How To Bypass Anti-Spoofing Checks

Created by Abderrahim Ibnou el kadi, Modified on Fri, 09 Sep 2022 at 03:58 PM by Nadav Shenker

SituationEmails from trusted senders are being quarantined as Fraud despite being in the safe sender list. 
SolutionIndividual domains can be added as exceptions for DMARC, DKIM and/or SPF respectively.


Important: Each Exception List check will be against different domain values

  • DMARC Exceptions - will check against the "From Header" domain
  • SPF Exceptions - will check against the Envelope Sender domain
  • DKIM Exceptions - will check against the "From Header" domain

For more information on the different domain values, see this article on how DMARC works with Proofpoint Essentials.

How To Add A Domain As An Exception

Best Practice: While the exception list allows you to bypass Anti-Spoof checks for specific domains, the best long-term and more permanent solution is to have the owner of the sending domain to address any issues they might have with their SPF/DKIM/DMARC records. 

  1. In the sidebar, under Security Settings, navigate to Malicious Content > Anti-Spoofing.
  2. Under the policy you want to bypass (Inbound DMARC, DKIM or SPF) click Manage Exceptions.
  3. This will open a drawer to the right; from here, select + Add Exception.

Screenshot_2021-03-01 Anti Spoofing - Company Settings(1).png

  1. Enter a valid domain into the field and select Add

Screenshot_2021-03-01 Anti Spoofing - Company Settings(2).png

Note: Only domains are accepted currently. IP Addresses as well as individual email addresses will not work.

  1. The domain is added as an exception and the changes are saved automatically. Close the Exception List.

Note: Changes to the Anti-Spoofing Policies, including exceptions, can take up to 60 minutes.