Anti-Spam 101 for Email Security.cloud

Article ID: 169884

Products

Email Security.cloud

Issue/Introduction

Learn how to troubleshoot issues with the Anti-Spam service for Email Security.cloud.

Resolution

AntiSpam best practice settings

When you are provisioned with the AntiSpam service, the service is disabled by default. We recommend that you evaluate the tagged spam that you receive using these settings, and how these settings work for your organization's mail flow. When you are confident that the service is only detecting spam email, change to the best practice settings found in the following KB article: https://support.symantec.com/en_US/article.HOWTO101610.html

 

Email incorrectly identified as spam (false positive)

Bounceback shows "553 - Sorry, your IP/ Email address has been blacklisted"

The email has been blocked based on an entry in your global Blocked Senders list in the Symantec.cloud Management portal, or in an individual user's list.

To resolve this issue

  • Modify the Blocked Senders list as needed.

Bounceback shows "553 - mail rejected because your IP is in the PBL"

The email has been blocked because the sender's IP is in the Spamhaus PBL (Policy Block List). This is not a spam list; the IP in question has been designated by the ISP as non-mail sending (these are usually dynamic IPs).

To resolve this issue

  • Add the sender's email address to the Approved Sender list.
  • Advise the sender that their IP is listed on the Spamhaus Blocklist, so that they can have the IP de-listed.
     

Bounceback shows "553 - Message filtered" or "No bounceback", but Track & Trace indicates "Detected by Heuristics."

The email has been blocked because it matched spam signatures or heuristics.

To resolve this issue

Spam email not intercepted (false negative)

  • Ensure that the email was scanned by the Symantec.Cloud Infrastructure by checking Track & Trace or the email headers.
  • You can add the address to the Blocked Sender list if you never want to receive email from that sender again.
  • If you believe the sender has already been added, confirm that you added the Envelope Sender address to the list. This can be confirmed by looking at the sender as reported in Track & Trace.
  • For full submission details: https://support.symantec.com/en_US/article.TECH222389.html
     

SPF troubleshooting

Use an online SPF lookup tool such as SPF Surveyor to review the sender’s SPF record.

For a full validation test comparing the sending IP against the record, you can use a tool such as SPF Policy Tester.

Note: SPF only applies to the envelope from (SMTP MAIL FROM).

If the sender is a customer provisioned on Symantec's services, their SPF record should include our SPF entry, even if they normally do not route outbound through us. When an email is sent between customers, we look for that reference.

See Implement SPF records in Email Security.cloud.

 

DMARC troubleshooting

Use an online DMARC lookup tool or DNS lookup to review the sender’s DMARC record. Use a DMARC tool such as https://dmarcian.com/dmarc-inspector/ to obtain the DMARC policy of a domain. For a raw lookup, perform a TXT record DNS lookup on the _dmarc subdomain (for example, _dmarc.yahoo.com).

There are two steps for a DMARC check to pass:

  • First, the email must pass an SPF or a DKIM check.
  • Second, it must pass an alignment check.
    • For SPF:
      The Body From domain must match the Mail From domain. An email may pass the SPF check, but if the Body From doesn’t match the Envelope From, the email fails DMARC unless DKIM passes.
    • For DKIM:
      The domain in the d=example.com tag in the DKIM Signature header must match the Body From domain. An email may pass the DKIM check, but if the Body From doesn’t match the d=example.com domain, the email fails DMARC unless SPF passes.
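The two steps above can be reproduced offline when triaging a message that Track & Trace shows as failing DMARC. The following is an added example, not code from this article or the Email Security.cloud service; the function names and the sample message are constructed for illustration. It compares domains exactly, as described above, and does not model DMARC's relaxed (organizational-domain) alignment mode.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain of an address, or '' if there is none."""
    _, at, domain = parseaddr(address)[1].rpartition("@")
    return domain.lower() if at else ""


def dkim_domains(msg):
    """d= tag of every DKIM-Signature header in the message."""
    tags = []
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", value)
        if m:
            tags.append(m.group(1).lower())
    return tags


def dmarc_check(raw_message, mail_from, spf_pass, dkim_pass):
    """Step 1 results (spf_pass, dkim_pass) are assumed inputs; step 2, alignment, is computed."""
    msg = message_from_string(raw_message)
    body_from = domain_of(msg.get("From", ""))
    spf_aligned = bool(body_from) and spf_pass and domain_of(mail_from) == body_from
    dkim_aligned = bool(body_from) and dkim_pass and body_from in dkim_domains(msg)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if spf_aligned or dkim_aligned else "fail",
    }


# Constructed sample: sent through a third-party mailer and signed by that mailer.
SAMPLE = (
    "From: News <news@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=k1;\n"
    " bh=AAAA; b=BBBB\n"
    "\nbody\n"
)

if __name__ == "__main__":
    # SPF and DKIM both pass, yet neither domain matches Body From: DMARC fails.
    print(dmarc_check(SAMPLE, "bounce@mailer.example.net", True, True))
    # Envelope sender moved into the Body From domain: SPF aligns, DMARC passes.
    print(dmarc_check(SAMPLE, "bounce@example.com", True, True))
```

Take the `mail_from` value from the Envelope Sender shown in Track & Trace, not from the From header in the message body.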

For more details about DMARC with the Email Security.cloud service: https://support.symantec.com/en_US/article.HOWTO124382.html