Graphus whitelisting options and best practices

This article describes the different whitelisting options available in Graphus and emphasizes the importance of cautious and informed whitelisting. Improper whitelisting can significantly compromise your email security by allowing malicious emails to bypass scanning. In addition, whitelisting can be a security risk if the domain or IP address gets compromised or spoofed.

Whenever possible, customers should interact with the Graphus AI via the EmployeeShield banner. Admins should take action on alerts in the portal. These actions will teach the AI the senders who should be trusted.

Finally, this article covers best practices for allowing emails from trusted senders.

Whitelisting options for incoming emails

Graphus provides the following whitelisting options:

  • Whitelisting by IP address
  • Whitelisting by sender domain
  • Whitelisting by SMTP mail from domain
  • Whitelisting by SMTP mail from and sender domain

Whitelisting by IP address

With this method, you specify the IP addresses you trust to receive incoming emails from. Graphus will not scan any incoming emails from these IP addresses.

  • Use case: Use this option for a known and trusted external mail server whose IP address remains static.
  • Example: A trusted partner has a dedicated mail server with the IP address 192.168.1.10. To ensure that Graphus does not flag or block incoming emails from this server, you can whitelist the IP address 192.168.1.10.
  • Recommendation: Use the whitelisting by IP address method when you want to stop Graphus from processing emails you receive from a trusted external mail server whose IP address is static.

IMPORTANT  Be cautious of potential IP spoofing. Whitelisting an incorrect or compromised IP address can open a gateway for malicious emails.

Whitelisting by sender domain

The whitelisting by sender domain method allows you to whitelist specific external domains. Incoming emails from any address within the whitelisted domain will bypass scanning. Sender domain whitelisting in Graphus works only for authenticated domains, meaning a domain needs to pass the SPF or DMARC protocols. If a domain is not properly authenticated, it cannot be whitelisted.

  • Use case: Use this option to stop Graphus from scanning emails from a trusted partner organization whose email domains are consistently legitimate.
  • Example: Your organization frequently collaborates with partnercompany.com. Whitelisting the partnercompany.com domain ensures all incoming emails are trusted and are not scanned by Graphus.
  • Recommendation: Use for domains of well-known and highly trusted partners.

IMPORTANT  Review your whitelisted domains regularly to ensure continued trustworthiness. Whitelisting an unverified domain can allow phishing or other malicious emails to infiltrate your organization.

Whitelisting by SMTP mail from domain

This method whitelists a sender's domain based on the SMTP MAIL FROM command. This is the domain specified in the "MAIL FROM" section of the SMTP envelope, which identifies the sender's domain during the email transfer process (it is not the From header displayed to the recipient). Processing is skipped for inbound emails whose SMTP MAIL FROM domain and SPF result both match the configured values.

  • Use case: This is similar to sender domain whitelisting but considered a safer alternative because the risk of spoofing is reduced.
  • Example: Whitelisting smtp.partnercompany.com ensures that all emails passing through this SMTP domain are considered safe and therefore will not be scanned by Graphus.
  • Recommendation: Suitable for scenarios in which you know the sending server domain, or when you use a third-party service to send emails on your behalf. This method is generally more secure than IP address whitelisting.

IMPORTANT  Ensure the domain used in the SMTP envelope is reliable. An incorrectly whitelisted SMTP domain can allow spam or malware to bypass security measures.

Whitelisting by SMTP mail from and sender domain

This method combines the SMTP MAIL FROM command and SPF check result with the sender's domain, providing a more specific and secure whitelisting option for incoming emails.

  • Use case: Best for situations when both the sending server and the sender's domain need to be verified. This option is particularly useful when using third-party services, like Salesforce, to send emails on behalf of your organization. By whitelisting the SMTP MAIL FROM domain of the service and your organization's sender domain, you ensure that only emails sent from the trusted service with the correct sender domain are allowed. And, you are not whitelisting all emails coming from the third-party service.
  • Example: Whitelist smtp.salesforce.com combined with yourcompany.com and set the SPF check result to Pass. This ensures emails sent from Salesforce on behalf of your company are trusted, but emails from other sources using the Salesforce domain are not automatically trusted.
  • Recommendation: This is the most secure whitelisting option and is ideal for scenarios requiring server and sender verification.

IMPORTANT  Implement this method carefully to prevent misconfigurations that could lead to security breaches.

Best practices

Below are best practices to consider when implementing whitelisting for your organization.

  • Teach the Graphus AI: Whitelisting stops Graphus from scanning emails sent from a particular domain or IP address. Whitelisting can be a security risk if the domain or IP address gets compromised or spoofed. Therefore, it is recommended that you teach the Graphus AI which senders to trust by allowing end users to interact with the EmployeeShield warning banner instead of whitelisting. Admins can teach the Graphus AI by unquarantining or reporting false positives within the Graphus portal.
  • Review whitelists regularly: Ensure all whitelisted IP addresses and domains are still necessary and are trusted. Remove those that are no longer valid. Failure to review whitelists regularly can lead to outdated or incorrect whitelisting which is a significant security risk.
  • Monitor for abuse: Whitelisted sources can be compromised. Continuously monitor email traffic from these sources for unusual activity. Always assume that whitelisted entities can be exploited and maintain vigilance.
  • Limit the scope of whitelisting: Be as specific as possible when whitelisting. Avoid broad criteria that could allow malicious emails to bypass security checks. For example, use SMTP mail from domain whitelisting instead of IP address or sender domain whitelisting. Broad whitelisting can expose your organization to a wide range of security threats.
  • Log and audit: Keep logs of whitelisting changes. Audit these logs regularly to ensure compliance and security. Regular audits can help identify and address improper or risky whitelisting entries.

Summary

By understanding the different whitelisting options and following best practices, you can effectively manage and secure your email communications. This will minimize your risk of false positives and ensure legitimate emails are not incorrectly flagged. Always be aware that improper whitelisting can significantly compromise your organization's email security.

Additional resources