Frequently asked questions about Symantec's Email Threat Isolation service.
Symantec now recommends that DKIM-signed inbound emails not be excluded from URL rewriting. DKIM validation takes place at the MTA level and not at the endpoint level. This means that DKIM validation can be done before the URL is rewritten so that the rewriting doesn't break the validation. By contrast, because validation for both S/MIME and PGP is done on the endpoint, validation always takes place after rewriting, thus breaking encryption.
Be careful to implement DKIM checking using Email Security.cloud only. You cannot perform DKIM checking on an MTA that is downstream from Email Security.cloud without breaking the signatures for the messages that contain rewritten URLs.
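Why a downstream MTA fails DKIM on rewritten messages, shown as an added example (not Symantec code): it computes the RFC 6376 relaxed body hash (the `bh=` value) before and after a stand-in URL rewrite. The gateway URL format and the sample message are constructed assumptions, not the service's real rewrite format.

```python
import base64
import hashlib
import re
from urllib.parse import quote


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse whitespace runs
        out.append(line.rstrip(b" "))          # ignore trailing whitespace
    while out and out[-1] == b"":              # ignore trailing empty lines
        out.pop()
    return b"".join(l + b"\r\n" for l in out)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonical body, as carried in the bh= tag."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()


def rewrite_urls(body: bytes, gateway: str) -> bytes:
    """Stand-in for a URL-rewriting gateway (hypothetical URL format)."""
    def repl(m):
        return (gateway + quote(m.group(0).decode(), safe="")).encode()
    return re.sub(rb"https?://[^\s<>]+", repl, body)


def downstream_body_check(body: bytes, signed_bh: str) -> bool:
    """What a DKIM verifier does with the body it actually received."""
    return body_hash(body) == signed_bh


# Constructed sample message body and the hash the sender signed over it.
ORIGINAL = b"Hello,\r\n\r\nYour invoice: https://billing.example/inv/42  \r\n\r\n"
SIGNED_BH = body_hash(ORIGINAL)
REWRITTEN = rewrite_urls(ORIGINAL, "https://isolation-gateway.example/r?u=")

if __name__ == "__main__":
    # Validation at the gateway, before rewriting, sees the signed body.
    print("before rewrite:", downstream_body_check(ORIGINAL, SIGNED_BH))
    # Any MTA after the gateway sees a different body, so bh no longer matches.
    print("after rewrite: ", downstream_body_check(REWRITTEN, SIGNED_BH))
```

Relaxed canonicalization only forgives whitespace differences, so no DKIM canonicalization setting on the downstream MTA makes a rewritten body verify.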
- Protect All Users – Exclude List
The Threat Isolation feature is enabled for all users; recipients on this list will not have URLs rewritten.
- Protect Specific Users – Include List
The Threat Isolation feature is disabled by default and enabled for all recipients on the list.
What happens to rewritten URLs if I disable or cancel the service?
The URLs will not be scanned at click time; a click will simply proceed to the original URL.
How do I know if the service is working?
- Emails will contain re-written URLs (note that HTML emails will show the original URL text but will point to a re-written URL).
- Statistics about the number of clicks and blocked URLs can be found on the CTP Incidents page and in the summary report.
- Threat Isolation logs can be downloaded from Services > Email Threat Isolation > URL Isolation Report.
What kinds of events appear in the Email Threat Isolation Report?
Any risky URLs that are clicked by end users. Only the ‘top level’ URL is reported, not embedded/child page content.
How long are Isolation logs retained?
The retention time is 30 days.
How long does it take the activity to show up in Email Threat Isolation Report logs?
It will take 5 minutes or less.