The purpose of this KB is to show the scanning order in detail, so that it is easier to work out at which step, and by which check, a given message was blocked.
Emails are scanned in this sequence:
1- Dynamic IP Reputation (PDR) and Cloudmark Sender Intelligence (CSI) checks
. Spam-like Behavior: Machine learning analyzes email content and sending patterns to detect spam or botnet activity.
. User Complaints: CSI tracks how often recipients report messages as spam.
. Spamtrap Hits: Sending to decoy addresses used to catch spammers can trigger blocklisting.
. Reverse DNS Quality: Poor or generic rDNS entries can lower IP reputation.
. IP Block Reputation: Behavior of neighboring IPs in the same subnet is considered.
. Snowshoe Attacks: Spam spread thinly across many IPs to stay under per-IP thresholds is flagged based on aggregate traffic volume.
2- DNS checks at the service level
. MX & A Records: Ensures the sender domain has valid mail exchange and address records.
. Bounceability: Verifies that the domain can receive bounce messages (i.e., has a valid MX).
. Malformed Records: Flags domains with zero-length MX hostnames or invalid configurations.
. Private IP Ranges: MX records pointing to internal IPs (e.g., 10.x.x.x or 127.x.x.x) are rejected.
. SPF, DKIM, DMARC: Proofpoint checks for proper authentication records in DNS to prevent spoofing.
. TXT Record Verification: For domain ownership, Proofpoint may require a specific TXT record to be published.
3- Anti-virus scan
4- Attachment Defense (if licensed)
5- Anti-spoofing check
6- Custom filter checks
. Safe Sender Lists (trusted IPs, domains, addresses)
. Blocked Sender Lists (blocklisted IPs, domains, addresses)
. Subject Line: Filters based on keywords or patterns in the subject.
. Header Fields: Inspects custom or standard headers like X-Mailer, Reply-To, etc.
. Message Body: Searches for specific phrases or patterns in the email content.
. Attachment Type or Name: Flags emails with certain file types or suspicious filenames.
. Direction: Applies filters to inbound or outbound messages.
. Scope: Targets filters at the organization, group, or individual user level.
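To make the ordering inside step 6 concrete, here is an added example (not Proofpoint's rule engine) of how safe-sender and blocked-sender lists, then subject, header, body and attachment rules with a direction and a scope, are evaluated against a parsed message. The raw message, the addresses, the sender IPs and the rule names are all constructed for illustration; the `evaluate()` function returns the first decision that fires so you can see which rule "won".

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed inbound message (hypothetical addresses) with an executable attachment.
RAW_INBOUND = """\
From: billing@vendor-invoices.example
To: alice@corp.example
Subject: URGENT: Overdue invoice #4471
X-Mailer: BulkSender 2.1
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please process the attached invoice and wire the balance today.
--B
Content-Type: application/octet-stream; name="invoice_4471.exe"
Content-Disposition: attachment; filename="invoice_4471.exe"

MZ...
--B--
"""

# Safe and blocked lists are keyed by address, domain and connecting IP (all constructed).
SAFE_SENDERS = {"addresses": set(), "domains": {"partner.example"}, "ips": {"203.0.113.5"}}
BLOCKED_SENDERS = {"addresses": set(), "domains": {"spammy.example"}, "ips": set()}

# Custom filters, evaluated in order; scope None = whole organization, otherwise a set of recipients.
RULES = [
    {"name": "executable attachment", "direction": "inbound", "scope": None,
     "attachment_re": r"(?i)\.(exe|scr|js|vbs)$", "action": "quarantine"},
    {"name": "wire-transfer urgency", "direction": "inbound", "scope": {"alice@corp.example"},
     "subject_re": r"(?i)\burgent\b", "body_re": r"(?i)\bwire\b", "action": "quarantine"},
    {"name": "bulk mailer header", "direction": "inbound", "scope": None,
     "header": ("X-Mailer", r"(?i)bulk"), "action": "tag"},
]


def sender_parts(msg):
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr, addr.rpartition("@")[2]


def in_list(lst, addr, domain, ip):
    return addr in lst["addresses"] or domain in lst["domains"] or ip in lst["ips"]


def body_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def rule_matches(rule, msg, direction, recipients):
    """Every condition present on the rule must hold (AND semantics)."""
    if rule["direction"] not in (direction, "both"):
        return False
    if rule["scope"] and not (rule["scope"] & recipients):
        return False
    if "subject_re" in rule and not re.search(rule["subject_re"], msg.get("Subject", "")):
        return False
    if "header" in rule:
        name, pattern = rule["header"]
        if not re.search(pattern, msg.get(name, "")):
            return False
    if "body_re" in rule and not re.search(rule["body_re"], body_text(msg)):
        return False
    if "attachment_re" in rule and not any(
            re.search(rule["attachment_re"], n) for n in attachment_names(msg)):
        return False
    return True


def evaluate(raw, direction, sender_ip):
    """Return (decision, reason): lists first, then custom rules in order, else pass to the next step."""
    msg = message_from_string(raw)
    addr, domain = sender_parts(msg)
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if in_list(SAFE_SENDERS, addr, domain, sender_ip):
        return ("deliver", "safe sender list")
    if in_list(BLOCKED_SENDERS, addr, domain, sender_ip):
        return ("block", "blocked sender list")
    for rule in RULES:
        if rule_matches(rule, msg, direction, recipients):
            return (rule["action"], rule["name"])
    return ("continue", None)


if __name__ == "__main__":
    print(evaluate(RAW_INBOUND, "inbound", "198.51.100.20"))   # first matching custom rule
    print(evaluate(RAW_INBOUND, "inbound", "203.0.113.5"))     # safe-listed connecting IP wins
    print(evaluate(RAW_INBOUND, "outbound", "198.51.100.20"))  # no outbound rules: fall through
```

The two things worth noticing are that a safe-sender entry short-circuits every later custom rule (so a safe-listed IP or domain also bypasses the attachment rule), and that rule order matters: the same message would be reported as "wire-transfer urgency" if that rule were placed above the attachment rule. Both are common sources of "why was this not blocked" tickets.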
7- Spam engine analysis
The spam engine also detects fraud and impersonation attempts, including:
. Business Email Compromise (BEC)
. CEO impersonation
. Fake invoice scams
. Financial fraud attempts
. Social engineering tactics
These detections are based on:
. Message tone and urgency
. Suspicious keywords or formatting
. Known fraud patterns from threat intelligence feeds
The Spam Engine uses:
. Heuristic analysis: Looks for suspicious patterns in message content, formatting, and metadata
. Machine learning models: Trained to detect social engineering tactics, fake invoices, CEO fraud, and urgent wire transfer requests
. Threat intelligence feeds: Match known fraudulent sender behavior or payloads
. Behavioral indicators: Flags unusual tone, urgency, or financial language that mimics real-world scams
These messages may be labeled as "Fraud" in the quarantine portal even if they pass the SPF/DKIM/DMARC checks, since authentication only proves the sending domain is who it claims to be, not that the content is legitimate.
8- URL Defense modification (if enabled)
Each step can reject or quarantine the message depending on its threat level; a message that is rejected at an early step (for example a DNS failure in step 2) never reaches the later content checks, which is why the quarantine or log entry shows only the first check that fired.