In the event that you as an administrator noticed that there are a lot of spam emails getting through to your users (per day) here are the things you should check on before contacting Technical Support:
1. Spam Filtering settings
2. Sender Check settings
3. MX record
4. Delivery IP
5. Allow list
6. Send samples
For #1, the recommended settings for all is "Quarantine". This is because this the best setting when it comes to making sure that the email does not get to your users in the event that it is indeed malicious. At the same time if the detection is a false positive, the email can still be retrieved and released to the user.
For #2, the recommended settings for all is "Quarantine". (Note: Although sender checks does not directly detect if an email is spam or not, it is meant to help lower the number of spam emails getting through, hence it is included here.) The reason for this is that if the administrator somehow made a mistake in configuring the DNS records (which is usually the only cause for sender checks to have false positive) then atleast they can still release those affected emails to the users later on.
For #3, since the MX record basically dictates which host the sender's email server connects to in order to relay an email to a recipient domain, the recommended settings for this is to ONLY have the Central Email hosts listed there. The reason for this is because you want our product to scan and process the emails before relaying them to your email server. If you have listed hosts other than Central Email's, this gives the spammer ideas on which host to connect to in order to bypass Central Email by just connecting directly to it instead.
For #4, the recommendation is to ONLY have Central Email delivery IPs configured in your email server's receive connector. This is to ensure also that the Central Email cannot be bypassed by the spammer.
For #5, make sure that the sender's domain, host name, IP address, or email address is not part of the Allow list. This is because this list makes emails bypass the Spam filtering and Sender check. So make sure that you carefully consider what you put in it.
For #6 While there are other ways to pro-actively create spam detection we always recommend sending samples to our labs. This is for the reason that the best source of samples would be the ones who are directly affected by the spam issue.
Once all of the above has been checked and confirmed correct, if you have been sending spam samples but the same (or similar) spam emails are still getting through, then we recommend creating a case with technical support.
Please make sure to inform Technical support that you have sent samples already however still have the same issue as this is a crucial historical information that our labs would benefit from when refining the detection.
Below is the URL link explaining on how to submit spam samples:https://support.sophos.com/support/s/article/KB-000033422?language=en_US
Expectations when sending spam samples: