY OF
  • CONTAIN(S) NONE OF
  • Text (words or phrases)
Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.)

Email Message Content

  • CONTAIN(S) ALL OF
  • CONTAIN(S) ANY OF
  • CONTAIN(S) NONE OF
  • Text (words or phrases)
Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.)

Raw Email (Up to 10000 Lines)

  • CONTAIN(S) ALL OF
  • CONTAIN(S) ANY OF
  • CONTAIN(S) NONE OF
  • Text (words or phrases)
Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.)

Attachment Type

  • IS
  • IS NOT
  • Choose from list of possible types
N/A

Attachment Name

  • IS
  • IS NOT
  • File name or list of names, including use of * and ? wildcards
Enter a file name or list of file names separated by commas oe semi-colons. </br> Wildcard symbols '*' and "?" are supported (e.g., stan@domain.dev, #@domain.dev).

Smart Identifier Scan

  • CONTAIN(S) ANY OF
N/A

Dictionary Scan

  • CONTAIN(S) ANY OF
  • Choose which dictionary to apply (financial, personal, or protected health information)
  • Available if Data Loss Prevention feature is enabled
N/A

Proofpoint Essentials Filters does not support Dashes (Alt+0150 "–") character either inserted or copied. It will show formatting code and will not trigger. (ex. =?Windows-1252?Q?). Use Hyphens. Those are the short dashes on the keyboard "-". These will trigger in the rules.

Filter actions

Action Parameter Usage/example usage
Allow None Skip spam scanning and allow email to be delivered.
Quarantine None Direct email to quarantine.
Nothing None Do not alter typical email processing. Perform standard spam scanning.
Encrypt None

Direct email to encryption service.

Email Encryption available in Advanced and Professional packages.

Secondary actions

Action

Parameter

Usage/example usage

Alert Tech Contact

None

Send email to the individual named as the Tech Contact for the company.

Alert Specified Users

Email address(es) of the users

Send email to specified email addresses.

Hide Log

None

Prevent email from appearing in quarantine (log) and digest and log for all users (including administrators).

Hide Log from Non-Admin Users

None

Prevent email from appearing in quarantine (log) and digest for all but administrative users.

Stop Processing Additional Filters

None

Prevent other filters from applying to the email.

Require Admin Privileges to Release

None

Prevent quarantined emails from being released by users.

Administrators are treated as end-users when they receive their quarantine digest. As a result, an administrator will be unable to release an email that has had this restriction applied. The administrator must use the Logs function to view and release such an email.

Enforce Complete Secure SMTP Delivery

None

Ensure Only TLS on SMTP Delivery

None

Enforce TLS when delivering emails: if TLS not available for recipient system, the email will not be delivered.

 

Expanded Overview

For an expanded overview of filters, Click here