Headers for Phishing Protection : Phish Protection

The following headers can be used to filter email messages. A typical use case would be to create transport or mail flow rules to disposition the messages based on the criteria.

Headers are always included with the messages, and the same triggers that apply to these headers have in message body banners also. However, in the message body banners can be disabled by the admin, and may not be visible for every end user. The message headers cannot be disabled and are ideal for triggering quarantine actions in message rules on your email server.

Example mail flow rules for Office 365.

External Messsage Banner

X-PhishProtection-Warning: external_sender

Triggered when an email comes from an external domain. This is probably the simplest example and adds to the existing functionality of services like Office 365. The message is not only tagged as external but the sending domains are incorporated into the warning displayed to the end user:

Impersonation Banner

X-PhishProtection-Warning: domainimp

Triggered when an email is sent from a domain that closely matches your own internal domain. This is flagged as red, as it is more than likely a phishing attempt. This rule may trigger (but can be whitelisted) if you have multiple legitimate top level domains that are on different extensions, like .com and .net.

X-PhishProtection-Warning: senderspoof
X-PhishProtection-Warning: senderimp

Triggered when an email is trying to impersonate the Friendly From: with a name of a user in the organization.

SPF Banner

X-PhishProtection-Warning: spf_soft_fail

Triggered is an email from a server that the sender's IP is not listed in the SPF record for the sending domain. It could be a misconfiguration or a spoofing attempt.

X-PhishProtection-Warning: spf_soft_fail_self

Triggered is an email from a server not listed in your domains SPF record and your SPF record is set to ~all rather than -all. This means that you are receiving emails from your own domain, from a set of servers not explicitly permitted by your SPF policy. This may be spoofing, but because of the SPF policy, we are not rejecting the email.

SPAM Header

X-Spam-Flag=YES

Triggered when an email is classified as spam. Typically this would trigger a subject line prepend *SPAM* however, depending on the configuration of your account, the Subject line change may not be present. The header will always be there if the message is classified as spam.