Policies - Mimecast Policy Specificity

This article contains information on Mimecast's policy specificity rules, detailing how policies are prioritized based on specificity levels, exceptions for cumulative policies, and examples of how specificity is determined for email processing.

Mimecast applies policies to messages based on specificity. The more specific a policy is, the higher the priority. For example, a policy specifying a single individual email address is very specific and is favored above a policy applied to everyone (which is the least specific of all).

Each policy performs an action that is applied to messages as they are processed by the Mimecast gateway. In many cases, more than one policy of the same type (e.g., Blocked Sender) is considered for the same message, but only the most specific policy of that type is applied. See the example displayed.


Using Policy Specificity

Mimecast only applies one policy of each type to an email, but many types of policies could apply to a message. For example, only one Stationery Layout is applied to each message, but we will also apply Attachment Management and Content Examination policies if configured.

There are some exceptions to this rule:

  • Content Examination
  • Content Examination Bypass
  • Impersonation Protection
  • Impersonation Protection Bypass
  • Smart Tag Assignment

These policy types are cumulative. When multiple cumulative policies match the From and To values of a message, all of those cumulative policies are applied to the message, and the appropriate action(s) are taken.

Levels of Specificity

The levels of specificity range from Everyone, which is the least specific of the routing categories, to Individual Email Address, which is the most specific.
The table below lists these levels in order of increasing specificity:

| Specificity Level | Description |
|---|---|
| Everyone | This is the least specific of all from/to options and includes all email addresses. |
| Internal Addresses | All addresses internal to your account are typically found under Users & Groups \| Internal Directories. |
| External Addresses | All addresses external to your account are typically found under Users & Groups \| External Directories. |
| Email Domain | Enables you to specify one or more domain names to which the policy is applied. |
| Freemail Domains | Only available under the "Email From" section of Impersonation Protection policies. Includes sender domains that are present on a Mimecast list of freemail domains. |
| Address Groups | Enables you to specify a predefined Directory or Profile Group that could hold domain names or individual addresses. See the Specificity within Group Structures section below for further details. |
| Header Display Name | Only available under the "Email From" section of Impersonation Protection policies when the "Addresses Based On" option has been set to "The Message From Address" or "Both". This enables you to specify a Header Display Name. |
| Address Attributes | Enables you to specify a predefined attribute and can only be used when attributes have been configured. |
| Individual Email Address | This is the most specific of all from/to options and relates to a single email address. |

Specificity Within Group Structures

If two policies of the same type (except cumulative policies) apply to different groups and the same member is present in both groups (either directly or via a nested group), additional logic gets applied to find the most specific group:

  1. Closeness to the Policy: The closer the user is to the group to which the policy has been applied, the more specific the group is. This means that a group where the user is a direct member is more specific than when the user is a member via a nested group.
  2. Deepest Group: If the "closeness to the policy" logic still results in an equal specificity of the group, the depth of the group will be considered. The deeper the group sits in your directory structure, the more specific it is.

Equal Specificity

For policies (except cumulative policies), where there is equal specificity between two or more policies of the same policy type, the following logic is applied to decide which policy needs to be applied:

  1. Recipient Trumps Sender: When there is equal specificity, the "Emails To" value receives a slightly higher score. This means the Mimecast Gateway considers the recipient more specific than the sender.
  2. Conditions: Where there is equal specificity and the "recipient trumps sender" logic does not resolve this, a policy that has a matching "Source IP Range" or matching "Hostname" validity condition is considered more specific.
  3. Most Recently Created: Where there is equal specificity and the "recipient trumps sender" and "conditions" logic do not resolve this, the most recently created policy is favored. To find the creation date of a policy, you can search the Audit Logs section.
  • The "most recently created" specificity rule doesn't apply to Delivery Routing and Stationery policies. For these policy types, where there is equal specificity, the last rule is ignored and the most specific policy is chosen at random. This ensures automated randomization.
  • Where Geographical Restrictions apply, the specificity order can change based upon the default behavior of a Permit overriding a Block. This is unique to Geographical-Based Restrictions. See Configuring Geographical Restrictions.
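
The selection rules above, modeled as an added Python example (not Mimecast code). It assumes the From and To levels are ranked by their position in the levels table and summed, which the article does not specify; `Policy`, `score`, `select` and the sample policy names are hypothetical, and group nesting, Policy Override and Geographical Restrictions are left out.

```python
from dataclasses import dataclass
from datetime import date

# Levels in increasing specificity, as listed in the table on this page.
LEVELS = ["Everyone", "Internal Addresses", "External Addresses", "Email Domain",
          "Freemail Domains", "Address Groups", "Header Display Name",
          "Address Attributes", "Individual Email Address"]
RANK = {name: i for i, name in enumerate(LEVELS)}
# Policy types the page names as cumulative: every matching policy applies.
CUMULATIVE = {"Content Examination", "Content Examination Bypass",
              "Impersonation Protection", "Impersonation Protection Bypass",
              "Smart Tag Assignment"}
NO_RECENCY = {"Delivery Routing", "Stationery"}  # page: recency rule not used

@dataclass(frozen=True)
class Policy:
    name: str
    ptype: str
    emails_from: str                 # specificity level of "Emails From"
    emails_to: str                   # specificity level of "Emails To"
    created: date
    condition_matched: bool = False  # Source IP Range / Hostname matched

def score(p):
    key = (RANK[p.emails_from] + RANK[p.emails_to],  # assumption: ranks are summed
           RANK[p.emails_to],                        # recipient trumps sender
           p.condition_matched)                      # matching validity condition
    return key if p.ptype in NO_RECENCY else key + (p.created,)  # newest wins

def select(matching):
    """Map policy type -> names applied; >1 name for a non-cumulative type is a tie."""
    by_type = {}
    for p in matching:               # policies whose From/To already match the message
        by_type.setdefault(p.ptype, []).append(p)
    applied = {}
    for ptype, group in by_type.items():
        if ptype not in CUMULATIVE:
            best = max(score(p) for p in group)
            group = [p for p in group if score(p) == best]
        applied[ptype] = sorted(p.name for p in group)
    return applied

DOM, ONE = "Email Domain", "Individual Email Address"
SAMPLE = [  # constructed: policy names and dates are illustrative
    Policy("bs-old", "Blocked Sender", DOM, ONE, date(2021, 4, 26)),
    Policy("bs-new", "Blocked Sender", DOM, ONE, date(2021, 10, 29)),
    Policy("bs-from", "Blocked Sender", ONE, DOM, date(2022, 1, 1)),
    Policy("ce-a", "Content Examination", "Everyone", "Everyone", date(2020, 1, 1)),
    Policy("ce-b", "Content Examination", DOM, ONE, date(2020, 1, 1)),
]
```

When `select` returns two names for a Delivery Routing or Stationery type, that is the case in which the page says the gateway picks at random.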

Specificity Examples Based on Messages From / Emails To Details

For all policy types (except the cumulative policies), as described above, a policy is selected based on specificity. In order to determine which policy is the most specific, both the "Emails From" and the "Emails To" settings of policies need to be examined.

Here are some examples that illustrate how policy selection is made based on specificity using the "Emails From" and "Emails To" policy components.

| From | To | More Specific |
|---|---|---|
| Everyone | Email Domain, e.g. Domain.com | |
| Everyone | Individual Email Address, e.g. test@domain.com | |


| From | To | More Specific |
|---|---|---|
| Email Domain, e.g. Domain.com | Everyone | |
| Everyone | Individual Email Address, e.g. test@domain.com | |

| From | To | More Specific |
|---|---|---|
| Address Groups, e.g. Suppliers | Email Domain, e.g. Domain.com | |
| Email Domain, e.g. Domain.com | Email Domain, e.g. Domain.com | |

| From | To | More Specific |
|---|---|---|
| Address Groups, e.g. Profile Groups > Root > Suppliers | Email Domain, e.g. Domain.com | |
| Address Groups, e.g. Directory Groups > Root > Internal > Domain > Company > Suppliers | Email Domain, e.g. Domain.com | (deepest group) |

| From | To | More Specific |
|---|---|---|
| Individual Email Address, e.g. test@domain.com | Email Domain, e.g. Domain.com | |
| Email Domain, e.g. Domain.com | Individual Email Address, e.g. test@domain.com | (recipient trumps sender) |

| From | To | More Specific |
|---|---|---|
| Email Domain, e.g. Domain.com (created 26 April 2021) | Individual Email Address, e.g. test@domain.com | |
| Email Domain, e.g. Domain.com (created on 29 October 2021) | Individual Email Address, e.g. test@domain.com | (most recently created) |

Considerations

  • Only a policy's "Policy Override" option can be used to override the specificity model.
  • The Mimecast Administration Console always lists policies in order of ascending specificity, from the least specific to the most specific.
  • The Mimecast Gateway evaluates the "Emails From" and "Emails To" of the message when making specificity calculations.
  • The Mimecast Gateway scores the "Emails From" and "Emails To" settings of the matching policies when making specificity calculations.
  • Where multiple policies exist for the same type, only the most specific policy will be applied (except for cumulative policies).
