Policy Settings
This topic describes policy settings. A message must match all of the settings in a policy for the policy to be enforced on the message.
TIP: A policy needs only a single condition to be a valid policy, and no action is required. (Policies with no actions defined are sometimes known as "monitor" policies.) The interface for creating policies allows you to create very narrow conditions to match a very specific set of messages (for example, "From: UserA and To: UserB with a sending IP reputation between -6.7 and -6.6, inclusive"). You can also use the interface to set up very broad conditions, which may match a very large number (or nearly all) of your incoming messages (for example, "Any message whose Trust Score is between 2.2 and 10.0, inclusive"). Use caution when configuring policies so that you do not create policies that are overly broad.
NOTE: Policy settings that are ranges, that is, where you set an upper-bound value and a lower-bound value, are always inclusive ranges. That means that the range includes the upper and lower bounds. In technical terms, this means you define "greater than or equal" and "lesser than or equal" boundaries, not strictly "greater than" and "lesser than," which would not include the boundary values.
Setting | Description | ||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Policy Name | The name should be a good descriptor of what the policy is designed to do. | ||||||||||||||||||||||||||||||||||||||||||||
Action |
Any settings you define here determine any additional actions that will be taken when a message matches the policy. If a message matches multiple policies with different enforcement actions, the Move to Inbox action takes the highest precedence, followed by the Delete action, followed by the label with the highest position in Enforcement Settings. The default action is that any message that matches a policy is recorded in the Policy Log, but the message itself and its intended route are not altered. If you use Office 365 or G Suite as your mail store and have enabled Enforcement (see Configure Enforcement: Office 365 using MS Graph API or Configure Enforcement: G Suite), you can choose to have matching messages deleted or moved out of the inbox and into a designated folder. You can also create a "Allow list" policy by choosing to move messages to the inbox when matching a set of policy conditions. TIP: An enforce action can be used in combination with a notification to the original recipients so that end users could receive a notification every time a Cloud Email Protection moves a message based on a policy condition match. Enforcement actions on a message that matches multiple enforcement policies will occur in the following priority order:
|
||||||||||||||||||||||||||||||||||||||||||||
Message Direction |
Select the message direction you want to match, from:
Some policy settings are available only for some message directions, as indicated by the following table:
|
||||||||||||||||||||||||||||||||||||||||||||
Content | |||||||||||||||||||||||||||||||||||||||||||||
From |
Enter an email address to apply the policy only to messages from that address. The policy matches any From field containing the entered sub-string. |
||||||||||||||||||||||||||||||||||||||||||||
Reply-To |
Enter an email address to apply the policy only to messages from that address. The policy matches any Reply-To field containing the entered sub-string. |
||||||||||||||||||||||||||||||||||||||||||||
Recipient (To/CC/BCC recipients of the message.) |
Address groups will simply look for messages where the Recipient fields exactly matches an entry in the address group, ignoring the Display portion. A policy matching an address group in the Recipient field might commonly be used along with other criteria like a Subject string match and Message Trust Score. For example, your policy conditions might be: To a member of the Finance address group, and Subject contains “Invoice,” and Message Trust Score is 0 - 4.9. Email Address will simply look for messages where the Recipient fields exactly matches the Email Address entry, ignoring the Display portion. |
||||||||||||||||||||||||||||||||||||||||||||
Subject | Enter what you want matched in a message subject line. The policy will look for the entire value anywhere in a subject. For example, if you enter "goo", the policy will match subject lines that include "Google Password Confirmation," "Goo-Goo Dolls tickets," and "Check out this gooey brownie recipe." Or if you enter "red fish blue fish", the policy will match subject lines that include "one fish two fish red fish blue fish" but not subject lines that include "there were fish in the blue sea". | ||||||||||||||||||||||||||||||||||||||||||||
Imposter Target Address Group |
Enter the Address Group(s) containing individuals within your organization for whom you want this policy to detect impostors. The condition will look for the address group members' names in the Display Name (i.e. Friendly From) of the Address Group. If a given Address does not use a Display Name, the condition evaluates the local part of the email address in the address group to see if it matches the email address in the Imposter Target Address. NOTE: The condition will also take into account the authenticity of the message if the Imposter Target address group matches the entered address. For example, consider an address group containing the following address: "John Doe" <jdoe@example.com>
|
||||||||||||||||||||||||||||||||||||||||||||
Sending Domain | Enter a single domain name. This setting looks for matches of the sending domain value of any DKIM records in the message header. | ||||||||||||||||||||||||||||||||||||||||||||
Domains' Tags | Click in the field to select one or more domain tags. The condition will evaluate if any domain contains any of the selected tags. | ||||||||||||||||||||||||||||||||||||||||||||
Attachments | Select how you want this policy to match on message attachments. | ||||||||||||||||||||||||||||||||||||||||||||
IP Address | Enter one or more IP addresses, separated by commas. You can also enter IP address ranges. The condition will evaluate if any IP address in the header matches. | ||||||||||||||||||||||||||||||||||||||||||||
Contains Active Content |
CEP detected the presence of an Active Content in the message. NOTE:
Active Content is only accessible if your organization is configured for Cloud Gateway. |
||||||||||||||||||||||||||||||||||||||||||||
Contains QR Code |
CEP detected the presence of a QR code in the message. NOTE:
QR Code is only accessible if your organization is configured for Cloud Gateway. |
||||||||||||||||||||||||||||||||||||||||||||
Reply-to domain does not match From Address | If selected, policy requires that the messages has a Reply-to address with a domain that is different from the domain used in the From header address. | ||||||||||||||||||||||||||||||||||||||||||||
To Address is Equal to From Address | If selected, policy requires that To email address and the From email address are the same. This is often used in spoofed emails. | ||||||||||||||||||||||||||||||||||||||||||||
Mail From Doesn't Match Sending Domain | If selected, policy requires that the domain in the Mail From (also called Return-Path) is not the same as the domain used in the From header address. | ||||||||||||||||||||||||||||||||||||||||||||
Scoring | |||||||||||||||||||||||||||||||||||||||||||||
Trust Score Range | Use the sliders to define the Trust Score range that the message must have for the policy to be considered. The values you select are included in the range, that is, the range is inclusive. For example, if you select the Trust Score Range boundaries to be 1.0 at the lower end and 2.0 at the upper end, the policy will match messages with a trust score of exactly 1.0 or 2.0. | ||||||||||||||||||||||||||||||||||||||||||||
Attack Types | Click in the field to select one or more attack types that the message must have for the policy to be considered. The policy will be considered if any of the attack types apply to the message. | ||||||||||||||||||||||||||||||||||||||||||||
Authenticity Score Range | Adjust the sliders if you want the policy to match any range other that the default, which is everything in the range. The values you select are included in the range, that is, the range is inclusive. For example, if you select the Domain Reputation Range boundaries to be 1.0 at the lower end and 2.0 at the upper end, the policy will match messages with a domain reputation of exactly 1.0 or 2.0. | ||||||||||||||||||||||||||||||||||||||||||||
Domain Reputation Range | |||||||||||||||||||||||||||||||||||||||||||||
IP Reputation Range | |||||||||||||||||||||||||||||||||||||||||||||
Notification | |||||||||||||||||||||||||||||||||||||||||||||
You can specify who to notify and how to notify them. You can customize the content of notifications users receive. See Customize Policy Notifications for details. | |||||||||||||||||||||||||||||||||||||||||||||
Original Recipient | Enable to send an individual notification to all the original recipients of the message when the policy is triggered. (Note that this could cause bounce messages. For example, it could occur if the sensor parses a message and attempts to send a notification to a non-existent mailbox.) | ||||||||||||||||||||||||||||||||||||||||||||
Administrator | Enter the Email address of the recipients Notify administrators will send either a single notification message for every matching message. Enter the recipient's email address who will receive the notification (One valid email address per line). Select Include attachment with details for all messages, to enable the recipients to receive attachment with the message details. | ||||||||||||||||||||||||||||||||||||||||||||
Digest | Notify the following recipients with a summary hourly digest (One valid email address per line). A single digest notification when the number of messages matching a given policy exceeds a threshold you define. |