We have reported several issues to Sophos support, but basically they haven't been fixed.
The problem is related to impersonating your domain email addresses with malicious URLs.
- Base email Security
DMARC and SPF are checked against the HELO email server. When that server is using its own SPF and DMARC settings, they will not fail, as it is not checked against the From email address, so your domain's SPF and DMARC are never taken into account.
So basically, Header Anomalies is useless.
The response from support was to delete the Base Email Security policy and recreate it instead of fixing their check logic.
Now we found another one. When we block the email server's HELO name with an add-block setting, this is not enforced, as they use another From address. Argh! I have now added their IP address as well, and in some cases I had to add whole ranges. An add-block IP range would be helpful.
Frustrated.
Fred
Today I saw another email that was allowed through, but this time our DMARC policy was recorded correctly (quarantine), as the header.from shows our domain, but still the Base Email Security Policy was not applied (DMARC Fail Quarantine, Header Anomalies Reject):

spf=pass smtp.helo=spammer.domain; dkim=none; dmarc=fail (recordpolicy=quarantine) header.from=yourdomain.com
Received-SPF: pass receiver=mx-01-eu-central-1.prod.hydra.sophos.com; client-ip=45.158.14.46; envelope-from=<>; helo=spammer.domain;
X-Sophos-Product-Type: Gateway
X-Sophos-Email-ID: a3208286e1844ec9ae73fab1a9bd537d
Received: from spammer.domain (45-158-14-46.hostlab.net.tr [45.158.14.46]) by mx-01-eu-central-1.prod.hydra.sophos.com (Postfix) with ESMTP id 4KSjrY28CfzHnHS

The SPF pass is not from yourdomain.com, or Sophos does not read it correctly.
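As an added illustration of the alignment rule behind the headers quoted above (this is not code from the poster or from Sophos), the following Python applies the DMARC identifier-alignment check from RFC 7489: an SPF pass only counts towards DMARC when the domain SPF vouched for (MAIL FROM, or the HELO name when MAIL FROM is the null sender `<>`) aligns with the header.from domain. On the sample headers the SPF pass is for `spammer.domain`, which does not align with `yourdomain.com`, so DMARC fails and the published p=quarantine applies. The public-suffix list and the Received-SPF value are constructed stand-ins assumed for the example.

```python
# Added example, not code from the original thread or from Sophos.
# Evaluates DMARC identifier alignment (RFC 7489) from the identities an MTA
# records in Received-SPF / Authentication-Results headers.
import re

# Constructed stand-in for the Public Suffix List (assumption for the example;
# real deployments load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "tr", "com.tr", "net.tr"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(authenticated: str, header_from: str, mode: str = "relaxed") -> bool:
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    a, h = authenticated.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "strict":
        return a == h
    return organizational_domain(a) == organizational_domain(h)


def spf_identity(envelope_from: str, helo: str) -> str:
    """Domain an SPF pass vouches for. With a null reverse path (<>) SPF is
    evaluated against the HELO name (RFC 7208 section 2.4), so that, not the
    header From, is the identity DMARC has to align."""
    sender = envelope_from.strip().strip("<>")
    if not sender or "@" not in sender:
        return helo.lower()
    return sender.rsplit("@", 1)[1].lower()


def parse_received_spf(header: str) -> dict:
    """Parse a Received-SPF value ('pass key=value; ...') into a dict."""
    if header.lower().startswith("received-spf:"):
        header = header.split(":", 1)[1]
    result, _, rest = header.strip().partition(" ")
    fields = {"result": result.lower()}
    for key, value in re.findall(r"([\w-]+)=(<[^>]*>|[^;\s]+)", rest):
        fields[key.lower()] = value
    return fields


def dmarc_evaluate(header_from: str, spf_result: str, spf_domain: str,
                   dkim_pass_domains, spf_mode="relaxed", dkim_mode="relaxed") -> str:
    """DMARC passes only if SPF or DKIM passed AND that identity aligns with
    the RFC5322.From domain; an unaligned SPF pass is irrelevant to DMARC."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, spf_mode)
    dkim_ok = any(aligned(d, header_from, dkim_mode) for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def policy_action(dmarc_result: str, published_policy: str) -> str:
    """Disposition from the domain owner's published p= tag (none/quarantine/reject)."""
    return "none" if dmarc_result == "pass" else published_policy


# Received-SPF value constructed from the headers quoted in the thread.
SAMPLE_RECEIVED_SPF = ("Received-SPF: pass receiver=mx-01-eu-central-1.prod.hydra.sophos.com; "
                       "client-ip=45.158.14.46; envelope-from=<>; helo=spammer.domain;")


def evaluate_sample(header_from="yourdomain.com", published_policy="quarantine"):
    """Run the alignment check on the sample: no DKIM signature, null MAIL FROM."""
    spf = parse_received_spf(SAMPLE_RECEIVED_SPF)
    identity = spf_identity(spf["envelope-from"], spf["helo"])
    result = dmarc_evaluate(header_from, spf["result"], identity, [])
    return {"spf_identity": identity, "dmarc": result,
            "action": policy_action(result, published_policy)}


if __name__ == "__main__":
    print(evaluate_sample())
    # Contrast: an SPF pass for a MAIL FROM in the owner's domain does align.
    print(dmarc_evaluate("yourdomain.com", "pass", "mail.yourdomain.com", []))
```

The useful check for a gateway policy is therefore not "did SPF pass" but "did an aligned identity pass"; a rule keyed on the bare SPF result will wave through exactly the null-sender, own-HELO pattern shown in the quoted headers.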