Start a conversation

[ZIX ETP]: Email Threat Protection Filter Tips and Better Practices

Zix\AppRiver has complied a list of Email Threat Protection filter tips and better practices to help maximize your Email Threat Protection experience, as well as tighten your filter and ensure that you receive only the emails you want to receive. To follow the best practices:
  • Enable Quarantined Message Reports for all users.
  • Enable Quarantine Alerts to notify you when mail is held from a recent contact.
  • Set the action for both the BULKMAILER and OPTOUT filter tests to Tag Subject With (name). Then, create a mail rule in Outlook to place these messages in their own folder.
  • Avoid adding large or common domains (such as to the Allowed Domain List.
  • Block countries you do not currently do business with.
  • Publish your SPF record and include all sources that could send mail from or as your domain.
  • List all users, groups, resource addresses, etc. in the user list. Also, consider placing your domain in Closed mode (to hold mail for unlisted users) to extend message quarantine from 14 days to 30 days.
  • Consider adding attachments and linked filenames you wish to block not already included in the Global Banned lists.
  • If possible, set the Documents Containing Macros Scan option to Hold.
  • Consider setting the Encrypted Documents from Unknown Senders to Hold.
  • Forward anything that bypasses your filters to so that our threat team can address any issues.
  • Consider blocking any Language Character sets that you do not expect your messages to frequently utilize.
  • Configure your Impersonation Protection to populate display names under the Identity tab, making sure to properly configure exceptions for allowed external addresses. If allowed addresses are unknown, they may be discovered by setting this feature to Tag Subject for a period of time and searching the logs for the subject tag.
  • Configure the Domain Protection feature under the Identity tab. Ensure that you edit exceptions for third parties sending as your domain if applicable.
For more aggressive filtering:
  • Consider setting BULKMAIL to Hold. Be sure to configure mail rules to allow for messages you want to receive that may be caught by the filter.
  • Consider changing the SPFSOFTFAIL test to Hold.
Advanced Email Threat Protection users have additional threat protection options, and should consider the following configurations:
  • Enable the Link Protection feature to add time of click analysis.
  • Configure the Attachment Quarantine feature to enable attachment content disarming and sandboxing. You can remove attachments from messages and send them to quarantine or convert them to PDFs. Additionally, you can set this feature to remove macros from Office documents. Administrators and users can still request to download the original attachments, and Attachment Quarantine will scan and evaluate the messages in the sandbox before the attachments can be downloaded. Attachment Quarantine will store attachments for up to 30 days before removing them.
  • Enable Message Retraction for Office 365. When messages are identified as malicious or suspicious, you can manually retract them from recipients' inboxes either in bulk or individually.
Choose files or drag and drop files
Was this article helpful?
  1. Carlos Rios

  2. Posted