In the event that you as an administrator noticed that there are a lot of spam emails getting through to your users (per day) here are the things you should check on before contacting Technical Support:
1. Spam Filtering settings
2. Sender Check settings
3. MX record
4. Delivery IP
5. Allow list
6. Send samples
For #1, the recommended settings for all is "Quarantine". This is because this the best setting when it comes to making sure that the email does not get to your users in the event that it is indeed malicious. At the same time if the detection is a false positive, the email can still be retrieved and released to the user.
For #2, the recommended settings for all is "Quarantine". (Note: Although sender checks does not directly detect if an email is spam or not, it is meant to help lower the number of spam emails getting through, hence it is included here.) The reason for this is that if the administrator somehow made a mistake in configuring the DNS records (which is usually the only cause for sender checks to have false positive) then atleast they can still release those affected emails to the users later on.
[for Gateway mode] Since the MX record dictates which host the sender's email server connects to, the recommended setting for this is ONLY to have the Sophos Email hosts listed there. This is because you want our product to scan and process the emails before relaying them to your email server. If you have listed hosts other than Sophos Email's, this gives the spammer ideas on which host to connect to, to bypass Sophos Email by just connecting directly to it instead.
[for Mailflow mode] Since this type of deployment involves M365 initially accepting emails first and then passing the email to our Sophos Email servers for processing, the MX record should be pointed to M365 and not to Sophos Email hosts.
For #4, the recommendation is to ONLY have Sophos Email delivery IPs configured in your email server's receive connector. This is to ensure also that the Sophos Email cannot be bypassed by the spammer.
For #5, make sure that the sender's domain, host name, IP address, or email address is not part of the Allow list. This is because this list makes emails bypass the Spam filtering and Sender check. So make sure that you carefully consider what you put in it.
For #6 While there are other ways to pro-actively create spam detection we always recommend sending samples to our labs. This is for the reason that the best source of samples would be the ones who are directly affected by the spam issue.
Once all of the above has been checked and confirmed correct, if you have been sending spam samples but the same (or similar) spam emails are still getting through, then we recommend creating a case with technical support.
Please make sure to inform Technical support that you have sent samples already however still have the same issue as this is a crucial historical information that our labs would benefit from when refining the detection.
Below is the URL link explaining on how to submit spam samples:https://support.sophos.com/support/s/article/KB-000033422?language=en_US
Expectations when sending spam samples: