Frequently Asked Questions (FAQ) for Email Fraud Protection

Article ID: 175036

Products

Email Security.cloud Email Fraud Protection

Issue/Introduction

Frequently Asked Questions

Environment

Email Security.cloud

Email Fraud Protection Platform

Resolution

If my domains are protected by DMARC and are at enforcement, what do I have to monitor?

The Email Fraud Protection platform is continuously monitoring for changes in the services that are allowed to send email using your domain. If a service stops authenticating, or if a new service appears, the platform will notify the Symantec Support team. If necessary, they will contact you.

What does "at enforcement" mean?

"At enforcement" means that you have a DMARC policy of quarantine or reject. Only these two policy settings will cause unauthenticated email to go to the spam folder or be rejected.

What does a spike in unauthenticated emails mean?

If your domain is at enforcement, there is nothing to do. A spike in unauthenticated emails just means that these emails, which might indicate a phishing attempt, have been sent to the spam folder, or rejected, depending on your policy setting or the receiver's practice.

What if I see a new unauthenticated domain or sender?

The Email Fraud Protection platform continuously monitors for new senders. If necessary, the Symantec Support team will reach out to you. If you create a new domain, you need to add it to the Email Fraud Protection platform.

Are all emails that fail authentication phishing attempts?

Not necessarily. Some email messages pass through email forwarders, such as mailing lists, that damage information in the email needed for authentication. This is typically a very tiny percentage of overall mail flow.

Can I tell what domains are under attack?

You can see attacks only by looking at each unauthenticated domain and looking at the volume. There is always a background level of phishing that is going on, as automated attacks run continually.

Can I tell if I am being successfully phished?

If you are at enforcement, then exact-domain phishing attacks will get blocked. This means you are protected against the primary, and most dangerous, form of phishing attack.

What should I check on daily, weekly, monthly?

Each month, the Email Fraud Protection platform sends a monthly update email that includes graphs and data about email authentication performance during the month. The report includes the number of emails authenticated and blocked, the number of domains that are not at enforcement, sending with enforcement, and blocked, and the passing and failing services for each domain. This monthly update gives you a high-level view of the status of your domains.

What do I need to set up two-factor authentication?

First, you need to implement a SAML 2.0-compliant SSO provider in your enterprise environment. Then, you can set up the Email Fraud Protection platform to authenticate users with that SSO provider. Implementations are available for OneLogin and Okta, and instructions can be found in Account Settings. Custom implementations can be made for other SSO providers if they are SAML-compliant.

What does the Source of Email graph tell me?

This map shows which countries are sources of email that claim to come from your domain. If you select Suspicious, you can see what would be happening if you were not using Email Fraud Protection. The Top Countries list gives you an idea of which countries are the main source of suspicious emails. You may find that the United States or Canada are major sources; this can be due to email servers in those countries being used by overseas spammers.

What does the Email Disposition graph tell me?

This graph shows the number of emails processed during the past 30 days. Emails can be allowed through, quarantined, or rejected by the DMARC authentication process. Any increase or spike in unauthenticated emails can be attributed to an attempted phishing attack, or possibly to a new service that has appeared. Quarantined and Rejected show the number of emails blocked by Email Fraud Protection.

What does the Enforcement Status graph tell me?

This graph tracks your progress to enforcement. The Email Fraud Protection platform can only track the customer domains that we have been told about. Ideally, all customer domains should be at enforcement or blocked from sending email.

What does the DMARC Status graph tell me?

This graph shows a bar chart of the number of emails that pass or fail DMARC authentication. A spike in the number of emails failing DMARC may be evidence of a phishing or spam attack that was blocked.

How do I enable a sender? What should I consider before doing so?

To enable a sender, follow these basic steps:

  1. Open the Email Fraud Protection Portal’s Domains page and navigate to the domain or subdomain for the sender.
  2. Click the domain name to display the Configuration page for the domain.
  3. Scroll down to the Your Email Domains section, which displays the list of domains currently configured for email authentication.
  4. Click the “+” sign to the right of Enabled Senders and use the drop-down list in the Enable a new sender dialog to find and select the desired sender. Some configuration by the sender may be required to properly support email authentication.

To learn more, you can search the sender organization's website or contact the organization directly. If you are unsure what to ask, contact Symantec Support for information.

Emails authenticate by SPF or DKIM, or fail to authenticate, but why does that matter to me?

On the platform's dashboard, the DMARC Authentication Failure Rate graph shows failure rates for SPF and DKIM authorization separately. Any spike in unauthenticated email may indicate an attack that was successfully blocked, regardless of whether it was due to SPF or DKIM authorization failure.

How do I get and add a DKIM key? What do I have to do to make it work?

Keys used for email authentication by the DKIM mechanism are updated within the service periodically. However, if a new third-party service is not currently included and you are unable to engage the business, contact Symantec Support for assistance. Support will facilitate identifying the third-party service DKIM key details on your behalf. If you have the key details and need to add them, navigate to the Domains page in the Email Fraud Protection portal and click the name of the domain to display the Configuration page for the domain. Scroll down to the DKIM Keys section of the Configuration page and click the red "minus sign" icon to the right of the domain name for instructions on how to add the keys to your DNS record.

How do I see what email services the company is using?

On the Authentication Status page, the authorized email services are shown in the enabled senders list.

What happens to emails that fail authentication? Do they get quarantined or rejected?

This depends partially on what your policy setting is, be it none, quarantine, or reject. Generally, quarantine should mean that the email is sent to the spam folder. Reject means that the email will not get to the inbox, but some providers will reject, and some will mark the emails as spam or junk. However, because different email recipients handle this step differently, it is not possible to determine what happens.

What is SPF alignment or DKIM alignment?

Alignment is required for DMARC. For SPF, alignment means that the domain in the return path of the email is the same as the domain in the From address of the email. For DKIM, it means that the domain that the DKIM key is associated with is the same as the domain in the From address. For an email to authenticate properly with DMARC, the email must pass either SPF or DKIM in an aligned way. Note that only one is required, but passing both is fine.
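The alignment rule above and the "at enforcement" definition earlier in this FAQ can be worked through on a few messages. The following is an added example, not code from the Email Fraud Protection platform. The function names and all sample values are constructed, and it compares domains for an exact match as this FAQ words it, so DMARC's relaxed alignment mode (which compares organizational domains) is not modelled.

```python
from email.utils import parseaddr

def domain_of(value: str) -> str:
    """Lower-cased domain of an address ("Name <a@b>", "a@b") or a bare domain."""
    addr = parseaddr(value)[1] or value
    return addr.rpartition("@")[2].strip().rstrip(".").lower()

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into its tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags

def at_enforcement(txt: str) -> bool:
    """True only for a policy of quarantine or reject, as the FAQ defines it."""
    tags = parse_dmarc(txt)
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() in ("quarantine", "reject")

def evaluate(msg: dict, dmarc_txt: str) -> dict:
    """Exact-match alignment check plus the disposition the domain owner requests."""
    from_dom = domain_of(msg["from"])
    spf_aligned = msg["spf_pass"] and domain_of(msg["return_path"]) == from_dom
    dkim_aligned = any(ok and domain_of(d) == from_dom for d, ok in msg["dkim"])
    passed = spf_aligned or dkim_aligned  # only one aligned pass is required
    policy = parse_dmarc(dmarc_txt).get("p", "none").lower()
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail",
            "requested": "deliver" if passed else policy}

# Constructed sample data: one policy record and three messages claiming example.com.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:reports@example.com"
SAMPLES = {
    # Sent from the domain's own server: SPF passes and the return path matches.
    "own_server": {"from": "billing@example.com", "return_path": "bounce@example.com",
                   "spf_pass": True, "dkim": []},
    # Third-party service not yet configured: SPF and DKIM pass, but for its own domain.
    "unconfigured_service": {"from": "News <news@example.com>",
                             "return_path": "bounce@mailer.example.net",
                             "spf_pass": True, "dkim": [("mailer.example.net", True)]},
    # Forwarded by a mailing list: return path rewritten, original DKIM signature intact.
    "forwarded_list": {"from": "alice@example.com", "return_path": "bounces@lists.example.org",
                       "spf_pass": True, "dkim": [("example.com", True)]},
}

if __name__ == "__main__":
    print("at enforcement:", at_enforcement(RECORD))
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg, RECORD))
```

The `unconfigured_service` message passes both SPF and DKIM yet fails DMARC because neither result is for the From domain, which is why a sender must be configured for authentication rather than simply allowed by IP.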

Can I just whitelist IPs of services so that they send as me?

Simply whitelisting the IPs of services, although technically possible, defeats the purpose of using Email Fraud Protection and leaves you unprotected against unauthorized use of your domains. It is a best practice to use the Email Fraud Protection portal to add all services that send email on your behalf to your Enabled Senders list and configure appropriate authentication.