You know the ones. You’ve diligently blocked spoofed email domains with DMARC, DKIM, and SPF. Now your users are getting emails with your CEO’s name and some random email address. Let’s reject those!

If you use Office 365 for email, here are the instructions for that

Let’s say our CEO is Tony Stark:


From: Tony Stark <[email protected]>
To:¬†Pepper Potts <[email protected]>
Subject: Urgent!

Hey Pepper,

I’m out of the office right now and I lost my cell phone but I really need to you pick me up some iTunes Gift Cards real fast so I can hand them out at this event. Respond to this email and I’ll give you the details

Tony Stark
Stark Industries


Looks legit enough to pass by spam filters, which have no way of knowing if “[email protected]” is Tony Stark or not. And if you block that address, the spammers will just send from another one.


  1. Log into your G suite Admin and head over to APPS -> G SUITE CORE -> GMAIL -> Advanced Settings (at the bottom)
  2. Scroll down to find “Content Compliance”
  3. Create a new setting with a catchy title (Block spoofed Tony Stark emails?)
    1. Set to affect “Inbound”
    2. Change to “If ALL of the following match the message” and hit ADD to add each of these these conditions:Type: Advanced Content Match
      Location: Sender header
      Match Type: Contains Text
      Content: [email protected]” (your CEO’s real email)Type: Advanced Content Match
      Location: Sender header
      Match Type: Not Contains Text
      Content: “Tony Stark” (your CEO’s name)
    3. Set “if the above expressions match…” to “Reject Message” or Quarantine if you’d like to see and manage them.
    4. Click the blue text “Show Options” at the bottom and under “B. Account types to affect”, check all 3 types and hit SAVE
  4. OK! Don’t forget to hit SAVE¬†at the bottom right of the screen you are returned to and you’re all set!