Updated: July 31, 2022
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes an in-depth analysis of the Gold Configuration provided for Cisco Secure Email Cloud Gateway. The Gold Configuration for Cisco Secure Email cloud customers is the best practice and zero-day configuration for both the Cloud Gateway and the Cisco Secure Email and Web Manager. Cisco Secure Email Cloud deployments use both Cloud Gateway(s) and at least one (1) Email and Web Manager. Parts of the configuration and best practices direct administrators to use quarantine(s) located on the Email and Web Manager for centralized management purposes.
Cisco recommends that you know these topics:
Cisco Secure Email Gateway or Cloud Gateway, both UI and CLI administration
Cisco Secure Email and Web Manager, UI-level administration
The information in this document is from the gold configuration and best practice recommendations for Cisco Secure Email Cloud customers and administrators.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This document is also applicable with:
Cisco Secure Email Gateway on-premises hardware or virtual appliance
Cisco Secure Email and Web Manager on-premises hardware and virtual appliance
Quarantines are configured and maintained on the Email and Web Manager for Cisco Secure Email Cloud customers. Please log in to your Email and Web Manager to view the quarantines.
Cloud Gateway Gold Configuration
Warning: Any changes to configuration(s) based on the best practices as provided in this document need to be reviewed and understood before you commit your configuration changes in your production environment. Please consult your Cisco CX Engineer, Designated Service Manager (DSM), or Account Team before configuration changes.
Mail Policies > Recipient Access Table (RAT)
The Recipient Access Table defines which recipients are accepted by a public listener. At a minimum, the table specifies the address and whether to accept or reject it. Please review the RAT to add and manage your domains as needed.
Some examples included in the URL Defense Guide are also incorporated into this document.
Sender Policy Framework (SPF) DNS records are created externally to Cloud Gateway. Therefore, Cisco strongly recommends all customers build SPF, DKIM, and DMARC best practices into their security posture. Please see SPF Configuration and Best Practices for more information on SPF validation.
For Cisco Secure Email Cloud customers, a macro is published for all Cloud Gateway(s), keyed to the allocation hostname, so that all hosts can be added with a single include term.
Place this before ~all or -all within the current DNS TXT (SPF) record, if it exists:
Note: Ensure the SPF record ends with either ~all or -all. Validate the SPF records for your domains before and after any changes!
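As an added example (not part of Cisco's documentation), a small Python helper that performs the checks the note above calls for: it confirms an existing SPF TXT record ends with ~all or -all, counts the DNS-querying terms against the RFC 7208 limit of 10, and inserts an include term directly before the all mechanism. The include host name used in the usage call is a placeholder, since the actual Cisco-published macro is not reproduced here.

```python
import re

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation
ALL_TERMS = ("~all", "-all")  # the endings the gold configuration requires


def parse_spf(record: str) -> list[str]:
    """Split a TXT record into terms; reject anything that is not an SPF v1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    return terms


def counts_as_lookup(term: str) -> bool:
    """True for terms that cost a DNS query: include, a, mx, ptr, exists, redirect."""
    body = term.lstrip("+-~?").lower()          # drop the qualifier, if any
    name = re.split(r"[:/=]", body, maxsplit=1)[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> list[str]:
    """Return the problems found; an empty list means the record passes these checks."""
    terms = parse_spf(record)
    problems = []
    if terms[-1].lower() not in ALL_TERMS:
        problems.append(f"must end with ~all or -all, ends with {terms[-1]!r}")
    lookups = sum(counts_as_lookup(t) for t in terms[1:])
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS}")
    return problems


def add_include(record: str, include_host: str) -> str:
    """Insert include:<host> directly before the trailing ~all/-all, as the page directs."""
    terms = parse_spf(record)
    if terms[-1].lower() not in ALL_TERMS:
        raise ValueError("record must end with ~all or -all before it is edited")
    new_term = f"include:{include_host}"
    if new_term in terms:
        return record  # already present; keep the edit idempotent
    return " ".join(terms[:-1] + [new_term, terms[-1]])


if __name__ == "__main__":
    # Constructed record; the include host is a placeholder for the Cisco-published macro.
    current = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
    print(check_spf(current))
    print(add_include(current, "cloud-macro-placeholder.example"))
```

Run check_spf() on the record both before and after add_include(), as the note instructs; a non-empty list is a reason not to publish the change.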
Recommended information and tools for more about SPF:
(Optional) enable "Connecting host PTR record lookup fails due to temporary DNS failure."
Aggressive HAT Sample
BLOCKLIST_REFUSE [-10.0 to -9.0] POLICY: BLOCKED_REFUSE
BLOCKLIST_REJECT [-9.0 to -2.0] POLICY: BLOCKED_REJECT
SUSPECTLIST [-2.0 to 0.0 and SBRS scores of "None"] POLICY: THROTTLED
ACCEPTLIST [0.0 to 10.0] POLICY: ACCEPTED
Note: The HAT examples show additionally configured Mail Flow Policies (MFP). For complete information for MFP, please refer to "Understanding the Email Pipeline > Incoming/Receiving" in the User Guide for the appropriate version of AsyncOS for the Cisco Secure Email Gateway you have deployed.
Enable Domain-based Message Authentication, Reporting, and Conformance (DMARC) Verification and Send Aggregate Feedback Reports
Note: DMARC requires additional tuning to configure. For further information on DMARC, please refer to "Email Authentication > DMARC Verification" in the User Guide for the appropriate version of AsyncOS for the Cisco Secure Email Gateway you have deployed.
Incoming Mail Policies
Default Policy is configured similar to:
Enabled, with thresholds left at their defaults. (Modifying the scoring could increase false positives.)
Message Scanning: Scan for Viruses only
Ensure the "Include an X-header" check box is enabled.
For Unscannable Messages and Virus Infected Messages, set Archive Original Message to No
For Unscannable Actions on Message Errors, use Advanced and Add Custom Header to Message: X-TG-MSGERROR, value: "True."
For Unscannable Actions on Rate Limit, use Advanced and Add Custom Header to Message: X-TG-RATELIMIT, value: "True."
For Messages with File Analysis Pending, use Action Applied to Message: "Quarantine."
Scanning is enabled for each verdict (Marketing, Social, Bulk), with Add Text to Subject set to Prepend and the action set to Deliver.
For Action on Bulk Mail, use Advanced and Add Custom Header to Message (optional): X-Bulk, value: "True."
Enabled and URL_QUARANTINE_MALICIOUS, URL_REWRITE_SUSPICIOUS, URL_INAPPROPRIATE, DKIM_FAILURE, SPF_HARDFAIL, EXECUTIVE_SPOOF, DOMAIN_SPOOF, SDR, TG_RATE_LIMIT are selected
These content filters are provided later in this guide
The default threat level is 3; please adjust to your security requirements.
If the threat level for a message equals or exceeds this threshold, the message moves to the Outbreak Quarantine. (1=lowest threat, 5=highest threat)
Enable message modification
URL Rewriting set for "Enable for all messages."
Change Subject prepend to: [Possible $threat_category Fraud]
Policy Names (shown)
BLOCKLIST Mail Policy
BLOCKLIST mail policy is configured with all services disabled, except Advanced Malware Protection, and links to a content filter with the action of QUARANTINE.
ALLOWLIST Mail Policy
The ALLOWLIST mail policy has Antispam and Graymail disabled and Content Filters enabled for URL_QUARANTINE_MALICIOUS, URL_REWRITE_SUSPICIOUS, URL_INAPPROPRIATE, DKIM_FAILURE, SPF_HARDFAIL, EXECUTIVE_SPOOF, DOMAIN_SPOOF, SDR, TG_RATE_LIMIT, or content filters of your choice and configuration.
ALLOW_SPOOF Mail Policy
The ALLOW_SPOOF mail policy has all default services enabled, with Content Filters enabled for URL_QUARANTINE_MALICIOUS, URL_REWRITE_SUSPICIOUS, URL_INAPPROPRIATE, SDR, or content filters of your choice and configuration.
Outgoing Mail Policies
Default Policy is configured similar to:
Message Scanning: Scan for Viruses only
Clear the "Include an X-header" check box.
(Optional) For all messages: Advanced > Other Notification, enable "Others" and include your admin/SOC contact email address
Advanced Malware Protection
Enable File Reputation only
Unscannable Actions on Rate Limit: use Advanced and Add Custom Header to Message: X-TG-RATELIMIT, value: "True."
Messages with Malware Attachments: use Advanced and Add Custom Header to Message: X-TG-OUTBOUND, value: "MALWARE DETECTED."
Enabled and TG_OUTBOUND_MALICIOUS, Strip_Secret_Header, EXTERNAL_SENDER_REMOVE, ACCOUNT_TAKEOVER, or content filters of your choice are selected.
Enable, based on your DLP licensing and DLP configuration.
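The custom headers the incoming and outgoing policies above add (X-TG-MSGERROR, X-TG-RATELIMIT, X-TG-OUTBOUND, X-Bulk) are there for downstream tooling to act on. As an added example, not from Cisco's documentation, the Python triage below reads those headers from a stored message and flags for review any message that carries an attachment but was marked unscannable by Advanced Malware Protection (error or rate limit), since its attachment never received a file analysis verdict. The sample message is constructed, not captured from a gateway.

```python
import email
from email import policy

# Marker headers the gold configuration adds, with what each one means (constructed mapping).
MARKER_HEADERS = {
    "X-TG-MSGERROR": "AMP could not scan: message error",
    "X-TG-RATELIMIT": "AMP could not scan: file analysis rate limit",
    "X-TG-OUTBOUND": "outbound message carried a malware attachment",
    "X-Bulk": "graymail bulk verdict",
}
UNSCANNED = ("X-TG-MSGERROR", "X-TG-RATELIMIT")


def triage(raw: bytes) -> dict:
    """Return the marker headers present and whether the message needs analyst review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {h: str(msg[h]).strip() for h in MARKER_HEADERS if msg[h] is not None}
    # iter_attachments() yields only parts flagged as attachments; empty for non-multipart.
    has_attachment = any(True for _ in msg.iter_attachments())
    skipped = any(h in found for h in UNSCANNED)
    return {
        "markers": found,
        "meanings": [MARKER_HEADERS[h] for h in found],
        "has_attachment": has_attachment,
        "review": skipped and has_attachment,  # attachment delivered without a verdict
    }


# Constructed sample: a message the gateway tagged after an AMP rate-limit event.
SAMPLE = b"""From: sender@example.net
To: user@example.com
Subject: Invoice
X-TG-RATELIMIT: True
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```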
Dictionaries (Mail Policies > Dictionaries)
Enable and review Profanity and Sexual_Content Dictionary
Create Executive_FED dictionary for Forged Email Detection with all executive names
Create additional dictionaries for restricted or other keywords as needed for your policies, environment, and security controls.
For Cisco Secure Email Cloud customers, example content filters are included within the gold configuration and best practice recommendations. In addition, please review the "SAMPLE_" filters for more information on the associated conditions and actions that can be beneficial in your configuration.
Cisco Live hosts many sessions globally and does offer in-person sessions and technical breakouts that cover Cisco Secure Email best practices. For past sessions and access, please visit Cisco Live (requires CCO login):
Cisco Email Security: Best Practices and Fine Tuning - BRKSEC-2131