Dispositions and attributes
Email Security uses a variety of factors to determine whether a given email message, domain, URL, or packet is part of a phishing campaign. These small pattern assessments are dynamic in nature and — in many cases — no single pattern will determine the final verdict.
Dispositions
Any traffic that flows through Email Security is given a final disposition, which represents our evaluation of that specific message. Each message will receive only one disposition header, so your organization can take clear and specific actions on different message types.
You can use disposition values when setting up auto-moves.
Available values
- Malicious: Traffic invoked multiple phishing verdict triggers, met thresholds for bad behavior, and is associated with active campaigns.
- Spoof: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies (SPF ↗, DKIM ↗, DMARC ↗) or has mismatching
Envelope From
andHeader From
values. - Suspicious: Traffic associated with phishing campaigns (and is under further analysis by our automated systems).
- Spam: Traffic associated with non-malicious, commercial campaigns.
- Bulk: Traffic associated with Graymail ↗, that fall in between the definitions of spam and suspicious. For example, a marketing email that intentionally obscures its unsubscribe link.