Sender email address filtering:
Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.
Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to malware detection. Messages from blocked email addresses are blocked.
IP reputation-based filtering at the MTA connection level:
Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.
Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.
Domain-level policy rules for spam are run. Detected phishing, spam, and social engineering attack messages are marked. Detected graymail messages from sender IP addresses not in the graymail exception list are marked. All messages proceed from spam detection to malware detection.
All messages are scanned for malware, and other malicious content. Detected messages are marked. All messages proceed from malware detection to content-based policy filtering at the message level.
Content-based filtering at the message level:
Domain-level policy rules for content are run. Administrators configure accounts, targets, and actions for messages. Default rules delete all detected malware, malicious content, phishing, and spam.
Hosted Email Security takes action on email messages that pass Email Reputation and custom approved list filtering using the policy rules configured for content-based filters. For example, Hosted Email Security may quarantine an infected email message from an address in the approved sender list if you have configured content-based filtering to quarantine malware threats.
See Configuring a Policy.