Shopping Cart

No products in the cart.

Sophos Central Email – Updates in the last few months

Sophos Central Email is really the most exciting product right now, and that’s because something is happening here in product development.

The situation is different at ZTNA, where it has been written in the data sheet since day one that mobile apps are planned, but nothing comes. But that was more than 2 years ago. 🫢

That’s why it’s nice to see Central Email evolving. In January, in the article: Latest Sophos Central Email features summarized the renewals, which I will do again now. And not only that almost every 2 months new features and improvements come, there is also always a video about the renewals 🤯. So a big praise to the Central Email team at Sophos 🫡, this is exactly how we imagine a cloud service.

Aggressive fashion for anti-spam

The age of perpetual spam could see a decisive damper with the introduction of the new anti-spam feature in Sophos Email – “Aggressive Mode”.

What is the “Aggressive Mode” for Anti-Spam?

The new feature allows administrators to customize the spam detection rate. In the anti-spam email security policy, a slider shows five catch rate levels from L1 to L5. The further to the right, the more aggressive the detection. Aggressive Mode also allows specific settings for different external and internal senders, providing maximum flexibility and control.

  • Adjust cautiously: Increasing the aggressiveness of the anti-spam catch rate may increase the risk of false positives. Therefore, it is recommended to change the level gradually and monitor the results in terms of false negatives and false positives for a certain period of time.
  • Customization for external senders: for example, if you receive more spam from a single domain, you can set your policy more aggressively for that specific domain.
  • Protecting internal departments: Parts of your organization that are particularly sensitive to spam can be protected by setting a more aggressive catch rate level in a different policy for those users, groups, or domains.

Sophos KB article: Sophos Email: Suspected spam

Quarantine improvements

Sophos Central Email’s quarantine capabilities give administrators more flexibility and control over how they handle quarantined emails and their attachments. It enables safer handling of potentially dangerous content and provides additional tools for analysis and review. Cloning of email security policies simplifies their management and implementation. These enhancements are another step by Sophos to help administrators keep their systems secure.

Admin quarantine

  • Administrators can now remove or re-attach attachments from quarantined emails before releasing a copy of the email.
  • Attachments can be downloaded for manual review. These attachments are provided in a password-protected zip file.
  • There is an advanced search function that displays the most recently quarantined messages by default.
  • Administrators can view URLs in the message body and search for specific URLs.
  • Emails can be sent to Intelix for review. If you have already been scanned by Intelix, you can be released with confidence or submitted for re-screening.

User quarantine

  • Advanced search is now available in both the End User Quarantine and the Self Service Portal Distribution List Quarantine.
  • Two new fields, “To” and “Reason,” have been added to help end users make informed decisions about sharing or deleting emails.

More improvements

  • Support for outgoing messages on port 587 in gateway mode. Previously, only port 25 was supported.
  • A new feature to detect compromised mailboxes based on traffic patterns. When detected, a notification is sent prompting to enable multi-factor authentication and change the mailbox password.
  • Impersonation Protection has been extended to support more VIPs. Now up to 500 users can be added.
  • There is also a new clone feature for Sophos email policies.

Secure Message Policy & Policy Improvements

Secure Message Policy – This feature consolidates multiple encryption and security assumptions into a single policy, giving administrators more precise control than before.

The previous global settings, especially the settings for encryption and TLS connections, have been migrated to this new policy. Users will notice this because a banner will be displayed on the dashboard to indicate the move. Despite this shift, the functionality of the product remains unchanged. However, the change allows users to more easily customize and refine their policies.

Another important update is the improved distinction between internal and external users or domains, making selection and management easier. Sophos has also improved TLS encryption and now supports TLS 1.3, a recommended setting for incoming and outgoing messages.

Another area that has been improved is encryption. S/MIME can now be used for incoming and outgoing messages with specific policies. Push encryption and portal encryption features for outgoing messages have also been improved, with portal encryption in particular now offering more intuitive license management.

Overall, these updates aim to provide administrators with an improved, more intuitive and secure messaging experience. For those who want a more in-depth exploration, a video is available that covers these changes in detail.

Impersonation Protection

Impersonation Protection is designed to protect businesses from fraudulent emails. This feature detects emails that pretend to be from well-known brands or important people in your company.

Until now, email administrators have had to rely on complex filtering rules and third-party tools to detect such spoofed emails. With the introduction of Impersonation Protection, Sophos offers an integrated solution that automatically looks for signs of email identity theft. These include impersonating well-known brands and using the names of VIPs in your organization.

Configuration is as simple as can be. Administrators can navigate to the email security settings and set various actions for detected fraudulent emails, such as adding a warning banner to an email or blocking the sender. Similarly, there is a VIP management feature where administrators can store the email addresses of up to 500 important people in their organization. These addresses are then specially monitored.

Furthermore, administrators can view detection entries in various places in Sophos Email to get an overview of potential threats and spoofed emails.

Impersonation Protection is an important step in the fight against phishing and email fraud. It provides companies with an additional safety net and makes the task of protecting their organization from these growing threats easier for administrators. Those interested in learning more can watch the in-depth video from Sophos.

YouTube video

Sophos KB article: Impersonation Protection and VIP Management

SMTP routing

SMTP Routing enables targeted forwarding of email messages by defining gateway routes, optimizing direct communication between email servers.

This allows gateway messages to be sent directly to an email server using either the A record or the server’s Fully Qualified Domain Name (FQDN).

  • Settings: SMTP routing can be found in the global settings under “Email Security” and “Custom SMTP Routing”. There, the email domain can be selected and IP addresses or DNS names for routing can be defined.
  • Individualization: It is possible to create individual SMTP routing policies that can be configured specifically for users, groups or domains.
  • Data Control: This feature allows messages to be forwarded based on criteria such as a specific subject.
  • Rule-based redirection: Messages can be redirected based on the presence of certain headers or subjects.
  • Verification: The correct functioning of the SMTP routing can be traced in the logs and reports of the message history.
  • Platform: With the update, it is possible to send emails from different platforms, such as Office 365 or Google Apps Gmail, under the same email domain.

An additional video helps administrators to implement this feature. Please note that SMTP routing is designed specifically for messages processed by Sophos Email Gateway.

Inspect & Modify Header

The “Inspect & Modify Header” feature in Data Control. This extension allows you to inspect and edit your email headers in more detail. Below is a brief summary.

Inspect header

With the new Message Attribute rule type in Data Control, it is now possible to check the attributes of each email. This allows filtering messages by header, source or size.

  • Header inspection can be used to check whether the value of a header corresponds to a regular expression, contains a specific value or is equivalent, or whether the header itself exists or not.
  • The Source Message attribute can be used to check whether an IP address or domain corresponds to a specific value.
  • Size control allows filtering messages or attachments that are larger or smaller than a specified value.

Message attribute inspection can also be combined with other rule types to allow even more detailed rule setting.

Modify header

Header modification now has its own place as well. Each rule type allows:

  • Insert a new header and value into the message.
  • Edit the value of all matching headers.
  • Remove all matching headers.

A practical use case was demonstrated in the video where a header was first used to make the decision and then, after the action was performed, a rule was added to remove the header and not share it with external recipients.

Advantages of Inspect & Modify Header

The main benefit of this feature is that administrators now have tighter control over their email headers. Whether it’s checking specific header values for consistency, filtering messages by attributes, or modifying the headers themselves, everything is now possible.

An illustrative example from below the video shows how to use header checking to encrypt an email according to its sensitivity. This shows how powerful this feature can be for everyday management tasks.

Conclusion: Sophos’s new update offers clear benefits for those looking for improved data control options in their email solution. With the new Header Inspect & Modify feature, you now have more control and flexibility in managing your email headers.

For a practical introduction to this new feature, you can watch the video at the end of this article. It shows you vividly how to make the best use of this feature.

Email Quarantine API

Sophos Central Email has unveiled a new quarantine API that gives administrators advanced control over quarantined emails. The interface enables more efficient and automated email security management, helping to improve email security.

Most important functions of the Quarantine API

  • Quarantine messages list
  • Retrieve details of specific quarantine messages
  • Release or delete messages in the quarantine
  • View, download, attach, remove, list attachments of a message
  • Automation of quarantine management tasks
  • Advanced control of quarantine messages
  • Integration with various systems and workflows
  • Direct interaction with the quarantine without UI

Outbound Disclaimer

Sophos Email has responded to feedback from its users and introduced a useful new feature: the Outbound Disclaimer function. This now makes it possible to insert legal notices or other notes directly into outbound emails – in both plain text and HTML format.

In the past, external tools or scripts had to be used to insert such disclaimers into emails. This was time-consuming and complicated. With Sophos’s new feature, you can now do this directly in the email security settings. Depending on whether the message is in plain text or HTML format, the appropriate disclaimer is added automatically.

To learn more about the exact functionality and configuration, I recommend the attached demonstration video.


Patrizio is an experienced network specialist with a focus on Sophos firewalls, switches and access points. He supports customers or their IT department in the configuration and migration of Sophos firewalls and ensures optimal network security through clean segmentation and firewall rule management.

Subscribe Newsletter

We send out a monthly newsletter with all the blog posts for that month.