An anti-spoofing policy (formerly known as Inbound Lockout) aims to block unwanted inbound spoofed emails. For example, the customerA.com domain receives an email that originates from outside the organization, but the From address is email@example.com. It is unlikely that an internal email is generated from outside customerA's network, and therefore this email is typically considered to be a spoofed email.
Some organizations use external email services to purposefully spoof their domain name as the sender. For example, a fax-to-email service may be configured to transmit messages from the fax service to the internal users at companyA.com, but the From address could be set to firstname.lastname@example.org even though the email originates from the fax service server. In this case, an Anti-Spoofing Bypass policy can be created to allow this traffic, as detailed below.
Prior to adding any anti-spoofing policies, it is important to consider any legitimate spoofed traffic that should be allowed. This could include emails generated from a website where the sender is email@example.com, or a payroll system that generates emails from and to the end user using their internal email address.
A policy option is available to exclude the Mimecast IP ranges (see below). Mimecast recommends using this to decrease the chances of false positive identification of legitimate emails. This feature is available to customers using the latest gateway. In this instance, a bypass policy can be created to allow emails from certain IP addresses or hostnames through even though they may appear as typical spoofed emails. All other spoofed emails can be configured to be blocked and therefore rejected.
If a user has added their own email address or one of the company internal domains to their permitted senders list, emails directed to these users will be rejected, as the lockout policy is applied first.
It is recommended to create an anti-spoofing policy for customers who receive large amounts of spoofed emails. This policy can be created to ensure that traffic originating from the internet, but appearing to come from an internal domain, is not allowed inbound.
What You'll Need
- An Administrator Console logon with access to the Services | Gateway | Policies menu item.
Creating a Policy
Before creating an anti-spoofing policy, create a list of all the IP addresses or hostnames that are allowed to send messages on behalf of your domains. Also consider any web servers that might be sending messages holding your domain name(s).
To create a policy, follow the instructions in the Creating / Changing a Policy article, but using the following options:
|Policy Narrative||Provide a description for the policy to allow you to easily identify it in the future.|
|Select Option||Select whether to apply Anti-Spoofing, Anti-Spoofing (excluding Mimecast IP ranges) or take no action.|
An anti-spoofing policy that is applied from the Return Address (Envelope from Address) can only be negated by a Take No Action policy which is also applied from Return Address (Envelope from Address). This logic also applies to the Message From Address (Header From Address).
Create an Anti-Spoofing Policy to Allow Spoofing Based on IP
- In the Select Option field select Take No Action.
- In the For emails From and For emails To sections, set the Applies From and Applies To fields to Everyone, as IP addresses/Hostnames are going to be used as the source of the emails. For more information on the application of the FROM and TO variables, view the full article on Policy Specificity.
- In the Policy Validity section select the Policy Override option. This will ensure that this Policy is applied before the Block policy. For more information, view the full article on Policy Validity.
- Enter the list of IP addresses (or hostnames) to apply the bypass to in the Source IP Ranges box in CIDR notation.
- Enter the list of hostnames to apply the bypass to in the Hostnames box. The policy only applies, when the hostname matches the IP address used by the sending server. We will confirm when this is the case.
- Select the Save and Exit button.
If a combination of IP addresses and hostnames is specified, the policy is applied if the inbound mail comes from either one of the specified IP addresses or hostnames.
Create an Anti-Spoofing Policy to Block Unwanted Spoofed Emails
- In the Select Option field select Apply Anti-Spoofing. It is recommended to select the Apply Anti-Spoofing (Exclude Mimecast IPs) option.
- In the For Emails From section, select the applicable internal domains that you wish to block spoofs from. For more information on the application of the FROM and TO variables, view the full article on Policy Specificity.
- In the For Emails To section, select the Internal Addresses option.
- Complete the Policy Validity section. Do not check the Policy Override option for this Policy. For more information, view the full article on Policy Validity.
- Select the Save and Exit button.
To ensure that anti-spoofing policies will not block Sender/Callback verification requests that remote MTAs might utilize, you should not configure anti-spoofing policies that apply to messages with the From and To variables set to Internal. The messages that are rejected by the anti-spoofing policy can be found in Monitoring | Rejections, and will have the type set to anti-spoofing lockout.