Because Content Filtering uses heuristics, it is expected to produce some false positives. These are handled with whitelisting rules which state, "Messages with this specific identifier configuration are exempt from (some or all) content filtering."
However, whitelisting becomes very dangerous if an attacker impersonates that identifier configuration and the evaluator does not require sender authentication. But the IETF specifications only define authentication when the sender chooses to publish a policy (and does so correctly). This does not meet the evaluator's need for authentication any time a message source needs to be whitelisted.
does not have an SPF policy, so their messages produce SPF NONE. (Both SMTP Mail From and Message From are the same domain.)

just changed to Outlook.com, but failed to update their SPF policy, so their messages produce SPF FAIL. (Both SMTP Mail From and Message From are the same domain.)

to send password resets for users of their website. (SMTP Mail From is @SendGrid.net, while Message From is @Example.com.) The messages fail DMARC, either because SendGrid.net is not configured with a DKIM signature for Example.com, or because Example.com has not published a DMARC policy at all.

is a small business that uses ConstantContact.com to send a newsletter which you find very useful. (SMTP Mail From is @ConstantContact.com, while Message From is @Example.com.) The message will always fail DMARC because Gmail.com never releases their DKIM selectors to third parties like ConstantContact.com.
It would seem that any email filtering vendor which understands the filtering problem would recognize the need for safe whitelisting. But I have had difficulty finding products that can do so. Do you know of products that can handle any whitelisting scenario without allowing impersonation at the same time?
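As an added example (not code from the original post, nor from any product or vendor named in it), here is a small Python evaluator that shows what "safe whitelisting" means in practice: a whitelist rule names an identifier configuration (Message From domain, optionally SMTP Mail From domain) and also states the authentication level the evaluator must see before the exemption fires. The four scenarios from the post are encoded as constructed inputs; the domain names (example.com, sendgrid.net, constantcontact.com, gmail.com), the rule fields and the level names "aligned" / "mail_from" / "none" are assumptions made for this illustration.

```python
"""Added example: a whitelist evaluator that only honours an exemption when the
identifier configuration it names is authenticated for the message at hand.
Domain names, rule fields and results below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthResults:
    """Authentication results the receiving evaluator computed for one message."""
    mail_from_domain: str                       # SMTP Mail From (RFC5321.MailFrom) domain
    header_from_domain: str                     # Message From (RFC5322.From) domain
    spf: str                                    # SPF result for mail_from_domain: "pass", "fail", "none"
    dkim_pass_domains: frozenset = frozenset()  # d= domains of DKIM signatures that verified


@dataclass(frozen=True)
class WhitelistRule:
    """'Messages with this identifier configuration are exempt from content filtering',
    extended with the authentication the evaluator must see before exempting."""
    header_from_domain: str
    mail_from_domain: Optional[str] = None  # None: any SMTP Mail From domain matches
    required_auth: str = "aligned"          # "aligned" | "mail_from" | "none"


LEVEL_RANK = {"none": 0, "mail_from": 1, "aligned": 2}


def auth_level(r: AuthResults) -> str:
    """Strongest verified claim about the message's identifier configuration.

    aligned   - the Message From domain itself is authenticated (SPF pass on the same
                domain, or a verified DKIM signature whose d= equals it); DMARC-style.
    mail_from - only the SMTP Mail From domain is authenticated (SPF pass or DKIM d= match),
                so the Message From could still be chosen freely by whoever used that relay.
    none      - nothing is verified; anyone can produce this identifier configuration.
    """
    spf_pass = r.spf == "pass"
    if (spf_pass and r.mail_from_domain == r.header_from_domain) \
            or r.header_from_domain in r.dkim_pass_domains:
        return "aligned"
    if spf_pass or r.mail_from_domain in r.dkim_pass_domains:
        return "mail_from"
    return "none"


def whitelist_applies(rule: WhitelistRule, r: AuthResults) -> tuple:
    """Return (exempt, reason). The exemption never fires on authentication weaker
    than the rule demands, which is what keeps an impersonator from riding on it."""
    if r.header_from_domain != rule.header_from_domain:
        return False, "identifier mismatch: Message From"
    if rule.mail_from_domain and r.mail_from_domain != rule.mail_from_domain:
        return False, "identifier mismatch: SMTP Mail From"
    level = auth_level(r)
    if LEVEL_RANK[level] < LEVEL_RANK[rule.required_auth]:
        return False, f"authentication '{level}' is weaker than required '{rule.required_auth}'"
    return True, f"exempt from content filtering (authenticated at level '{level}')"


# Constructed inputs mirroring the four scenarios described in the post.
SCENARIOS = {
    "no SPF policy":                  AuthResults("example.com", "example.com", "none"),
    "stale SPF after move":           AuthResults("example.com", "example.com", "fail"),
    "password reset via SendGrid":    AuthResults("sendgrid.net", "example.com", "pass"),
    "newsletter via ConstantContact": AuthResults("constantcontact.com", "gmail.com", "pass",
                                                  frozenset({"constantcontact.com"})),
}

# Three candidate rules for the same sender: DMARC-aligned, relay-scoped, and unauthenticated.
RULE_ALIGNED = WhitelistRule("example.com")
RULE_RELAY = WhitelistRule("example.com", mail_from_domain="sendgrid.net", required_auth="mail_from")
RULE_UNSAFE = WhitelistRule("example.com", required_auth="none")


def evaluate(rule: WhitelistRule) -> dict:
    """Map each scenario name to the exemption decision for one rule."""
    return {name: whitelist_applies(rule, r)[0] for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rule in (("aligned", RULE_ALIGNED), ("relay", RULE_RELAY), ("unsafe", RULE_UNSAFE)):
        for name, r in SCENARIOS.items():
            exempt, reason = whitelist_applies(rule, r)
            print(f"{label:8} {name:32} {'EXEMPT' if exempt else 'filter':7} {reason}")
```

Running the block prints one line per rule and scenario. With the aligned rule none of the four scenarios is exempted, because none of them authenticates the Message From domain; the relay-scoped rule exempts only the SendGrid case, and only because SPF verified that the message really came through sendgrid.net; the rule with `required_auth="none"` exempts the SPF NONE and SPF FAIL messages alike, which is exactly the impersonation exposure described above. The same evaluator would exempt the first two senders as soon as they publish a working SPF record, or the SendGrid case as soon as an aligned DKIM signature for example.com appears, so the decision tracks what the sender has actually made verifiable rather than what the whitelist operator hopes is true.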