Email Safe Lists, Block Lists & False Positives

Audience: Email Security Administrators.

Purpose: Manage allowlist/blocklist entries and submit misclassified emails to Proofpoint.

---

Overview

Temporary allowlist/blocklist entries help manage email flow while maintaining security. Always include a date and incident number in comments to enable periodic cleanup.

---

Submitting False Positives

When legitimate email is incorrectly quarantined, submit it to Proofpoint for scoring adjustment.

Method 1: Report from Quarantine (Recommended)

This is the preferred method as it provides extra diagnostics.

Report Steps

1. In Quarantine, check the message to report
2. Click Options → Report
3. Select FP (Legitimate Mail)
4. Click Report Message
5. Note the Reference ID displayed in the upper left

Method 2: Open Support Case

Support Case Steps

1. Open an Email Classification Errors (FN/FP) case type
2. Provide the Reference ID from the quarantine report
3. Use "Method A" to supply the reference ID

Case Type

Open cases as Email Classification Errors (FN/FP) type, not default Support type. This routes directly to Threat Operations and prevents delays.

---

Submitting False Negatives (Spam)

When spam reaches inboxes, report it to improve Proofpoint's filtering.

Open FN Case

1. Open an Email Classification Errors (FN/FP) case type in the PCSC portal
2. Threat Operations will review the messages and scoring
3. Interact with the team via the case for questions

Report from Spam Reporting Group

If part of a Spam Reporting group:

1. PPS administrator opens a Support Call
2. Admin reports the FN from your Quarantine's Audit folder
3. Reference ID is returned
4. Include reference ID in the Support call

---

Important Notes

Why Not Paste Messages Into Cases?

Proofpoint data analysts use tools requiring specific message formats. Attached messages can be converted, but copied text cannot without manual overhead.

Why Not Forward Emails?

Forwarding alters message headers and content, making forensic analysis unreliable.

What About Filter Logs?

Filter logs show that a message was discarded but not why. The actual message is needed for proper analysis.

Domain/Sender Blocks

If email from certain domains is being blocked:

1. Find blocked messages in Quarantine
2. Report as False Positive
3. Proofpoint will determine the issue and update algorithms

---

Resources

Resource	Link
Spam Monitoring Guide	Proofpoint Community
Spam Reporting Group FAQ	Proofpoint Community