This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How do I mark all external mail with an external tag?(like the Bulk tag)

I have been asked to have all external email tagged with an external tag, much as the bulk rule marks messages as bulk. I am not having success building a rule that will accomplish this. The reason for this rule is we are getting external emails that look as if they are coming from the Executives, when they are not. They com through the spam filter as an external address, and no subject, but when they get to the user, they show as having come from the executive and have a subject.  I have tried all the recommendations here that I could find, but no joy. Any help would be appreciated.



This thread was automatically locked due to age.
Parents
  • If you want all your External > Internal e-mail to be tagged as an Internal e-mail, that could be achieved using an Additional Policy.

    Additional Policy > Inbound > New Rule > Watchlist > Main Action > Tag and Deliver

    Just select all the users to which it will apply.

    Make sure this policy stays on the Top so that the e-mails don't bypass this one.

    Let me know if this solves your problem.
Reply
  • If you want all your External > Internal e-mail to be tagged as an Internal e-mail, that could be achieved using an Additional Policy.

    Additional Policy > Inbound > New Rule > Watchlist > Main Action > Tag and Deliver

    Just select all the users to which it will apply.

    Make sure this policy stays on the Top so that the e-mails don't bypass this one.

    Let me know if this solves your problem.
Children
  • Just to add on to Vikas, you may change the action to "Tag and Continue" so it will continue processing through any other policies that are configured; instead of immediately delivering and skipping everything else.

    What do the maillogs say about the "From header"? You can set the watchlist to match anything coming from @yourdomain.tld or even a particular source IP.

    What I would also suggest as a possibility is to add your domain to the Block list. Just keep in mind if you have any external mail servers (eg. Cloud/Office365) that send mail with your domain you will need to allow those hosts in "Allow Hosts" section, which will take precedence. Here are some more detailed steps:

    Remove from Allow List

    Make sure your own domain has not been incorrectly whitelisted as a sender address.  If necessary remove the domain from: Configuration | Policy | Allow/Block Lists | Allowed Hosts/Senders

    Add to Block List

    These steps will block the E-Mail when your domain name has been used in either:

    The MAIL FROM sender in the SMTP conversation
    The 'From' header in the email message
    Add the domain to:  Configuration | Policy | Allow/Block Lists | Block Lists | Blocked Hosts/Senders | Senders
    For example, add: @mydomain.tld

    Note, that global block lists only apply to mail from external hosts.  Outgoing mail will not be affected.

    Other considerations

    Before using this configuration in production, consider whether any legitimate senders need to spoof your domain name.  For example, an external web hosting solution may send you e-mails from postmaster@mydomain.tld.  These hosts must be exempt from the Anti-Spoofing rules using the Allowed Hosts option (Allowed Hosts/Senders take precedence over Blocked Hosts/Senders).

    You should also ensure your list of internal hosts is correctly configured, so outbound ail is not affected.  Enter the IP of any devices that are allowed to send outgoing e-mail in: Configuration | Routing | Internal Hosts