Summary


The following states Connor Group's policies and practices regarding the whitelisting of sender addresses and domains.  


In nearly all circumstances, probably 98% plus, when an email is blocked or quarantined, the technical reasons for that message being blocked or quarantined are due to issues on the sender's end.  


Connor Group IT needs to balance our employees' need to get email from clients and partners quickly against the security risks of removing filtering rules for email sent from systems that may have problems with their configurations.  Our efforts should be spent on efficient activities that satisfy our user base and protect our security while allowing reasonable accommodations for less than ideal circumstances.  


This policy outlines IT management's policies for managing whitelists in our email threat management tools.  


Policy


Generally, Connor Group does not whitelist whole domains in our email threat management filters.  


Exceptions for whitelisting a domain can be made when a temporary accommodation for a partner organization is needed in the interest of convenience for our employees.  This is left to the discretion of IT management.  


Whitelisted domains will be audited at least annually, and should be removed if there is not a clear and present reason for that whitelisting.  


Connor Group's IT support staff may whitelist individual senders when requested at their discretion.  Generally this should be done at the request of an employee through an IT ticket.  


In summary:

  • We don’t whitelist whole domains except as a rare exception when there is no good alternative to accommodate communication with a client
  • The IT security director is responsible for conducting an annual audit of whitelisted domains to ensure that the whitelisted domains are still necessary
  • Support should investigate complaints about quarantined messages, record the important indicators in the ticket, and whitelist individual senders at their discretion when no obvious problem with the sender's configuration is indicated.
  • An escalation to IT engineering should be made when IT support recommends that a domain should be whitelisted according to the process described below, or is having problems evaluating the technical details of the issue.  


Process


IT support should take the following actions when an issue is raised with IT support regarding inbound messages getting blocked or quarantined:

  1. A basic investigation of the reason for the message getting blocked or quarantined should be recorded in the ticket.

    Make note of these header values:

  • The SCL (spam confidence level) score. This is the metric used to determine if a message is delivered, quarantined, or blocked.  The higher the number, the more "spammy" the message.
  • The "Spam Filtering Verdict". This will likely be "SPM" for spam or another value for phishing, bulk, and other reasons.
  • The "Authentication-Results" header: the SPF, DKIM and "compauth" values.

Understanding the Values

  • An SCL of 5 or higher will result in the message being quarantined.

    There is no point in trying to determine the specifics of why a message was scored as it was. This is proprietary information that none of the message hygiene providers make public. Generally, it's because the reputation of the sending domain has gathered a "spammy" score from the spam filtering industry, or there are elements of the message contents that are considered "spammy".

  • A failure indicator for "SPF" or "DKIM" in the "Authentication-Results" header, or a "compauth=<VALUE>" other than "pass", is a strong indicator of a configuration issue on the sender's end that is causing the message to be blocked. Generally this indicates a misconfiguration of the sender's DNS records responsible for authenticating the validity of the sender's identity, or that the sender is using a bulk email service that is not configured to match the envelope-from and message From headers.

Consult with IT engineering to interpret the results if necessary.

Don't confuse users outside of IT by going into the details of this information.  They won't care or understand. 


Possible Action Items

  1. Determine the number of senders from an affected domain that are having messages blocked or quarantined.  
  2. If 5 or fewer senders are affected, IT support shall proceed with adding the individual sender(s) to the spam filtering whitelist.

    Consult with IT engineering for help with this activity if necessary.

  3. If more than 5 senders are being affected by spam filtering rules, or the specific senders are dynamic and can't be identified readily (bulk messaging services), consult with IT engineering and raise an issue with IT management to consider whitelisting the domain.  


  4. Consider suggesting a simple and concise message to pass along through the Connor Group employee to the sender, and ultimately to the sender's IT team, if a failure is indicated in the "Authentication-Results" header.

    Validate the message with IT engineering or IT management before sending.
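The following is an added example, not part of this policy or of any Connor Group tooling, that applies the header reading above ("Understanding the Values") and the sender-count rule from the action items to a constructed message header. It assumes the SCL and SFV values live in the X-Forefront-Antispam-Report header and the spf/dkim/compauth results in Authentication-Results, as Exchange Online Protection stamps them; the sample header and the sender list are constructed, not real.

```python
import re

# Constructed sample headers (not from a real message); header names are assumed to be
# those Exchange Online Protection stamps on inbound mail.
SAMPLE_HEADERS = (
    "Authentication-Results: spf=fail (sender IP is 203.0.113.7)\n"
    " smtp.mailfrom=partner.example; dkim=none (message not signed) header.d=none;\n"
    " dmarc=fail action=oreject header.from=partner.example; compauth=fail reason=000\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;LANG:en;SFV:SPM;SCL:6;\n"
)

def header_value(headers, name):
    """Return the first header called `name`, with folded continuation lines unfolded."""
    flat = re.sub(r"\r?\n[ \t]+", " ", headers)
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", flat, re.I | re.M)
    return m.group(1).strip() if m else None

def extract_indicators(headers):
    """Pull out the values the ticket should record: SCL, SFV, spf, dkim, compauth."""
    auth = header_value(headers, "Authentication-Results") or ""
    report = header_value(headers, "X-Forefront-Antispam-Report") or ""
    def auth_result(key):  # e.g. "spf=fail" -> "fail"
        m = re.search(rf"\b{key}=(\w+)", auth, re.I)
        return m.group(1).lower() if m else None
    def report_field(key):  # e.g. ";SCL:6;" -> "6"
        m = re.search(rf"(?:^|;){key}:([^;]*)", report)
        return m.group(1) if m else None
    scl = report_field("SCL")
    return {
        "scl": int(scl) if scl and scl.lstrip("-").isdigit() else None,
        "sfv": report_field("SFV"),
        "spf": auth_result("spf"),
        "dkim": auth_result("dkim"),
        "compauth": auth_result("compauth"),
    }

def triage(ind):
    """Policy reading: SCL >= 5 means quarantined; an SPF/DKIM failure or a compauth
    other than pass points at the sender's configuration, so no individual whitelist."""
    quarantined = ind["scl"] is not None and ind["scl"] >= 5
    sender_issue = (
        ind["spf"] in ("fail", "softfail")
        or ind["dkim"] == "fail"
        or (ind["compauth"] is not None and ind["compauth"] != "pass")
    )
    return {"quarantined": quarantined, "sender_misconfiguration": sender_issue,
            "whitelist_sender": quarantined and not sender_issue}

def whitelist_scope(affected_senders):
    """Action items 2-3: up to 5 distinct senders get individual entries; more escalate."""
    return "individual" if len({s.lower() for s in affected_senders}) <= 5 else "escalate_domain"
```

For the constructed sample the result is "quarantined, sender misconfiguration indicated, do not whitelist", which is the case where the step 4 message to the sender's IT team applies.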