This article contains information on configuring Mimecast Anti-Spoofing policies to block unwanted spoof emails, protect internal domains, and allow legitimate spoofed emails from specified sources.
Spoofing is the forgery of email headers so that messages appear to come from someone other than the actual source. This tactic is used in phishing and spam campaigns, as recipients are more likely to open a message that looks legitimate. Anti-Spoofing policies ensure that external messages appearing to come from an internal domain are blocked.
Best Practice
When a new domain is added to your Mimecast account, it is recommended that the Default Anti-Spoofing checkbox is enabled. This automatically creates an Anti-Spoofing policy that contains the settings below. If this was not done when the domain was registered in Mimecast, you can follow the steps below to apply a Default Anti-Spoofing policy.
All of your Internal Domains should be covered by one of the following:
- A policy set to Apply Anti-Spoofing (Excluding Mimecast IPs), either individually or within a Profile Group.
- One or more Take No Action policies to allow any legitimately spoofed mail, restricted to the source IPs.
Default Anti-Spoofing Policy (Block Unwanted Spoof Emails)
To configure an Anti-Spoofing policy:
- Log on to the Mimecast Administration Console.
- Navigate to Gateway | Policies.
- Click on Anti-Spoofing. A list of policies is displayed.
- Click on New Policy. For further details on completing the basic policy criteria, see the Mimecast KB article: Policy Basics: From / To / Validity.
- Complete with the following settings:
Field / Option | Required configuration |
---|---|
Policy Narrative | Enter a name for the policy. |
Select Option | Apply Anti-Spoofing (Exclude Mimecast IPs) |
Addresses Based On | Both |
Applies From | Email Domain |
Specifically | Enter the internal domain that you want to protect from spoofing. |
Applies To | Internal Addresses |
Specifically | Applies to all Internal Recipients |
Enable / Disable | Enable |
Set policy as perpetual | Always On |
Date Range | All time |
Policy Override | Disabled |
Bi-Directional | Disabled |
Source IP Ranges (n.n.n.n/x) | Leave the text box blank. Note: You will never need to specify an IP address when applying Anti-Spoofing checks under normal circumstances. |
Hostname(s) | Leave the text box blank. Note: You will never need to specify a Hostname when applying Anti-Spoofing checks under normal circumstances. |
- Click Save and Exit.
Anti-Spoofing Policy to Allow Spoofing (Bypass)
A bypass policy can be created to allow spoofing emails from specified IP addresses or hostnames. All other spoof emails will be blocked if the correct default Anti-Spoofing policies are set up for your internal domains.
Items highlighted in bold are the recommended default settings for most customers.
Field / Option | Required configuration |
---|---|
Policy Narrative | Enter a name for the policy. |
Select Option | Take No Action |
Addresses Based On | Both |
Applies From | Everyone. Note: For additional security, you can be more specific and restrict it to a domain or individual address if you wish. |
Specifically | Applies to all Internal Senders. Note: Unless you're specifying an individual address or domain. |
Applies To | Everyone. Note: For additional security, you can be more specific and restrict it to an internal domain or internal email address if you wish. |
Specifically | Applies to all Internal Recipients. Note: Unless you're specifying an individual address or domain. |
Enable / Disable | Enable |
Set policy as perpetual | Always On |
Date Range | All time |
Policy Override | Enabled |
Bi-Directional | Disabled |
Source IP Ranges (n.n.n.n/x) | Tighten this policy's security by entering the sending server's public IP address or address range in CIDR format. The policy will only trigger when the IP matches. |
Hostname(s) | Less commonly used; however, you can restrict this policy by utilizing the sending servers' publicly visible hostname. The policy will only trigger when the Hostname matches. |
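As an added example (not Mimecast code and not a Mimecast export format), the following Python script audits a hand-written policy inventory against the two rules above: every internal domain needs an enabled Apply Anti-Spoofing policy, and every Take No Action bypass should be restricted to a source IP range or hostname. The field names, the sample policies and the /24 breadth threshold are assumptions made for illustration.

```python
import ipaddress

APPLY = "Apply Anti-Spoofing (Exclude Mimecast IPs)"
BYPASS = "Take No Action"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory with hypothetical field names (not a Mimecast export format).
INTERNAL_DOMAINS = ["example.com", "example.org", "example.net"]
POLICIES = [
    {"narrative": "Block spoof example.com", "option": APPLY, "enabled": True,
     "from_domains": ["example.com"], "source_ips": [], "hostnames": []},
    {"narrative": "Block spoof example.org", "option": APPLY, "enabled": False,
     "from_domains": ["example.org"], "source_ips": [], "hostnames": []},
    {"narrative": "Allow CRM relay", "option": BYPASS, "enabled": True,
     "from_domains": [], "source_ips": ["203.0.113.10/32"], "hostnames": []},
    {"narrative": "Allow scanner", "option": BYPASS, "enabled": True,
     "from_domains": [], "source_ips": [], "hostnames": []},
    {"narrative": "Allow old MTA", "option": BYPASS, "enabled": True, "from_domains": [],
     "source_ips": ["192.168.1.0/24", "203.0.112.0/20", "198.51.100.7/24"], "hostnames": []},
]

def uncovered_domains(domains, policies):
    """Internal domains with no enabled 'Apply Anti-Spoofing' policy."""
    covered = {d.lower() for p in policies if p["enabled"] and p["option"] == APPLY
               for d in p["from_domains"]}
    return [d for d in domains if d.lower() not in covered]

def bypass_findings(policies, min_prefix=24):
    """(narrative, reason) for each enabled bypass that is unscoped or badly scoped."""
    findings = []
    for p in policies:
        if not p["enabled"] or p["option"] != BYPASS:
            continue
        if not p["source_ips"] and not p["hostnames"]:
            findings.append((p["narrative"], "no source IP range or hostname"))
        for cidr in p["source_ips"]:
            try:
                net = ipaddress.ip_network(cidr)  # strict parse: host bits must be zero
            except ValueError:
                findings.append((p["narrative"], f"invalid CIDR {cidr}"))
                continue
            if any(net.version == 4 and net.subnet_of(r) for r in RFC1918):
                findings.append((p["narrative"], f"private range {cidr}"))  # not a public IP
            elif net.version == 4 and net.prefixlen < min_prefix:  # assumed threshold
                findings.append((p["narrative"], f"broad range {cidr}"))
    return findings

if __name__ == "__main__":
    print(uncovered_domains(INTERNAL_DOMAINS, POLICIES), bypass_findings(POLICIES))
```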
Usage Considerations
Consider the following before configuring a policy:
- Anti-Spoofing policies override addresses or domains permitted by users. For example, messages from a Permitted Sender will still be rejected if detected as spoofing.
- For a bypass policy, the action is applied if the inbound mail comes from any of the specified IP addresses or hostnames.