Online criminals hate us. We protect you from attacks that antivirus can't block.

Heimdal™ Email Security (Configuration)

You can configure and setup the Heimdal™ Email Security module by logging in the Heimdal Dashboard and accessing the Settings -> Perimeter section.


To add a new domain in the E-Mail Security module, you have to Enable E-Mail Security.





Domain name - allow you to add a domain name (eg.

Inbound Host - allows you to set your email server, your port and to choose a TLS option (Optional, Require, None

Outbound IP/Provider - allows you to set the Outbound provider by selecting one from the dropdown or add the IP address or domain in the Public IP/Domain field.

More Inbound and Outbound settings can be added by hitting the +ADD button 




Resend retention time - allows both administrators and users to resend any email filtered by Heimdal™ Email Security - E-Mail Security in up to 30/90 days after it was originally received

Put inbound delivery on pause - allows you to put the system on pause for delivering emails (the system will check every 15 minutes for any changes)

Recipient verification - this option sends the emails through another port (2525) to verify recipients

Block outbound Danish CPR Number - scans the email for any Danish CPR number and blocks them if they include any sensitive information

Inbound Verification - Anti-Spoofing

DMARC** - checks if the incoming email from a domain is authorized by the domain's administrators and that the email (including attachments) have not been modified in the delivery process 

SPF** - checks if the incoming email from a domain comes from a host authorized by the domain's administrators 

Outbound Verification

DKIM** Signing - checks if the email is being sent by trusted servers and untampered

Force TLS transmission to any domain - encrypts the email message from Heimdal Security to the next-hop email server


SEPO In - adds another security check using SEPO and delivers the email to the SEPO Inbound Scan

SEPO Out - adds another security check using SEPO and checks CPR, Abnormal and Forced TLS delivery

 Block emails without TLS

 Block emails without TLS -  This option allows you to add a checkbox for enabling blocking emails without emails and you can also choose a following action once the blocking is done.


You can find more details about it in the following article:







The Antispam Settings allow you to change the aggressiveness of the spam filter and to choose what actions to take on emails based on five different classification levels.

Enable Anti Spam Filtering - enables or disables all antispam filtering in Heimdal™ Email Security within your organization

SCORE LEVEL - allows you to input a value between 0-100, where a higher number will make the classification more relaxed (emails that are less likely to be spam are going to be quarantined) and a lower number stricter (emails that are likely to be spam, are going to be quarantined).

ACTION - allows you to choose an action for every classification (Reject, Quarantine, Tag subject, No Action).
- Reject will reject the email and not store it in any way
- Quarantine will store these emails for 90 days in Heimdal™ Email Security
- Tag will add a tag to the email’s existing subject: # Warning: Possible Spam or Fraud! #
- No Action will make the emails pass unaltered through Heimdal™ Email Security.

PRESETS - allows you to change all spam settings to one of three predefined profiles: Moderate (relaxed setting), Default (medium setting), and Aggressive (restrictive setting).




Security Settings will allow you to change the different Security settings for Heimdal™ Email Security.

Antivirus & Antimalware - allows you to activate or deactivate the Heimdal malware & virus detection engines. This can be used to diagnose against false positives, in the event that Heimdal™ Email Security and detects legitimate emails and/or attachments as harmful, or containing malware.

Advanced Threat Protection (if licensed) - allows you to activate or deactivate the Heimdal detection systems against advanced threats. This can be used to diagnose against false positives, in the event that Heimdal™ Email Security detects legitimate emails and/or attachments as harmful, or containing advanced threats.

Enable Email Security Advanced Threat Protection - allows you to enable the Advanced Threat Protection. detects new threats through Machine Learning and Dynamically developed detection mechanisms

Enable Email Security Macro Analyzer - allows you to execute macros and scripts within emails in a sandboxed environment for analysis & detection

Enable Email Security SHA256 Analyzer - allows you to quickly check an email, blocked by Email Security Advanced Threat Protection, against online malware analyst services Virustotal and Payload Security. This can be of use in establishing whether the threat and detection are a first of its kind, or if not, gaining more information on a specific malware sample. By enabling Email Security SHA256 Analyzer, Heimdal™ Email Security generates a SHA256 hash checksum for each file detected as suspicious/bad/harmful/malicious. You can run the search or even download email parts through the Messaging Logs interface. To search & locate any email blocked by Email Security Advanced Threat Protection in Messaging Logs, you have to left-click the email and select Attachments. Here you will have the option to check the attachments checksum directly at VirusTotal or Hybrid Sandbox. You can download the full attachment for further investigation and analysis, but please be aware that downloading the full attachment can be a security risk (which also will be communicated via a dialogue box before potential download)

Email Security PDF Analyzer - executes PDF files and other container files within emails in a sandboxed environment for analysis & detection

Enable Email Security Phishing Protection - allows you to activate or deactivate the detection systems against phishing emails. This can be used to diagnose against false positives, in the event that Heimdal™ Email Security detects legitimate emails as phishing emails




Allow the email to be scanned by the ATP EmailSecurity engines, post being released from quarantine, after previously having been detected by the Antivirus, Anti Malware and AntiSpam engines (and hence quarantined).


Created a new tick box (ENABLED by default) called: “Force ATP scanning if released”; in case the check box is ticked, if an email has been detected by the Antivirus, Antispam and Antimalware engines as suspicious, placed in Quarantine and released by you, it will also be scanned by the ATP engines (in the inbound and outbound views it will appear with a new type Released To ATP). If ATP says that the email should be in quarantine, the message type will be changed from Released to ATP into ATP, if the email can be delivered, the email message type will remain Released to ATP.

In the “Advanced search area” from both Inbound, as well as Outbound views, in the Type drop down list, a new status “Released To ATP” has to be created. This type will be applied to emails that have been detected by the previous engines (Antivirus, Antimalware and Antispam), released by you and then force scanned by the ATP engines and based on detection, placed again in Quarantine

The “Release” button has to be active only in the case of emails having Quarantine status.









Action on Detection - allows you to define what Heimdal™ Email Security shall do with emails containing threats, categorized by malware, ATP, and Phishing. 





Will allow you to add email addresses, domains, or IPs to the Blacklist or to the Whitelist, thus regulating specific email senders your organization needs to always block or allow. 

Blacklist - allows you to add complete email addresses, domains, or even sender IPs, to block all emails from them. You can also take action on the emails received from the blocked addresses/domains/IPs.

Whitelist - allows you to add complete email addresses, domains, or even sender IPs, to allow all emails from them. Each entry within the Whitelist can be customized to bypass different scanning methods.
Note: Under normal circumstances, it is not advisable to allow sender IPs under whitelists, as this can provide open access for threats and spam in the event the sender's network or endpoints are compromised.
SPF/DMARC scanning - while unticked, the specified email address/domain/IP Address will be whitelisted for SPF/DMARC scanning
Spam scanning - while unticked, the specified email address/domain/IP Address will be whitelisted for Spam scanning
Virus scanning - while unticked, the specified email address/domain/IP Address will be whitelisted for Virus scanning
Attachment detection - while unticked, the specified email address/domain/IP Address will be whitelisted for attachment scanning
Advanced Threat Protection - while unticked, the specified email address/domain/IP Address will be whitelisted for Advanced Threat Protection scanning
Check Header - while enabled, the header sender information will be checked. The SPF/DMARC scanning engine will not be whitelisted for security reasons.




Adding an option to greylist new domains for a period of time


Note: If option is enabled, you will see on inbox level that the message is from new domains, if recipient domain is not in greylist or exists in greylist domain and it not exists in whitelist or in halon dedicated greylist common domains (note that this common domains can be updated only be the dev’s which has access to Halon).

1. Domain greylist threshold which, if ticked, will allow the storage in Heimdal's database for the number of days set by threshold slider, of the domains from which the customer is receiving emails. This tick box will also have an info bubble and the text to be displayed when the mouse is hovered over the info bubble is: "Enable this feature to begin collecting data on historically known domains in your mailflow. It's recommended to have this activated for 30 days + for best data collection before activating the Tag greylisted email".
Be aware that this saving will be done if all the above conditions are met: recipient domain is not equal with the sender domain, sender domain is not in the list of the common domains, sender domain was not whitelisted.

2. Tag greylisted emails which, if ticked, would generate a dedicated tag in the user's Inbox: "E-Mail from new domain" in the case of emails that are coming from new domains (use passive mode, do not block directly), while, in the background, the email will be scanned. This tick box will have an info bubble and the text to be displayed when the mouse is hovered over the info bubble is: "Enabling this feature, will put a tag in the subject field, if the sender domain has not been seen before, according to the collected data. Use the slider to set how many days we tag a new domain (1-2 days recommended). Subject will be tagged with: #Unknown domain: Possible spam / phishing email#".
This can be made if the previous checkbox is checked.




This feature will allow you to change the different settings for an email with attachments. The attachment filters can be enabled for the specific file extension, based on the attachment's filename. As an increasing number of threats are trying to bypass email filters by filename and/or file parser manipulation, Heimdal™ Email Security also provides an advanced attachment filter, based on inspection and analysis of each attached file. The advanced attachment filter will also safeguard against users renaming or manipulating their files to bypass policies your organization has set up for allowable file types for email transmission. The list of dangerous files includes the following file extensions: .ac .air .apk .app .applescript .awk .bas .bat .cgi .chm .cmd .com .cpl .crt .csh .dld .dll .drv .elf .exe ._exe .fxp .hlp .hta .inf .ins .inx .isu .iqy .jar .js .jse .jsp .kix .ksh .lib .lnk .mcr .mem .mht .mpkg .mrc .ms .msc .msi .msp .mst .ocx .pas .pcd .pif .pkg .pl .prc .prg .py .pyc .pyo .reg .scpt .scr .sct .seed .sh .shb .shs .spr .sys .thm .tlb .udf .url .uue .vb .vbe .vbs .vdo .wcm .ws .wsc .wsf .wsh .xap .zlq

IMPORTANT: The FILTER BY EXTENSION is working only for the inbound mail flow and is blocking the emails containing external attachments.



This feature allows you to change the notification settings for emails that have been sent to quarantine by Heimdal™ Email Security. The Personal Quarantine Report by email, will send an email containing a notification of quarantined emails to the intended receiver of the quarantined emails in your organization.
Select types of e-mail in quarantine to be added to the report, and also define if it’s possible to preview and release the e-mail directly from the quarantine report.

General Quarantine Report Settings - allows you to set a sending schedule for the Quarantine Report. It can be configured for daily sending, weekly sending, or hourly sending

Advanced Threat Protection - allows you to specifiy what details should be included in the Quarantine Report 

View/Edit Quarantine Report - allows you to set the limits of the classification to be included in the Quarantine Report

   -View & Edit Template : With this option you can change the message (from footer and header) and the way it looks. The first option makes it possible to transform the selected text from Normal through Heading 1, 2 and 3. The next 3 buttons are for transforming the selected text in a strong text, underline text or italic. The next button is for adding a link for a selected text. The next 2 buttons are for alignment with numbers or with bullets. The last button is for clearing the selection (for example to undo alignment with numbers, or to undo transformation into a strong text, etc). This can be done if you didn’t press Save Changes. Load Default Template disables all template changes and load the first one that we have stored into the database (it doesn’t save the changes until you’ve press Save Changes button).


   - Test report - this feature allows testing Quarantine reports.


Personal Quarantine Report by Email - allows you to enable the Personal Quarantine Report to be sent only be to recipients of quarantined emails. Users who do not have any quarantined emails will not receive a Personal Quarantine Report. Settings can be changed to select how often the Personal Quarantine Report by Email will be sent to the intended recipient of the quarantined emails in your organization

Admin Quarantine Report by Email - allows you to enable the Quarantine Report for the administrator. This report includes all quarantined emails within your organization in one complete quarantine report. You can add one or more recipients using the Receivers field (comma-separated list).



With this option you can set a limit for outgoing emails by minutes or per day.

- minute (default: 200 messages sent in 1 minute)

- day (default: 10.000 messages sent in one day)


Also this feature can be enabled/disabled.

All the emails that exceed the limit will be rejected.


These are the limits set for now in halon.

To reflect this change (for now) you can access followed by domain name. This change will be reflected only in elasticsearch, not in halon (so for now the emails will not be blocked when the limits are reached).





This feature allows you to add an SMTP Authenticated User for a Printer or a Copy-Machine to send out emails through Heimdal™ Email Security. To use this feature you need to specify the username, the password, and the IP address):

Username: smtp (or any other username)
Password: <your-password>
Confirm Password: <confirm-your-password>
IP Address: <your-IP-Address>

Press Add and Save changes.

To test the SMTP Auth feature, you can open a PowerShell window and run the following command:

Send-MailMessage -From '' -To '' -Subject 'Test Email' -Body 'Testing the SMTP Relay Service' -SmtpServer '' -Usessl -Port 587 -Credential (Get-Credential)

You will be prompted to insert the credentials (* and password) you added in the Heimdal Dashboard
* - Although in the Heimdal Dashboard, the username does not include the domain, in the authentication popup you are required to specify the domain.  



The Copy Settings feature consists of a popping modal with the most important configuration of a domain (in this case the edited domain) and applying them to one or more existing domains per customer. It is important to know that the edited domain will have the modifications you already did on the page. (so is a double save feature).

In the Heimdal Dashboard, when you enter the Settings section, in the Perimeter view you can see a checkbox that appears only when editing the domain, which, when it is checked, enables the Copy Settings feature when submitting the form using the Save Changes button.








Below, you can read information about how Anti Spoofing Mechanisms work and what SPF, DKIM, or DMARC do.

◦        SPF (Sender Policy Framework)
          More about SPF:
◦        DKIM (Domain Keys Identified Mail)
          More about DKIM:
◦        DMARC (Domain-based Message Authentication, Reporting & Conformance)
         Read more about DMARC:


**SPF (Required for domains using Heimdal™ Email Security - security outbound sending system)

SPF records basically tell the world what hosts or IPs are allowed to send an email for your domain. When email servers receive an email that claims to be from your domain, they can look up your SPF record and if the sending server is included. We strongly recommend you set up an SPF record that includes Heimdal™ Email Security. This will not only make your email seem more legitimate and thus less likely to be sent to spam folders, but it will also help protect your domain from attackers who send emails with forged headers pretending to be you.

Heimdal™ Email Security  SPF record to include:

The “” means you allow the servers of Heimdal™ Email Security to send on behalf of your domain. If you want to keep an existing SPF record, simply add the “” to it right after the “v=spf1”.

DKIM is a method of email authentication that cryptographically verifies if an email is sent by trusted servers and untampered. Basically, when a server sends an email for your domain, it will calculate an encrypted hash of the email contents using a private key (that only trusted servers know) and add it to the email headers as a DKIM signature. The receiving server will verify the email contents by looking up the corresponding public key in your domain’s DNS records, decrypting the encrypted hash, calculating a new hash based on the email contents is received, and see if the decrypted hash matches the new hash. If there is a match, then the email was not changed and so DKIM passes. Otherwise, DKIM fails and the email is treated with suspicion.

Important: The DKIM record for your domain, is added to the hostname of your domain in the following syntax:

selector._domainkey.domainname (selector is predefined as centium{currentdate} )

Example: If domainname is, the TXT DKIM public key is added to:


It can seem complicated but implementing DKIM for your domain is quite easy in Heimdal™ Email Security. Once you request a new certificate for your domain, Heimdal™ Email Security will generate a DKIM key pair and show you the TXT record to add if you want to enable DKIM signing. This record contains the public key and is different for every domain.

Once you added the TXT record to your domain, you can ‘Check DNS’ to verify your public DKIM key and enable outbound signing if validation is successful.

Some online services provide DKIM verification to test if your e-mails are DKIM signed correctly by sending e-mails to a specific e-mail address. Here is a few, but more can be found online:


Domain-based Message Authentication, Reporting and Conformance (DMARC) makes it possible to instruct the receiving server in how to handle a received email coming (or pretending to come) from your domain which fails the SPF and DKIM email verification checks. DMARC enables you to choose one of three predefined actions to unverified emails: none, quarantine, and reject.

A basic DMARC TXT record example: v=DMARC1; p=none;

The “p=” specifies the action to take for emails that fail DMARC and here, “none” basically means don’t do anything, accept the email as usual. The “rua=” is an optional parameter that specifies an email address where other email services can send aggregate reports to so you can see how many of your emails are failing DMARC. Once you are confident your legitimate emails are passing DMARC (either SPF passes or DKIM passes), then you may want to set “p=quarantine”, which tells the receiving server to send failed emails to the spam folder. Even more aggressively, you can set “p=reject” to tell the receiving server to not accept failed emails. We advise working towards “p=quarantine” or even “p=reject” if you think you are likely to be a target of spoofing. For example, Yahoo, PayPal, and eBay use “reject” to prevent spammers from impersonating them.

Important: The DMARC record for your domain, is added to the hostname of your domain in the following syntax:


Example: If the domain name is, the TXT DMARC record is added to

Examples of Online Service for DMARC record wizards & reporting: 


See how to set up and configure Heimdal™ Email Security in the following video: 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Article is closed for comments.