Email Filtering Best Practices for Phishing

By Editorial Team

Email filtering is the primary technical defense against phishing. Properly configured email security gateways intercept the vast majority of phishing attempts before they reach users, reducing the burden on human awareness. CISA recommends advanced email filtering as a core component of phishing defense, alongside DMARC/SPF/DKIM and MFA.

The challenge in 2026 is that AI-generated phishing produces unique, well-written messages that evade signature-based detection. Modern filtering must combine multiple detection layers to remain effective.

The Email Security Stack

Layer 1: Authentication-Based Filtering

The first filter layer checks whether a message is actually authenticated for the domain it claims to come from. SPF verifies that the connecting server is authorized to send for the envelope (MAIL FROM) domain, DKIM verifies a signature made with a key the signing domain publishes in DNS, and DMARC ties either result to the visible From: domain (alignment) and tells receivers what the domain owner wants done with failures. Together these are DMARC/SPF/DKIM enforcement.

Configuration:

  • Enforce DMARC policy: honor p=reject and p=quarantine published by the sending domain. DMARC passes only when SPF or DKIM passes for a domain aligned with the From: header, so an aligned DKIM pass still rescues forwarded mail whose SPF broke in transit
  • Reject messages that fail SPF with a hard fail (the domain's record ends in -all). Treat softfail (~all) as a scoring signal rather than a block; it is the domain owner's own hedge
  • Flag messages with missing or invalid DKIM signatures. Flag rather than reject: not every legitimate sender signs, and mailing lists routinely break signatures
  • Apply stricter filtering to messages that fail any authentication check
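The four rules above as a small decision function, written for this article as an added example rather than taken from any gateway product. It reads the Authentication-Results header a gateway stamps after its own SPF and DKIM checks, works out DMARC alignment for the From: domain, and looks up the domain owner's policy. The DMARC_RECORDS table stands in for the DNS lookup of _dmarc.<domain>, the organizational-domain logic is a two-label approximation (real code uses the Public Suffix List), and every message is constructed for the example:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for resolving the _dmarc.<domain> TXT record. A real
# gateway performs the DNS lookup; domains missing here publish no policy.
DMARC_RECORDS = {
    "vendor.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example",
    "bank.example": "v=DMARC1; p=quarantine",
    "newsletter.example": "v=DMARC1; p=none",
}


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Production code must use the Public Suffix List (example.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain):
    """Relaxed DMARC alignment: the authenticated domain and the visible
    From: domain must share an organizational domain."""
    return bool(auth_domain) and org_domain(from_domain) == org_domain(auth_domain)


def dmarc_policy(from_domain):
    """Return the published p= value (reject/quarantine/none) or None."""
    record = DMARC_RECORDS.get(org_domain(from_domain), "")
    match = re.search(r"\bp=(\w+)", record)
    return match.group(1).lower() if match else None


def parse_auth_results(header):
    """Extract the SPF/DKIM results and the domain each one authenticated
    from an RFC 8601 style Authentication-Results header."""
    text = " ".join(header.split())
    spf = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([\w.@-]+))?", text)
    dkim = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", text)
    spf_result = spf.group(1).lower() if spf else "none"
    spf_domain = (spf.group(2) or "").rpartition("@")[2] if spf else ""
    dkim_result = dkim.group(1).lower() if dkim else "none"
    dkim_domain = (dkim.group(2) or "") if dkim else ""
    return {"spf": (spf_result, spf_domain), "dkim": (dkim_result, dkim_domain)}


def filter_decision(raw_message):
    """Apply the four Layer 1 rules and return the gateway action."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_domain = results["spf"]
    dkim_result, dkim_domain = results["dkim"]

    dmarc_pass = ((spf_result == "pass" and aligned(from_domain, spf_domain))
                  or (dkim_result == "pass" and aligned(from_domain, dkim_domain)))
    policy = dmarc_policy(from_domain)

    if dmarc_pass:
        # An aligned pass on either mechanism is a DMARC pass; this is how
        # forwarded mail with a broken SPF but intact DKIM survives.
        notes = [] if dkim_result == "pass" else [f"DKIM {dkim_result}, accepted on aligned SPF"]
        return {"action": "accept", "reasons": notes}
    # Rule 1: honor the domain owner's published policy.
    if policy in ("reject", "quarantine"):
        return {"action": policy, "reasons": [f"DMARC fail for {from_domain}, p={policy}"]}
    # Rule 2: an SPF hard fail (record ends in -all) is rejected even when the
    # domain publishes no DMARC policy at all.
    if spf_result == "fail":
        return {"action": "reject", "reasons": ["SPF hard fail (-all)"]}
    # Rules 3 and 4: flag missing/invalid DKIM and any other failed check, then
    # hand the message to the stricter downstream layers.
    reasons = [f"{name} {result}" for name, result in (("SPF", spf_result), ("DKIM", dkim_result))
               if result != "pass"]
    reasons.append("no aligned authentication for the From: domain")
    return {"action": "strict-scan", "reasons": reasons}


# Constructed messages; the Authentication-Results header is what the gateway's
# own SPF/DKIM evaluation stamped on arrival.
LEGIT = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@mail.vendor.example;
 dkim=pass header.d=vendor.example header.s=sel1
From: "Vendor Billing" <billing@vendor.example>
Subject: Invoice 4471

Please find the invoice attached.
"""

SPOOFED_BANK = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=alerts@bank.example;
 dkim=none
From: "Bank Security" <alerts@bank.example>
Subject: Verify your account

Your account has been locked.
"""

HARDFAIL_NO_DMARC = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=ap@supplier.example;
 dkim=none
From: "Accounts" <ap@supplier.example>
Subject: Updated bank details

Please use our new account.
"""

WEAK_NEWSLETTER = """\
Authentication-Results: mx.example.com;
 spf=softfail smtp.mailfrom=news@newsletter.example;
 dkim=none
From: "Weekly News" <news@newsletter.example>
Subject: This week

Headlines inside.
"""

if __name__ == "__main__":
    for sample in (LEGIT, SPOOFED_BANK, HARDFAIL_NO_DMARC, WEAK_NEWSLETTER):
        print(filter_decision(sample))
```

The ordering matters: the DMARC verdict is computed first so that a forwarded message with a broken SPF but an aligned DKIM pass is accepted, and the standalone SPF hard-fail rule only fires for messages that have no aligned authentication at all.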

Layer 2: Reputation-Based Filtering

Check the sender’s domain, IP address, and email address against reputation databases:

  • Domain age — newly registered domains (under 30 days) sending email are high risk
  • IP reputation — known spam/phishing sources
  • Sender reputation — history of malicious or spam activity
  • URL reputation — links to known phishing sites

Layer 3: Content Analysis

Analyze the message content for phishing indicators:

  • Keyword analysis: Urgency language, credential requests, financial terminology
  • Brand impersonation detection: Logo matching, template similarity to known brands
  • Tone analysis: AI-based detection of social engineering patterns
  • Language anomalies: Mismatches between claimed sender (e.g., “Your Bank”) and message content
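The keyword, brand-impersonation and claimed-sender checks from the list above, combined into one scorer. This is an added example for the article, not code from any vendor: the indicator lists, the weights, the KNOWN_BRANDS table (a brand keyword mapped to the domains that brand legitimately sends from and links to) and both sample messages are constructed. The tone-analysis bullet is not covered; that is where an ML classifier sits, and a keyword list is only its crude predecessor.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator lists and weights are constructed for the example; real lists are
# tuned per organization and per language.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "will be suspended", "final notice")
CREDENTIAL_TERMS = ("password", "sign in", "confirm your credentials", "verify your account")
FINANCIAL_TERMS = ("wire transfer", "invoice", "bank details", "payment")

# Constructed brand table: a keyword a display name or domain would carry,
# mapped to the domains the brand actually uses.
KNOWN_BRANDS = {
    "paybank": {"paybank.example", "secure.paybank.example"},
    "cloudbox": {"cloudbox.example"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def claimed_brand(display_name, from_domain):
    """Which known brand does the sender claim to be, judging by display name or domain?"""
    haystack = f"{display_name} {from_domain}".lower()
    for brand in KNOWN_BRANDS:
        if brand in haystack:
            return brand
    return None


def host_belongs_to(host, domains):
    """True if host is one of the brand's domains or a subdomain of one.
    A prefix like paybank.example.evil.example does not qualify."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_content(raw_message):
    """Score a message on keyword families and on brand/sender consistency."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # the constructed samples are single-part text/plain
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    score, indicators = 0, []

    # Keyword analysis: each family carries its own weight.
    for label, terms, weight in (("urgency", URGENCY_TERMS, 2),
                                 ("credential request", CREDENTIAL_TERMS, 3),
                                 ("financial", FINANCIAL_TERMS, 1)):
        hits = [t for t in terms if t in text]
        if hits:
            score += weight * len(hits)
            indicators.append(f"{label}: {', '.join(hits)}")

    # Brand impersonation and claimed-sender mismatch: the name says one brand,
    # the sending domain or the links point somewhere else.
    brand = claimed_brand(display, from_domain)
    if brand:
        legit = KNOWN_BRANDS[brand]
        if not host_belongs_to(from_domain, legit):
            score += 4
            indicators.append(f"claims {brand} but sent from {from_domain}")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if not host_belongs_to(host, legit):
                score += 4
                indicators.append(f"claims {brand} but links to {host}")

    verdict = "phishing" if score >= 8 else "suspicious" if score >= 4 else "clean"
    return {"score": score, "verdict": verdict, "indicators": indicators}


# Constructed samples.
PHISH = """\
From: "PayBank Security" <alerts@paybank-secure.example>
Subject: Urgent: verify your account within 24 hours

Unusual activity was detected. Sign in at
https://paybank.example.verify-now.example/login to confirm your credentials
or your account will be suspended.
"""

LEGIT = """\
From: "PayBank Statements" <statements@paybank.example>
Subject: Your monthly statement is ready

View it at https://secure.paybank.example/statements/2026-03.
"""

if __name__ == "__main__":
    print(analyze_content(PHISH))
    print(analyze_content(LEGIT))
```

The suffix test in host_belongs_to is the point of the brand check: attackers put the real brand name at the front of the hostname (paybank.example.verify-now.example) precisely because a substring match, or a user skimming the link, accepts it.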

Layer 4: URL Protection

URLs in email are the primary phishing delivery mechanism. Advanced filtering includes:

  • URL rewriting: Replace links with security proxy URLs that check reputation at click time. The rewritten link must be integrity-protected so the proxy cannot be abused as an open redirect, and users lose the ability to read the true destination on hover, so tell them to expect proxy links
  • Time-of-click analysis: Re-evaluate URLs when clicked, not just at delivery (catches delayed-detonation phishing)
  • URL sandboxing: Open suspicious URLs in an isolated environment to observe behavior
  • QR code scanning: Detect and analyze QR codes embedded in email bodies and attachments
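URL rewriting and time-of-click analysis together, as an added example written for this article (no product's rewriter works exactly this way). At delivery every link is replaced by a signed proxy URL; at click time the proxy verifies the signature, so it cannot be used as an open redirect for URLs it never issued, and only then consults the reputation feed as it stands at that moment. REWRITER_SECRET, PROXY_BASE and the BLOCKLIST set are assumptions for the example; the blocklist starts empty and gains the domain later to model the delayed-detonation case.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the example: a per-tenant secret held only by the gateway,
# and the click proxy's base URL. Neither comes from a real product.
REWRITER_SECRET = b"constructed-secret-rotate-in-production"
PROXY_BASE = "https://links.example.com/click"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed reputation state. Empty at delivery time; the phishing host is
# added later, which is the case time-of-click evaluation exists for.
BLOCKLIST = set()


def sign(url, recipient):
    """HMAC over recipient and destination. The proxy refuses links it did not
    mint; otherwise it is an open redirect that launders attacker URLs."""
    mac = hmac.new(REWRITER_SECRET, f"{recipient}\n{url}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def rewrite_url(url, recipient):
    """Replace one destination with a signed proxy URL (delivery time)."""
    return PROXY_BASE + "?" + urlencode({"u": url, "r": recipient, "t": sign(url, recipient)})


def rewrite_body(body, recipient):
    """Rewrite every http(s) link in a message body."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), recipient), body)


def resolve_click(proxy_url):
    """Time-of-click handler: verify the signature, then re-check reputation
    against what the blocklist knows now, not what it knew at delivery."""
    params = parse_qs(urlparse(proxy_url).query)
    url = params.get("u", [""])[0]
    recipient = params.get("r", [""])[0]
    token = params.get("t", [""])[0]
    if not hmac.compare_digest(token, sign(url, recipient)):
        return "block", "bad signature: link was not issued by this gateway"
    host = (urlparse(url).hostname or "").lower()
    if any(host == bad or host.endswith("." + bad) for bad in BLOCKLIST):
        return "block", f"{host} is on the blocklist at click time"
    return "allow", url


if __name__ == "__main__":
    body = "New pricing: http://promo.newvendor.example/deal\nThanks!"  # constructed
    rewritten = rewrite_body(body, "ap@example.com")
    link = URL_RE.search(rewritten).group(0)
    print(resolve_click(link))            # allowed: nothing known at delivery
    BLOCKLIST.add("newvendor.example")    # the feed catches up hours later
    print(resolve_click(link))            # blocked at click time
```

Binding the recipient into the signature also stops a rewritten link lifted from one mailbox from being replayed to another with the gateway's own domain lending it credibility.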

Layer 5: Attachment Protection

Malicious attachments deliver malware or contain phishing links:

  • File type blocking: Block high-risk attachment types (.exe, .js, .vbs, .scr, .bat), and apply the same list to files inside archives and disk images; a zipped .js is still a .js
  • Macro scanning: Flag or block documents with macros (.docm, .xlsm)
  • Sandbox detonation: Open attachments in isolated environments to detect malicious behavior
  • Hash matching: Compare file hashes against known malware databases
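Three of the four attachment controls in one classifier, written as an added example for this article rather than taken from any gateway. It blocks on a known hash, on a high-risk extension (which also covers double extensions like invoice.pdf.exe), and on a PE executable hiding under a benign name, and it quarantines macro documents by content as well as by extension, so a .docm renamed to .docx is still caught. Sandbox detonation is represented only by the "sandbox" action. The extension sets extend the page's list with .cmd and .hta, the hash set is the digest of one constructed byte string, and build_ooxml fabricates a minimal zip in the shape of an Office document for the test inputs.

```python
import hashlib
import io
import os
import zipfile

# The page's high-risk list plus .cmd and .hta; extend to match your policy.
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".hta"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}

# Constructed stand-in for a malware hash feed: the hash of one made-up sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}


def ooxml_has_macros(data):
    """Look inside an Office Open XML container for a VBA project. The check
    is content-based, so renaming .docm to .docx does not evade it."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return (action, reasons) for one attachment: block, quarantine or sandbox."""
    ext = os.path.splitext(filename.lower())[1]
    reasons = []

    # Hash matching: a known sample is blocked whatever it is named.
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return "block", [f"matches known malware hash {digest[:16]}..."]

    # File type blocking on the final extension; invoice.pdf.exe ends in .exe.
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked file type {ext}")
    # Declared type versus content: a PE image (MZ header) behind a benign name.
    if data.startswith(b"MZ") and ext not in BLOCKED_EXTENSIONS:
        reasons.append(f"executable content delivered as {ext or 'no extension'}")
    if reasons:
        return "block", reasons

    # Macro scanning by extension and by content.
    if ext in MACRO_EXTENSIONS or ooxml_has_macros(data):
        return "quarantine", ["document contains VBA macros"]

    # Everything else is detonated before release to the recipient.
    return "sandbox", []


def build_ooxml(with_macros):
    """Construct a minimal OOXML-shaped zip for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.pdf.exe", b"MZ\x90\x00"),
                       ("report.docx", build_ooxml(True)),
                       ("report.docx", build_ooxml(False)),
                       ("notes.txt", b"constructed malicious sample")):
        print(name, classify_attachment(name, blob))
```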

Layer 6: Behavioral Analysis

AI-based analysis detects anomalies that content scanning misses:

  • Communication pattern deviations: First-time sender, unusual sending time, uncharacteristic tone
  • Impersonation detection: Sender name matching internal employees but from external domains
  • BEC detection: Requests for wire transfers, payment changes, or sensitive data from unusual sources
  • Account compromise indicators: Changes in sending behavior from known contacts
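The behavioral checks that do not need a trained model (employee-name impersonation from an external domain, first-time sender, Reply-To diversion, BEC request language, off-hours sending) as one scorer, added here as an example for the article; no vendor's engine is being reproduced. INTERNAL_DOMAINS, the EMPLOYEES directory, the SENDER_HISTORY counts, the phrase list, the business-hours window and both messages are constructed. Account-compromise indicators (a known contact whose sending behavior changes) need a per-sender baseline and are not modelled.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAINS = {"example.com"}

# Constructed directory and sender history. A real deployment reads the
# directory from the identity provider and the history from mail logs.
EMPLOYEES = {"dana reyes": "dana.reyes@example.com", "sam okafor": "sam.okafor@example.com"}
SENDER_HISTORY = {"support@supplier.example": 42, "dana.reyes@example.com": 310}
BEC_PHRASES = ("wire transfer", "change our bank details", "update the payment information",
               "gift cards", "keep this confidential")
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 in the sender's own time zone


def normalize_name(display_name):
    """Strip titles, parentheticals and punctuation so 'Dana Reyes (CEO)' and
    'dana.reyes' both compare as 'dana reyes'."""
    cleaned = re.sub(r"\(.*?\)", " ", display_name.lower())
    cleaned = re.sub(r"\b(ceo|cfo|coo|dr|mr|ms|mrs)\b\.?", " ", cleaned)
    return " ".join(re.findall(r"[a-z]+", cleaned))


def analyze_behavior(raw_message):
    """Score a message on sender-behavior signals and return a verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    score, findings = 0, []

    # Impersonation: the display name of a real employee on an outside address.
    name = normalize_name(display)
    if domain not in INTERNAL_DOMAINS and name in EMPLOYEES:
        score += 5
        findings.append(f"display name matches {EMPLOYEES[name]} but sent from {addr}")

    # Communication pattern: nobody here has received mail from this address before.
    if addr not in SENDER_HISTORY:
        score += 2
        findings.append("first-time sender")

    # Reply-To diversion: replies would land in a different mailbox than the From.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        score += 3
        findings.append(f"Reply-To {reply_to} differs from From")

    # BEC request language in subject or body.
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    hits = [p for p in BEC_PHRASES if p in text]
    if hits:
        score += 2 * len(hits)
        findings.append("BEC request: " + ", ".join(hits))

    # Unusual sending time, judged in the sender's own zone from the Date header.
    date = msg.get("Date")
    if date:
        try:
            hour = parsedate_to_datetime(date).hour
            if hour not in BUSINESS_HOURS:
                score += 1
                findings.append(f"sent at {hour:02d}:00 sender-local time")
        except (TypeError, ValueError):
            findings.append("unparseable Date header")

    verdict = "block" if score >= 8 else "quarantine" if score >= 4 else "deliver"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed samples.
BEC = """\
From: "Dana Reyes (CEO)" <dana.reyes.ceo@webmail.example>
Reply-To: dana.reyes.private@otherwebmail.example
Date: Tue, 03 Mar 2026 02:14:00 -0500
Subject: Quick request

Are you at your desk? I need you to process a wire transfer today.
Keep this confidential until I am back in the office.
"""

ROUTINE = """\
From: "Supplier Support" <support@supplier.example>
Date: Tue, 03 Mar 2026 10:00:00 +0000
Subject: Ticket 8812 updated

Your ticket has been updated with a reply from our engineer.
"""

if __name__ == "__main__":
    print(analyze_behavior(BEC))
    print(analyze_behavior(ROUTINE))
```

None of these signals is conclusive alone (executives do send mail at 02:00), which is why they are scored together and why the display-name match carries the most weight: a real employee's name on an outside address has almost no legitimate explanation.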

Platform-Specific Configuration

Microsoft 365 (Defender for Office 365)

  • Enable Safe Links with URL rewriting and time-of-click protection
  • Enable Safe Attachments with dynamic delivery (sandboxing)
  • Configure anti-phishing policies: mailbox intelligence, impersonation detection
  • Set quarantine policies for suspected phishing (versus junk)
  • Enable the Report Message add-in for user reporting

Google Workspace

  • Enable enhanced pre-delivery message scanning
  • Configure “Protect against spoofing of employee names” in advanced settings
  • Enable link checking for clicks on unfamiliar links
  • Configure external email warnings
  • Use Google’s phishing reporting integration

Standalone Gateways

For organizations using dedicated email security gateways (Proofpoint, Mimecast, Abnormal Security, Barracuda):

  • Layer the gateway in front of Microsoft 365 or Google Workspace, and restrict the tenant to accept inbound mail only from the gateway's IP ranges; otherwise an attacker who looks up the tenant's own endpoint can deliver straight to it and skip the gateway entirely
  • Enable all available detection layers (authentication, reputation, content, URL, attachment, behavioral)
  • Configure integration with SIEM and incident response tools
  • Enable automated quarantine with one-click release for false positives

Tuning for Effectiveness

Reducing False Positives

Overly aggressive filtering blocks legitimate email, causes business disruption, and trains users to ignore security warnings:

  • Start with moderate sensitivity and increase gradually
  • Maintain an allow list for verified legitimate senders that trigger false positives
  • Review quarantined messages regularly — patterns in false positives reveal tuning opportunities
  • Provide self-service quarantine access so users can release legitimate messages

Reducing False Negatives

Messages that pass filtering but are phishing represent the greatest risk:

  • Analyze phishing simulation results to identify what types of phishing bypass your filters
  • Review reported phishing to identify common characteristics of missed attacks
  • Enable all available detection layers — no single layer catches everything
  • Update custom rules based on current campaign patterns

External Email Warnings

Apply visible banners to all external email:

[EXTERNAL] This message originated outside your organization.
Exercise caution with links and attachments.

This simple control measurably reduces phishing click rates, particularly for BEC and supply chain phishing where attackers impersonate internal contacts from outside domains. Two caveats: mail sent from a compromised internal account carries no banner, and a banner on every external message loses its effect over time, so consider stronger, more specific banners for first-time senders and lookalike domains.

Integration with the Security Stack

Email filtering works best when integrated with other defenses:

  • Feed blocked phishing indicators to DNS filtering and web proxy
  • Share IOCs with endpoint detection and response (EDR)
  • Connect quarantine decisions to your SIEM for correlation
  • Integrate the user report button with your incident response workflow
  • Use filtering data to prioritize security training topics

Key Takeaways

  • Modern email filtering requires six layers: authentication, reputation, content, URL, attachment, and behavioral
  • AI-generated phishing demands behavioral analysis beyond traditional content scanning
  • URL rewriting with time-of-click protection catches delayed-detonation attacks
  • External email warnings visibly flag messages from outside the organization
  • Balance sensitivity — too aggressive blocks legitimate mail; too permissive misses attacks
  • Integrate email filtering with incident response, SIEM, and training programs

For the complete phishing defense framework, see our phishing recognition and reporting guide.

This content is for educational purposes only. Email filtering configurations should be tested thoroughly before deployment to avoid disrupting legitimate business communications.