Policy Templates & Policies

Overview

Policies can be applied to determine the actions taken on emails based on their verdicts.

Policies can be configured globally, for specific mailboxes, and everything in between, ensuring the required level of granularity.

  • MSP Level (Global Policy Templates): Create a policy template that applies to new customers, or update policy templates and apply changes to existing customers.

  • Customer Level: Create a policy that applies to a specific customer account.

  • Domain Level: Create a policy that applies to a specific domain.

  • End-User Level: Create a policy that applies to specific mailboxes.

Creating Policies

This topic describes policy creation and configuration in Mesh.

  1. Navigate to the Policy page and select New. Alternatively, select the Clone option to duplicate an existing policy.

    Note

    At the Partner Level, only a template can be created, but it can be cascaded down to customers. More info: Updating Policies from MSP Level

  2. Choose who you want to apply the policy to. You can choose between Organization, Domain, or User.

  3. Enter a policy name and description.

  4. Configure the policy by setting the action that is applied for each verdict. You can find suggestions for best practices here.

  5. Configure the Banned Attachments and Geo Filter fields.

    • Banned Attachments - Attachment extensions are grouped into the following categories: Executable, Encrypted, Video, Audio, Compressed, Macros, and HTML. If an email contains an attachment that is part of the selected group, the selected action is applied.

    • Geo Filter - Geo-filtering is based on Geo-Location or the envelope-from Top-Level Domain (TLD). This can be useful for quarantining or junking email from locations that customers do not frequently contact or from regions known for high volumes of spam.

      Only team members with the partner role or administrators can release banned/geo filter emails if configured to “Quarantine in Mesh”. More info: Quarantine Digests

      Note

      The Geo Filter and Banned Attachments policy actions can only be bypassed through a Custom Rule. You can read more about this here.

  6. Configure Cold Outreach, Zero Trust, and Spam Filtering Sensitivity.

    • Cold Outreach - The Cold Outreach toggle allows you to filter unsolicited marketing and sales emails more aggressively. Enabling this slider may increase false positives, so it is recommended for use in user-specific policies (C-suite, managers, directors) or circumstances where an organisation wants to reduce this type of content as much as possible.

    • Zero Trust - The Zero Trust toggle allows you to achieve a “quarantine by default” approach to email. Clean and Infomail verdicts will be reclassified as Spam-Likely unless sent from a known contact or allowed sender. It is useful in situations such as a Mail Bomb attack.

      Note

      A Known Contact is a sender the recipient has previously sent outbound emails to.

      Using Mesh Unified or Mesh 365, we identify these automatically. For the Mesh Gateway, using our Outbound Smarthost is required.

      The “Infomail” and “Spam-Likely” verdicts must be set to “Quarantine in Mesh” or “Junk in Outlook” to use this feature.

    • Spam Filtering Sensitivity - This feature raises or lowers the spam score threshold for our “Spam-Likely” verdict. This can be useful if you require filtering to be more or less restrictive for everyone or for certain mailboxes.

      • Low quarantines emails with a spam score of 7.5 as Spam-Likely.

      • Medium is the default setting. It quarantines emails with a spam score of 6.25. Emails with this score fall into the Spam-Likely category.

      • High quarantines emails with a spam score of 5.0 as Spam-Likely.

      Note

      You can see our spam score thresholds in our best practice guides:

Updating Policies from MSP Level

Policy Templates can be updated and applied to existing customers in real time.

Note

When applying global policies to existing customers, the action will overwrite all existing active policies (including user-level policies) for the selected customers.

Step 1: Navigate to Policy page

Click the shield icon for the template you want to apply to customers.

Step 2: Select Customers

Select one or more customers, or enable the “Select all Customers” slider to auto-select all eligible customers.

Step 3: Select Apply

Click “Apply” to confirm and push the policy to the selected customers.

Best Practice - Mesh Unified

The default policy settings are designed to be best practice and are explained below.

Verdicts

| Verdict | Recommended action | What the verdict means |
|---|---|---|
| CLEAN | DELIVER | The email has been scanned and given a clean verdict. |
| IMPERSONATION | QUARANTINE | The email contains Business Email Compromise indicators and sender information matches, or is similar to an internal user. |
| INFOMAIL | QUARANTINE | The email contains an unsubscribe link and/or advertising, marketing, newsletter type content. Note: Many transactional emails will contain unsubscribe links and will be quarantined if your policy is configured to quarantine Infomail. |
| MALWARE | QUARANTINE | The email contains malicious content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined with the malware verdict can only be released by an administrator or partner team member. |
| PHISHING | QUARANTINE | The email contains phishing content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined for phishing verdict can only be released by an administrator or partner team member. |
| SPAM-DEFINITE | QUARANTINE | The email has received a spam score of 18.00+ |
| SPAM-HIGH | QUARANTINE | The email has received a spam score of 9.00-18.00 |
| SPAM-LIKELY | QUARANTINE | The email has received a spam score of 6.25-9.00 |

Authentication

Connection verdict

Recommended action

What the verdict means

DMARC-FAIL

SENDER DMARC POLICY

The email sender has failed DMARC.

  • Sender DMARC Policy - Email is actioned depending on the DMARC policy found in the sender’s DNS.

    • p=reject: Email is rejected at the connection level and cannot be retrieved.

    • p=quarantine: Email is given a Spam-Definite verdict.

    • p=none: No action is taken outside of regular filtering.

  • Quarantine - Email is given a Spam-Definite verdict, regardless of the sender's DMARC policy.

SPF-FAIL

REJECT

The email sender has failed SPF.

  • Reject - Email dropped at the connection level. Rejected emails cannot be retrieved.

  • Quarantine - Set the verdict to Spam-Definite.

An SPF softfail will not be rejected even if action is set to reject. Instead, a spam score will be applied.

SPF-NONE

NO ACTION

The email sender has no SPF record in place.

Many legitimate senders send email without an SPF record in place, e.g. Microsoft Out Of Office Notifications.

  • No Action - Do nothing.

  • Score - Add an additional spam score of 3.0 to the message.

  • Quarantine - Set the verdict to Spam-Definite.

Additional Options

Policy Option

Recommended action

What the verdict means

Banned Attachments

QUARANTINE

EXECUTABLES

If an email contains a banned attachment, it will be automatically quarantined.

Allow rules DO NOT bypass this verdict. Emails quarantined for banned attachments can only be released by an administrator or partner team member.

Bypass Internal Banned Attachments

DISABLED

If enabled, internal emails containing a banned attachment will not be quarantined.

Geo Filter

QUARANTINE

Quarantine, junk, or banner actions on emails from different regions and countries. Policy is triggered based on the country of origin or the envelope-from TLD.

Allow rules DO NOT bypass this verdict. To bypass the policy-geo verdict, you must create a custom rule or remove the country from the policy option. Emails quarantined due to the policy-geo verdict can only be released by an administrator or partner team member.

Advanced Settings

Policy Option

Recommended action

What the setting means

Cold Outreach

OFF

The Cold Outreach toggle allows you to filter unsolicited marketing and sales emails more aggressively. When enabled, emails will have an increased spam score applied. This is more useful to C-Suite or users that receive more than normal levels of marketing content or sales directed at their mailbox. A user level policy would be most appropriate.

Zero Trust

OFF

The Zero Trust toggle allows you to achieve a “quarantine by default” approach to email. Clean and Infomail verdicts will be reclassified as Spam-Likely unless sent from a known contact or allowed sender. Not recommended as a global setting unless end users understand it has been enabled. Enabling during a mail / spam bomb can help mitigate impact. Read more about the mail / spam bomb.

Spam Filtering Level

MEDIUM

This feature increases or reduces the sensitivity of the spam filtering. This can be useful if you require filtering to be more or less restrictive for everyone or for certain mailboxes.

  • Low will quarantine emails with a spam score of 7.5 as “Spam-Likely”.

  • Medium is our default setting. This will quarantine emails with a spam score of 6.25. Emails at this score would fall into our "Spam-Likely" category.

  • High will quarantine emails with a spam score of 5.0 as “Spam-Likely”.

  • Medium is the recommended setting.
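
The scoring rules above (spam score bands, sensitivity levels, the SPF-NONE score, DMARC-FAIL handling and Zero Trust) can be modelled to preview how a policy change affects a message. This is an added illustrative example, not Mesh code: the Policy and Message classes, their field names, the evaluation order and the inclusive band floors are assumptions.

```python
from dataclasses import dataclass

# Lower bound of the Spam-Likely band per sensitivity level (values from this page).
SPAM_LIKELY_FLOOR = {"low": 7.5, "medium": 6.25, "high": 5.0}
SPAM_HIGH_FLOOR = 9.0       # Spam-High band: 9.00-18.00
SPAM_DEFINITE_FLOOR = 18.0  # Spam-Definite band: 18.00+
SPF_NONE_SCORE = 3.0        # added when the SPF-NONE action is "Score"


@dataclass
class Policy:                      # hypothetical container, not a Mesh object
    sensitivity: str = "medium"
    zero_trust: bool = False
    dmarc_fail: str = "sender"     # "sender" (Sender DMARC Policy) or "quarantine"
    spf_none: str = "none"         # "none", "score" or "quarantine"


@dataclass
class Message:                     # constructed sample input
    score: float
    infomail: bool = False
    known_sender: bool = False     # known contact or allowed sender
    spf: str = "pass"              # "pass" or "none"
    dmarc: str = "pass"            # "pass" or "fail"
    sender_dmarc_p: str = "none"   # p= tag from the sender's DNS


def score_verdict(score, sensitivity):
    """Map a spam score to a verdict; band floors are inclusive (assumption)."""
    if score >= SPAM_DEFINITE_FLOOR:
        return "SPAM-DEFINITE"
    if score >= SPAM_HIGH_FLOOR:
        return "SPAM-HIGH"
    if score >= SPAM_LIKELY_FLOOR[sensitivity]:
        return "SPAM-LIKELY"
    return "CLEAN"


def evaluate(msg, policy):
    """Return the verdict, or "REJECTED" for a connection-level rejection."""
    if msg.dmarc == "fail":
        if policy.dmarc_fail == "quarantine":
            return "SPAM-DEFINITE"        # regardless of the sender's p= tag
        if msg.sender_dmarc_p == "reject":
            return "REJECTED"
        if msg.sender_dmarc_p == "quarantine":
            return "SPAM-DEFINITE"
        # p=none: no action outside of regular filtering, so fall through
    score = msg.score
    if msg.spf == "none":
        if policy.spf_none == "quarantine":
            return "SPAM-DEFINITE"
        if policy.spf_none == "score":
            score += SPF_NONE_SCORE
    verdict = score_verdict(score, policy.sensitivity)
    if verdict == "CLEAN" and msg.infomail:
        verdict = "INFOMAIL"
    # Zero Trust: Clean and Infomail become Spam-Likely unless the sender is known.
    if policy.zero_trust and verdict in ("CLEAN", "INFOMAIL") and not msg.known_sender:
        verdict = "SPAM-LIKELY"
    return verdict
```

Running the same constructed message through two Policy objects shows which mailboxes a sensitivity or Zero Trust change would start quarantining before the policy is pushed.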

Actions Explained

| Actions | What it means |
|---|---|
| DELIVER | Emails are delivered to the inbox. |
| DELIVER + BANNER | Emails are delivered to the inbox with a verdict-dependent or contextual banner applied. Read more on banners. |
| QUARANTINE | Emails are quarantined in Mesh for 28 days. |
| JUNK | Emails are moved to the Junk folder in Outlook. |
| BANNER | A warning banner is applied to the top of the email. |
| JUNK + BANNER | A warning banner is applied to the top of the email and the email is moved to the Junk folder in Outlook. |
| DELETE | Emails are deleted entirely and will not appear in the quarantine or inbox. Deleted emails cannot be delivered. |
| REJECT | Emails are rejected before content scanning. Rejected emails cannot be delivered. |

Best Practice - Mesh Gateway

The default policy settings are designed to be best practice and are explained below.

Verdicts

| Verdict | Recommended action | What the verdict means |
|---|---|---|
| CLEAN | DELIVER | The email has been scanned and given a clean verdict. |
| IMPERSONATION | QUARANTINE | The email contains Business Email Compromise indicators and sender information matches, or is similar to an internal user. |
| INFOMAIL | QUARANTINE | The email contains an unsubscribe link and/or advertising, marketing, newsletter type content. Note: Many transactional emails will contain unsubscribe links and will be quarantined if your policy is configured to quarantine Infomail. |
| MALWARE | QUARANTINE | The email contains malicious content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined with the malware verdict can only be released by an administrator or partner team member. |
| PHISHING | QUARANTINE | The email contains phishing content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined for phishing verdict can only be released by an administrator or partner team member. |
| SPAM-DEFINITE | QUARANTINE | The email has received a spam score of 18.00+ |
| SPAM-HIGH | QUARANTINE | The email has received a spam score of 9.00-18.00 |
| SPAM-LIKELY | QUARANTINE | The email has received a spam score of 6.25-9.00 |

Authentication

Connection verdict

Recommended action

What the verdict means

DMARC-FAIL

SENDER DMARC POLICY

The email sender has failed DMARC.

  • Sender DMARC Policy - Email is actioned depending on the DMARC policy found in the sender’s DNS.

    • p=reject: Email is rejected at the connection level and cannot be retrieved.

    • p=quarantine: Email is given a Spam-Definite verdict.

    • p=none: No action is taken outside of regular filtering.

SPF-FAIL

REJECT

The email sender has failed SPF.

  • Reject - Email dropped at the connection level. Rejected emails cannot be retrieved.

  • Quarantine - Set the verdict to Spam-Definite.

An SPF softfail will not be rejected even if action is set to reject. Instead, a spam score will be applied.

SPF-NONE

NO ACTION

The email sender has no SPF record in place.

Many legitimate senders send email without an SPF record in place, e.g. Microsoft Out Of Office Notifications.

  • No Action - Do nothing.

  • Score - Add an additional spam score of 3.0 to the message.

  • Quarantine - Set the verdict to Spam-Definite.

Additional Options

Policy Option

Recommended action

What the verdict means

Banned Attachments

QUARANTINE

EXECUTABLES

If an email contains a banned attachment, it will be automatically quarantined.

Allow rules DO NOT bypass this verdict. Emails quarantined for banned attachments can only be released by an administrator or partner team member.

Geo Filter

QUARANTINE

Quarantine, junk, or banner actions on emails from different regions and countries. Policy is triggered based on the country of origin or the envelope-from TLD.

Allow rules DO NOT bypass this verdict. To bypass the policy-geo verdict, you must create a custom rule or remove the country from the policy option. Emails quarantined due to the policy-geo verdict can only be released by an administrator or partner team member.

Advanced Settings

Policy Option

Recommended action

What the setting means

Cold Outreach

OFF

The Cold Outreach toggle allows you to filter unsolicited marketing and sales emails more aggressively. When enabled, emails will have an increased spam score applied. This is more useful to C-Suite or users that receive more than normal levels of marketing content or sales directed at their mailbox. A user level policy would be most appropriate.

Zero Trust

OFF

The Zero Trust toggle allows you to achieve a “quarantine by default” approach to email. Clean and Infomail verdicts will be reclassified as Spam-Likely unless sent from a known contact or allowed sender. Not recommended as a global setting unless end users understand it has been enabled. Enabling during a mail / spam bomb can help mitigate impact. Read more on mail / spam bomb.

Spam Filtering Level

MEDIUM

This feature increases or reduces the sensitivity of the spam filtering. This can be useful if you require filtering to be more or less restrictive for everyone or for certain mailboxes.

  • Low will quarantine emails with a spam score of 7.5 as “Spam-Likely”.

  • Medium is our default setting. This will quarantine emails with a spam score of 6.25. Emails at this score would fall into our "Spam-Likely" category.

  • High will quarantine emails with a spam score of 5.0 as “Spam-Likely”.

  • Medium is the recommended setting.

Actions Explained

| Actions | What it means |
|---|---|
| DELIVER | Emails are delivered to the inbox. |
| QUARANTINE | Emails are quarantined in Mesh for 28 days. |
| DELETE | Emails are deleted entirely and will not appear in the quarantine or inbox. Deleted emails cannot be delivered. |
| REJECT | Emails are rejected before content scanning. Rejected emails cannot be delivered. |

Best Practice - Mesh 365

The default policy settings are designed to be best practice and are explained below.

Verdicts

| Verdict | Recommended action | What the verdict means |
|---|---|---|
| CLEAN | DELIVER | The email has been scanned and given a clean verdict. |
| IMPERSONATION | JUNK + BANNER | The email contains Business Email Compromise indicators and sender information matches, or is similar to an internal user. |
| INFOMAIL | JUNK + BANNER | The email contains an unsubscribe link and/or advertising, marketing, newsletter type content. Note: Many transactional emails will contain unsubscribe links and will be quarantined if your policy is configured to quarantine Infomail. |
| MALWARE | QUARANTINE | The email contains malicious content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined with the malware verdict can only be released by an administrator or partner team member. |
| PHISHING | QUARANTINE | The email contains phishing content such as a URL, attachment, or other suspicious characteristics. Allow rules DO NOT bypass this verdict. Emails quarantined for phishing verdict can only be released by an administrator or partner team member. |
| SPAM-DEFINITE | JUNK + BANNER | The email has received a spam score of 18.00+ |
| SPAM-HIGH | JUNK + BANNER | The email has received a spam score of 9.00-18.00 |
| SPAM-LIKELY | JUNK + BANNER | The email has received a spam score of 6.25-9.00 |

Additional Options

Policy Option

Recommended action

What the verdict means

Banned Attachments

QUARANTINE

EXECUTABLES

If an email contains a banned attachment, it will be automatically quarantined.

Allow rules DO NOT bypass this verdict. Emails quarantined for banned attachments can only be released by an administrator or partner team member.

Bypass Internal Banned Attachments

DISABLED

If enabled, internal emails containing a banned attachment will not be quarantined.

Geo Filter

QUARANTINE

Quarantine, junk, or banner actions on emails from different regions and countries. Policy is triggered based on the country of origin or the envelope-from TLD.

Allow rules DO NOT bypass this verdict. To bypass the policy-geo verdict, you must create a custom rule or remove the country from the policy option. Emails quarantined due to the policy-geo verdict can only be released by an administrator or partner team member.

Advanced Settings

Policy Option

Recommended action

What the setting means

Cold Outreach

OFF

The Cold Outreach toggle allows you to filter unsolicited marketing and sales emails more aggressively. When enabled, emails will have an increased spam score applied. This is more useful to C-Suite or users that receive more than normal levels of marketing content or sales directed at their mailbox. A user level policy would be most appropriate.

Zero Trust

OFF

The Zero Trust toggle allows you to achieve a “quarantine by default” approach to email. Clean and Infomail verdicts will be reclassified as Spam-Likely unless sent from a known contact or allowed sender. Not recommended as a global setting unless end users understand it has been enabled. Enabling during a mail / spam bomb can help mitigate impact. More info: https://docs.emailsecurity.app/help-center/Mail-%2F-Spam-Bomb.1321173007.html

Spam Filtering Level

MEDIUM

This feature increases or reduces the sensitivity of the spam filtering. This can be useful if you require filtering to be more or less restrictive for everyone or for certain mailboxes.

  • Low will quarantine emails with a spam score of 7.5 as “Spam-Likely”.

  • Medium is our default setting. This will quarantine emails with a spam score of 6.25. Emails at this score would fall into our "Spam-Likely" category.

  • High will quarantine emails with a spam score of 5.0 as “Spam-Likely”.

  • Medium is the recommended setting.

Actions Explained

| Actions | What it means |
|---|---|
| DELIVER | Emails are delivered to the inbox. |
| DELIVER + BANNER | Emails are delivered to the inbox with a verdict-dependent or contextual banner applied. Learn more here: Banners |
| QUARANTINE | Emails are quarantined in Mesh for 28 days. |
| JUNK | Emails are moved to the Junk folder in Outlook. |
| BANNER | A warning banner is applied to the top of the email. |
| JUNK + BANNER | A warning banner is applied to the top of the email and the email is moved to the Junk folder in Outlook. |
| DELETE | Emails are deleted entirely and will not appear in the quarantine or inbox. Deleted emails cannot be delivered. |