Email Security Manual

Overview & How It Works

Key Characteristics

Easy and Quick to Deploy

Very easy and quick to set-up – simply:

  1. Add domain name
  2. [optional] Customise filter settings and features
  3. Configure your firewall to allow mail from us
  4. Update MX records

Domain Wide Settings

All settings are domain wide which means you don’t need to create user accounts (although you can create logins for customer administrators). The system uses call out verification to query the destination server before accepting mail – if the user is accepted by the destination server, the mail is processed by the scanning system. The result of the call out verification is cached to reduce load on the destination server.

Admin Level Quarantine

  • Domain level quarantine management can be delegated to one or more customer admins – see Creating a login for Account Administrators.
  • A daily or weekly quarantine digest email listing all emails held in the quarantine, can be configured so that it is sent to one or more email addresses.
  • Quarantined emails can be released from the digest email.

User Level Quarantine

  • A daily or weekly digest email can be sent to users and they can release emails directly from the email without needing a login to the system. This reduces set-up time and complexity.
  • Only users who have quarantined items will receive the digest email – if nothing had been quarantined, they will not receive the digest.

Never Silently Discards Emails

  • At no stage does the system silently discard emails – it will always issue an NDR or place blocked emails into a quarantine.
  • This avoids uncertainty about ‘lost’ emails and means you can focus energies in other areas when debugging mail routing issues.

Key Features

The filtering system provides exceptional levels of protection and is continuously being updated to respond to the ever changing threat landscape.

  • Incoming and Outgoing Spam and Virus filtering
  • Spam filtering accuracy improves the more you use it as the system learns the unique email patterns of your domain.
  • Anti Spoofing with impersonation protection to protect against spear fishing attacks
  • Zero Day Virus defence via near real time updates from a globally distributed network of reporting sources
  • Always-on email continuity providing 30 day mail queuing as standard
  • In-place, instant upgrade for enhanced continuity protection

Product Versions

FailSafe Standard Edition

Included as standard. in the event that we are unable to deliver emails to your server(s) we will automatically queue your incoming emails for up to 30 days. As soon as your server(s) are back online we will deliver the queued email to them.

FailSafe Professional Edition

Just like with FailSafe Standard, we will automatically queue your emails for up to 30 days in the event your server goes offline. However, with FailSafe Professional you also get the option of enabling FailSafe Webmail in an emergency (or just before a planned downtime event). After you have enabled it, we’ll deliver a copy of each new email from that point onwards to the FailSafe mailboxes allowing your users to carry on working whilst your server is fixed. Emails sent from the FailSafe mailboxes will automatically be sent back to your server when it comes back online.

NB FailSafe Professional mailboxes only remain active whilst your server is offline and are deleted within 24 hours after the downtime event has finished.

FailSafe Enterprise Edition

Just like with FailSafe Standard, we will automatically queue your emails for up to 30 days in the event your server goes offline. Except, with FailSafe Enterprise we will also deliver a copy of each new email into the FailSafe Webmail system. FailSafe mailboxes each store a rolling 30 days of emails and are live at all times thereby providing a constant archive of incoming emails which your users can access at any time, not just when your server is down.

NB You should aim to set-up the FailSafe Enterprise mailboxes as soon as possible so that we can start sending copies of incoming emails there.

How It Works - System Details

Spam Classifications

The anti spam system works by automatically analysing incoming emails for signs that they are spam using a range of sophisticated checks.

A score is assigned to each email to represent the probability of it being spam. The higher the score, the higher the likelihood an email is spam. You may use this score in order to process spam emails according to what best suits your particular way of working.

NB Viruses are always quarantined.

Understanding the Mail Queues

MX Queue

After scanning for spam and viruses, we’ll place emails people send you in this queue ready for delivery to your server. If we can’t deliver to your server for some reason, we store the undelivered email in the FailSafe Queue. For this reason, this queue is mostly empty, containing only the emails which are on their way to your destination server(s).

FailSafe Queue

Emails are queued on this separate FailSafe Queue if we weren’t able to to deliver them to any of the listed Destination Servers. At the same time a copy of each undelivered email is placed into the FailSafe Mailbox Queue (see below). The FailSafe Queue stores undelivered items for 30 days.

Our systems keep track of the availability status of each Destination Server to avoid the need to continuously retry for every new email which arrives. As soon as one email is successfully delivered to a Destination Server, our systems will deliver all new mail to that server and will start to deliver queued mail. A number of factors affect how quickly queued emails are delivered: How busy our servers are and the Destination server is and how many emails are in the queue. Further, if our systems start to deliver queued email and then detect additional delivery failures, they will halt the process and reduce the priority of future delivery.  For these reasons it is not unusual for queued email to take some hours to be delivered.

Evidence of the above can be seen by reviewing the Log File viewer.

FailSafe Mailbox Queue

If we are unable to deliver mail to your server a copy of the emails will be added to this queue. Undelivered items remain in this queue for 7 days even after normal delivery has resumed.

To read undelivered emails from the FailSafe Mailbox Queue, create corresponding FailSafe Mailboxes, aliases or distribution lists and then enable the delivery. The undelivered items in the FailSafe Mailbox Queue will be delivered to the FailSafe Webmail system. Mail addressed to non-existent addresses on the FailSafe Webmail system will be redirected as bounces to a catchall mailbox automatically created on the FailSafe Webmail system.

SMTP Envelope From address

All emails you receive have two email ‘from’ addresses – the one you see in your email client and the one which is used by email systems to route an email. They may not be the same and it’s important to understand the differences.

The email ‘from’ displayed in your email client can easily be forged and therefore can’t be relied upon, particularly if you want to create a white or black list entry. It could also be very misleading and can result in fraud against you. Protection from impersonation can be configured – see the Impersonation Protection features for more information.

To identify the SMTP Envelope address view the email headers of the email sent to you. See Understanding Email Headers.

Outbound Email Rate limits & Email Sizes

Read more about rate limits

Administrators & User Access

Creating a login for Account Administrators

Creating an account admin is useful if you wish to delegate quarantine management or management of the entire service for a particular Account.

First, login to the Control Panel and switch to the Account for which the user should have access. Then select Team – from there you can invite the new user simply by adding their name and email address.

TIP Search for the customer name, click on the ‘gear’ icon and select ‘Team’.

Team members are able to manage all settings, products and sub Accounts for the Account in which they exist. For example if you created the user called Bill under the Account called ACME Services Ltd, then Bill would be able to manage all settings, products and sub Accounts of ACME Services.

User access to the system

End users do not generally require access to the system.

The only user accessible feature is the user level quarantine which, if enabled, sends a daily digest email containing quarantined emails which they user can release directly from the email – no login is required.

Provision, Upgrade & Cancel

Information you’ll need

  • IP address / host name and port for each destination server you want to deliver scanned mail to
  • Login details for the Firewall where the destination server(s) is hosted
  • Login details for the destination server(s) and any additional spam or virus filtering systems
  • Login details for the DNS Control Panel where the domain name(s) zone files are hosted
  • If you are configuring FailSafe Professional or Enterprise, you will need details of the users who will be provided with FailSafe Webmail access – specifically their full name, primary email address, plus Aliases and distribution list memberships. You’ll also need an address to redirect bounced email (for addresses which won’t exist on the FailSafe system) and a valid email address at the destination domain for testing purposes.

How to Provision

We suggest you read How It Works – System Details so that you know what to expect from the product.

  1. To provision, login to the Control Panel and simply click on Add Product and proceed with the Add Product wizard.
  2. The service will be active and chargeable immediately after the wizard has completed.
  3. At the end of the process, you’ll be provided with instructions for next steps.

NB: You’ll always be able to review these steps at any time by clicking on the ‘first steps’ link which is inside the product configuration area.

How to upgrade an existing subscription

Upgrading to different FailSafe versions or adding users is possible at any time.

To upgrade to a different FailSafe version

Simply navigate to the Subscriptions section of Product Configuration where you’ll see options for upgrading the version of FailSafe.

Upgrading an existing package results in cancellation for billing purposes of the current service and a new product instance is created from the date of upgrade, chargeable at the new rate. This is for billing only – there will be no service interruption.

To add additional user packs

From the Subscriptions section of Product Configuration simply select the user pack type, enter the number of packs you require and click on the Add Pack button. Remember to click Save Settings when finished. For example, if you require 20 more users, select the pack type which includes 10 users, enter 2 in the quality box and click the Add Pack button.

Configure: Notifications & Alerts

Notifications & Alerts

Spam & Virus Notifications

When incoming mail is blocked due to a virus or restricted file type, it is possible to configure email notifications to the original recipient and/or an administrator address(es).

By default, this feature is disabled.

Statistics Digest Email

The Statistics Digest email provides an overview of the filtering performance. The email sent is unbranded and can be scheduled to go regularly. The subject, from name and email sender can all be customised.

By default, this feature is disabled.

Domain Quarantine Digest Email

Domain level quarantine management can be delegated to one or more customer admins – see Creating a login for Account Administrators. A daily or weekly quarantine digest email, listing all emails in the quarantine, can be configured so that it is sent to one or more email addresses. Quarantined emails can be released from the digest email.

By default, this feature is disabled.

User Quarantine Digest Email

A daily or weekly digest email can be sent to users and they can release emails directly from the email without needing a login to the system. This reduces set-up time and complexity. Only users who have quarantined items will receive the digest email – if nothing had been quarantined, they will not receive the digest.

By default, this feature is disabled.

Provision, Upgrade & Cancel

How to cancel a subscription

Any active products in the Control Panel will be invoiced on their renewal date, regardless of whether they are being used or have MX records pointing at them

To cancel a subscription navigate to the Subscriptions link in the product configuration section and follow the instructions: How to cancel a subscription

Configure: Virus & Content Handling

Default Operation

All Incoming and Outgoing emails are scanned for viruses and potentially harmful file types.

By default:

  • emails containing a virus or blocked files will not be placed into the quarantine.
  • The sender of the blocked email will receive a bounce email notifying them of the failed delivery.
  • Recipients and Administrators are not notified of blocked emails by default, however this can be altered in Notifications and Alerts

NB: Settings described here affect Virus and Content Handling layers of the overall filtering system. The separate spam filtering layers may also trap emails which contain malicious content.

Email Attachment Filtering

Compressed File Attachments

If ‘Compressed File Attachments’ is enabled, any email with Zip file attachments containing any of the file types listed in the Default Block List will be rejected.

File Attachments

If File Attachments is enabled, any email containing any of the file types listed in the Default Block List will be rejected.

Default Block list

The files listed will be blocked if either File Attachment or Compressed File Attachment scanning is enabled. You may edit the list.

Configure: Outgoing Email

Overview

The service can be used to relay outgoing email from your in-house server(s)

The only supported authentication mechanism is SMTP Authentication and you must use the Control Panel to create an SMTP Auth Account so that you can then configure your in-house server(s) with those account details.

It is possible to force our Smart Hosts to relay all outgoing email via third party Smart Hosts. For example, this may be required if you employ a third party archiving or email branding service.

Rate Limits & Restrictions

Read more about rate limits

Email Newsletters

Whilst it is possible to send email newsletters via the Smart Hosts, you should make sure that you remain within the Volume Rate Limits. Additionally, all email usage must be strictly inline with our Acceptable Use Policy. Valid complaints from third parties about unsolicited mail sent from your domain will be upheld and will likely result in service suspension.

SPF Records

Sender Policy Framework (SPF) is a validation system designed to prevent email spoofing by verifying sender IP addresses. You should create an SPF record for all domains you add to this system.

How to create an SPF record

Navigate to the Your Product Details page where a customised SPF record is provided for your domain. Your Product Details is in the upper right corner of this help area.

Configure: Incoming Email

Destination Server Configuration

Please read the following to understand how to configure your destination server so that it is optimally configured for use with the service

Reject unknown users

Configure rejection of unknown email addresses on your destination server(s).

The filtering system uses call out verification to query the destination server(s) before accepting mail – if the user is accepted by the destination server(s), the mail is processed by the scanning system. The result of the call out verification is cached to reduce load on the destination server, particularly in cases of directory harvest attacks.

NB: You should configure the destination server(s) to reject unknown users otherwise the scanning system will not offer any protection against directory harvesting attacks.

Avoiding ‘Backscatter’

It is very important that your destination server(s) do not reject emails that are addressed to valid recipients. Typically this would be caused by your servers carrying out their own spam and virus scanning and us trying to deliver mail that’s tagged as suspect spam. If you want to perform secondary scanning, you should configure your server to quarantine suspect mail rather than rejecting it.

Why is Backscatter a problem?

When we accept an email on your behalf for a valid user, our servers let the sending server know that we’ve accepted the email. If your server subsequently rejects it and issues a Non Delivery Report (NDR), this creates confusion and generates unnecessary email traffic (the NDRs). It can quickly lead to black listing of your domain and potentially our entire service. Read more about Backscatter on Wikipedia.

Multiple Destination Servers

The system is designed to attempt delivery of incoming mail to all of the Primary Destination Servers first. If all are unresponsive, it will try to deliver to each of the Secondary Destination Servers. If none of these are responsive, the email will be queued and will also be passed to the FailSafe Queue. For details of how often the FailSafe queue tries to redeliver queued emails, please read Understanding the Mail Queues.

Example Configurations

Primary IP address provided by your main DSL provider + secondary IP address provided by a backup Internet provider. Both configured to accept mail and forward to your single Exchange Server.

  • Configure both IP addresses as Primary Destination Servers, with the primary IP listed first.

Primary Exchange Server + standby mail forwarder. You only want the standby server to receive email if the Exchange Server is offline.

  • Enter the Exchange Server host details as the Primary Destination Server.
  • Enter the Standby mail forwarder as the Secondary.
  • NB: Consider using FailSafe options instead of the standby server.

Firewall configuration

You need to allow our servers talk to your servers. You should restrict incoming SMTP connections from the IP ranges listed in Your Product Details in the upper right corner of this help area

NB: If performing a migration, be sure to keep any existing SMTP rules in place until all email is being delivered via our servers.

Spam Handling

All incoming email is scanned for spam before being forwarded to the destination servers. At no point does the system silently discard emails.

Read more about how the spam filtering works.

Default Settings

When you activate Email Security, the default spam filtering settings are:

  • Suspect mail will be quarantined.
  • Spam mail will be rejected and not quarantined.
  • Accepted Language = English

You can easily modify this behaviour in the Spam Handling section of the product configuration.

DKIM Signatures

The system verifies DKIM signatures for incoming email. Invalid signatures contribute to an email’s spam score.

Sender Policy Framework (SPF)

If incoming mail fails an SPF validation, a score is assigned as follows depending on whether it’s a soft or hard fail:

  • score SPF_FAIL 3.0
  • score SPF_SOFTFAIL 1.0

Unfortunately a lot of legitimate mail is sent from domains with badly configured SPF records. For this reason, the above scores aren’t enough on their own to mark an email as spam (assuming default spam scoring settings) but, in the case of a hard fail, only a few other minor rule hits are required to cross the threshold.

White/Black lists

  • White and Black Lists operate domain wide for both the primary and any Alias domains configured.
  • Whitelisting affects most layers of the filtering system - except Virus filtering and some custom RBLs.
  • Entries in either list must be valid email addresses only - host addresses cannot be used.
  • White and Black lists operate using the SMTP Envelope Sender From address and the body From address. See SMTP Envelope From address
  • White and Black lists only affect incoming mail.

Language Preference

The spam filter will assign higher scores to emails which aren’t in your native language, therefore you should add any other languages you communicate in using the settings in Language Preferences.

Read more about how the spam filtering works.

Unknown Sender Delay

Unknown Sender Delay (Greylisting) works very well to cut out unwanted emails. You can read  more about this feature here.

FailSafe

FailSafe Standard

There is nothing to configure – queued emails are automatically redelivered – see Understanding The Mail Queues

FailSafe Professional and Enterprise

For both products, you need to:

  1. Set up the FailSafe mailboxes using the Mailbox Manager.
  2. Add any email aliases and distribution lists which should be active and accessible during a disaster.
  3. Provide details of a valid email address at the destination domain which will be used by our system for testing the configuration.

Anti Spoofing

You can configure the system to protect against various spoofing attacks.

By default, these anti-spoofing features are disabled.

Important note

Before you enable these features, you must have a properly configured SPF record published for all domains which are enabled for use with this system. See SPF Records for more information. You must also add all Authorised Senders.

Internal Impersonation Protection?

This feature stops external senders from impersonating your internal email addresses and makes it harder to send your users emails pretending to be from your domain. When an email arrives with your domain name in the From address, sent from a system which is not on your list of Authorised Senders, the system will flag the email as impersonated.

  • Impersonated email can be quarantined, delivered, or diverted with a modified subject line, so that the recipient is warned about the impersonation.

Close Match Detection

Emails sent to you from a domain name which resembles your own can be detected as impersonation attempts. The system provides a number of ways to process emails after they trigger this feature.

Attackers may try various domain name related misspellings in order to trick your recipients into thinking that the email is a legitimate message from your domain. For example:

  • sample.com and samp1e.com where the letter ‘L’ is swapped for a number ‘1’
  • sample.com and sample.co where the domain extension is a single letter difference
  • sample.com and smple.com where the ‘A’ is missing

In these examples the character difference would be 1, a very close match and possible impersonation.

Configuring Authorised Senders

Authorised Senders are the systems which are allowed to send email using your domain. You  must list every system including 3rd party systems to avoid falsely triggering the Anti Spoofing features on otherwise legitimate emails. Systems which might send email using your domain could include:

  • Your in-house server (which is protected by this service) if you do not relay your outgoing emails via this service
  • Your accounting system (e.g. Sage or Xero)
  • Your email marketing system (e.g. MailChimp)
  • Photocopiers / Printers which can send emails

Troubleshooting

Common Problems

General Email Troubleshooting

Our Knowledge Base contains various articles listing the most common email issues

Understanding Email Headers

Please read this help article about how to identify and understand email headers

Common problems with spam filtering settings

Our Knowledge Base contains various articles listing the most common issues with spam filtering settings

Common reasons you aren’t receiving emails

Our Knowledge Base contains various articles listing the most common reasons you aren’t receiving emails

Common reasons emails sent to you are delayed

Our Knowledge Base contains various articles listing the most common reasons emails sent to you are delayed

Common Problems when Sending Emails

Our Knowledge Base contains various articles listing the most common problems when sending emails

Website Contact Forms

If you send mail from your website to a recipient in any domain configured for this service (e.g. from a contact form) you may experience problems receiving the email, if the web host is a known source of spam. This is often the case with web hosting servers as they can be easy for spammers to compromise and thus become blacklisted. In such cases, your contact notification emails from your website could well be blocked as spam. It is not possible to whitelist mail sending hosts by IP Address or by hostname (eg. www.example.com).

To check if your hostname or IP address has been blacklisted as a know source of SPAM, you can use the Barracuda SPAM database lookup tool.

Technical Support

How to Request Technical Support

Please use the ticketing system within the Control Panel to initiate a request for support.

What to Expect

Our support is provided by engineers who have deep technical knowledge about email and won’t be reading from a script when they reply to you. They will almost certainly spend time investigating your issue before replying to provide the resolution in their first response. This is to save you as much time as possible.

What’s covered by Technical Support

Support is limited to third line, technical issues only – we don’t provide end user support and we aren’t able to help with basic email concepts. It’s also frustrating when we’re asked to explain why an email bounced, when the explanation is already provided in the forwarded bounce error message - so please read error messages carefully before forwarding to us for assistance.

Billing

How we bill for this service

The service is active and chargeable from the moment you provision it, regardless of whether you have switched MX records or otherwise made use of it. We’ll invoice you the month after you provision it and each period (e.g. month/year) thereafter until you cancel it.

Cancellations

If you no longer need the service, you must cancel the subscription – see below.

No credits are provided for early cancellation.

Upgrades

Upgrading an existing package results in cancellation for billing purposes of the current service (operationally nothing is affected) and a new product instance is created from the date of upgrade, chargeable at the new rate.

How to cancel a subscription

Any active products in the Control Panel will be invoiced on their renewal date, regardless of whether they are being used or have MX records pointing at them.

To cancel a subscription navigate to the Subscriptions link in the product configuration section and follow the Cancelation Instructions.