This feature is designed to protect against business email compromise (BEC) and display name impersonation attacks, where threat actors use display names similar to those of trusted users (e.g., executives, vendors, or colleagues) to trick recipients into taking actions such as transferring money or revealing sensitive information. It detects when a display name closely matches a protected user but comes from a different email address. Comprehensive protection is provided through multiple layers of defense:
•Core Detection Engine: Uses advanced name similarity detection (Jaro-Winkler algorithm) to identify when an email's display name closely matches a protected user but originates from a different email address. Administrators can set a Similarity threshold (0.0 - 1.0), where 1.0 requires an exact match and lower values enable fuzzy matching to catch variations such as "Jon Smith" vs "John Smith".
•Protected User Management: Administrators can designate high-value targets (e.g. executives, finance personnel, HR staff) for monitoring. A personal address list of legitimate alternate addresses can be maintained for each protected user, to prevent false positives when they send emails to your organization from personal accounts.
•Free Email Provider Actions: Apply stricter policies to messages from free email providers (Gmail, Yahoo, Outlook.com, Hotmail, ProtonMail, iCloud, AOL, and many others) where impersonation attacks commonly originate. Configure separate actions specifically for these high-risk sources.
•Flexible Response Actions: Choose from multiple response options, including: rejecting messages, quarantining them for security review, adding warning headers (X-DisplayName-Spoof), tagging subject lines with a message such as "DISPLAY NAME SPOOFED", or moving messages to spam folders. Different actions can be configured for general matches versus matches from free email providers.
•Granular Exclusions: Prevent false positives with multiple exclusion options: allowlisted IP addresses, authenticated sessions, domain email servers, and a configurable sender exclusion list supporting wildcard patterns (*@company.com, user*@domain.com, admin@*.com).
•Sieve Integration: Advanced users can create custom policies using the new vnd.mdaemon.display_name_protection and vnd.mdaemon.sender_is_free_email Sieve tests.
Configuration
Enable display name protection
Click this checkbox to enable Display Name Protection and configure its settings.
When a display name impersonation is detected:
Choose the action you wish to take when an impersonation is detected for one of your Protected Users:
...refuse the message
Refuse to accept the message.
...quarantine the message
Accept the message but move it to the quarantine for review.
...accept the message
Use this option if you wish to accept the message but possibly take other actions, such as add a header to the message or adjust its message score, which could cause it to be flagged as spam.
...add a header to the message
If you choose to quarantine or accept messages when a display name impersonation is detected, you can use this option to add a custom header to the message.
Header Name:
The default custom header name is: X-DisplayName-Spoof
Header Value:
The default custom header value is: Suspected
...tag subject with
If you choose to quarantine or accept messages when a display name impersonation is detected, you can choose to add this text to the beginning of the message's Subject header. The default value is: *** DISPLAY NAME SPOOFED ***, but you can set it to whatever you prefer.
...add [xx] points to message score
Use this option to add points to the message score when display name impersonation is detected. By default, 3.0 points are added.
Similarity threshold (0.0 - 1.0):
Names with a similarity score greater than or equal to this threshold will be flagged. A threshold of 1.0 requires an exact match to the Protected User's display name. The default value is: 1.0
Detect nickname and diminutive variations
When enabled, common first name variations are treated as matches. For example, "Bob Smith" will match "Robert Smith", and "Matt Jones" will match "Matthew Jones"..
Free Email Provider Actions
Apply stricter actions to messages from free email providers
Impersonation attacks often originate from addresses at free email providers (Gmail, Yahoo, Outlook.com, etc.). Activate this option if you wish to apply a different action when the spoofed message comes from a free provider.
When impersonation is detected from a free email provider:
Choose the action you wish to take when an impersonation is detected but the sender is an address at a free email provider.
...refuse the message
Refuse to accept the message.
...quarantine the message
Accept the message but move it to the quarantine for review.
...accept the message
Use this option of you wish to accept the message but possibly take other actions, such as add a header to the message or adjust its message score, which could cause it to be flagged as spam.
...add a header to the message
If you choose to quarantine or accept messages when a display name impersonation is detected, you can use this option to add a custom header to the message.
Header Name:
The default custom header name is: X-DisplayName-Spoof
Header Value:
The default custom header value is: Suspected-FreeEmailProvider
...tag subject with
If you choose to quarantine or accept messages when a display name impersonation is detected from a free email provider, you can choose to add this text to the beginning of the message's Subject header. The default value is: *** DISPLAY NAME SPOOFED ***, but you can set it to whatever you prefer.
...add [xx] points to message score
Use this option to add points to the message score when display name impersonation is detected originating from a free email provider. By default, 5.0 points are added.
Protected Users
This area lists all users that you have added for Display Name Protection. To edit or remove a user, select the user and click Edit or Remove.
 | Add Protected User Click this button to open the Protected User page for adding users that you wish to protect from display name impersonation. |
Exclusions
Exclude messages from allowlisted IP addresses
By default, messages sent from IP addresses on the IPs Allowlist are excluded from Display Name Protection settings. Uncheck this box if you wish to apply these settings to allowlisted IPs.
Exclude messages from authenticated sessions
By default, messages being sent over authenticated sessions are excluded from Display Name Protection settings. Uncheck this box if you wish to apply these settings even when the session is authenticated.
Exclude messages from domain mail servers
Messages coming from your domain mail servers will be exempt from Display Name Protection settings by default. Clear this checkbox if you wish to apply these settings even when the messages are coming from those servers.
Exceptions - Domains
If you select a specific domain in the "For Domain:" drop-down list box at the top of the page when configuring these settings, that domain will be listed here after saving the settings. Click the View/Edit link for the corresponding domain to review or edit its Display Name Protection settings, or click Reset to reset the domain's settings to the default Global values.
