Bypass Anti-Spoofing Checks

Situation – Emails from trusted senders are being quarantined as Fraud despite being in the safe sender list.
Solution – Individual domains can be added as exceptions for DMARC, DKIM and/or SPF respectively.

Important: Each Exception List check will be against different domain values

  • DMARC Exceptions & DKIM Exceptions - will check against the "From Header" domain
  • SPF Exceptions - will check against the Envelope Sender domain

For more information on the different domain values, see this article on how DMARC works with Spambrella/Proofpoint.

How To Add A Domain As An Exception

Best Practice: While the exception list allows you to bypass Anti-Spoof checks for specific domains, the best long-term and more permanent solution is to have the owner of the sending domain address any issues they might have with their SPF/DKIM/DMARC records. 

  1. In the sidebar, under Security Settings, navigate to Malicious Content > Anti-Spoofing.
  2. Under the policy you want to bypass (Inbound DMARC, DKIM or SPF) click Manage Exceptions.
  3. This will open a drawer to the right; from here, select + Add Exception.

Screenshot_2021-03-01 Anti Spoofing - Company Settings(1).png

  1. Enter a valid domain into the field and select Add.

Screenshot_2021-03-01 Anti Spoofing - Company Settings(2).png

Note: Only domains are accepted currently. IP Addresses as well as individual email addresses will not work.

  1. The domain is added as an exception and the changes are saved automatically. Close the Exception List.

Note: Changes to the Anti-Spoofing Policies, including exceptions, can take up to 60 minutes.

  1.  Press the Save button so the configuration on this is properly saved.

Just adding in the exceptions does not update the configuration to properly exempt or set these options. You must click Save.

Accounts that use auto-forwarding and send to Spambrella/Proofpoint will change the DMARC, DKIM, and SPF settings and cause these to fail. Creating bypass rules may not be acceptable for the organization as this would need to be done for every domain that sends to the original recipient