Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Enhanced Message Authentication

What’s new – Aug 7, 2023

Your email security is the quintessential to Sophos Email and the product team is constantly listening to your feedback to improve your email security posture. One of the enhancements frequently requested is the support for comprehensive message authentication check options – and, in particular, support for SPF soft failure check option. We believe that with this release, Sophos Email has a complete range of options for message authentication checks. Combined with the Email Security policy, Message Authentication gives you a granular control over the options that you may need to apply to your inbound messages. Furthermore, the new option of Domain Anomaly in Sender Checks boosts your email security against ingenuine sender domains.
Watch the video attached at end of this post to familiarize yourself with the feature.

Applies to the following Sophos products
Sophos Email Advanced

In this post the following sections are covered:
  ● How to configure
      • SPF check
      • DKIM check
      • Domain anomaly
  ● Watch the video

How to configure

Message authentication is configured in Email Security policy, as shown in the screenshot below. To configure for new authentication check failure options introduced in this release, you need to click on Add Rule button.

  1. One of the commonly overlooked requirements of the DMARC check is its dependency on the SPF and DKIM checks. To depict this dependency on the screen, DMARC is placed in a hierarchy to SPF and DKIM.
  2. Also, for clarity, the other sender checks are listed in a separate section.

SPF check

As shown in the screenshot below, you can check for following types of SPF check failures:

  • Soft failure
  • Neutral
  • Unsupported
  • Temporary failure
  • Permanent failure

DKIM check

As shown in the screenshot below, you can check for following types of DKIM check failures:

  • Unsupported
  • Temporary failure
  • Permanent failure

Domain Anomaly

You’ll notice that a new type of sender check, Domain Anomaly, has been introduced. This sender check enhances your email security by detecting emails sent from ingenuine senders. Often spammers send messages from a domain which neither has a MX-record nor has an A-record – not expected of a genuine sender domain.

Watch the video