Message Authentication
Message authentication allows you to verify whether an email originates from where it claims to come from. Sophos Email Security uses DMARC, SPF, and DKIM to do this.
Message authentication checks are performed in the order they appear in the UI. If an email fails the first sender authentication, the other authentications are not carried out. See How Message Authentication works.
For more information on the order in which authentications are carried out in different scenarios, see Sequence of Message Authentication.
We recommend that you set each message authentication category to Quarantine.
You can override the message authentication by allowing domains and email addresses in the Inbound allow list.
For each message authentication check, you can choose to send messages that fail it to End User Quarantine.
DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication policy and reporting protocol. It builds on the DKIM and SPF protocols to detect and prevent email spoofing. You can control what happens to messages that fail DMARC checks.
Select from:
- Conform to sender policy: What happens to the message depends on what the sender stated in their DMARC policy. This is the default value.
- Tag subject line: Email Security adds a tag to the message's subject line indicating that it is a spoofed message.
- Quarantine: Message is quarantined.
- Reject: Message is rejected.
- Deliver: Message is delivered to the next stage.
SPF
Sender Policy Framework (SPF) allows you to verify that incoming email comes from an IP address authorized by the sending domain's administrators.
Hard failure is the default SPF result for which you can configure a failure action.
You can also configure actions for the other SPF results:
- Unsupported
- Temporary failure
- Permanent failure
- Soft failure
- Neutral
Spam and phishing emails often use forged addresses.
Select from:
- Tag subject line: Email Security adds a tag to the message's subject line indicating that it's a spoofed message. This is the default value.
- Quarantine: Message is quarantined.
- Reject: Message is rejected.
- Deliver: Message is delivered to the next stage.
DKIM
DomainKeys Identified Mail (DKIM) is an authentication framework used to sign and validate a message based on the domain of the sender. You can control what happens to messages that fail DKIM checks.
Hard failure is the default DKIM result for which you can configure a failure action.
You can also configure actions for the other DKIM results:
- Unsupported
- Temporary failure
- Permanent failure
Select from:
- Tag subject line: Email Security adds a tag to the message's subject line indicating that it's a spoofed message. This is the default value.
- Quarantine: Message is quarantined.
- Reject: Message is rejected.
- Deliver: Message is delivered to the next stage.
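The following Python example is added here to illustrate the evaluation order described above (the first failing check decides, later checks are skipped), the "Conform to sender policy" behaviour for DMARC, the allow-list override, and the SPF and DKIM failure categories listed on this page. It is not Sophos code: it assumes the checks run in the order DMARC, SPF, DKIM, that every category is set to the recommended Quarantine action, that RFC 8601 Authentication-Results codes map onto the page's categories as shown, and it uses a constructed header with hypothetical domains.

```python
import re

# Constructed sample header (hypothetical domains), as a gateway would stamp it.
SAMPLE_AR = ("mx.example.net; dmarc=fail (p=quarantine) header.from=example.org; "
             "spf=softfail smtp.mailfrom=example.org; dkim=none")

# Assumed check order: the order the categories appear on this page.
CHECK_ORDER = ("dmarc", "spf", "dkim")

# Assumed mapping of RFC 8601 result codes onto the page's failure categories.
SPF_CATEGORY = {"fail": "Hard failure", "softfail": "Soft failure", "neutral": "Neutral",
                "temperror": "Temporary failure", "permerror": "Permanent failure",
                "none": "Unsupported"}
DKIM_CATEGORY = {"fail": "Hard failure", "temperror": "Temporary failure",
                 "permerror": "Permanent failure", "none": "Unsupported"}

# Assumed configuration: DMARC default, every SPF/DKIM category set to Quarantine.
POLICY = {"dmarc": "Conform to sender policy",
          "spf": {c: "Quarantine" for c in SPF_CATEGORY.values()},
          "dkim": {c: "Quarantine" for c in DKIM_CATEGORY.values()}}

def parse_auth_results(header):
    """Return {method: (result, trailing properties)} from an Authentication-Results value."""
    results = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(dmarc|spf|dkim)=(\w+)(.*)", clause)
        if m:
            results[m.group(1)] = (m.group(2), m.group(3))
    return results

def dmarc_policy_action(props):
    """'Conform to sender policy': the sender's published p= tag picks the action."""
    m = re.search(r"p=(\w+)", props)
    tag = m.group(1) if m else ""
    return {"reject": "Reject", "quarantine": "Quarantine"}.get(tag, "Deliver")  # p=none: deliver (assumed)

def evaluate(header, policy=POLICY, allow_listed=False):
    """Run checks in order; the first failure decides and later checks are skipped."""
    if allow_listed:                               # Inbound allow list overrides authentication
        return ("allow-list", None, "Deliver")
    ar = parse_auth_results(header)
    for method in CHECK_ORDER:
        result, props = ar.get(method, ("none", ""))
        if method == "dmarc":
            if result != "fail":                   # pass, or no DMARC record: nothing to act on
                continue
            action = policy["dmarc"]
            return (method, "fail", dmarc_policy_action(props) if action == "Conform to sender policy" else action)
        if result == "pass":
            continue
        category = (SPF_CATEGORY if method == "spf" else DKIM_CATEGORY).get(result, "Unsupported")
        return (method, category, policy[method][category])
    return (None, None, "Deliver")                  # every check passed: next stage
```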