Sometimes you'd like certain emails to be classified as Clean, regardless of the content in the body or attachments.
The best way to achieve this is to create an incoming rule in the Compliance Filter module.
Warning: For security reasons, we strongly recommend using this type of rule only in cases of extreme need and, whenever possible, for a limited time. We also recommend using more than one criterion when creating a rule, especially when the action is set to "Tag as clean", because messages matching the rule will be delivered even if they contain malware or malicious/phishing links.
In this module, you'll have 3 criteria available to choose from:
The types "Header" and "Body" will let you search for 1 text string within the message's header, or body, respectively.
However, the "Advanced" criterion will allow you to define up to 7 parameters to evaluate the incoming email:
The most used parameter is the "Sender" parameter. This will allow us to evaluate a specific sender or a domain (regular expressions are allowed).
Let's suppose that we are expecting emails containing Excel files with macros from a specific user, and we want his emails to always be classified as "Clean".
The rule we must create is as follows:
However, after defining the rule, it could happen that the specified sender's emails are still not classified as clean.
This is probably because the address shown in the "From" field of the message (Header-From) is not the same as the Envelope-From address, which is the one the "Sender" field is evaluated against.
You can check the Envelope-From address by following the steps described below:
- Locate the email in the Email Live Tracking
- Click on the colored box on the far right of the log
- Click on the Info button
- Go to the Header tab
- Find the line that starts with X-antispameurope-sender:
Normally the "header.from" and the "envelope.from" are the same, but it's common for these addresses to be different when the email is sent from third-party applications like web forms, ticketing or alarm systems, or bulk mail services like SendGrid, Mailchimp, Mailjet, among others.
In other rare scenarios, like in the previous screenshot, you may see "mailer-daemon" within the "X-antispameurope-sender" field. This actually means that the "envelope-from" was completely empty. For this very specific scenario, the "Sender" field shouldn't be used in the rule.
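The mismatch described above can be checked offline against a saved copy of the message headers. The following Python sketch is an added example, not part of the product or the original article: the sample headers are constructed, the names `sender_rule_check` and `_matches` are hypothetical, and the address/domain comparison is a simplified stand-in for the filter's own matching (regular expressions are not evaluated).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from real messages). The value format of
# X-antispameurope-sender (with or without angle brackets) is an assumption.
BULK = """\
X-antispameurope-sender: <bounces+12345@mail.bulk-provider.example>
From: "Accounting" <reports@partner.example>
Subject: Monthly report

body
"""
BOUNCE = """\
X-antispameurope-sender: <mailer-daemon>
From: "Mail Delivery System" <postmaster@partner.example>
Subject: Undelivered mail

body
"""

def _matches(address, rule_value):
    """Simplified match: a full address must be equal, a bare domain must be the address's domain."""
    rule_value = rule_value.lower()
    if "@" in rule_value:
        return address == rule_value
    return address.endswith("@" + rule_value)

def sender_rule_check(raw_headers, rule_sender):
    """Report whether a "Sender" rule value lines up with Envelope-From or only with Header-From."""
    msg = message_from_string(raw_headers)
    envelope = msg.get("X-antispameurope-sender", "").strip().strip("<>").lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    if envelope in ("", "mailer-daemon"):
        verdict = "empty-envelope"      # Envelope-From was empty: do not rely on "Sender"
    elif _matches(envelope, rule_sender):
        verdict = "match"               # the rule targets the address the filter evaluates
    elif _matches(header_from, rule_sender):
        verdict = "header-from-only"    # the rule was written against the visible From address
    else:
        verdict = "no-match"
    return {"envelope_from": envelope, "header_from": header_from, "verdict": verdict}

if __name__ == "__main__":
    for raw, rule in ((BULK, "reports@partner.example"), (BOUNCE, "postmaster@partner.example")):
        print(rule, "->", sender_rule_check(raw, rule))
```

A `header-from-only` verdict means the "Sender" value has to be rewritten against the Envelope-From address; for `empty-envelope`, use a different criterion instead of "Sender".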
You can find all the information related to the Compliance Filter module in our Manual.
For more information about message headers, please visit this article.
*We're planning to explain "header from" and "envelope from" in more detail in this Knowledgebase soon (why they exist, when to consider each one of them).
In the meantime, in case you need more information about them, please visit this external article on dmarc.org, or contact Support.