How to use the Domain Name Detection rule

Updated 3 years ago by admin

This default rule, which is disabled by default, is designed to detect external spoof emails that use your company domain within the Display Name (generated by the FROM header) to trick users into believing it is an internal or legitimate message.

It does this by using data from the Custom Rule Data regular expression called Domain name detector (Automatic).  Any domain added to the domain section during provisioning will be added as an entry to this rule data regular expression.

If you add a domain after provisioning you will need to add further entries manually.

The rule is disabled by default as its effectiveness will depend on how you use your domain in public emails. For example, if you use marketing services to send email, often these will include the domain name multiple times in the FROM header and this rule can therefore generate false positives. Some automated and internal announcements emails may also be detected incorrectly depending on how they are created and routed.

It is worth reviewing any processes or external systems that may present your email domain in the display name field of email clients, before enabling this rule.

The format of the Regular Expression is

From:.{1,20}yourdomain1.com|From:.{1,20}yourdomain2.com

yourdomain.com will be the domain added to the domain section of Email Security -> Product Configuration.

The regular expression is fully customisable, however, the only part that you will likely need to change is the quantifier expressed as {1,20} . What this will do is detect your domain in the FROM header once within the first 20 characters.  This can be modified to suit your requirements.

How to enable the rule

  1. Login to the Dashboard
  2. Navigate to Email Security -> Message Rules
  3. Change the selector icon in the top right for “View system rules” from OFF to ON
  4. Locate the (default) Domain Name Detection and in the active column and click OFF to toggle it to ON in green

The rule will be active within a few minutes and will apply to any newly processed emails.

Additional Information

This regular expression can also include additional string detection within the display name generated by the FROM header.  For example, some spams may include the company name in the display name.  In this case you can append to the expression:

|From:.+companyname.+<

If you are receiving spam emails that contain your company name or domain within the display name and require further details on enabling and using this rule, please contact your Service Provider.


How did we do?