
Policy Templates & Policies

Overview

Policies can be applied to determine the actions taken on emails based on their verdicts.

Policies can be configured globally, for specific mailboxes, and everything in between, ensuring the required level of granularity.

  • MSP Level (Global Policy Templates): Create a policy template that applies to new customers, or update policy templates and apply changes to existing customers.

  • Customer Level: Create a policy that applies to a specific customer account.

  • Domain Level: Create a policy that applies to a specific domain.

  • End-User Level: Create a policy that applies to specific mailboxes.


Creating Policies

Step 1a: Click New

Navigate to the "Policy" page and select ‘New’.

Note

At the Partner Level, only a template can be created, but it can be cascaded down to customers. More info: Updating Policies from MSP Level

Step 1b: Select the Organization/Domain/User the Policy Will Apply To (Customer view)

Select if you are applying the policy to the “Organization”, “Domain”, or a particular “User”.


Step 2: Fill in name and description

Enter a "policy name" and "description".

Step 3: Define the policy actions for email verdicts

Configure the policy by setting the action that will be applied for each verdict. You can see our suggestions for best practices here:


Step 5: Configure Banned Attachments and Geo Filter

Banned Attachments

Attachment extensions are grouped into the following categories: Executable, Encrypted, Video, Audio, Compressed, Macros, and HTML.

If an email contains an attachment that is part of the selected group, the selected action will be applied.


Geo Filter

Geo-filtering is based on Geo-Location OR the envelope-from Top-Level Domain (TLD). This can be useful to filter, quarantine, or junk email from locations that customers do not frequently contact or from regions known for high volumes of spam.


Only team members with the partner role or administrators can release banned/geo filter emails if configured to “Quarantine in Mesh”. More info: Quarantine Digests

Note

The policy action for the Geo Filter and Banned Attachments can only be bypassed through a Custom Rule. More info: https://docs.emailsecurity.app/help-center/creating-a-custom-rule

Step 6: Advanced Settings


Cold Outreach:

The Cold Outreach toggle allows you to filter unsolicited marketing and sales emails more aggressively.

Enabling this slider may increase false positives, so it is recommended for use in user-specific policies (C-suite, managers, directors) or in circumstances where an organisation wants to reduce this type of content as much as possible.

Zero Trust:

The Zero Trust toggle allows you to achieve a “quarantine by default” approach to email. Clean and Infomail verdicts will be reclassified as Spam-Likely unless the email is sent from a known contact or allowed sender. It is useful in situations such as a Mail Bomb attack.

Note

A “Known Contact” is a sender the recipient has previously sent outbound emails to.

Using Mesh Unified or Mesh 365, we identify these automatically. For the Mesh Gateway, using our Outbound Smarthost is required.

To utilize this feature, our “Infomail” and “Spam-Likely” verdicts must be set to “Quarantine in Mesh” or “Junk in Outlook”.

Spam Filtering Sensitivity:

This feature raises or lowers the spam score threshold for our “Spam-Likely” verdict. This can be useful if you require filtering to be more or less restrictive for everyone or for certain mailboxes.

  • Low will quarantine emails with a spam score of 7.5 as “Spam-Likely”.

  • Medium is our default setting. It will quarantine emails with a spam score of 6.25. Emails with this score fall into our “Spam-Likely” category.

  • High will quarantine emails with a spam score of 5.0 as "Spam-Likely".
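
The sensitivity thresholds and Zero Trust reclassification described above, modelled as an added example (not Mesh code or a Mesh API) for previewing which messages change verdict when a policy is tightened. It also uses the Spam-High and Spam-Definite bands and the SPF-NONE "Score" option from this page's best-practice tables; the class names, the inclusive lower bounds and the order of checks are assumptions.

```python
from dataclasses import dataclass

# Scores below are the ones stated on this page; the rest is assumed.
SPAM_LIKELY_FLOOR = {"low": 7.5, "medium": 6.25, "high": 5.0}
SPAM_HIGH_FLOOR = 9.0        # Spam-High: 9.00-18.00
SPAM_DEFINITE_FLOOR = 18.0   # Spam-Definite: 18.00+
SPF_NONE_EXTRA_SCORE = 3.0   # SPF-NONE "Score" option

@dataclass(frozen=True)
class Policy:                    # hypothetical structure, not a Mesh API
    sensitivity: str = "medium"
    zero_trust: bool = False
    spf_none: str = "no_action"  # no_action | score | quarantine

@dataclass(frozen=True)
class Message:                   # hypothetical structure
    label: str
    score: float
    infomail: bool = False
    has_spf_record: bool = True
    trusted_sender: bool = False  # known contact or allowed sender

def verdict(msg: Message, policy: Policy) -> str:
    score = msg.score
    if not msg.has_spf_record:
        if policy.spf_none == "quarantine":
            return "SPAM-DEFINITE"
        if policy.spf_none == "score":
            score += SPF_NONE_EXTRA_SCORE
    # Assumption: the lower bound of each score band is inclusive.
    if score >= SPAM_DEFINITE_FLOOR:
        return "SPAM-DEFINITE"
    if score >= SPAM_HIGH_FLOOR:
        return "SPAM-HIGH"
    if score >= SPAM_LIKELY_FLOOR[policy.sensitivity]:
        return "SPAM-LIKELY"
    # Zero Trust: Clean/Infomail become Spam-Likely unless the sender is trusted.
    if policy.zero_trust and not msg.trusted_sender:
        return "SPAM-LIKELY"
    return "INFOMAIL" if msg.infomail else "CLEAN"

def changed_verdicts(messages, before: Policy, after: Policy):
    """Return (label, old, new) for each message whose verdict changes."""
    rows = ((m.label, verdict(m, before), verdict(m, after)) for m in messages)
    return [r for r in rows if r[1] != r[2]]

# Constructed sample messages, not real traffic.
SAMPLE = [
    Message("newsletter", 2.0, infomail=True),
    Message("known-supplier", 1.0, trusted_sender=True),
    Message("borderline", 5.5),
    Message("no-spf-out-of-office", 4.0, has_spf_record=False),
    Message("obvious-spam", 12.0),
]

if __name__ == "__main__":
    strict = Policy(sensitivity="high", zero_trust=True, spf_none="score")
    for row in changed_verdicts(SAMPLE, Policy(), strict):
        print(row)
```

Running the comparison against a sample of recent mail before enabling Zero Trust or raising sensitivity shows how many legitimate senders would start landing in quarantine.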

Note

You can see our spam score thresholds in our best practice guides:

Updating Policies from MSP Level

Policy Templates can be updated and applied to existing customers in real time.

Note

When applying global policies to existing customers, the action will overwrite all existing active policies (including user-level policies) for the selected customers.

Step 1: Navigate to Policy page

Click the shield icon for the template you want to apply to customers.


Step 2: Select Customers

Select one or more customers, or enable the “Select all Customers” slider to auto-select all eligible customers.


Step 3: Select Apply

Click “Apply” to confirm and push the policy to the selected customers.

Best Practice - Mesh Unified

The default policy settings are designed to be best practice and are explained below.

Verdicts

| Verdict | Recommended action | What the verdict means |
| --- | --- | --- |
| CLEAN | DELIVER | The email has been scanned and given a clean verdict. |
| IMPERSONATION | QUARANTINE | The email contains Business Email Compromise indicators and sender information matches, or is similar to an internal user. |
| INFOMAIL | QUARANTINE | The email contains an unsubscribe link and/or advertising, marketing, newsletter type content. Note: Many transactional emails will contain unsubscribe links and will be quarantined if your policy is configured to quarantine Infomail. |
| MALWARE | QUARANTINE | The email contains malicious content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined with the malware verdict can only be released by an administrator or partner team member. |
| PHISHING | QUARANTINE | The email contains phishing content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined for phishing verdict can only be released by an administrator or partner team member. |
| SPAM-DEFINITE | QUARANTINE | The email has received a spam score of 18.00+ |
| SPAM-HIGH | QUARANTINE | The email has received a spam score of 9.00-18.00 |
| SPAM-LIKELY | QUARANTINE | The email has received a spam score of 6.25-9.00 |
| SPF-FAIL | REJECT | The email sender has failed SPF. Options: Reject (email dropped at the connection level; rejected emails cannot be retrieved) or Quarantine (set the verdict to Spam-Definite). An SPF softfail will not be rejected even if action is set to reject. Instead, a spam score will be applied. |
| SPF-NONE | NO ACTION | The email sender has no SPF record in place. Many legitimate senders send email without an SPF record in place, e.g. Microsoft Out Of Office Notifications. Options: No Action (do nothing), Score (add an additional spam score of 3.0 to the message) or Quarantine (set the verdict to Spam-Definite). |

Additional Options

| Policy Option | Recommended action | What the verdict means |
| --- | --- | --- |
| Banned Attachments | QUARANTINE (EXECUTABLES) | If an email contains a banned attachment, it will be automatically quarantined. Allow rules DO NOT bypass this verdict. Emails quarantined for banned attachments can only be released by an administrator or partner team member. |
| Bypass Internal Banned Attachments | DISABLED | If enabled, internal emails containing a banned attachment will not be quarantined. |
| Geo Filter | QUARANTINE | Quarantine, junk, or banner actions on emails from different regions and countries. Policy is triggered based on the country of origin or the envelope-from TLD. Allow rules DO NOT bypass this verdict. To bypass the policy-geo verdict, you must create a custom rule or remove the country from the policy option. Emails quarantined due to the policy-geo verdict can only be released by an administrator or partner team member. |

Advanced Settings

| Policy Option | Recommended action | What the setting means |
| --- | --- | --- |
| Cold Outreach | OFF | The Cold Outreach toggle allows you to filter unsolicited marketing and sales emails more aggressively. When enabled, emails will have an increased spam score applied. This is more useful to C-Suite or users that receive more than normal levels of marketing content or sales directed at their mailbox. A user-level policy would be most appropriate. |
| Zero Trust | OFF | The Zero Trust toggle allows you to achieve a “quarantine by default” approach to email. Clean and Infomail verdicts will be reclassified as Spam-Likely unless the email is sent from a known contact or allowed sender. Not recommended as a global setting unless end users understand it has been enabled. Enabling during a mail / spam bomb can help mitigate impact. More info: https://docs.emailsecurity.app/help-center/Mail-%2F-Spam-Bomb.1321173007.html |
| Spam Filtering Level | MEDIUM | This feature increases or reduces the sensitivity of the spam filtering. This can be useful if you require filtering to be more or less restrictive for everyone or for certain mailboxes. Low will quarantine emails with a spam score of 7.5 as “Spam-Likely”. Medium is our default setting; it will quarantine emails with a spam score of 6.25, and emails at this score fall into our “Spam-Likely” category. High will quarantine emails with a spam score of 5.0 as “Spam-Likely”. Medium is the recommended setting. |

Actions Explained

| Actions | What it means |
| --- | --- |
| DELIVER | Emails are delivered to the inbox. |
| DELIVER + BANNER | Emails are delivered to the inbox with a verdict-dependent or contextual banner applied. Learn more here: Banners |
| QUARANTINE | Emails are quarantined in Mesh for 28 days. |
| JUNK | Emails are moved to the Junk folder in Outlook. |
| BANNER | A warning banner is applied to the top of the email. |
| JUNK + BANNER | A warning banner is applied to the top of the email and the email is moved to the Junk folder in Outlook. |
| DELETE | Emails are deleted entirely and will not appear in the quarantine or inbox. Deleted emails cannot be delivered. |
| REJECT | Emails are rejected before content scanning. Rejected emails cannot be delivered. |

Best Practice - Mesh Gateway

The default policy settings are designed to be best practice and are explained below.

Verdicts

| Verdict | Recommended action | What the verdict means |
| --- | --- | --- |
| CLEAN | DELIVER | The email has been scanned and given a clean verdict. |
| IMPERSONATION | QUARANTINE | The email contains Business Email Compromise indicators and sender information matches, or is similar to an internal user. |
| INFOMAIL | QUARANTINE | The email contains an unsubscribe link and/or advertising, marketing, newsletter type content. Note: Many transactional emails will contain unsubscribe links and will be quarantined if your policy is configured to quarantine Infomail. |
| MALWARE | QUARANTINE | The email contains malicious content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined with the malware verdict can only be released by an administrator or partner team member. |
| PHISHING | QUARANTINE | The email contains phishing content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined for phishing verdict can only be released by an administrator or partner team member. |
| SPAM-DEFINITE | QUARANTINE | The email has received a spam score of 18.00+ |
| SPAM-HIGH | QUARANTINE | The email has received a spam score of 9.00-18.00 |
| SPAM-LIKELY | QUARANTINE | The email has received a spam score of 6.25-9.00 |
| SPF-FAIL | REJECT | The email sender has failed SPF. Options: Reject (email dropped at the connection level; rejected emails cannot be retrieved) or Quarantine (set the verdict to Spam-Definite). An SPF softfail will not be rejected even if action is set to reject. Instead, a spam score will be applied. |
| SPF-NONE | NO ACTION | The email sender has no SPF record in place. Many legitimate senders send email without an SPF record in place, e.g. Microsoft Out Of Office Notifications. Options: No Action (do nothing), Score (add an additional spam score of 3.0 to the message) or Quarantine (set the verdict to Spam-Definite). |

Additional Options

| Policy Option | Recommended action | What the verdict means |
| --- | --- | --- |
| Banned Attachments | QUARANTINE (EXECUTABLES) | If an email contains a banned attachment, it will be automatically quarantined. Allow rules DO NOT bypass this verdict. Emails quarantined for banned attachments can only be released by an administrator or partner team member. |
| Geo Filter | QUARANTINE | Quarantine, junk, or banner actions on emails from different regions and countries. Policy is triggered based on the country of origin or the envelope-from TLD. Allow rules DO NOT bypass this verdict. To bypass the policy-geo verdict, you must create a custom rule or remove the country from the policy option. Emails quarantined due to the policy-geo verdict can only be released by an administrator or partner team member. |

Advanced Settings

| Policy Option | Recommended action | What the setting means |
| --- | --- | --- |
| Cold Outreach | OFF | The Cold Outreach toggle allows you to filter unsolicited marketing and sales emails more aggressively. When enabled, emails will have an increased spam score applied. This is more useful to C-Suite or users that receive more than normal levels of marketing content or sales directed at their mailbox. A user-level policy would be most appropriate. |
| Zero Trust | OFF | The Zero Trust toggle allows you to achieve a “quarantine by default” approach to email. Clean and Infomail verdicts will be reclassified as Spam-Likely unless the email is sent from a known contact or allowed sender. Not recommended as a global setting unless end users understand it has been enabled. Enabling during a mail / spam bomb can help mitigate impact. More info: https://docs.emailsecurity.app/help-center/Mail-%2F-Spam-Bomb.1321173007.html |
| Spam Filtering Level | MEDIUM | This feature increases or reduces the sensitivity of the spam filtering. This can be useful if you require filtering to be more or less restrictive for everyone or for certain mailboxes. Low will quarantine emails with a spam score of 7.5 as “Spam-Likely”. Medium is our default setting; it will quarantine emails with a spam score of 6.25, and emails at this score fall into our “Spam-Likely” category. High will quarantine emails with a spam score of 5.0 as “Spam-Likely”. Medium is the recommended setting. |

Actions Explained

| Actions | What it means |
| --- | --- |
| DELIVER | Emails are delivered to the inbox. |
| QUARANTINE | Emails are quarantined in Mesh for 28 days. |
| DELETE | Emails are deleted entirely and will not appear in the quarantine or inbox. Deleted emails cannot be delivered. |
| REJECT | Emails are rejected before content scanning. Rejected emails cannot be delivered. |

Best Practice - Mesh 365

The default policy settings are designed to be best practice and are explained below.

Verdicts

| Verdict | Recommended action | What the verdict means |
| --- | --- | --- |
| CLEAN | DELIVER | The email has been scanned and given a clean verdict. |
| IMPERSONATION | JUNK + BANNER | The email contains Business Email Compromise indicators and sender information matches, or is similar to an internal user. |
| INFOMAIL | JUNK + BANNER | The email contains an unsubscribe link and/or advertising, marketing, newsletter type content. Note: Many transactional emails will contain unsubscribe links and will be quarantined if your policy is configured to quarantine Infomail. |
| MALWARE | QUARANTINE | The email contains malicious content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined with the malware verdict can only be released by an administrator or partner team member. |
| PHISHING | QUARANTINE | The email contains phishing content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined for phishing verdict can only be released by an administrator or partner team member. |
| SPAM-DEFINITE | JUNK + BANNER | The email has received a spam score of 18.00+ |
| SPAM-HIGH | JUNK + BANNER | The email has received a spam score of 9.00-18.00 |
| SPAM-LIKELY | JUNK + BANNER | The email has received a spam score of 6.25-9.00 |

Additional Options

| Policy Option | Recommended action | What the verdict means |
| --- | --- | --- |
| Banned Attachments | QUARANTINE (EXECUTABLES) | If an email contains a banned attachment, it will be automatically quarantined. Allow rules DO NOT bypass this verdict. Emails quarantined for banned attachments can only be released by an administrator or partner team member. |
| Bypass Internal Banned Attachments | DISABLED | If enabled, internal emails containing a banned attachment will not be quarantined. |
| Geo Filter | QUARANTINE | Quarantine, junk, or banner actions on emails from different regions and countries. Policy is triggered based on the country of origin or the envelope-from TLD. Allow rules DO NOT bypass this verdict. To bypass the policy-geo verdict, you must create a custom rule or remove the country from the policy option. Emails quarantined due to the policy-geo verdict can only be released by an administrator or partner team member. |

Advanced Settings

| Policy Option | Recommended action | What the setting means |
| --- | --- | --- |
| Cold Outreach | OFF | The Cold Outreach toggle allows you to filter unsolicited marketing and sales emails more aggressively. When enabled, emails will have an increased spam score applied. This is more useful to C-Suite or users that receive more than normal levels of marketing content or sales directed at their mailbox. A user-level policy would be most appropriate. |
| Zero Trust | OFF | The Zero Trust toggle allows you to achieve a “quarantine by default” approach to email. Clean and Infomail verdicts will be reclassified as Spam-Likely unless the email is sent from a known contact or allowed sender. Not recommended as a global setting unless end users understand it has been enabled. Enabling during a mail / spam bomb can help mitigate impact. More info: https://docs.emailsecurity.app/help-center/Mail-%2F-Spam-Bomb.1321173007.html |
| Spam Filtering Level | MEDIUM | This feature increases or reduces the sensitivity of the spam filtering. This can be useful if you require filtering to be more or less restrictive for everyone or for certain mailboxes. Low will quarantine emails with a spam score of 7.5 as “Spam-Likely”. Medium is our default setting; it will quarantine emails with a spam score of 6.25, and emails at this score fall into our “Spam-Likely” category. High will quarantine emails with a spam score of 5.0 as “Spam-Likely”. Medium is the recommended setting. |

Actions Explained

| Actions | What it means |
| --- | --- |
| DELIVER | Emails are delivered to the inbox. |
| DELIVER + BANNER | Emails are delivered to the inbox with a verdict-dependent or contextual banner applied. Learn more here: Banners |
| QUARANTINE | Emails are quarantined in Mesh for 28 days. |
| JUNK | Emails are moved to the Junk folder in Outlook. |
| BANNER | A warning banner is applied to the top of the email. |
| JUNK + BANNER | A warning banner is applied to the top of the email and the email is moved to the Junk folder in Outlook. |
| DELETE | Emails are deleted entirely and will not appear in the quarantine or inbox. Deleted emails cannot be delivered. |