Default Rules

Email Security comes with a set of sensible Default Rules. These defaults may be sufficient for your organisation, but we still recommend you familiarise yourself with them, in order to fully understand what's happening. There are defaults for both Message Rules and Connection Rules.

Many of the default Rules are System Rules. System Rules will be hidden, unless you set the View System Rules toggle to .

Default Connection Rules

Connection rules are used when a connection is made to EMS and before any email content is processed. If an email is rejected no message rules will apply.

Please don't make changes to these default Rules. If you do so, the amount of spam you receive will probably increase significantly.

System Rules

(Locked) Spamhaus

Commercially available blacklists of IP addresses known to send spam. This includes the XBL, SBL and PBL.

(Locked) DHA

The (Locked) DHA Rule checks whether a valid email address is configured in the Mailboxes section of the portal. If the email address is not configured, then the message is rejected.

(Locked) Spam RBL

Commercially available blacklists of IP addresses known to send spam.

(Default) Invalid MX record

This rule will only be triggered if the MX record for the domain is invalid and EMS was unable to deliver.

(Default) Zero Reputation Domain service

Identifies email domains that are newly registered or were previously dormant, and rejects emails from them for a 24-hour period. Entries on the safe list are excluded.

Standard Rules

Maximum Mail Size

Automatically rejects emails above a certain size. The default is 50Mb, but you can easily change that limit.

Routing Loop detection

Detects mails that are in a possible loop based on the received header count. Values available from 25-32 hops.


The Deny Rule is used to block connections from addresses that are entered on the Global and Personal Deny lists. It will block inbound and outbound email from and to those email addresses respectively.

Default Message Rules

System Rules

(Default) Signature Verification

Adds a header to the message (Authentication-Result) containing the various DMARC parameters, with the pass or fail properties of the email.

(Default) Invalid Sending Domain

Checks the sender domain for the presence of an MX record and host, and that the domain can be connected to. Also validates that the remote server responds to a HELO or EHLO command within 10 seconds. Adds 110 to the spam score if triggered.

(Default) FROM Address Check

Checks whether the From address in the header exists in any deny list. Adds 144 to the spam score.

(Default) CoreService Spam

Checks whether the email is known spam and classifies it accordingly. Adds values to the spam score: 180.

(Default) CoreService Malware

Checks and classifies the email as malware detected by heuristic analysis. Adds values to the virus score.

(Default) CoreService Phishing

Checks and classifies the email as a known phishing attempt. These are messages detected as phishing either by heuristic analysis or through a fraudulent link found in them. Adds values to the spam score: 699.

(Default) CoreService2 Spam

The message is identified as spam because it matches characteristics of a known spam outbreak from confirmed spam sources. Adds values to the spam score: 181.

(Default) CoreService2 Suspect

The message is treated as suspected spam because it matches characteristics of a mass distribution outbreak from sources that are not confirmed spammers, but are considered as spam. Adds to the spam score: 111.

(Default) Password Protected Attachment

Looks for password-protected docx, xlsx, pptx, pdf and zip files, and adds a message header if such a file is found.

(Default) System Malware Detection

Runs the email and attachments through commercial anti-virus engines for known malware and threats and adds 108 to the virus score.

(Default) Bitdefender AV

Runs the email and attachments through commercial anti-virus engines for known malware and threats and adds 110 to the virus score.

(Default) Blog Spam

Looks for known blog spam entries in body or subject and adds 110 to spam score if it finds any.

(Default) URL Scanner

Looks at URLs in the email and checks the reputation of those links using a subset of the LinkScan rule method.

(Default) Automatically add outbound recipients to Personal Safe List

Disabled by default. This will automatically add the recipient email address to the personal safe list for outbound emails.

(Default) Email Banner

Disabled by default. Adds an email banner/stamp based on your branding.

(Default) Apply DKIM signing

Applies a DomainKeys Identified Mail (DKIM) signature to outbound emails.

(Default) Domain Name Detection

Detection of domain in outlook label. For more information please see this link.

Standard Rules

Opportunistic TLS

Marks the email for delivery by TLS if the remote server supports it. It will fall back to non-TLS/Plain SMTP if it can't be delivered by TLS.

Macro and VBA Detection

Disabled by default. Scans the attachments of the email for Macro or VBA code-enabled office documents. This includes .rtf files.

HTML attachments

Disabled by default. Detects any attachment with an HTML variant attachment name. Excludes the safelist and will add to the virus score. Used if sandboxing is not licensed.


If the current Virus Score for this message is greater than 30, send the message to the company quarantine "virus" folder.

Send Attachments to Sandbox (optional add-on)

If the sandbox product is licensed, this rule will send any attachments in the email to the sandbox(es) and await results before delivering the message. The rule can be configured to strip attachments and replace with a report if a threat is found.

The sandbox rule should always be placed below the Virus rule.

Spoofed Messages

Checks the Mail From and recipient. If both are internal domains, adds to the spam score.

Executive Tracking

For more information on this rule see this article.

Nearby Domain

Detects senders using a domain similar to one of your own configured domains, so that the message appears to be internal. For more information see this article.
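The page does not say how the Nearby Domain rule measures similarity. The following added example (not the product's own code) shows one common approach, edit distance combined with folding of look-alike character pairs; the domain names, the substitution table and the distance limit are assumptions chosen for illustration.

```python
def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

# Look-alike pairs folded before comparison (constructed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain):
    """Normalise a domain so visually similar spellings compare equal."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def nearby_domain(sender_domain, own_domains, max_distance=1):
    """Return the configured domain that sender_domain resembles, or None."""
    sender = sender_domain.lower().rstrip(".")
    own = {d.lower().rstrip(".") for d in own_domains}
    if sender in own:
        return None  # exact match is an internal domain, not a look-alike
    for d in sorted(own):
        if skeleton(sender) == skeleton(d) or edit_distance(sender, d) <= max_distance:
            return d
    return None

if __name__ == "__main__":
    own = ["acme.example"]  # hypothetical configured domain
    for s in ("acrne.example", "acmee.example", "acme.example", "othercorp.example"):
        print(s, "->", nearby_domain(s, own))
```

Short domains produce more false matches at a given distance, so the limit should stay small and safe-listed partners should be checked first.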

CoreService Suspect

Messages with a subject that may potentially cause financial or other damage will be caught by this filter. For instance, emails with content referencing money transfer or intended to obtain personal information.

Script and Executable Files

Looks for any of the following file types, and adds to the spam score if such a file is detected:

Binary Format Extensions

If you wish to completely block Executable files then you can create a rule using the File Type condition with value Executable. The File Type condition will also unpack archives to find matching File Types.



Rewrites any URL links to use the service. For more information see this article.

High Reputation Marketing

Typically, this Rule catches email campaigns issued from a professional and known routing platform (ESP) that follow the rules of use for email advertising, by providing unsubscribe links, list cleaning, etc. Prefixes a subject line entry with [Marketing High].

Medium Reputation Marketing

This Rule will catch any advertising email that follows the rules of use of marketing email, but which was not sent through a well-known routing platform. The heuristic rules that catch these are predictive and generic. Prefixes a subject line entry with [Marketing Medium].

Low Reputation Marketing

Any other advertising campaign that does not comply with emailing rules by presenting poorly-organized content, non-compliance with CAN-SPAM, no unsubscribe link, etc. Adds 109 to the spam score.

SPF Fail

Adds to the spam score when a message gets an SPF FAIL result, based on the connecting IP, the SMTP connection sender domain and the sender domain's SPF DNS records.

Confirmed Phishing

Quarantines any known phishing emails (as identified by the CoreService Phishing Rule).

Confirmed Spam

If the previous rules have raised the spam score above the specified threshold, the message will be company-quarantined into the spam folder. No digest will be sent. This reduces user administration, as these are known spam emails.

Possible Spam

This rule works in much the same way as the Confirmed Spam rule, except it deals with emails that haven't reached a high enough level to be company-quarantined, but which are above a set level for safety. Emails that reach this level and trigger this rule will be quarantined.


This checks the DMARC result in the message's Authentication Result header (added by the Signature Verification Rule) for all inbound emails. When there is a failed DMARC result and the sender domain has reject/quarantine in its published DMARC policy, the email will be quarantined.
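The decision described above can be sketched as follows. This is an added example, not the product's code: it assumes the header follows the RFC 8601 layout with the published policy in a `(p=...)` comment, and the gateway identifier `ems.example` and the sample messages are constructed. Only the header stamped by the gateway itself is trusted, since a sender can insert their own.

```python
import re
from email import message_from_string

# RFC 8601 names the header "Authentication-Results"; the page writes it in the
# singular, so both spellings are accepted here (assumption).
HEADER_NAMES = ("Authentication-Results", "Authentication-Result")
ENFORCING = {"reject", "quarantine"}

def gateway_dmarc(raw_message, authserv_id):
    """Return (result, policy) from the gateway's own header, else (None, None)."""
    msg = message_from_string(raw_message)
    for name in HEADER_NAMES:
        for value in msg.get_all(name, []):
            # Unfold the header, then split it into authserv-id and method results.
            parts = [p.strip() for p in " ".join(value.split()).split(";")]
            # Skip headers stamped by any other host: the sender controls those.
            if parts[0].lower().split()[:1] != [authserv_id.lower()]:
                continue
            for part in parts[1:]:
                m = re.match(r"dmarc=(\w+)", part, re.I)
                if m:
                    pol = re.search(r"\bp=(\w+)", part, re.I)
                    return m.group(1).lower(), (pol.group(1).lower() if pol else None)
    return None, None

def should_quarantine(raw_message, authserv_id="ems.example"):
    """Quarantine only on a DMARC fail where the published policy is enforcing."""
    result, policy = gateway_dmarc(raw_message, authserv_id)
    return result == "fail" and policy in ENFORCING

def build(*headers):
    """Constructed sample message: the given header lines plus a fixed body."""
    return "\n".join(headers) + "\n\nbody\n"

FAIL_REJECT = build(
    "Authentication-Results: ems.example; spf=fail smtp.mailfrom=bank.example;",
    " dmarc=fail (p=reject) header.from=bank.example",
    "From: billing@bank.example")
FAIL_NONE = build(
    "Authentication-Results: ems.example; dmarc=fail (p=none) header.from=news.example")
FORGED_PASS = build(
    "Authentication-Results: mx.sender.example; dmarc=pass header.from=bank.example",
    "Authentication-Results: ems.example; dmarc=fail (p=quarantine) header.from=bank.example")

if __name__ == "__main__":
    for label, raw in (("fail/reject", FAIL_REJECT), ("fail/none", FAIL_NONE),
                       ("forged pass", FORGED_PASS)):
        print(label, "->", "quarantine" if should_quarantine(raw) else "continue")
```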

Deliver Inbound

This rule is locked and cannot be changed or disabled. Routes email to DomainRoute. No NDR is sent back outbound if the customer's email server rejects the message. The message will remain in the queue for 144 hours before it expires.


In order for this Rule to be triggered, the email has run through all the other Rules, and been considered safe. If you have a company-wide disclaimer that must be appended to the email, this Rule will add it. The Disclaimer rule is only created if a disclaimer has been added.

Deliver Outbound

This rule is locked and cannot be changed or disabled. Routes to MX records. An NDR will be sent to the local sender if delivery fails, with an expiry of 4 hours.
