What is Anti-Spoofing Header Lockout?
An Anti-Spoofing Header Lockout occurs when an email is sent from an external server that is spoofing your organization's email domain. This typically happens when the Envelope From address and the Header From address differ, and the email comes from outside your organization but appears to be an internal communication; specifically, it arrives from an IP address not associated with the Mimecast tenant. By default, anti-spoofing policies block such messages to prevent email spoofing and phishing attempts.
Common Causes of Anti-Spoofing Header Lockout
There are several reasons why legitimate emails may be rejected by anti-spoofing policies:
- Incorrectly configured anti-spoofing policies.
- Legitimate third-party services sending emails on behalf of your domain.
Mimecast's Anti-Spoofing policies are designed to prevent email spoofing by checking email headers and sender information. Emails can be rejected if they do not meet the configured policy criteria, such as:
- If the header or envelope From references an internal domain and there is no exemption for the sender, the message will be rejected.
- The email comes from an unrecognized or suspicious IP address.
- Anti-spoofing policies should check both the header and envelope From. A failure in either will trigger rejection if the policy is configured according to best practices.
Resolving Anti-Spoofing Header Lockout
To resolve an Anti-Spoofing Header Lockout, you can create an Anti-Spoofing Bypass policy by following these steps:
- Navigate to Gateway | Policies | Gateway Policies | Anti-Spoofing.
- Click New Policy.
- Select Take No Action.
- Set Addresses Based On to Both.
Anti-spoofing policies should check both the header and envelope From addresses. The Addresses Based On field must reference an internal domain; policies scoped to external domains will not work. A spoofing rejection can still be triggered if the sender IP is external and not exempted.
- Set Applies From and Applies To to Everyone.
- Check (enable) the Policy Override box.
- Add the relevant legitimate sender's IP address(es) to the Source IP Ranges field (use /32 for individual IPs, e.g., 1.1.1.1/32).
- Save the policy.
For specific cases where emails are being rejected by an Anti-Spoofing Policy, follow these steps:
- Locate the Default Anti-Spoofing Allow Policy in Gateway | Policies | Anti-Spoofing.
- Add the specific IP addresses causing the rejection to the Source IP Ranges section.
- Ensure you add '/32' at the end of each IP address to represent a single IP.
- Verify the IPs are from the legitimate sending service to prevent unauthorized email spoofing.
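The rejection criteria above (an internal domain in either the header or envelope From, with no exempting source IP) and the /32 bypass policy can be modelled to check, before you save a policy, whether a given message would still hit the lockout. This is an added example and not Mimecast code; the policy class, the internal domain, the partner IP and the sample message are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Constructed example data: the tenant's own (internal) domains.
INTERNAL_DOMAINS = {"example.com"}
REJECT = "reject: 13045 Anti-Spoofing Header Lockout"
ACCEPT = "accept"


@dataclass
class BypassPolicy:
    """Hypothetical model of a 'Take No Action' Anti-Spoofing policy."""
    addresses_based_on: str                                     # "Both", "Header" or "Envelope"
    source_ip_ranges: list[str] = field(default_factory=list)   # CIDRs, /32 for a single IP

    def exempts(self, check: str, source_ip: str) -> bool:
        ip = ipaddress.ip_address(source_ip)
        covers_check = self.addresses_based_on in ("Both", check)
        in_range = any(ip in ipaddress.ip_network(r, strict=False)
                       for r in self.source_ip_ranges)
        return covers_check and in_range


def domain_of(address: str) -> str:
    """Extract the lower-cased domain from a display-name-style address."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def evaluate(raw_message: str, envelope_from: str, source_ip: str,
             policies: list[BypassPolicy]) -> str:
    """Decide whether an externally sourced message would hit the lockout."""
    header_from = message_from_string(raw_message).get("From", "")
    checks = {"Header": header_from, "Envelope": envelope_from}
    for check, address in checks.items():
        if domain_of(address) not in INTERNAL_DOMAINS:
            continue  # only references to an internal domain count as spoofing
        if not any(p.exempts(check, source_ip) for p in policies):
            return REJECT  # a failure on either address rejects the message
    return ACCEPT


# Constructed sample: a partner's server sends mail as the internal domain.
SAMPLE = "From: Alerts <alerts@example.com>\r\nSubject: Invoice\r\n\r\nbody\r\n"
PARTNER_IP = "203.0.113.10"  # documentation address standing in for the partner server

if __name__ == "__main__":
    print(evaluate(SAMPLE, "bounce@partner.example", PARTNER_IP, []))
    print(evaluate(SAMPLE, "bounce@partner.example", PARTNER_IP,
                   [BypassPolicy("Both", ["203.0.113.10/32"])]))
```

Running it prints the lockout rejection first, then "accept" once the partner's /32 is added to a policy based on Both; a policy based on Envelope only would still reject this message because the spoofed address is in the header.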
Considerations when Creating Anti-Spoofing Policies
When configuring Anti-Spoofing policies, consider the following:
- Mimecast recommends enabling the Default Anti-Spoofing checkbox when adding a new domain to the Mimecast account.
- Anti-Spoofing policies override addresses or domains permitted by users, including messages from Permitted Senders.
- Under normal circumstances, leave the Source IP Ranges and Hostname fields blank.
- All internal domains should be covered by either an Apply Anti-Spoofing policy (exclude Mimecast IPs) or a Take No Action policy to allow legitimate spoofed mail restricted to specific source IPs.
- Anti-Spoofing policies can be applied individually or within a Profile Group.
Troubleshooting Specific Scenarios
If an anti-spoofing policy is not correctly configured, emails from authorized sources may be rejected. For example, emails from a partner's IP address were blocked with a '13045 Anti-Spoofing Header Lockout' error, preventing legitimate communication from being received. In such cases, review and adjust your anti-spoofing policies using the steps outlined above to allow legitimate emails while maintaining security.
Creating an SPF-Based Bypass Policy
Creating an SPF-Based Bypass policy involves identifying the legitimate sender's mail server IP addresses and adding them to an Anti-Spoofing Bypass policy. Ensure you add the correct IP ranges and verify that the policy allows emails from these specific sources while maintaining overall email security protections. Multiple bypasses with overlapping scopes and the override policy option enabled can cause inconsistencies.
This is only recommended when dealing with large ISPs (e.g., Salesforce, M365, SendGrid) with a large range of IPs, given that these are difficult to manage with an Anti-Spoofing Take No Action policy.
Configuration Options for Email Rejection
When dealing with email rejection due to Anti-Spoofing policies, you have several configuration options:
- Create a 'Take No Action' Anti-Spoofing policy scoped to specific email addresses.
- Create a 'Take No Action' policy for a profile group containing both sender and recipient email addresses.
Use Take No Action policies for static or limited IPs. For dynamic IPs from large providers, SPF-based bypass is better as it reduces administrative overhead for managing IP changes.
- Configure policy with specific IP ranges to allow emails from trusted sources.
- Ensure the policy is appropriately scoped (not too broad or too restrictive) to maintain security while allowing legitimate email communication.