Start a conversation

Configuring Inbound Anti-Spoofing Policies

Situation You want to prevent malicious actors from sending spoofed messages.
Solution

See below for information on:

  • What are DMARC, DKIM, and SPF?
  • How do I enable inbound anti-spoofing policies?

 

What Are Anti-Spoofing Policies?

Anti-spoofing policies help prevent malicious senders from impersonating trusted domains, like those owned by banks, government, or your suppliers. Proofpoint Essentials uses a combination of SPF, DKIM, and DMARC to detect and stop spoofed messages.

What Is SPF?

Sender Policy Framework (SPF) allows mail administrators to publicly identify legitimate sources of messages from their domain. SPF policies consist of a combination of IP addresses, host names, and inclusions of other domains' SPF policies. When Proofpoint Essentials receives a message, it checks to see if an SPF policy is published for the sending domain. If so, it identifies whether or not the sender is authorized to send on the domain's behalf.

What Is DKIM?

DomainKeys Identified Mail (DKIM) allows mail administrators to cryptographically sign outbound messages from their domain, which proves that the message originated from the domain owner’s infrastructure and that the message was not materially altered in transit. When Proofpoint Essentials receives a DKIM-signed messages, it retrieves the sending domain's public key using DNS, and validates that the signature is correct and that the message hasn't been tampered with.

What Is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on top of SPF and DKIM protocols, adding the ability specify a recommended policy to receivers and it provides reports back to the domain owner to help them measure the accuracy and completeness of their spoofing policies.

How Do I Enable Inbound Anti-Spoofing Policies?

Enable The Anti-Spoofing Feature

First you need to enable the Anti-spoofing feature for the organization. 

  1. Navigate to Administration > Account Management > Features
  2. Check the box labeled 'Enable Anti-Spoofing Policies'
  3. Click Save

Configure Anti-Spoofing Policy

Once the Feature is enabled, you will need to configure the anti-spoofing policy you wish to apply to the organization.

  1. Navigate to Security Settings > Malicious Content > Anti-Spoofing

There are three separate policies available to configure.

Inbound DMARC

  1. Check the option you wish to apply for inbound DMARC policy evaluation

The recommended configuration for this policy is "Allow the sending domain's DMARC policy to determine whether or not to block messages.". If the sending domain has a published DMARC policy, this will prevent unauthorized senders from spoofing the foreign domain.

If "Ignore the sending domain's DMARC policy, but log the result" is chosen, messages that fail the DMARC check will be passed through the system. The result will be logged in logs and in the message's header. 

Inbound DKIM

  1. Check the options you wish to apply for inbound DKIM policy evaluation.

If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the message to see if it has been signed with DKIM. There are three results which can be acted on:

Condition Description Recommended Actions
Failure The message has failed the DKIM check. This indicates that the message has been spoofed. Choose Quarantine
Temporary Error An transient error occurred during the retrieval of the foreign domain's DKIM key in DNS. Choose Take no action
Permanent Error An error occurred while parsing the foreign domain's DKIM key in DNS. This means that the record is malformed in some way. Chohose Take no action

 

Available Actions:

  • Quarantine - prevents the message from being delivered to its intended recipient

  • Take no action - allows the message to continue to be processed

  • Tag subject line with text - prepends the supplied text to the message's subject line

Inbound SPF

  1. Check options you wish to apply for inbound SPF policy evaluation.

If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the sender's SPF policy (if it exists) and these policies will apply. There are three results which can be acted on:

Condition Description Recommended Actions
Failure The message has failed the SPF check. This indicates that the message has been spoofed. Choose Quarantine
Temporary Error An transient error occurred during the retrieval of the foreign domain's SPF policy in DNS. Choose Take no action
Permanent Error An error occurred while parsing the foreign domain's SPF policy in DNS. This means that the record is malformed in some way. Choose Take no action

 

  1. Click Save

In addition, for each Anti-Spoofing policy, a list of exceptions can be created to exclude individual domains from the policies.

Choose files or drag and drop files
Was this article helpful?
Yes
No
  1. Carlos Rios

  2. Posted
  3. Updated

Comments