In certain situations, you may see messages being flagged as domain spoofs coming from your own domain. Agari Phishing Defense (APD) looks very closely as messages coming from domains tagged as internal and not passing authentication. Legitimate messages that typically fall into this classification are cases when a phishing vendor such as KnowBe4 is spoofing your own domain, but they have yet to be added to your SPF record. This could also be payroll and other services you use, sending as your own domain, but did not get the proper authorization.
To override this, go to Manage > Senders, select your domain in the top drop-down box, select the appropriate date range, find the sender/IP address, and select approve. These messages will now be called 100% authentic.
Be careful of this override as any messages coming from that IP address will be called absolutely authentic. Ideally, you would want to add these to your authenticity records for them to naturally pass DMARC instead of overriding them in the portal. If you approve an IP, and the owner of the IP changes, messages coming from that IP will still be labeled authentic. Additionally, this override is only for messages in the APD portal. It will not affect any other security control, or any message going out to any other domain.
One recommendation is to use this as a temporary solution while you sort out the root cause of the unauthentic messages. When you click Approve the sender goes to the top of the page and shows Manual as the authenticity reason. You can then use this as a reference to what changes need to be made in your records. Once the changes have been made, you can undo the manual override, allowing messages naturally pass authentication.
Comments
0 comments
Please sign in to leave a comment.