Overview

We have made recent changes to our email filtering policies and continue to tweak and make improvements. While security is never convenient, we are trying to address some of the inconveniences and find the appropriate balance for the company. Email is very complicated and there is a lot that goes on behind the scenes. Please understand that email filtering policies are somewhat autonomous. The IT department does not deliberately "block" anything unless we know it to be malicious or illegitimate. There are multiple email policies and layers that could affect your email delivery. Supplying us with detailed information will help resolve deliverability issues.


Protection Layers

We have several layers of protections in place.  We also partner with a Security Operations team, Xent IT, to help log, monitor, and mitigate security issues.  The SOC team has access to our filtering and other security platforms and monitors 24x7.


  • Level 1 - Trend Micro Email Security Gateway
    This is our primary means of filtering email. It is our first line of defense for our email service. We catch and block about 500k bad email messages per month.  The majority of bad email gets filtered and caught in this level. This is a cloud service that protects our Microsoft Office 365 Enterprise email accounts.


  • Level 2 - Native Microsoft Office 365 Defender Basic Protection
    This is the basic entry-level email protection that comes native on personal email services like Gmail, Yahoo, etc. It offers basic protection, but it is not sophisticated enough to catch some illegitimate emails. It does a great job of filtering SPAM, viruses, and malware. It lacks the coverage to effectively filter phishing attempts, business email compromise, spoofing, and other hard-to-catch crafty emails.

  • Level 3 - Trend Micro Cloud App Security
    This is a cloud service that protects some of our cloud applications. This is an extra layer of protection for Email, OneDrive, SharePoint, and Teams.

  • Level 4 - MFA (Multi-Factor Authentication)
    This is our cloud authentication service used to authenticate users for VPN access, email access, and other cloud applications. We have this enabled for external access to Email. An attacker would need to have your username and password in addition to a token generated from your smartphone or hardware token in order to gain access to your email. We have not had a single email hijack since enabling this.


Email Filtering Policies


SPAM/Junk/Marketing/Grayware

Email in this category is usually annoying, but not harmful. This includes a mixture of bulk email lists, marketing, and other email most do not want. It can be equated to junk mail you receive in your mailbox offering you a sweepstakes, to purchase a new car, or the weekly sales paper for your local grocery store. We do not block any of this email. You can find this email in your "Junk" folder. Items here should be reviewed on occasion to see if legitimate mail goes there. If you can't find an email you expect to receive, check here first. If you find legitimate email here, you can easily have it delivered to your inbox in the future by marking it as "Not Junk" following the instructions below.


Stop Selected Items from Going to Junk Folder


Disable Junk Mail Filter


IP Reputation / Blacklists

Many email systems evaluate email traffic and automatically add "bad" servers to blacklists based on sending behavior and end-user reports. If an email server ends up on a blacklist, it is usually because it is sending malicious content to users or is hosting compromised email accounts being used to send malicious content to multiple users. Rarely does legitimate email end up getting blocked by these lists. We block this type of email and return a message to the sender stating the reason it was blocked from delivery. It is up to the sender to consult with their email provider and work to get removed from the IP blacklist. Our users do not have the ability to override or release these emails.


SPF/DMARC/DKIM

Any company that manages an email domain can publish rules that let others determine whether email claiming to be from that company is legitimate. We have to do the same for our company. DMARC policies tell the rest of the world how to handle email claiming to be from that domain when it fails these checks. SPF rules tell the rest of the world to accept messages only from the authorized email servers the company publishes. DKIM signatures are digital signatures that let the receiver verify the sending domain authorized the message and that it was not altered in transit. These technologies are easy ways for us to catch a lot of bad email, phishing attempts, spammers, etc. Almost all of the illegitimate emails we receive have violated one of these rules. It's common practice to use them.

 

Our problem has been that many of the vendors we deal with don't properly set up or configure their email systems. This causes them to violate their own published rules. They tell us and the rest of the world to only allow emails truly from "them", but violate their own published policies and send them from IP addresses and email servers they haven't told us about. This triggers the rules we use to catch the bad guys, making them look like imposters.

 

Due to the volume of legitimate emails being blocked, we are offering the following:

 

We are giving you, the user, the ability to get a daily digest of emails that were quarantined for the reasons stated above. You will be able to see the details of the message and hopefully determine whether the mail should be delivered or not. You will click a link to either deliver, block sender, approve sender domain, or approve sender. You can find detailed instructions in the link below.


**You will ONLY be able to "Deliver and Approve Sender" for messages flagged as SPAM. Other categories are more critical and don't offer this option.


Trend Micro Email End-User Email Quarantine Guide


Malicious Content (Risky Attachments, Malware, Ransomware, Viruses)

We quarantine all of these emails for obvious reasons. They usually contain malicious content that can corrupt your computer or install malware or ransomware. They will not be delivered to your mailbox. They must be reviewed and released manually.


Malicious Intent (Phishing, Fraud, BEC, Spoofing)

Some email content is an attempt to harvest your user credentials or gain access to a system. These can also include fraudulent attempts to get users to send money or complete wire transfers. It's best practice to not perform any wire transfers based on email alone. You should always contact the person to verify the legitimacy of these requests. BEC (Business Email Compromise) is an attempt to pretend to be a corporate user. These attackers have often gained access to a corporate mail account, found sent messages, and recrafted them to request that another user do something fraudulent or malicious. Spoofing is when an outside sender pretends to be from @dktire.com and sends email messages claiming to be from our @dktire.com domain. For obvious reasons we block and quarantine these messages. They must be reviewed and released manually.


Communication

If you are not receiving an email that you expect, please complete a helpdesk support request by navigating to https://support.dktire.com.  Please include the following information:

  1. Sender email address (Sender domain if sender email is unknown)
  2. Timeframe when email was sent
  3. Recipient Email Address (Who the email was sent to)
  4. General content or nature of the email


We block hundreds of thousands of emails weekly. We cannot review all "blocked" emails and identify legitimate emails without your help. Please help us by completing a helpdesk request with as much detail as possible to reduce time to resolution. Many times we get support requests that say something like, "Didn't receive email". This requires us to follow up several times before we can begin to look at the issue.


Please refrain from asking "why" something was blocked.  It takes a lot of extra time to explain this to multiple users and doesn't address the issue at hand.  The "why" is very technical in nature and difficult for most to understand.  Simply let us know you are not receiving an email, and let us spend our time working to identify the issue and get it resolved.  Please understand email systems are somewhat autonomous and that we don't deliberately block anything unless we know it to be malicious.


Please don't request that we blanket "whitelist" an entire email domain for everything. This opens us up to risk and tells the email system to ignore any malicious intent sent from users of that domain. Also, in order to do this, we have to whitelist in multiple areas and policies. We prefer to let the email system do its job and whitelist individual user email addresses for the specific policies that are violated. Also, don't ask us to whitelist a user when you are actively receiving their messages. It's almost impossible to do and may not be necessary. In order to whitelist, we need to confirm your message was actually blocked so we can adjust the email policy appropriately.