How to correctly set an exemption from a content policy
I would appreciate any interesting comments on my situation. Due to a number of e-mails containing zero-day malware in attachments, we decided to create a content profile which does not allow:
password protected archives (in case they cannot be decrypted)
password protected documents
documents with embedded components
If any of the above is positive, then the message goes to system quarantine and we notify the user. So far, this profile has stopped a number of malicious messages, mostly containing zero-day malware detected by neither antivirus nor sandbox.
Of course, there are false positives too. This brings a need to create exemptions for trusted senders, for which we will not apply this content policy. What is the best and most secure way to do it?
For now, we have created another recipient policy, created a "trusted senders" e-mail address group and used it in the sender pattern. It works, but I think there must be a better option, because if someone can forge the sender address, the message would come through. Working with the sender's SMTP server IP address is not really an option, because of all the cloud services like Outlook which have hundreds of IPs. But, for example, can we somehow utilize whether SPF and DKIM are validated and correct (or rather whether they are not) and change the rule behaviour accordingly?
Or any other idea?
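As an added illustration of the idea in the question (not code from the original post or from any particular gateway product), here is the check a gateway rule would need to make before granting the "trusted senders" exemption: the From domain must be on the trusted list, and our own gateway's Authentication-Results header must report an SPF or DKIM pass whose domain is aligned with it. The authserv-id `mx.example.net`, the trusted domain and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed authserv-id of our own gateway. Only its Authentication-Results
# are trusted; an outside sender can add a header with any other id.
OUR_AUTHSERV_ID = "mx.example.net"
AR_RESULT = re.compile(r"\b(spf|dkim)=(\w+)")
AR_PROP = re.compile(r"\b(smtp\.mailfrom|header\.d)=([^\s;]+)")

def _aligned(domain, trusted):
    """True if domain (or the address's domain) is trusted or a subdomain of it."""
    d = domain.lower().rsplit("@", 1)[-1]
    return d == trusted or d.endswith("." + trusted)

def _auth_results(msg):
    """Yield (method, result, domain) from our own gateway's headers only."""
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, body = " ".join(hdr.split()).partition(";")
        if authserv.strip().split()[0].lower() != OUR_AUTHSERV_ID:
            continue  # header was not written by us: ignore it
        for clause in body.split(";"):
            m = AR_RESULT.search(clause)
            if m:
                p = AR_PROP.search(clause)
                yield m.group(1), m.group(2).lower(), p.group(2) if p else ""

def exemption_applies(raw_message, trusted_domains):
    """Grant the content-policy exemption only for an authenticated trusted sender."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if from_domain not in trusted_domains:
        return False
    return any(result == "pass" and _aligned(domain, from_domain)
               for _, result, domain in _auth_results(msg))

# Constructed sample messages: a genuine partner mail, a forged one, and one
# where the sender supplied their own fake Authentication-Results header.
GENUINE = ("From: Alice <alice@partner.example>\nAuthentication-Results: mx.example.net;\n"
           " spf=pass smtp.mailfrom=bounce@partner.example;\n dkim=pass header.d=partner.example\n"
           "Subject: invoice\n\nbody\n")
FORGED = ("From: Alice <alice@partner.example>\nAuthentication-Results: mx.example.net; "
          "spf=fail smtp.mailfrom=attacker.example; dkim=none\nSubject: invoice\n\nbody\n")
FAKE_AR = ("From: alice@partner.example\nAuthentication-Results: evil.example; "
           "dkim=pass header.d=partner.example\nSubject: invoice\n\nbody\n")
```

Exempting on authentication alone is still weaker than an allow-list: a trusted partner's own mailbox can be compromised, so the exemption should stay narrow and quarantine hits from exempted senders should still be logged.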