This article explains the order in which Symantec Email Security.cloud scans inbound email.
Email traffic entering the Symantec.cloud infrastructure is checked and scanned in the following order:
| Stage | Check |
|---|---|
| Connection Management | 01. SMTP Traffic shaping |
| | 02. SMTP Heuristics |
| | 03. Address Validation/Registration |
| | 04. AntiSpam Approved Senders |
| | 05. AntiSpam Blocked Senders |
| | 06. SPF, DKIM, DMARC |
| Anti-spam | 07. AntiSpam Public DNS block lists (PBL) |
| | 08. AntiSpam Signaturing System |
| Anti-malware | 09. AntiVirus Skeptic |
| | 10. AntiVirus Signaturing |
| | 11. Cynic Sandbox (requires ETDR) |
| | 12. IOCs (requires ETDR) |
| Anti-spam | 13. Antispam Heuristics |
| | 14. Image Control |
| | 15. Impersonation Control |
| | 16. Data Protection |
| | 17. URL Rewriting (requires ETDR) |
| | 18. URL/Attachment Isolation (add-on for ETDR) |
Note: The AntiSpam scanning order applies only when the AntiSpam scanners are enabled according to the AntiSpam best practice settings. When best practices are not followed, weaker actions such as 'Tag Subject' or 'Redirect to Admin' mean that any scanner further down the order can still be triggered and its action taken. This is to ensure your protection from harmful or malicious phishing emails.
ETDR stands for Email Threat Detection and Response, previously known as ATP (Advanced Threat Protection).