Policies - Managing Blocked Senders and Email Rejections

Introduction to Blocked Senders and Email Rejections

Mimecast's Blocked Senders policy restricts messages to or from specific email addresses or domains, typically used for blocking inbound messages. This policy is a crucial part of Mimecast's security framework, helping to prevent unwanted or potentially harmful emails from reaching your organization. These policies take precedence over Permitted Sender policies, meaning that if a domain is blocked, emails from that domain will be rejected even if a specific email address from that domain is in the Permitted Senders list.

How Blocked Sender Policies Work

Blocked Sender policies can operate at the domain level: when a domain is blocked, all emails from that domain are rejected, regardless of the individual sender address. They can also operate at the level of a specific sender address and recipient address pair, which gives finer-grained control over which potentially malicious or unwanted emails are rejected.

External emails can be blocked by Blocked Sender policies when a message is sent between two external email addresses. This is a default security measure that prevents unauthorized email relaying through your organization. Emails sent from external domains that are not part of your authorized Relay profile group are blocked automatically: the default external-to-external Blocked Sender policy rejects such relays unless the address has been explicitly added to the Relay group.

Troubleshooting Blocked Emails

If you encounter issues with blocked emails, you may see a 'Policy level block list in force' error. This indicates that an email has been automatically blocked by a Mimecast policy, typically based on predefined rules such as sender domains, email groups, or other organizational email policies.

To resolve email delivery issues:

  1. In the Administration Console, navigate to Message Center | Rejected and Deferred Messages.
  2. Search for the email Sender.
  3. Locate the message and review message details.
  4. Check the specific Blocked Senders Policy that was triggered.
  5. Create a Take No Action policy for the Sender. If you need to allow a specific sender from a blocked domain, create the 'Take No Action' policy for that specific email address rather than the domain. This keeps the domain-level block in place while permitting individual trusted senders.

To Consider when Creating Blocked Sender Policies

When implementing blocked sender policies, keep in mind that emails can be rejected due to policy-level block lists. This can occur when an entire domain is added to a Blocked Senders profile group, which is associated with a Blocked Sender policy. In such cases, all emails from that domain will be automatically blocked, regardless of individual sender settings.

Regularly review your blocked sender policies to ensure they are effectively protecting your organization without impeding legitimate communication. Be prepared to troubleshoot and adjust policies as needed to maintain the right balance between security and functionality.

Introduction to Blocked Senders in Mimecast

In Mimecast, you have two primary options for managing email senders:

  1. You can block entire domains using the Managed Senders block list.
  2. You can selectively permit specific email addresses through the Permitted Senders Profile Group.

If you want to block a broad domain but allow specific senders from that domain, add the specific email address to your Permitted Senders list. This approach provides granular control over email filtering while maintaining broader domain-level protection.

Creating a Bypass Policy for Blocked Senders

To create a bypass policy for a blocked sender, follow these steps:

  1. Navigate to Policies | Gateway Policies | Blocked Senders.
  2. Select New Policy.
  3. Set the policy with the following configurations:
    • Create a narrative like 'Blocked Senders Bypass'.
    • Set Blocked Sender Policy to Take No Action.
    • Configure Addresses Based On: Both.
    • Set Applies From to Email Domain.
    • Specify the domain.
    • Set Applies To to Individual Email Address.
    • Specify the email address.
    • Enable Policy Override.
  4. Save and Exit the policy.

Resolving Blocked Email Issues

To resolve the issue of blocked emails in Mimecast, you can:

  1. Check your Managed Senders list in the Administration Console (Email Delivery | Managed Senders).
  2. Remove or permit blocked senders by right-clicking the blocked entry and selecting Delete or Permit Sender.
  3. If you're an end-user, you can modify your blocked sender list to allow specific email addresses.

Resolving Email Rejection

To resolve email rejection, you can take two primary actions:

  1. As an end-user, delete or permit the sender in your managed senders list.
  2. As an administrator, navigate to Email Delivery | Managed Senders in the Administration Console, then search for the specific sender and select 'Delete' or 'Permit Sender'.

Using Permitted Senders Profile Group

To prevent important emails from being held, you can add the sender to your Permitted Senders Profile Group. This allows messages from those email addresses to bypass spam scanning, greylisting, and IP reputation checks. To do this:

  1. Navigate to Users & Groups | Profile Groups.
  2. Select the Permitted Senders folder.
  3. Select Build | Add Email addresses.
  4. Add the necessary addresses (one per line).
  5. Save & Exit.

Allowing Specific Email Addresses

To allow a specific email address while blocking an entire domain in Mimecast, you can create a Blocked Senders policy with a Take No Action override for the specific sender. Navigate to Policies | Gateway Policies | Blocked Senders, and create a new policy with the following settings:

  • Set the Blocked Sender Policy to Take No Action.
  • Specify the exact email address you want to allow.
  • Define the recipient group.

This ensures that the specific email address is permitted while maintaining the domain-wide block.

Types of Email Rejections

Domain-level Rejections

When an email is rejected due to a domain-level block list, it means the entire domain of the sender has been blocked. In this scenario, no emails from that domain will be delivered. To receive emails from specific senders within a blocked domain, you'll need to add their individual email addresses to your Permitted Senders list. Administrator-defined Permitted Senders policies take precedence over user-level Managed Senders lists.

User-level Rejections

Emails can be rejected due to user-level block lists, specifically when recipients manually block a sender address in their managed senders list or through a digest notification by selecting Block All. This results in a Manual Envelope Rejection of emails from the blocked sender.

Policy-level Rejections

Emails can be rejected due to policy-level block lists. This can occur when an entire domain is added to a Blocked Senders profile group, which is associated with a Blocked Sender policy. This means all emails from that domain will be automatically blocked, regardless of individual sender settings.

Manual Rejections

A Manual Header Rejection occurs when an email is blocked due to being on a user-level block list. This means the recipient has manually blocked the sender, preventing emails from that specific address from being delivered. This can happen when a user chooses to block a sender through their email settings or digest notification options.

Blocked Sender vs Permitted Sender Policies

In Mimecast, Blocked Sender policies are designed to take precedence over Permitted Sender policies. This means that if a domain is blocked, even if a specific email address from that domain is in the Permitted Senders list, the domain-level block will still apply. To allow a specific sender from a blocked domain, you must create a 'Take No Action' policy for that specific email address.
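The precedence described in this section, in "Allowing Specific Email Addresses" and in the introduction (domain-level Blocked Sender policy beats Permitted Senders, a 'Take No Action' policy for the exact address suppresses the block, administrator Permitted Senders beat user-level Managed Senders blocks, and external-to-external mail is rejected unless the address is in the Relay group) is easier to reason about as a small model. The following Python is an added illustration and not Mimecast code: the class names, field names and the order in which the checks run are assumptions chosen to match the article's wording, and the configuration in demo_config() is constructed sample data.

```python
"""Toy model of the sender-policy precedence this article describes.

Added illustration, not Mimecast code: class names, fields and the ordering
of the checks are assumptions chosen to match the article's text.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BlockedSenderPolicy:
    narrative: str          # description shown in the console, e.g. 'Blocked Senders Bypass'
    action: str             # "Block" or "Take No Action"
    applies_from: str       # "*" (everyone), "example.com" (domain) or "user@example.com" (address)
    applies_to: str         # same forms, matched against the recipient
    policy_override: bool = False


@dataclass
class GatewayConfig:
    internal_domains: set
    relay_group: set = field(default_factory=set)         # external addresses allowed to relay
    policies: list = field(default_factory=list)          # Blocked Sender policies
    permitted_senders: set = field(default_factory=set)   # Permitted Senders profile group
    user_blocked: dict = field(default_factory=dict)      # recipient -> senders blocked in Managed Senders


def _specificity(pattern: str, address: str) -> int:
    """0 = no match, 1 = everyone, 2 = domain match, 3 = exact address match."""
    pattern, address = pattern.lower(), address.lower()
    if pattern == "*":
        return 1
    if "@" in pattern:
        return 3 if pattern == address else 0
    return 2 if address.endswith("@" + pattern) else 0


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(sender: str, recipient: str, cfg: GatewayConfig) -> tuple:
    """Return (verdict, reason) for one message, following the article's precedence."""
    # 1. Default external-to-external relay block ("550 Administrative prohibition").
    if _domain(sender) not in cfg.internal_domains and _domain(recipient) not in cfg.internal_domains:
        if recipient.lower() not in {r.lower() for r in cfg.relay_group}:
            return ("reject", "550 Administrative prohibition: external-to-external relay, "
                              "recipient not in Relay profile group")

    # 2. Blocked Sender policies: the most specific match wins, Policy Override beats specificity.
    matches = []
    for p in cfg.policies:
        f, t = _specificity(p.applies_from, sender), _specificity(p.applies_to, recipient)
        if f and t:
            matches.append((p.policy_override, f + t, p))
    if matches:
        matches.sort(key=lambda m: (m[0], m[1]), reverse=True)
        winner = matches[0][2]
        if winner.action == "Block":
            # Blocked Sender policies take precedence over Permitted Senders, so a permitted
            # address inside a blocked domain is still rejected here.
            return ("reject", f"Policy level block list in force: {winner.narrative}")
        # "Take No Action" suppresses the block for this sender/recipient pair; carry on.

    # 3. Administrator Permitted Senders: delivered without spam scanning, greylisting or
    #    IP reputation checks; takes precedence over user-level Managed Senders blocks.
    if sender.lower() in {s.lower() for s in cfg.permitted_senders}:
        return ("accept", "Permitted Sender: bypasses spam scanning, greylisting and IP reputation checks")

    # 4. User-level block list (Managed Senders entry or digest "Block All").
    if sender.lower() in {s.lower() for s in cfg.user_blocked.get(recipient.lower(), set())}:
        return ("reject", "Manual Envelope Rejection: user-level block list")

    return ("accept", "normal scanning")


def demo_config() -> GatewayConfig:
    """Constructed sample configuration (not a real tenant)."""
    return GatewayConfig(
        internal_domains={"corp.example"},
        relay_group={"partner@outside.example"},
        policies=[
            BlockedSenderPolicy("Block vendor domain", "Block", "spammy.example", "*"),
            BlockedSenderPolicy("Blocked Senders Bypass", "Take No Action",
                                "trusted@spammy.example", "*", policy_override=True),
        ],
        permitted_senders={"vip@spammy.example", "news@list.example"},
        user_blocked={"alice@corp.example": {"news@list.example", "promo@shop.example"}},
    )


if __name__ == "__main__":
    cfg = demo_config()
    for s, r in [("bob@spammy.example", "alice@corp.example"),
                 ("vip@spammy.example", "alice@corp.example"),
                 ("trusted@spammy.example", "alice@corp.example"),
                 ("promo@shop.example", "alice@corp.example"),
                 ("someone@outside.example", "other@elsewhere.example")]:
        print(f"{s} -> {r}: {evaluate(s, r, cfg)}")
```

The vip@spammy.example case is the one this section warns about: the address is in the Permitted Senders group, yet the domain-level Block policy is evaluated first and rejects it; only the 'Take No Action' entry for trusted@spammy.example gets past that check.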

What is a 550 Administrative prohibition error?

A 550 Administrative prohibition error indicates that Mimecast's default security settings are preventing an email from being delivered. This typically occurs when an email is being sent from an external sender to another external recipient, which is blocked by default. To resolve this, you need to add the specific external recipient email address to the Relay profile group to allow the email transmission.

Common causes of 550 errors

550 errors can occur for several reasons, including:

  • The recipient's email address being invalid, disabled, or unlicensed.
  • Issues with the recipient's email server settings.
  • Anti-spoofing policies blocking emails that appear to be spoofed.

It's important to note that this type of error is typically generated by the recipient's email server (for example, Microsoft 365) and not by the sending email service.

Types of 550 errors

550 5.0.350 error

NDR errors with 550 5.0.350 status typically occur when anti-spoofing policies block emails that appear to be spoofed. This can happen when:

  1. An email is sent from one domain and then forwarded back to the original domain.
  2. The email routing does not go through the expected email protection service (like Mimecast).
  3. The anti-spoofing policies are too restrictive and do not account for legitimate inter-domain email forwarding.

550 5.7.708 error

This error typically occurs when an email sender reaches their daily sending limit, causing the account to be automatically restricted or quarantined. This can happen due to:

  1. Exceeding the maximum number of emails allowed per day.
  2. Triggering spam filters.
  3. Potential security restrictions on the sender's email account.

To resolve this, check your account's sending limits, ensure you're not sending bulk emails unexpectedly, and contact your email service provider if the restriction persists.

Troubleshooting 550 errors

If you encounter a 550 error, follow these steps:

  1. Verify the recipient's email address is correct and active.
  2. Check if the recipient's email account is properly licensed and enabled.
  3. Investigate potential server-side settings issues.
  4. Contact the recipient's email service provider (such as Microsoft O365 support) for further assistance if the problem persists.

When encountering 550 or 451 errors during email relay, you should verify:

  1. The sender's email address is a valid, actual email address (not a null sender).
  2. Your DNS and MX records are correctly configured.
  3. You are using the correct SMTP outbound servers for your email service.
  4. The IP address used for sending is authorized and whitelisted by your email service provider.
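When the rejections above arrive in bulk, the first triage step is to pull the reply code, the enhanced status code and the sender/recipient out of each log line and sort them into the categories this article describes (550 Administrative prohibition, 5.0.350 anti-spoofing, 5.7.708 sending limit, 535 authentication, 4xx temporary versus other 5xx permanent, and null senders). The following Python is an added example, not a Mimecast tool: the log line layout in SAMPLE_LOG is constructed for the demonstration (real Mimecast exports use their own column layout, so adapt LINE_RE), and the category names and suggested checks are paraphrased from the sections above.

```python
"""Triage of SMTP rejection log lines using the reply codes this article lists.

Added example, not a Mimecast tool. The line format is constructed for the
demonstration; the categories and next checks paraphrase the article.
"""
import re
from collections import Counter

# Constructed sample lines: timestamp, envelope sender, recipient, sending IP, SMTP reply.
SAMPLE_LOG = [
    '2024-05-01T10:02:11Z from=<alice@corp.example> to=<bob@partner.example> ip=203.0.113.10 '
    'reply="550 Administrative prohibition"',
    '2024-05-01T10:04:52Z from=<news@vendor.example> to=<carol@corp.example> ip=198.51.100.7 '
    'reply="550 5.0.350 Remote server returned an error"',
    '2024-05-01T10:05:03Z from=<dave@corp.example> to=<erin@other.example> ip=203.0.113.10 '
    'reply="550 5.7.708 Service unavailable"',
    '2024-05-01T10:06:30Z from=<> to=<frank@corp.example> ip=192.0.2.44 '
    'reply="451 4.7.1 Greylisted, try again later"',
    '2024-05-01T10:07:10Z from=<relay@corp.example> to=<gina@corp.example> ip=203.0.113.10 '
    'reply="535 5.7.8 Incorrect authentication data"',
    '2024-05-01T10:09:41Z from=<dave@corp.example> to=<hank@other.example> ip=203.0.113.10 '
    'reply="550 5.1.1 User unknown"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]*)>\s+'
    r'ip=(?P<ip>\S+)\s+reply="(?P<reply>[^"]*)"$'
)
# Basic reply code, optional RFC 3463 enhanced status code (class.subject.detail), free text.
REPLY_RE = re.compile(r'^(?P<code>[2-5]\d{2})(?:[ -](?P<esc>[245]\.\d{1,3}\.\d{1,3}))?\s*(?P<text>.*)$')


def classify(code: str, esc, text: str) -> tuple:
    """Map one reply to (category, next_check), following the article's descriptions."""
    if code == "550" and "administrative prohibition" in text.lower():
        return ("external relay blocked", "add the external recipient to the Relay profile group")
    if esc == "5.0.350":
        return ("anti-spoofing rejection", "check forwarding loops and that mail routes through Mimecast")
    if esc == "5.7.708":
        return ("sender restricted / sending limit", "check the account's sending limits and recent volume")
    if code == "535":
        return ("SMTP authentication failure", "verify the SMTP Submission account, password and profile group")
    if code.startswith("4"):
        return ("temporary failure", "verify sender address, DNS/MX records and outbound SMTP servers, then retry")
    if code.startswith("5"):
        return ("permanent rejection", "verify recipient address, licensing and server-side settings; read the NDR")
    return ("not a rejection", "no action")


def triage(line: str):
    """Parse one log line into the TO/FROM/TIME details plus a category, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    r = REPLY_RE.match(m["reply"])
    code, esc, text = (r["code"], r["esc"], r["text"]) if r else ("", None, m["reply"])
    category, check = classify(code, esc, text)
    return {
        "time": m["ts"], "from": m["sender"] or "<>", "to": m["rcpt"], "ip": m["ip"],
        "code": code, "enhanced": esc, "category": category, "check": check,
        "null_sender": m["sender"] == "",   # a null sender is itself something to verify
    }


def summarize(lines) -> Counter:
    """Count permanent rejections per (sending IP, category); a pile-up on one IP hints at a blocklisting."""
    counts = Counter()
    for line in lines:
        t = triage(line)
        if t and t["code"].startswith("5"):
            counts[(t["ip"], t["category"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        t = triage(line)
        print(f'{t["time"]} {t["from"]} -> {t["to"]} [{t["code"]} {t["enhanced"] or "-"}] '
              f'{t["category"]}: {t["check"]}')
    print(summarize(SAMPLE_LOG))
```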

Resolving SMTP authentication errors

To resolve SMTP authentication errors (error 535: Incorrect authentication data), follow these steps:

  1. Create a new email address in your Internal Directories.
  2. Set a password that never expires.
  3. Enable SMTP Submission for the account.
  4. Add the email address to a profile group that allows authentication (such as 'Cloud No 2Fa').
  5. Verify that the email credentials are correctly configured in your SMTP server settings.

What is a Hard Bounce?

A hard bounce occurs when an email cannot be delivered to the recipient's inbox due to permanent reasons. This typically happens when the recipient's email address is invalid, no longer exists, or the receiving server has blocked the sender's email.

Causes of Hard Bounces

Hard bounces can be caused by various factors, including:

  • Invalid or non-existent email addresses.
  • Blocked sender IP addresses.
  • Content Examination Policies triggering email deletion.

Content Examination Policies can cause emails to be deleted or not delivered when certain content triggers are detected. Multiple content examination policies can conflict and potentially remove legitimate emails, especially when policies are broadly applied without specific group targeting.

Troubleshooting Hard Bounces

Email Bounce-backs

If you're experiencing email bounce-backs, try the following steps:

  1. Verify the current status of Mimecast's outbound IP addresses using blocklist checking tools.
  2. Temporarily disable Mimecast outbound and use an alternative email service to confirm the issue.
  3. Contact Mimecast support to help delist any blocklisted IPs.
  4. Request alternate IP routing while the primary IPs are being addressed.

Emails Not Being Received

When emails seem to be sent but not received, check the following:

  1. Verify the email routing through your email service provider (like Mimecast).
  2. Check if emails are being processed by the correct server.
  3. Investigate whether emails are being routed internally or through a journaling connector.
  4. Confirm the recipient's email domain and routing configuration.

Outbound Email Sending Issues

Outbound email sending can be disrupted if Mimecast IP addresses are listed on Real-time Blackhole Lists (RBLs). This can cause email delivery failures and bounce-backs. If you're experiencing consistent email sending issues, check if your Mimecast IP is currently blocklisted and contact Mimecast support for resolution.
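Both the bounce-back steps above and this section start with checking whether an outbound IP is on a blocklist. A DNSBL lookup is the mechanism behind those "blocklist checking tools": the IP's octets are reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means the address is listed. The following Python is an added example and not a Mimecast tool: the zone name is an assumption (substitute the lists your provider or Mimecast support actually asks you to check), the sample IPs are documentation addresses, and the script only issues DNS queries, never mail.

```python
"""Check outbound IP addresses against DNS-based blocklists (DNSBLs).

Added example, not a Mimecast tool. The zone is an assumption; the IPs in
the usage block are constructed documentation addresses.
"""
import ipaddress
import socket

EXAMPLE_ZONE = "zen.spamhaus.org"   # assumption: a well-known public DNSBL zone


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: reversed IPv4 octets (or reversed IPv6 nibbles) followed by the zone."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on malformed input
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def interpret_answer(answer: str) -> str:
    """DNSBLs answer in 127.0.0.0/8; anything else means a wildcarding or hijacked resolver,
    and some operators (Spamhaus documents 127.255.255.252-255) use 127.255.255.x for
    refused or over-quota queries rather than a listing."""
    a = ipaddress.ip_address(answer)
    if a not in ipaddress.ip_network("127.0.0.0/8"):
        return "unexpected"
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "query-error"
    return "listed"


def check_ip(ip: str, zone: str) -> dict:
    """Query one IP against one zone; 'listed' is True, False, or None when the lookup failed."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror as exc:
        # NXDOMAIN means "not listed"; any other resolver error is unknown, not a clean result.
        if exc.errno == getattr(socket, "EAI_NONAME", None):
            return {"ip": ip, "zone": zone, "listed": False, "status": "not-listed", "answer": None}
        return {"ip": ip, "zone": zone, "listed": None, "status": "lookup-failed", "answer": str(exc)}
    status = interpret_answer(answer)
    return {"ip": ip, "zone": zone, "listed": status == "listed", "status": status, "answer": answer}


def check_all(ips, zones):
    """Return every result that needs attention: listed, or a lookup that did not give a clean answer."""
    return [r for ip in ips for zone in zones
            if (r := check_ip(ip, zone))["listed"] is not False]


if __name__ == "__main__":
    # Constructed sample: documentation addresses, not real Mimecast outbound IPs.
    for result in check_all(["203.0.113.10", "2001:db8::1"], [EXAMPLE_ZONE]):
        print(result)
```

Treat a "query-error" or "lookup-failed" status as an inconclusive check rather than a clean bill of health, and re-run it from a resolver the list operator permits before concluding that an IP is not listed.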

General Troubleshooting Steps

When encountering a hard bounce or other email delivery failures, follow these steps:

  1. Verify that the recipient's email address is correct and active.
  2. Check if the recipient's email account is properly licensed and enabled.
  3. Investigate potential server-side settings issues.
  4. Contact the recipient's email service provider (such as Microsoft O365 support) for further assistance if the problem persists.
  5. Carefully review the non-delivery report (NDR) for specific blocking reasons.
  6. Verify the IP address associated with the blocked email.
  7. Contact your email service provider to investigate potential blocklisting.
  8. Request that they work on delisting the IP or use alternate IP addresses.
  9. Ensure your email infrastructure meets current email sending best practices.

Preventing Accidental Email Deletion

To prevent accidental email deletion due to Content Examination Policies, consider these best practices:

  1. Minimize the number of active Content Examination Policies.
  2. Make policies more specific by applying actions to particular groups using the From and To fields.
  3. Use the Hold for Review action instead of delete or bounce. This allows administrators to review potentially flagged emails before permanent removal, ensuring no important communications are lost.

Additional Email Delivery Troubleshooting

For thorough email delivery troubleshooting:

  1. Check the mail logs for specific delivery details.
  2. Verify the status of both sending and receiving email servers.
  3. Cross-check delivery status across different email platforms (like MS365 Exchange).
  4. Collect specific details such as TO, FROM, TIME, DATE, and SUBJECT of the failed emails to aid in the investigation.