Adjust Risk Levels

Description

Risk Levels help determine how Shield responds to messages that match a specific risk. The Risk Levels can be applied to an Organization, individual user, or to a specific sender of a user within Shield Control.

Risk levels for Shared mailboxes are treated differently. See Shared Mailboxes in Shield for more information.

Risk Levels

• High - A high risk level places the email in Jail regardless of whether the sender is a trusted contact.
• Moderate - A moderate level places the email in the Junk Email folder even if the sender is a trusted contact. An email in the Junk Email folder will retain its original contents but will be subject to its native protections.
• Low - A low risk level places a message in the Inbox for a trusted sender, or in the Junk Email folder for senders who are silenced to Junk or have no trust decision.

Adjustable Risk Categories

General Risk Levels

These risk levels are customizable by intermediate or expert-level end users for their Shield account or for individual senders. Choose the appropriate risk level for the category to alter Shield's default behavior.

• Unauthorized: SPF failure of the envelope sender address or a DMARC quarantine or reject policy.
• Forged: DKIM signature failure.
• Bulk: The email's source and/or contents are from a mass mailing.
• Possible dangerous file: The email may contain a macro, encrypted file, or potentially unwanted application (PUA). 
• Possible dangerous extension: File extensions that typically indicate a virus payload is included.
• Bad reputation: The sender or sending IP may be on one or more bad reputation databases.
• Obvious spam: Messages with many obvious signs indicate they are spam.
• Spam: The email contains content that is consistent with unwanted email behaviors.
• Possible spam: Messages that look like they could possibly be spam but might not be. 
• Possible impersonation: The email appears to be coming from someone you know but not from a source consistent with their known identity.
• Unwanted: Shield has learned that messages like these are unwanted by users.
• Possible unwanted: Shield believes messages like these are unwanted but might be wanted.
• Untrusted region: Any region not yet trusted in Manage Trusted Regions will show a risk level. This is only customizable at the Organization level by Shield Admins.

Organizations onboarded to Shield on or before April 15, 2025, will have different default Untrusted Region values to preserve Shield’s current behavior. Untrusted regions will be set to no risk, so the new feature will not impact mail flow decisions. The US and Canada will be added as trusted regions, but no dangerous regions will be pre-populated.

Dangerous Results

• Virus: Emails that contain signs attributed to confirmed viruses or malware.
• Impersonation: Messages with signs from a sender other than the sender visible to the recipient.
• Dangerous extension: The email may contain a macro, encrypted file, or potentially unwanted application (PUA). 
• Dangerous file: The email contains a macro, encrypted file, or potentially unwanted application (PUA).
• Phishing: Messages that have signs that they are fraudulent attempts to gain sensitive information from the recipient.
• Possible phishing: Messages that look like they could possibly be phishing but might not be.

Dangerous Results risk levels are only changeable at the user level by Administrators and Superusers, not by end users.

Getting Help

If you need assistance, please contact the Partner Success team.

Updated July 10, 2025 13:28