Risky Policies Detection and Remediation

Email Protection now includes a feature that detects and surfaces risky policy configurations so you can safely fix them. This first release focuses on overly broad “allow” rules that bypass security controls. Broad allow rules such as whole‑domain allows for large external senders (for example, finance or e‑signature providers) and wildcard rules like *.vendor.com are considered high risk because attackers commonly spoof these brands and domains.

  • What we detect initially

    • High‑risk domain allows, especially commonly impersonated vendors (for example, financial software and e‑signature providers).

    • Overly broad “allow” patterns applied at account, domain, or user level.

  • How detection works

    • The initial release uses a predefined set of high-risk items and basic checks to flag risky policies.

    • Future enhancements will increase automation and accuracy, but the current experience prioritizes clarity and safe remediation.

What happens when the banner is shown

[Image: riskyPolicies.png]

When the Risky policies detected banner appears at the top of the Policies page, click it to open a page that summarizes what was found, why it is considered risky, and how many policies are affected at each level (account, domain, user). Then review the risky settings and initiate remediation on the affected policies.

Best practice: Replace broad “allow all from vendor.com” rules with more specific allows (for example, validated sending subdomains or specific service addresses) and keep standard inspection controls enabled wherever possible.
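The basic checks described above, as an added illustration that is not Barracuda's own detection code: it flags wildcard and whole-domain allow rules, passes specific addresses and sending subdomains, and summarises hits per level. The vendor list and the sample policies are constructed stand-ins for the product's predefined high-risk set.

```python
# Added example (not Barracuda's code): a basic check for risky allow rules.
# The vendor list and the sample policies below are constructed for the demo.
HIGH_RISK_DOMAINS = {"vendor.com", "esignvendor.example", "financeapp.example"}
LEVELS = ("account", "domain", "user")

# Constructed sample rules: (policy level, sender pattern, action)
SAMPLE_POLICIES = [
    ("account", "*.vendor.com", "allow"),                    # wildcard
    ("domain", "vendor.com", "allow"),                       # whole high-risk domain
    ("user", "billing@financeapp.example", "allow"),         # specific address
    ("user", "notifications.esignvendor.example", "allow"),  # sending subdomain
    ("account", "vendor.com", "block"),                      # block rules are not at issue
    ("domain", "partner.example", "allow"),                  # whole domain, not on list
]

def risk_reason(pattern):
    """Return why an allow pattern is risky, or None if it is specific enough."""
    p = pattern.strip().lower()
    if "*" in p:
        return "wildcard allow"
    if "@" in p:
        return None  # a specific service address keeps the allow narrow
    # Basic check: two labels (e.g. vendor.com) is treated as a whole domain;
    # anything deeper is taken to be a validated sending subdomain.
    if len(p.split(".")) <= 2:
        if p in HIGH_RISK_DOMAINS:
            return "whole-domain allow for a commonly impersonated vendor"
        return "whole-domain allow"
    return None

def find_risky(policies):
    """Return (level, pattern, reason) for every allow rule that is risky."""
    hits = []
    for level, pattern, action in policies:
        if action != "allow":
            continue  # only allow rules bypass inspection controls
        reason = risk_reason(pattern)
        if reason:
            hits.append((level, pattern, reason))
    return hits

def counts_by_level(hits):
    """Per-level totals, the way the banner page summarises affected policies."""
    return {lvl: sum(1 for h in hits if h[0] == lvl) for lvl in LEVELS}

if __name__ == "__main__":
    found = find_risky(SAMPLE_POLICIES)
    for level, pattern, reason in found:
        print(f"[{level}] {pattern}: {reason}")
    print(counts_by_level(found))  # {'account': 1, 'domain': 2, 'user': 0}
```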

Step-by-step remediation

  1. To access the Email policies page, click the Open Email Protection link located at the top right corner of the respective product (Email Gateway Defense, Impersonation Protection, Incident Response).

  2. Click Policies in the left-hand navigation menu.

  3. Look for and click the Risky policies detected banner at the top.

    [Image: riskyPolicies.png]
  4. Review to see which rules are affected and at which levels (account, domain, user). Confirm that these are the policies you want to delete.

    [Image: riskyPolicies1.png]
  5. Select Delete all in the upper right. Email Protection removes the flagged policies at the account, domain, and user levels where they exist, in the tenant you are currently managing. Alternatively, delete each policy individually by using the trash can icon next to the policy you want to remove.

Note that this process cannot be undone.

  6. When removal is complete, the risk counts update, and a Done button appears; clicking it returns you to the Policies page.

If some layers could not be updated (for example, due to a permission issue) or the delete fails, an alert appears in the lower-left corner. The policies that could not be deleted are returned to the default state (other policies show a green checkmark).

The banner is only shown again on the Policies page if some risky policies could not be removed or a recheck finds that qualifying high-severity risky policies still remain.

Notes

  • Tenant-specific changes – All detections and remediations apply only to the tenant you are currently managing. Other tenants are not changed.

  • No automatic remediation – Email Protection does not delete or modify risky policies without your explicit confirmation.
