Policy Specificity

Document created by user.oxriBaJeN4 Employee on Sep 21, 2015. Last modified by user.oxriBaJeN4 Employee on Nov 19, 2018. Version 6.

Mimecast applies policies to messages based on specificity. The more specific a policy is, the higher the priority. For example, a policy specifying a single individual email address is very specific, and is favored above a policy applied to everyone (which is the least specific of all).

 

[Image: policy_specificity.png]

Each policy performs an action that is applied to messages as they are processed by the Mimecast gateway. In many cases, more than one policy of the same type (e.g. Blocked Senders) is considered for the same message, but only the most specific policy of that type is applied. See the example displayed.

 

Using Policy Specificity

 

Mimecast only applies one policy of each type to an email at a time, but many types of policies could apply to a message. For example, only one Stationery Layout is applied to each message, but we will also apply Attachment Management and Content Examination policies if configured.

 

There are some exceptions to this rule:

  • Content Examination
  • Content Examination Bypass
  • Impersonation Protection
  • Impersonation Protection Bypass
  • Smart Tag Assignment

 

These policy types are cumulative. When multiple cumulative policies match the From and To (i.e. communication pair) of a message, all those cumulative policies are applied to the message and the appropriate action(s) taken.

 

Levels of Specificity

 

The levels of specificity range from "Everyone", which is the least specific of the routing categories, to "Individual Email Address", which is the most specific. The table below lists these levels in order of increasing specificity.

 

Specificity Level | Description
Everyone | This is the least specific of all from / to options, and includes all email addresses.
Internal Addresses | All addresses internal to your account, typically found under Directories > Internal Directories.
External Addresses | All addresses external to your account, typically found under Directories > External Directories.
Email Domain | Enables you to specify one or more domain names to which the policy is applied.
Freemail Domains | Only available under the "Email From" section of Impersonation Protection policies. Includes sender domains that are present on a Mimecast list of freemail domains.
Address Groups | Enables you to specify a predefined Directory or Profile Group which could hold domain names or individual addresses. See the "Specificity within Group structures" section below for further details.
Header Display Name | Only available under the "Email From" section of Impersonation Protection policies when the "Addresses Based On" option has been set to "The Message From Address" or "Both". This enables you to specify a Header Display Name.
Address Attributes | Enables you to specify a predefined attribute and can only be used when attributes have been configured.
Individual Email Address | This is the most specific of all from / to options, and relates to a single email address.

 

When calculating the level of specificity, the Mimecast Gateway:

  • Evaluates the communication pair of the message.
  • Scores the "Emails From" and "Emails To" settings of the matching policies.

 

Remember, only the most specific policy of a policy type is applied (except for cumulative policies).

The Administration Console always lists policies in order of ascending specificity, from the least specific to the most specific.

Specificity Within Group Structures

 

If two policies of the same type (except cumulative policies) apply to different groups, and the same member is present in both groups (either directly or via a nested group), additional logic is applied to find the most specific group:

  1. Closeness to the Policy:
    The closer the user is to the group the policy has been applied to, the more specific the group is. This means that a group where the user is a direct member is considered to be more specific than one where the user is a member via a nested group.
  2. Deepest Group:
    If the "closeness to the policy" logic still results in equal specificity of the groups, the depth of the group is taken into account. The deeper the group sits in your directory structure, the more specific it is.

 

Equal Specificity

 

For policies (except cumulative policies), where there is equal specificity between two (or more) policies of the same policy type, the following logic is applied to decide which policy needs to be applied:

  1. Recipient Trumps Sender:
    When there is equal specificity, the "Emails To" value receives a slightly higher score. This means the Mimecast Gateway considers the recipient more specific than the sender.
  2. Conditions:
    Where there is equal specificity, and the "recipient trumps sender" logic does not resolve this, a policy that has a matching "Source IP Range" or matching "Hostname" validity condition is considered to be more specific.
  3. Most Recently Created:
    Where there is equal specificity and the "recipient trumps sender" and "conditions" logic do not resolve this, the most recently created policy is favored. To find the creation date of a policy, you can search the Audit Logs section.
    The "most recently created" specificity rule doesn't apply to Delivery Routing and Stationery policies. For these policy types, where there is equal specificity, the last rule is ignored and the most specific policy is chosen at random. This ensures automated randomization.

Specificity Examples Based on Messages From / Emails To Details

 

For all policy types (except the cumulative policies) as described above, a policy is selected based on specificity. In order to determine which policy in a type is the most specific, both the "Emails From" and the "Emails To" settings of policies matching the communication pair need to be examined.

See the Policy Editor article for more information on the differences between Header and Envelope addresses.

Here are some examples which illustrate how policy selection is made, based on specificity using the "Emails From" and "Emails To" policy components.

From | To | More Specific
Everyone | Email Domain (e.g. Domain.com) |
Everyone | Individual Email Address (e.g. test@domain.com) | Yes

From | To | More Specific
Email Domain (e.g. Domain.com) | Everyone |
Everyone | Individual Email Address (e.g. test@domain.com) | Yes

From | To | More Specific
Address Groups (e.g. Suppliers) | Email Domain (e.g. Domain.com) | Yes
Email Domain (e.g. Domain.com) | Email Domain (e.g. Domain.com) |

From | To | More Specific
Address Groups (e.g. Profile Groups > Root > Suppliers) | Email Domain (e.g. Domain.com) |
Address Groups (e.g. Directory Groups > Root > Internal > Domain > Company > Suppliers) | Email Domain (e.g. Domain.com) | Yes (deepest group)

From | To | More Specific
Individual Email Address (e.g. test@domain.com) | Email Domain (e.g. Domain.com) |
Email Domain (e.g. Domain.com) | Individual Email Address (e.g. test@domain.com) | Yes (recipient trumps sender)

From | To | More Specific
Email Domain (e.g. Domain.com), created on 26 April 2017 | Individual Email Address (e.g. test@domain.com) |
Email Domain (e.g. Domain.com), created on 29 October 2017 | Individual Email Address (e.g. test@domain.com) | Yes (most recently created)
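
The selection logic described on this page, sketched as an added example (not Mimecast's code): it picks one winner per non-cumulative policy type, applies every cumulative policy, and lists the shadowed policies an administrator may want to review. The additive rank score is an assumption that agrees with the examples above, since the page does not publish the gateway's scoring; group nesting, the random choice for Delivery Routing and Stationery, and Policy Override are not modelled, and the policy names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
# Least to most specific, in the order of the page's "Levels of Specificity" table.
LEVELS = ["Everyone", "Internal Addresses", "External Addresses", "Email Domain",
          "Freemail Domains", "Address Groups", "Header Display Name",
          "Address Attributes", "Individual Email Address"]
RANK = {name: i for i, name in enumerate(LEVELS)}
# Policy types the page lists as cumulative: every matching policy is applied.
CUMULATIVE = {"Content Examination", "Content Examination Bypass",
              "Impersonation Protection", "Impersonation Protection Bypass",
              "Smart Tag Assignment"}

@dataclass(frozen=True)
class Policy:
    name: str
    ptype: str
    from_level: str
    to_level: str
    created: date
    condition_match: bool = False  # matching Source IP Range or Hostname condition

def sort_key(p):
    # ASSUMPTION: additive rank score; the tie-breakers follow the page's order.
    return (RANK[p.from_level] + RANK[p.to_level],  # combined specificity
            RANK[p.to_level],                       # recipient trumps sender
            p.condition_match,                      # matching validity condition
            p.created)                              # most recently created

def select(matching):  # matching: policies that already match the communication pair
    applied, shadowed, by_type = [], [], {}
    for p in matching:  # cumulative types apply all; other types compete per type
        bucket = applied if p.ptype in CUMULATIVE else by_type.setdefault(p.ptype, [])
        bucket.append(p)
    for candidates in by_type.values():
        ranked = sorted(candidates, key=sort_key, reverse=True)
        applied.append(ranked[0])
        shadowed += ranked[1:]
    return sorted(p.name for p in applied), sorted(p.name for p in shadowed)

D1, D2 = date(2017, 4, 26), date(2017, 10, 29)
SAMPLE = [  # constructed policies; names are hypothetical
    Policy("bs-domain", "Blocked Senders", "Email Domain", "Everyone", D1),
    Policy("bs-user", "Blocked Senders", "Everyone", "Individual Email Address", D1),
    Policy("am-from-user", "Attachment Management", "Individual Email Address", "Email Domain", D2),
    Policy("am-to-user-old", "Attachment Management", "Email Domain", "Individual Email Address", D1),
    Policy("am-to-user-new", "Attachment Management", "Email Domain", "Individual Email Address", D2),
    Policy("ce-all", "Content Examination", "Everyone", "Everyone", D1),
    Policy("ce-domain", "Content Examination", "Email Domain", "Everyone", D1),
]
```

Calling `select(SAMPLE)` returns the applied and shadowed policy names as two sorted lists; the shadowed list shows which broader policies never take effect for that communication pair.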

Validity

 

Alongside specificity, the Mimecast Gateway also uses validity. For a full breakdown of the validity options, review the dedicated Policy Validity article.

A policy's "Policy Override" option can be used to override the specificity model.