Important: Enforced SPF and Enforced TLS features are not available for Email Protection Lite plans.

With Email Authentication feature account administrators can customize the delivery of incoming messages which have failed the SPF and TLS checks. To manage the delivery options, navigate in HostPilotĀ® Control Panel to Services>Email Protection>Inbound Policies>Policy>Email Authentication. 

1

Enforced SPF

By default messages which failed the SPF checks are delivered as normal. It is possible to change the delivery of the message which failed the SPF checks. 

Enforced SPF settings allow to select actions for the following situations:

  • Emails that fails the SPF check
  • Emails that 'soft fail' the SPF check
  • Emails that 'error' the SPF check 

Following options can be used for the messages which failed the SPF checks:

  • Emails that have fail the SPF check will be Tagged with a [SPF FAIL] subject tag
    If it is enabled, all incoming messages which failed the SPF check will be tagged with [SPF FAIL] subject tag and delivered to Inbox
  • Emails that have 'soft fail' the SPF check will be Tagged with a [SPF FAIL] subject tag
    If it is enabled, all incoming messages which soft failed the SPF check will be tagged with [SPF FAIL] subject tag and delivered to Inbox
  • Emails that 'error' the SPF check will be Tagged with a [SPF ERROR] subject tag
    If it is enabled, all incoming messages from senders who have incorrect SPF record will be tagged with [SPF ERROR] subject tag and delivered to Inbox
  • Permanently deleted
    All incoming messages which failed the SPF check will be rejected.
  • Move to Admin quarantine
    All incoming messages which failed the SPF check will be moved to Admin Quarantine
  • Move to Junk email folder
    All incoming messages which failed the SPF check will be moved to Junk folder 
  • Move to User Quarantine
    All incoming messages which failed the SPF check will be moved to User Quarantine
  • Deliver as normal
    All incoming messages which failed the SPF check will be delivered to Inbox

2

Note: Move to Junk email folder or Move to User Quarantine options depend on Message Routing option in Settings. Refer to the following article for additional information

Enforced TLS

By default, messages which failed the TLS check are delivered as normal. You can customize the delivery of those messages.

The following options are available for messages which failed the TLS check:

  • Emails not delivered using TLS will be Tagged with [TLS FAIL] subject tag 
    All incoming messages which failed the TLS check will be delivered to Inbox with subhect tag [TLS FAIL]
  • Permanently deleted
    All incoming messages which failed the TLS check will be rejected.
  • Move to Admin quarantine
    All incoming messages which failed the TLS check will be moved to Admin Quarantine
  • Move to Junk email folder
    All incoming messages which failed the TLS check will be moved to Junk folder 
  • Move to User Quarantine
    All incoming messages which failed the TLS check will be moved to User Quarantine
  • Deliver as normal
    All incoming messages which failed the TLS check will be delivered to Inbox

3

Note: Move to Junk email folder or Move to User Quarantine options are depend on Message Routing option in Settings.

Sender Specific settings

It is possible to create custom delivery settings for certain senders or domains emails from which failed the SPF and TLS checks. 

Sender Specific feature is available both for Enforced SPF and Enfroced TLS. 

In Sender Specific for Enforced TLS email addresses, domains and IP addresses can be added. 

In Sneder Specific for Enforced SPF only email addresses and domain can be added.

The routing options are the same but they will be applied only to addresses mentioned in the specific senders list and override the default delivery method.

To modify the settings or add the addresses to Sender specific list, navigate to Services > Email Protection > Inbound Policies > Policy > Email Authentication and under Sender Specific settings click Manage Settings

4

Require Authentication

With Email Authentication you can also require messages from a Safe Sender to be successfully authenticated in order for the specified sender to be considered as indeed safe sender. Refer to the following article Email Protection: Policy Level Safe & Blocked Senders Lists for additional information.

Also, you can choose to bypass the Anti-Phishing domain impersonation check for successfully authenticated emails. Refer to the following article Email Protection: Managing Anti-Phishing And Anti-Spoofing Policies for additional information.