Configuring a Content Filtering Rule

Procedure

1. Go to Policies → Policy Management.
2. Click the Content Filtering Rules tab.
3. Do one of the following:
   • Click Add to create a new rule.
   • Click a rule name to change the settings.
4. Type a rule name.
5. Configure the scanning conditions.
   1. Under Attachment, specify the criteria for attachments.
      For more information, see Scanning Conditions for Attachments.
   2. Under Content, specify one or more keywords or expressions to match in messages.
      For more information, see Adding Keyword Lists or Expressions.
   3. Under Sender Authentication Results, select one or more sender authentication protocols; then, select one or more authentication results from the drop-down list.

      Note For sender authentication result settings in content filtering rules to take effect, go to Administration → Sender Filtering/Authentication and click the tab for the authentication protocol (SPF, DKIM Authentication, or DMARC). Then, enable the authentication protocol and select Insert X-Header into email messages. Deep Discovery Email Inspector matches an email message if an authentication result for each selected sender authentication protocol is matched.

   4. (Optional) Select Apply rule if sender address does not match message header (From) to apply the content filtering rule if the sender address and the address in the message header From field do not match.

      Note This option is not applicable when Deep Discovery Email Inspector is operating in BCC mode.

   5. (Optional) To detect messages with an internal domain but do not originate from a permitted sender address, select Enable internal email spoofing prevention and specify the domain and IP address matching options.
      • Domain matching: Select an option to match the message envelop sender or header FROM address against the internal domains list.
        If a match is found, Deep Discovery Email Inspector continues to check the message sender or source IP address.
      • IP address matching: Select an option to match the message sender IP address, source IP address, or both sender and source IP addresses against the permitted sender address list.
        If a match is not found, Deep Discovery Email Inspector considers this message an internal email spoofing attempt and applies the rule action.

      Note You can configure the internal domains list on the Internal Domains screen and the permitted sender IP addresses on the Limits and Exceptions screen. For more information, see Internal Domains and Configuring Limits and Exceptions.

6. Specify the Action.
   For more information, see Policy Actions.
7. (Optional) To send a blind carbon copy of detected messages to one or more recipients, type the recipient email addresses in the BCC field.

   Note You can specify up to 50 email addresses. Wildcard characters are not supported.

8. (Optional) From the Send notification drop-down list, select a notification message to inform recipients about the applied policy action.

   Important Deep Discovery Email Inspector only sends recipient notifications when you select Send notification and a notification message.

   You can configure notification messages on the Notifications screen (go to Policies → Policy Objects → Notifications).

   For more information, see Configuring Recipient Notification.
9. (Optional) From the Insert stamp drop-down list, select a stamp that you want to insert in to detected messages.
   For more information, see Configuring a Message Stamp.
10. Click Save.
    After adding a rule, you can:

    • Click a rule name to edit the rule settings.
    • Select a rule and click Delete to remove the selected rule.