Callback Verification is an anti-spoofing measure used to confirm the validity of the email address of an incoming message's purported sender. To do this, SecurityGateway will connect to the mail exchanger of the domain passed in the "MAIL From" statement during the SMTP session and attempt to verify whether or not that sender's address is a valid address at that domain. If the result of the check shows that the sender's address does not exist, then SecurityGateway can treat the message as if it is being sent from a forged address and therefore refuse the message, quarantine it, or accept it and optionally adjust its Message Score or add a tag to the Subject. Because there are a number of potential problems and drawbacks associated with callback verification in general, this feature is disabled by default.

For general information on callback verification, see the Callback verification article at


Use callback verification to verify senders

Click this checkbox if you wish to use callback verification to check the validity of sender email addresses. SecurityGateway will use the value that is passed by the sending server during the SMTP "MAIL From" statement to connect to the purported sender's domain and verify whether or not that address exists. Callback verification is disabled by default.

Try VRFY command first (if supported by the sender's mail server)

By default, SecurityGateway will first try to use the SMTP "VRFY" command to verify a sender's address when the server indicates that it supports that command. Servers indicate they support VRFY by responding to SecurityGateway with the "250-VRFY" statement at the beginning of the SMTP session. If you disable this option or if the server does not support VRFY, then SecurityGateway will use the "MAIL From" and "RCPT To" commands instead. SecurityGateway verifies that the sender's address is valid at the domain by using these commands as if it were going to send a message to the address in question, although no message will actually be sent.

Send message from this address:

This is the From address that will be used in the "MAIL From" SMTP statement when a NULL from address is not permitted by the server, or when you disable the "Try NULL from address first" option below. The default value of this option is "postmaster". The domain portion that will be appended is the recipient's domain (e.g. If you specify a full email address in this option, then that address will be used instead. For example, using "" in this option would mean that the recipient's domain would not be used.

No message is actually sent to the sender's email server. SecurityGateway connects to the server and sends the MAIL From and RCPT To commands as if it were going to send a message, but then ends the connection without sending one. By testing to see if the server will accept a message for the sender address in question, SecurityGateway can confirm that the server considers the address valid.

Try NULL from address first

When using the "MAIL From" and "RCPT To" commands to verify a sender's address, SecurityGateway will first try to use a From with NULL value (i.e. "MAIL From <>"). If this option is disabled or if the server does not allow a NULL From, then SecurityGateway will use the "Send message from this address:" value designated above.

If a sender fails callback verification:

When the callback verification test indicates that the sender's address is invalid, the message can be refused, quarantined, or accepted and optionally tagged and have its Message Score adjusted. Select the option below that you wish to use for messages that fail callback verification.

...refuse the message

When this option is selected, messages with senders who fail callback verification will be refused during the SMTP session.

...quarantine the message

Choose this option if you wish to quarantine messages that fail callback verification. This is the default option.

...accept the message

Use this option if you wish to accept a message that fails callback verification but wish to adjust its message score or add some text to the subject.

...tag the subject with [ text ]

Click this option and specify some text if you wish to add something to the beginning of the message's Subject header when the sender's email address fails the callback verification test. By default this option is disabled. If you enable it, then "*** CBV ***" is added to the subject by default, but you can edit that text if you choose.

There are a number of other places within SecurityGateway where you can optionally add text to the Subject header. For example, the Message Scoring and URI Blacklists (URIBL) pages also have this option. When the designated text in these options matches, the text will only be added to a message's subject once even if that message meets the criteria under each option. If, however, you change the text in one or more places then that customized text will be added as well. So, for example, if you set the text under all three of these options to "*SPAM*" then that text would only be added to the subject once, regardless of whether or not it matched the criteria under more than one of the options. But, if you changed the DNSBL optional text to "*DNS blacklisted*" and the message matched the criteria under that option and the others then the subject would have both "*SPAM*" and "*DNS blacklisted*" added to it.

...add [xx] points to message score

By default a message that fails the callback verification check will have its Message Score adjusted by 1.0 points. You can adjust this value if you choose, or you can disable the option if you do not wish callback verification to affect the score.

Even when SecurityGateway is configured to accept a message rather than refuse or quarantine it, it could still be refused or quarantined if its Message Score ends up being sufficiently high, depending on how you have configured the other Security options and the options on the Message Scoring page.


Exclude messages from whitelisted senders

Messages from whitelisted senders are exempt from callback verification checks by default. Disable this option if you do not wish to exclude whitelisted senders from callback verification requirements.

Exclude messages from authenticated sessions

By default, messages being sent over authenticated sessions are excluded from callback verification requirements. Uncheck this box if you wish to verify senders even when the session is authenticated.

Exclude messages from local senders

Messages from your local senders are excluded from Callback Verification by default. Clear this checkbox if you do not wish to exempt local senders.

Exceptions - Domains

If you select a specific domain in the "For Domain:" drop-down list box at the top of the page when configuring these settings, that domain will be listed here after saving the settings. Click the View/Edit link for the corresponding domain to review or edit its Callback Verification settings, or click Reset to reset the domain's settings to the default Global values.