Sender email address filtering:

Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.

See Sender Filter Order of Evaluation.

Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to malware detection. Messages from blocked email addresses are blocked.

IP reputation-based filtering at the MTA connection level:

Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.

See IP Reputation Order of Evaluation.

Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.

Spam detection:

Domain-level policy rules for spam are run. Detected phishing, spam, and social engineering attack messages are marked. Detected graymail messages from sender IP addresses not in the graymail exception list are marked. All messages proceed from spam detection to malware detection.

Malware detection:

All messages are scanned for malware, and other malicious content. Detected messages are marked. All messages proceed from malware detection to content-based policy filtering at the message level.

Content-based filtering at the message level:

Domain-level policy rules for content are run. Administrators configure accounts, targets, and actions for messages. Default rules delete all detected malware, malicious content, phishing, and spam.