Email filtering is the first line of defense against spam, phishing, and malicious content reaching your users. Proofpoint provides a powerful rules engine that allows administrators to create custom filtering policies tailored to their organization's security requirements.
Prerequisites
Before configuring email filtering policies, ensure you have:
- Administrator access to the Proofpoint Essentials console
- Understanding of your organization's email flow and security requirements
- List of trusted domains and known malicious patterns
- Defined security policies for handling suspicious emails
Understanding Proofpoint Filter Architecture
Proofpoint filters operate on a conditions-and-actions model:
| Component | Description |
|---|---|
| Conditions | Criteria that trigger the filter (sender, subject, content, etc.) |
| Actions | What happens when conditions are met (quarantine, allow, notify) |
| Scope | Who the filter applies to (company, group, or user) |
| Direction | Whether the filter applies to inbound or outbound mail |
Step 1: Access Filter Policies
- Log in to the Proofpoint Essentials Admin Console
- Navigate to Security Settings in the left sidebar
- Click on Email
- Select Filter Policies
- You'll see tabs for Inbound and Outbound filters
Step 2: Create a New Inbound Filter
Basic Filter Setup
- Click the Inbound tab
- Click New Filter to create a new policy
- Enter a descriptive Filter Name (e.g., "Block Suspicious Attachments")
- Ensure Direction is set to Inbound
- Click Continue to open the filter definition page
Define Filter Scope
Choose who this filter applies to:
- Company - Applies to all users in your organization
- Group - Applies to specific groups (e.g., Finance, Executives)
- User - Applies to individual email addresses
Best Practice: Start with company-wide filters for broad security rules, then create group or user-specific filters for targeted policies.
Configure Conditions
- Click Add Condition to define when the filter triggers
- Select a condition type from the dropdown:
| Condition Type | Use Case |
|---|---|
| From Address | Filter based on sender email |
| From Domain | Filter entire sending domains |
| From Name | Match the display name shown to the recipient (used for impersonation checks) |
| Subject Contains | Match specific subject line text |
| Header Contains | Match email header values |
| Attachment Name | Filter by attachment filename |
| Attachment Type | Block specific file types |
| Client IP | Filter by the IP address of the sending server |
| Client IP Country | Block mail whose sending server is located in specific countries |
- Set the condition value (e.g., Attachment Type "is" Executable)
- Click Add Another Condition to combine multiple criteria. Check in the console how conditions combine before relying on a multi-condition filter: where every condition must match, mutually exclusive criteria such as two different attachment types need separate filters, while a combination like "From Name contains an executive's name" plus "From Domain is not your domain" belongs in one filter
Set Filter Actions
- Choose the Primary Action:
  - Quarantine - Hold the message for admin or user review
  - Allow - Deliver the message (use with secondary actions)
  - Reject - Permanently block the message
  - Nothing - Process secondary actions only
- Configure Secondary Actions as needed:
  - Notify Recipient - Send notification about the filtered message
  - Notify Admin - Alert administrators
  - Add Header - Insert custom headers for downstream processing
  - Tag Subject - Prepend text to the subject line
- Check Override Previous Destination if this filter should take priority over a destination already set by an earlier filter
- Check Stop Processing Additional Filters to prevent further rule evaluation once this filter matches
- Click Save to activate the filter
Step 3: Create Common Security Filters
Block Executable Attachments
This filter quarantines emails carrying file types that can run code on the recipient's machine:
- Create a new inbound filter named "Block Executables"
- Set scope to Company
- Add condition: Attachment Type is Executable
- Cover scripts as well: add Attachment Type is Script as a second condition only if the console fires when any condition matches; if every condition must match, create a second filter ("Block Scripts") instead, since no single attachment is both types
- Set action: Quarantine with Require Admin Privileges to Release
Block Emails from Specific Countries
Filter emails originating from high-risk geographic regions:
- Create a new inbound filter named "Geo IP Block"
- Set scope to Company
- Add condition: Client IP Country is [Select Country]
- Set action: Quarantine
- Enable Require Admin Privileges to Release
Note: the country is derived from the IP address of the server that connects to Proofpoint, not from the sender's location. Mail relayed through a cloud mail provider or a partner's gateway carries that relay's country, so this filter neither catches attackers who route through such services nor blocks every message composed in the listed country. Quarantine rather than Reject so that legitimate mail from the region can be released.
Block HTML Attachments
HTML attachments are commonly used in phishing attacks:
- Create a new inbound filter named "Block HTML Files"
- Add condition: Attachment Type is HTML
- Set action: Quarantine
Note: You may need to add exceptions for legitimate business partners who send HTML attachments, such as certain financial institutions.
Quarantine Impersonation Attempts
Protect against business email compromise that relies on display-name spoofing, where the From name shows an executive but the address belongs to an outside domain:
- Create a new inbound filter named "Impersonation Protection"
- Add condition: From Name Contains [Executive Names]
- Add condition: From Domain is not [Your Domain]
- Set action: Quarantine with admin notification
Both conditions must hold for the filter to fire. Use an exact match for the domain condition so that lookalike domains (for example your domain name used as a subdomain of an attacker's domain) still count as foreign. Messages that forge your own domain in the From address are outside this filter's reach; those are the job of SPF, DKIM and DMARC enforcement.
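The two conditions above, as an added example that is not Proofpoint code: a Python check that parses the From header the way a filter engine has to, decodes RFC 2047 encoded display names before matching, and compares the domain exactly. The protected domain, the executive names and the sample From headers are constructed for the example.

```python
"""Display-name impersonation check (added example, not Proofpoint code).

Models the two conditions above: From Name contains a protected name AND the
From Domain is not ours. The protected domain, names and From headers are
constructed for the example.
"""
from email.header import decode_header, make_header
from email.utils import parseaddr

OUR_DOMAIN = "example.com"             # assumption: the protected domain
EXECUTIVES = ("Jane Doe", "John Roe")  # assumption: display names to protect


def decode_from(raw_from: str) -> tuple[str, str]:
    """Split a raw From header into (display name, address).

    RFC 2047 encoded words (=?UTF-8?B?...?=) are decoded first: a display name
    the user sees as "Jane Doe" can arrive base64-encoded, and a substring
    match on the raw header would miss it.
    """
    decoded = str(make_header(decode_header(raw_from)))
    name, addr = parseaddr(decoded)
    return name.strip(), addr.strip().lower()


def sender_domain(addr: str) -> str:
    """Domain part of an address, or "" when there is no @."""
    return addr.rpartition("@")[2] if "@" in addr else ""


def is_impersonation(raw_from: str) -> bool:
    name, addr = decode_from(raw_from)
    # Condition: From Domain is not [Your Domain]. Exact comparison: a lookalike
    # such as example.com.evil.example must still count as foreign, so no endswith().
    if sender_domain(addr) == OUR_DOMAIN:
        return False
    # Condition: From Name Contains [Executive Names], case-insensitive.
    shown = name.casefold()
    return any(exec_name.casefold() in shown for exec_name in EXECUTIVES)


# Constructed From headers for a dry run, with the expected verdict.
SAMPLE_FROM = {
    '"Jane Doe" <jane.doe@gmail-webmail.example>': True,   # classic display-name spoof
    "Jane Doe <jane.doe@example.com>": False,              # genuine internal sender
    '"Jane Doe" <jd@example.com.evil.example>': True,      # lookalike subdomain
    "=?UTF-8?B?SmFuZSBEb2U=?= <ceo@evil.example>": True,   # encoded display name
    "Bob Smith <bob@vendor.example>": False,               # unrelated external sender
}


def run_samples() -> dict[str, bool]:
    """Evaluate every constructed header; returns header -> quarantine verdict."""
    return {raw: is_impersonation(raw) for raw in SAMPLE_FROM}


if __name__ == "__main__":
    for raw, verdict in run_samples().items():
        print(f"{'QUARANTINE' if verdict else 'deliver   '}  {raw}")
```

The encoded-word case is the one worth keeping in mind when you test the real filter: send yourself a message whose display name is base64-encoded and confirm the console still matches it, since what the mail client renders and what the raw header contains are different strings.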
Step 4: Create Outbound Filters
Outbound filters help enforce compliance and prevent data leakage:
- Click the Outbound tab
- Click New Filter
- Name the filter (e.g., "Encrypt Sensitive Data")
- Set scope as appropriate
Trigger Encryption Based on Subject
- Add condition: Subject Contains "[ENCRYPT]" or "[SECURE]"
- Set action: Encrypt Message
- This allows users to trigger encryption by including keywords in subject lines
Block Large Attachments
- Add condition: Attachment Size is greater than 25 MB
- Set action: Reject or Notify Sender
Step 5: Manage Filter Priority
Filter order matters because Proofpoint evaluates filters from the top of the list down, and two settings on each filter decide how a later match interacts with an earlier one: a later filter replaces a destination set by an earlier one only if Override Previous Destination is checked, and Stop Processing Additional Filters ends evaluation at the filter that has it. An Allow filter near the top therefore shields its senders from the blocking rules below it only if it stops processing, or if none of those rules is set to override.
- In the Filter Policies list, use drag-and-drop to reorder filters
- Place more specific filters (named senders, allow rules, targeted blocks) higher in the list
- Place broad catch-all filters lower
Processing Order Example:
| Priority | Filter | Description |
|---|---|---|
| 1 | Allow VIP Partners | Whitelist trusted senders |
| 2 | Block Known Threats | Quarantine identified threats |
| 3 | Block Geo IP | Filter by country |
| 4 | General Spam Filter | Catch remaining spam |
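The sequential evaluation behind the actions in Step 2 and the ordering in this step, as an added example that is not Proofpoint code: a small Python model of an ordered filter list with the Override Previous Destination and Stop Processing Additional Filters options, used to show how moving the Allow VIP Partners rule changes the outcome for the same message. It assumes the conditions inside one filter must all match and that the first matching filter with a real action fixes the destination; the filter names, domains, the "XX" country code and the messages are constructed.

```python
"""Model of top-to-bottom filter evaluation (added example, not Proofpoint code).

Assumptions: conditions within a filter are ANDed; the first matching filter
with a real action fixes the destination; a later match changes it only when
Override Previous Destination is set; Stop Processing ends the walk.
All names, domains, the "XX" country code and the messages are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable

EXECUTABLE_EXTS = {"exe", "scr", "com", "dll", "msi"}
SCRIPT_EXTS = {"js", "vbs", "ps1", "bat", "cmd", "hta"}


@dataclass
class Message:
    sender_domain: str
    client_country: str                 # country of the connecting (Client IP) server
    attachments: list[str] = field(default_factory=list)


@dataclass
class Filter:
    name: str
    conditions: list[Callable[[Message], bool]]   # every condition must match
    primary: str                        # quarantine | allow | reject | nothing
    override: bool = False              # Override Previous Destination
    stop: bool = False                  # Stop Processing Additional Filters


def attachment_type_is(extensions: set[str]) -> Callable[[Message], bool]:
    """Attachment Type condition, approximated here by file extension."""
    return lambda msg: any(a.rpartition(".")[2].lower() in extensions for a in msg.attachments)


def from_domain_is(domain: str) -> Callable[[Message], bool]:
    return lambda msg: msg.sender_domain.casefold() == domain.casefold()


def client_country_is(country: str) -> Callable[[Message], bool]:
    return lambda msg: msg.client_country == country


def evaluate(filters: list[Filter], msg: Message) -> tuple[str, list[str]]:
    """Return (destination, names of the filters that matched) for one message."""
    destination, decided, matched = "deliver", False, []
    for flt in filters:
        if not all(cond(msg) for cond in flt.conditions):
            continue
        matched.append(flt.name)
        if flt.primary != "nothing" and (not decided or flt.override):
            destination, decided = flt.primary, True
        if flt.stop:
            break                       # nothing below this filter is evaluated
    return destination, matched


def block_filters() -> list[Filter]:
    """The two blocking rules from Step 3, as separate filters."""
    return [
        Filter("Block Executables", [attachment_type_is(EXECUTABLE_EXTS | SCRIPT_EXTS)], "quarantine"),
        Filter("Geo IP Block", [client_country_is("XX")], "quarantine"),
    ]


def vip_allow(stop: bool = True, override: bool = False) -> Filter:
    """The "Allow VIP Partners" rule from the priority table."""
    return Filter("Allow VIP Partners", [from_domain_is("vip-partner.example")],
                  "allow", override=override, stop=stop)


# Constructed messages: a VIP partner whose mail arrives from country XX with an
# .exe attached, an unknown sender from XX, and an ordinary customer.
VIP_EXE = Message("vip-partner.example", "XX", ["installer.exe"])
STRANGER = Message("unknown.example", "XX", ["report.pdf"])
CLEAN = Message("customer.example", "US", ["invoice.pdf"])


def route_vip_first(msg: Message) -> tuple[str, list[str]]:
    """Allow rule at the top of the list with Stop Processing set."""
    return evaluate([vip_allow()] + block_filters(), msg)


def route_vip_last(msg: Message, override: bool = False) -> tuple[str, list[str]]:
    """Allow rule at the bottom; it only wins if Override Previous Destination is set."""
    return evaluate(block_filters() + [vip_allow(stop=False, override=override)], msg)


if __name__ == "__main__":
    print("VIP first:          ", route_vip_first(VIP_EXE))
    print("VIP last:           ", route_vip_last(VIP_EXE))
    print("VIP last + override:", route_vip_last(VIP_EXE, override=True))
    print("stranger:           ", route_vip_first(STRANGER))
    print("clean:              ", route_vip_first(CLEAN))
```

Run it and compare the first two lines: the same VIP message is allowed when the allow rule sits at the top and stops processing, and quarantined when the allow rule sits at the bottom without override, because the earlier Block Executables match already fixed the destination. That is the behaviour to reproduce in Step 6 with a test account before moving filters around in production.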
Step 6: Test Your Filters
Before deploying filters organization-wide:
- Create the filter with User scope targeting a test account
- Send test emails that should trigger the filter
- Verify the expected action occurs (check quarantine, delivery, etc.)
- Review the Logs section to confirm filter activation
- Adjust conditions as needed
- Expand scope to groups, then company-wide
Troubleshooting Filter Issues
Filter Not Triggering
Symptoms: Emails that should be filtered are being delivered.
Solutions:
- Verify the filter is enabled (toggle should be ON)
- Check filter scope matches the affected users
- Review conditions for typos or incorrect operators
- Ensure the filter isn't being overridden by a higher-priority rule
- Check if the sender is on a Safe Senders list
Too Many False Positives
Symptoms: Legitimate emails are being quarantined.
Solutions:
- Review quarantined messages to identify patterns
- Add exceptions for trusted senders or domains
- Refine conditions to be more specific
- Place an Allow filter for the known-good sender or pattern above the blocking rule, with Stop Processing Additional Filters checked so the blocking rule is never reached for that sender
Filter Processing Issues
Symptoms: Inconsistent filter behavior or delays.
Solutions:
- Review filter priority order
- Remove redundant or conflicting rules
- Simplify complex filter chains
- Contact Proofpoint support if issues persist
Best Practices for Email Filtering
- Document your filters - Maintain a record of all filter rules and their purposes
- Review regularly - Audit filters quarterly to remove outdated rules
- Monitor quarantine - Check quarantined messages daily for false positives
- Layer defenses - Combine filters with sender lists and other security features
- Train users - Educate staff about what filtered emails look like
- Test before deploying - Always test new filters with limited scope first
Next Steps
After configuring email filtering:
- Set up sender lists - Configure safe senders and block lists
- Enable URL Defense - Protect against malicious links
- Configure DLP - Prevent data loss
- Review quarantine - Learn quarantine management
Additional Resources
Need help optimizing your Proofpoint email security? Inventive HQ provides expert Proofpoint configuration and management services. Contact us for a free security assessment.