The "Spoofing Protection" currently offered by Central Email is much to rigid to support businesses that may use multiple systems to send email messages.
For example, if your business utilizes an email marketing platform or perhaps you send email from your website using @yourofficialcompanyname.com you cannot send email through Sophos Central Email without engaging the Spoofing Protection feature. Whitelisting the sender or domain does not work and is not applicable to how this option is currently configured.
Here is what we received from support on the matter.
With Sophos Central Email you CANNOT override and make whitelists to allow emails through Central email on your behalf – for example if your domain is abc.com and there is an email sent to user@abc.com and FROM notify@abc.com it will be caught as a spoofed message. Spoofing protection is a global (all or nothing setting) so it is either Quarantine, Tag, (I think discard is also an option) or Allow (off). Whitelisting does not trump or allow these emails. If the client has any external MTAs or services sending email on their own domains behalf it will be actioned.
I spoke with dev a while back and they suggest that you TAG all spoofed emails to “Allow” them through and see this as a feature request… Just make sure when you suggest this to clients that end users need to take precautions whenever there is an email tagged for spoof protection that it can be illegitimate.
We have all of the appropriate entries for these services in our SPF record.
I'm a bit disappointed that the response from Sophos support is just, yeah sorry about that, just mark it as a spoof and tell your users to get used to seeing messages marked as spoofed.
Why can't I just turn this off? Here are the options that I have, Quarantined, Deleted, Tagged.
How is anyone else dealing with this? We cannot implement this protection if we have to tell our user base to disregard some part of its protections (disregard tagged spoofed email).
This thread was automatically locked due to age.