The Click-time URL Protection service did not rewrite a URL that has been received by email. However, it is expected that the Click-time URL Protection service rewrites all of the URL links that are included in the body of an inbound email message.
The first step of investigating this type of problem is to ensure that the Click-time URL Protection service is enabled in the Symantec.cloud portal. For all existing Advanced Threat Protection: Email customers the Click-time URL Protection service is provided in a disabled state. You must enable the service for your organization either globally or on a per-domain basis.
For example:
By default, the Click-Time URL protection service does not rewrite URLs containing hostnames or private IP addresses such as:
The Click-time URL Protection service only handles mail that is inbound to your organization. The service does not rewrite URLs in outbound mail.
Symantec initially advised administrators not to apply click-time protection to the inbound emails that are securely signed using DKIM, S/MIME, and PGP. Rewriting the URLs changes the content of the email. This breaks encryption for the methods that expect an exact match between what is sent and what is received. Though this guidance remains in place for S/MIME and PGP, Symantec now recommends that DKIM-signed inbound emails not be excluded from URL rewriting. DKIM validation takes place at the MTA level and not at the endpoint level. This means that DKIM validation can be done before the URL is rewritten, so that the rewriting doesn’t break the validation. By contrast, because validation for both S/MIME and PGP is done on the endpoint, validation always takes place after rewriting, thus breaking encryption.
Note: Be careful to implement DKIM checking using Email Security.cloud only. You cannot perform DKIM checking on an MTA that is downstream from Email Security.cloud without breaking the signatures for the messages that contain rewritten URLs.
If your email is being displayed in HTML format, it is possible to have the text display a URL or link that is different to the actual destination URL.
For example, both of these links were successfully rewritten by the Click-time URL Protection service, but you can only view the rewritten URL when you hover your mouse pointer over the link or inspect the link's properties:
Advanced Threat Protection: Email customers can define a whitelist of domains that will be excluded from Click-time URL Protection processing. If you have a URL that has not been rewritten by the Click-time URL Protection service, check to ensure the domain in question is not currently on any of your organization's whitelists.
Note: When wildcard entries are used on a whitelist, there is a risk of unintentionally whitelisting certain domains.
Administrators can protect ALL users when the service is enabled, add recipient email addresses as exceptions or protect specific users. If you have a URL that has not been rewritten by the Click-time URL Protection service, check to ensure the recipient in question is not currently on any of your organization's whitelists.
The initial release of Click-time URL Protection will only rewrite URLs that are contained in an email's message body only.
The Click-time URL Protection service does not support the processing of ftp:// schemed URLs.
The initial release of Click-time URL Protection does not support the processing of internationalized domain names.
If you are unable to determine the reason why a URL has not been rewritten, please open a ticket with the Symantec. cloud Support team.
Note: Click-time URL Protection is designed to rewrite URLs up to 2048 characters in length. Longer URLs are not rewritten currently.