Skip to main content

Message Rule Conditions

Condition name


Attachment Name

Check the attachment (if any) name of the message against a specific system or custom condition. System conditions include:

  • Double extension (e.g. .docs.exe)

  • Dangerous files

  • Office macro extensions


Scan attachments with Bitdefender anti-malware engine and cloud service. Available conditions are:

  • Clean

  • Suspected

  • Virus

  • Virus or Suspected


Compare the body of the message against specific custom or system conditions. System conditions include:

  • Direct Marketing Detection

  • Empty Body Detection

  • Homophobic Content

  • Marketing Exception

  • Newsletter SPAM

  • Racially Insensitive

  • Racist Content

  • RuleScan Exceptions

  • Sexual Enhancer/Explicit

  • Sexually Explicit

Body or Subject

Compare the title body of the message against specific custom or system conditions. System conditions include:

  • Chinese Spam keywords

  • Homophobic Content

  • Racially Insensitive

  • Racist Content

  • Redirect Spam URLs

  • Sexual Enhancer/Explicit

  • Sexually Explicit

  • Spam Blog URLs

Connection IP

Compare the remote server connection IP against specific custom or system conditions. System conditions include:

  • LocalHost

Core Service

Check the sender e-mail reputation as determined by the core anti-spam service against a specific system condition.

Each email is scanned and classified into one of the classifications. Rules can be customized to get the best out of the spam filtering.  Each customer will have their own requirements and this list is extensive and should help to custom the detection level to your requirements.


Some classifications are already used in default rules that will be enabled by default, these are marked.

System conditions include:

  • CoreService Clean - Emails found to be clean

  • CoreService Bounce -Bounced message (Non-delivery notifications).

  • CoreService Commercial -Professional Commercial Email detected by signature: Typically, emailing campaigns issued from a professional and known routing platform that follow the rules of use for email advertising, by providing unsubscribe links, list cleaning.

  • CoreService Commercial - High Reputation

  • CoreService Commercial - Low Reputation

  • CoreService Commercial - Medium Reputation

  • CoreService Community - Social Network alerts and notifications, Mailing-list email communications and Messages exchanged through forums.

  • CoreService Malware

  • CoreService Phishing

  • CoreService Spam (Used in "(Default) CoreService" rule) - Known Spam, Malware detected by heuristic analysis, Message detected as phishing either by heuristic analysis or through a URL and Message detected as scam by heuristic analysis.

  • CoreService Suspect (Used in "(Default) CoreService Suspect" rule) - Miscellaneous Commercial Email detected by heuristics: Any advertising email that follow the rules of use of marketing email, which was not sent through a renown routing platform.  Message with a subject that may potentially cause damage. For instance, emails with content referencing money transfer.  Detected by signature: Any other advertising campaign that does not comply with CAN-SPAM.

  • CoreService Suspect Only

  • CoreService Relax

  • CoreService Transactional - Transactional emails sent as a confirmation after buying on the Internet. Account update or actions such as welcome emails, account validation email and request for updates.  Emails related to travel arrangements and confirmation. Emails received after subscribing to alert services, such as housing alerts, Google alerts, Yahoo alerts.


Specify the direction of the message - inbound or outbound.

DKIM Enabled

Check if DKIM (DomainKeys Identified Mail) is enabled on your server. Conditions can be set to true or false.

DKIM Signature

Compare the DKIM (DomainKeys Identified Mail) signature for the email against a specific system condition. System conditions include:

  • DKIM Pass

  • DKIM Temporary Fail

  • Permanent Error

  • UnSigned

DMARC Failure

Compare the DMARC (Domain-based Message Authentication, Reporting and Conformance) failure action from the remote DNS record against a specific system condition. System conditions include:

  • None

  • Reject


Recommended settings are "Match type: Matches" and "Condition Value: Reject".

DMARC Policy

Compare the DMARC (Domain-based Message Authentication, Reporting and Conformance) policy against a specific system value. System conditions include:

  • DMARC Fail

  • DMARC Pass

Domain Threat Level

Scan domains within the header and envelope fields of the message, using leading threat intelligence fields, to identify high-risk domains.

Email Size

Compares the size of the message against a specific system value. You can set the match type to Greater Than or Less Than.

Executive Tracking

Scan headers for attempts to impersonate company executives, or to obtain sensitive information from high-profile employees. It can be compared against these system conditions:

  • Contains - To trigger the rule, this condition looks for a partial match. For example, if Dr Alex Smith is selected, the rule would trigger if the first and last name were Alex Smith or if a variant of Alex (for example Alexander.)

  • Exact - To trigger the rule, the entered string must match users first and last name or a configured variant exactly. 


    If you are using this condition, you must add a variant for every name you wish to detect.

  • High - To trigger the rule, a check is made using the Levenshtein Distance algorithm and Tanimoto Coefficient to automatically determine between the entered string and the users' real name.


    There is a risk of false positives associated with this option.

  • Medium - This condition works similarly to the High one, however the threshold for triggering is much lower.


    There is a significant risk of false positives associated with this option.


This value represents the amount of variation that the Condition will tolerate. For example, the Exact value will only trigger on an exact match, whereas High would trigger if one character had been changed to a number in the label name. We recommend setting the Condition to High by default, to avoid false positives.

Fake Sender Headers

Check if the email sender headers have been forged.

File Type

Check if the email contains an attachment of the specified file type. Recognized file types include include:

  • MS Access

  • MS Excel

  • MS PowerPoint

  • MS Word

  • Script

Group Membership

Check if the mailbox belongs to a specific synchronized Active Directory group.

Header Exists

Compare headers and header values against Custom Rule Data values.

IP Reputation

Check if the IP address of the email's originating server matches a specified reputation value.

Mailbox Exists

Check if the destination mailbox to exists on your server.


This Condition is only useful for incoming email, and should usually be added in conjunction with a Direction condition.

Message Security

Check if the message is digitally signed or encrypted.

MX Record

Check that the hostname in the MX records responds to an SMTP request.

Nearby Domains

Scan the email headers for addresses for domain names similar to your legitimate domain name (e.g. instead of These can often be an indication of a malicious or spam email. You can set this condition to a value greater than or less than values from 1 to 10.


The recommended value depends on your domain length. You should set it to a sightly lower value than the length of your domain then monitor results and adjust as needed.

Own Domain

Check if the sender of the email is configured as a domain for your account.

Protected Attachment

Check if the messages contain password protected attachments.


zip and PDF currently supported


Check the email recipient against your Active Directory export or you any Custom Rule Data you have created.

Recipient Count

Check if the total number of recipients is greater or higher than a specific value.

Scan Office Files

Scans any attached Office documents (except PDF files) for specific keywords or patterns.


Compare the sender of the email against a specific custom value you have created in Custom Rule Data.

Sender in List

Check if the sender is present in any personal or global Safe List or Deny List.

Sending Domain MX Record

Check if the originating domain for the email has a valid MX record.

Spam Score

Check if the email's spam score (as calculated by Email Security) is greater than or less than a specific value.


You can use Rule Actions such as Add to Spam Score, Set Spam Score or Subtract from Spam Score to adjust the score.


Check the Sender Protection Framework score for the email's domain against a specific system condition. System conditions include:

  • SPF Any Fail

  • SPF Fail or Neutral

  • SPF Fail

  • SPF Pass

  • SPF Softfail


Check the email subject's keywords against a specific custom or system condition. System conditions include:

  • Auto Responses

  • Homophobic Content

  • Invoice

  • Racially Insensitive

  • Racist Content

  • Sexual Enhancer/Explicit

  • Sexually Explicit

URL Scanner

Scan all links in the email message body and check for known threats. You can choose to check against either Clean URLs or Threat URLs.


The URL Scanner Condition can use LinkScan to provide on-demand URL protection.

Virus Ruleset

Detect the presence of malware, in macros, VBA scripts or Office documents. The Condition checks if the result is greater than or less than a specific system value.

Virus Score

Checks if the email Virus Score is greater than or lesser than a specific system value.


The Virus Score Condition is best used in combination with other Rules (with a higher priority) which uses the Add to Virus Score, Subtract from Virus Score and Set Virus Score Actions.

Word Count

Checks if the number of words contained in the body of the email matches against specific criteria.