Situation | Solution
---|---
You want to prevent malicious actors from sending spoofed messages. | See below for information on anti-spoofing policies: what they are, how to enable them, and how to change them.
What Are Anti-Spoofing Policies?
Anti-spoofing policies help prevent malicious senders from impersonating trusted domains, like those owned by banks, government, or your suppliers. Proofpoint Essentials uses a combination of SPF, DKIM, and DMARC to detect and stop spoofed messages.
What Is SPF?
Sender Policy Framework (SPF) allows mail administrators to publish, in DNS, the sources that are permitted to send mail for their domain. An SPF record is a combination of IP addresses and networks, hostnames, and inclusions of other domains' SPF records. When Proofpoint Essentials receives a message, it looks up the SPF record for the envelope sender (MAIL FROM) domain. If one is published, it checks whether the connecting IP address is authorized to send on that domain's behalf. Note that SPF covers only the envelope sender, not the From: address the recipient sees; that gap is what DMARC alignment closes.
What Is DKIM?
DomainKeys Identified Mail (DKIM) allows mail administrators to cryptographically sign outbound messages from their domain, which proves that the message was signed with a key under the domain owner's control and that the signed headers and body were not materially altered in transit. When Proofpoint Essentials receives a DKIM-signed message, it retrieves the signing domain's public key from DNS (the selector and domain are named in the DKIM-Signature header) and validates that the signature is correct and that the message has not been tampered with.
What Is DMARC?
Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on top of the SPF and DKIM protocols. It requires that the domain authenticated by SPF or DKIM aligns with the domain in the visible From: header, adds the ability to publish a requested policy to receivers (p=none, p=quarantine, or p=reject) for messages that fail, and provides aggregate reports back to the domain owner to help them measure the accuracy and completeness of their SPF and DKIM setup.
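As an added illustration of the three checks described above (example code written for this page, not Proofpoint's implementation), the following Python evaluates an SPF record for a sending IP address, resolving include: terms, and then applies DMARC identifier alignment to decide whether the From: domain is covered. DNS answers come from a constructed in-memory table and every domain in it is hypothetical. Verifying a DKIM signature needs an RSA library, so the DKIM verdict and its d= domain are supplied as inputs rather than computed.

```python
# Added example (not Proofpoint code): SPF evaluation and DMARC alignment
# against a constructed, in-memory DNS table. The DKIM verdict is an input,
# since verifying a DKIM signature needs an RSA implementation.
import ipaddress

# Constructed TXT data standing in for live DNS; every domain is hypothetical.
# A value of None simulates a DNS timeout.
DNS_TXT = {
    "bank.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc@bank.example"],
    "partner.example": ["v=spf1 ip4:203.0.113.5 -all"],
    "_dmarc.partner.example": ["v=DMARC1; p=none"],
    "broken.example": ["v=spf1 ip4:not-an-ip -all"],
    "slow.example": None,
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(name, prefix):
    """TXT record at `name` starting with `prefix`; None if absent,
    'temperror' on timeout, 'permerror' if more than one record matches."""
    records = DNS_TXT.get(name, [])
    if records is None:
        return "temperror"
    matches = [r for r in records if r.startswith(prefix)]
    if len(matches) > 1:
        return "permerror"
    return matches[0] if matches else None

def check_spf(domain, ip, depth=0):
    """SPF result for `ip` sending MAIL FROM `domain`. Handles the ip4, ip6,
    include and all mechanisms; a/mx/exists/redirect are not implemented."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms at 10
    record = lookup_txt(domain, "v=spf1")
    if record in (None, "temperror", "permerror"):
        return "none" if record is None else record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        try:
            if term == "all":
                return result
            if term.startswith(("ip4:", "ip6:")):
                if addr in ipaddress.ip_network(term[4:], strict=False):
                    return result
            elif term.startswith("include:"):
                sub = check_spf(term[len("include:"):], ip, depth + 1)
                if sub == "pass":
                    return result
                if sub in ("temperror", "permerror", "none"):
                    return "temperror" if sub == "temperror" else "permerror"
            else:
                return "permerror"  # unsupported mechanism in this example
        except ValueError:  # malformed network such as ip4:not-an-ip
            return "permerror"
    return "neutral"  # record exhausted without a match

def parse_dmarc(from_domain):
    """DMARC tags for the From: domain, or None / 'temperror' / 'permerror'."""
    record = lookup_txt("_dmarc." + from_domain, "v=DMARC1")
    if record in (None, "temperror", "permerror"):
        return record
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def organizational_domain(domain):
    # Simplified to the last two labels; real DMARC uses the public suffix list.
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def check_dmarc(from_domain, mail_from_domain, spf_result, dkim_domain, dkim_result):
    """(dmarc_result, policy): DMARC passes only if SPF passed for an aligned
    MAIL FROM domain or DKIM passed with an aligned d= domain."""
    tags = parse_dmarc(from_domain)
    if tags is None:
        return "none", None
    if tags in ("temperror", "permerror"):
        return tags, None
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "permerror", None
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    return ("pass" if spf_ok or dkim_ok else "fail"), policy
```

Calling `check_spf("bank.example", "203.0.113.5")` returns "fail" (the address matches neither the ip4 network nor the included mailer, so the trailing -all applies), while `check_dmarc("bank.example", "bounce.bank.example", "pass", None, "none")` returns ("fail", "reject") even though SPF passed: the record sets aspf=s, so a bounce subdomain in MAIL FROM does not align with the From: domain. That second case is exactly the forwarded-or-subdomain traffic that shows up in DMARC aggregate reports before a domain owner moves from p=none to p=reject.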
How Do I Enable Inbound Anti-Spoofing Policies?
Outbound DKIM signing is configured separately from the inbound policies: each domain that sends email can be individually configured to sign outbound messages with DKIM. To enable it, create a new signing key, add the public key to your DNS zone, and verify that it has been added correctly. The inbound policies are enabled as follows.
Enabling The Anti-Spoofing Module
- Navigate to Administration > Account Management > Features
- Check the box labeled 'Enable Anti-Spoofing Policies'.
- Proofpoint's best practice anti-spoofing policies are automatically enabled.
How Do I Change Inbound Anti-Spoofing Policies?
Under Security Settings > Malicious Content > Anti-Spoofing, there are three separate policies available to configure. For each policy a list of exceptions can be created to exclude individual domains from that policy. Messages claiming to be from an excepted domain skip the check entirely, so keep these lists short and review them periodically.
Inbound DMARC
The default policy is "Allow the sending domain's DMARC policy to determine whether or not to block messages. (Recommended)". If the sending domain publishes a DMARC policy of p=quarantine or p=reject, messages that fail DMARC are blocked, which prevents unauthorized senders from spoofing that foreign domain. A published policy of p=none does not block anything; see the fallback behavior described further down.
If "Ignore the sending domain's DMARC policy, but log the result" is chosen, messages that fail the DMARC check are not blocked on that basis. The result is logged in the Mail Log and in the message's headers, and the Inbound SPF and Inbound DKIM policies still apply.
Inbound SPF And Inbound DKIM
If a DMARC policy is not present (or does not block), but an SPF record exists or the message has been signed with DKIM, these policies apply. There are three results which can be acted on:
Condition | Description | Default Action
---|---|---
Failure | The message has failed the SPF or DKIM check. This usually indicates that the message has been spoofed, although legitimate mail that has been forwarded or passed through a mailing list can also fail SPF (and DKIM, if the relay altered the body). | Quarantine
Temporary Error | A transient error (such as a DNS timeout) occurred during the retrieval of the foreign domain's SPF record or DKIM key from DNS. | Take no action
Permanent Error | An error occurred while parsing the foreign domain's SPF record or DKIM key in DNS. This means that the record is malformed in some way. | Quarantine
Three actions are available:
- Quarantine - prevents the message from being delivered to its intended recipient
- Take no action - allows the message to continue to be processed
- Tag subject line with text - prepends the supplied text to the message's subject line
NEW INFORMATION AS OF 2021-02-23
What happens to those messages caught by the AntiSpoofing system?
Messages are caught and classified as "FRAUD".
Those messages can only be released by someone with Admin privileges.
You can search the message log and filter by type.
Inside the message log, when you click on the details link for a fraudulent email, you will see which check caught it (DKIM, DMARC, or SPF).
THREAT DASHBOARD
The starting dashboard will now reflect the number of messages caught by the Anti-Spoofing mechanism categorized by hit type (SPF/DMARC/DKIM) in addition to Malicious Attachments and Viruses caught.
OVERALL ANTISPOOFING BEHAVIOR (DMARC vs SPF/DKIM)
The Anti-Spoofing feature will fall back to considering individual SPF & DKIM results (following the customer-specified actions) when:
- The remote sender's DMARC policy is p=none
- The remote sender publishes no DMARC record at all
- The local customer's DMARC setting is "Ignore DMARC" (but SPF checking and DKIM checking are active)
When the remote sender publishes p=quarantine or p=reject and the local setting is the recommended default, the DMARC result alone decides and the individual SPF and DKIM actions are not applied.
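The fallback rule above, combined with the per-condition actions from the policy tables, as an added example (Python written for this page, not Proofpoint code). It takes authentication results that have already been computed. Three points are assumptions, because the page does not state them: a DMARC temporary or permanent error is treated like "no usable policy" and falls back to SPF/DKIM; when both the SPF and the DKIM condition trigger, the more severe of the two configured actions wins; and both p=quarantine and p=reject lead to quarantine.

```python
# Added example (not Proofpoint code): the inbound anti-spoofing decision
# described on this page, applied to already-computed SPF/DKIM/DMARC results.

QUARANTINE = "Quarantine"
TAG = "Tag subject line with text"
NO_ACTION = "Take no action"
SEVERITY = {NO_ACTION: 0, TAG: 1, QUARANTINE: 2}

# Per-condition actions from the "DEFAULT SETTINGS" table on this page.
DEFAULT_ACTIONS = {
    "spf": {"fail": QUARANTINE, "temperror": NO_ACTION, "permerror": NO_ACTION},
    "dkim": {"fail": QUARANTINE, "temperror": NO_ACTION, "permerror": NO_ACTION},
}

# Only these SPF/DKIM results map to an actionable condition; pass, none
# (no record / unsigned), neutral and softfail are left alone in this example.
CONDITION_FOR_RESULT = {"fail": "fail", "temperror": "temperror", "permerror": "permerror"}


def decide(msg, actions=DEFAULT_ACTIONS, dmarc_setting="enforce"):
    """Return {'action', 'reason', 'log'} for one message.

    msg keys: dmarc (pass/fail/none/temperror/permerror), dmarc_policy
    (none/quarantine/reject, or None when no record exists), spf and dkim.
    dmarc_setting is 'enforce' (the recommended default) or 'ignore'.
    """
    # What would be written to the Mail Log / message headers either way.
    log = "dmarc={} (p={}) spf={} dkim={}".format(
        msg["dmarc"], msg.get("dmarc_policy"), msg["spf"], msg["dkim"])

    dmarc_governs = (
        dmarc_setting == "enforce"
        and msg["dmarc"] in ("pass", "fail")
        and msg.get("dmarc_policy") in ("quarantine", "reject")
    )
    if dmarc_governs:
        # The remote domain's published policy decides. Assumption: p=quarantine
        # and p=reject are both handled as quarantine (blocked mail is held as
        # FRAUD); the page does not distinguish the two.
        if msg["dmarc"] == "fail":
            return {"action": QUARANTINE, "reason": "DMARC fail", "log": log}
        return {"action": NO_ACTION, "reason": "DMARC pass", "log": log}

    # Fallback: no DMARC record, p=none, a DMARC lookup error (assumption:
    # treated like no record), or DMARC ignored locally. SPF and DKIM are
    # judged individually; if both trigger, the more severe configured
    # action is applied (assumption).
    chosen_action, reason = NO_ACTION, "no condition triggered"
    for check in ("spf", "dkim"):
        condition = CONDITION_FOR_RESULT.get(msg[check])
        if condition is None:
            continue
        action = actions[check][condition]
        if SEVERITY[action] > SEVERITY[chosen_action]:
            chosen_action, reason = action, "{} {}".format(check.upper(), condition)
    return {"action": chosen_action, "reason": reason, "log": log}
```

Two cases worth noticing: a message whose DMARC passes through DKIM under p=quarantine is delivered untouched even if SPF failed (the DMARC result alone decides), and with the "Ignore DMARC" setting a DMARC failure under p=reject is only logged, so a DKIM failure on that same message is what ends up quarantining it.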
DEFAULT SETTINGS when Anti-Spoofing policies feature is enabled
POLICY | Default value
---|---
DMARC | Enabled
Inbound DKIM -> Failure | Quarantine
Inbound DKIM -> Temporary Error | Take no action
Inbound DKIM -> Permanent Error | Take no action
Inbound SPF -> Failure | Quarantine
Inbound SPF -> Temporary Error | Take no action
Inbound SPF -> Permanent Error | Take no action
Note that the above settings are the Vircom recommended settings. The Permanent Error default shown here (Take no action) differs from the Quarantine default listed in the earlier Inbound SPF and Inbound DKIM table; check the value in your own account under Security Settings > Malicious Content > Anti-Spoofing before relying on either.