The Impersonation Filter should take precedence over the spam filter, or at least, if an email is released from quarantine, it should go through the impersonation and data protection filters before going to the user.
Tainted emails are getting through to the end user via quarantine because Email Impersonation and Data Protection are being bypassed.
I would like to request a feature change to allow a change in the order of the filter steps or to require that emails released from quarantine have to go through Email Impersonation and Data Protection filters.
Currently email traffic entering the Symantec.cloud infrastructure is checked and scanned in the following order:
Traffic shaping
SMTP heuristics
Address Validation
AntiSpam Client approved list
AntiSpam Client blocked list
DMARC/SPF
AntiSpam Public DNS block lists (PBL)
AntiSpam Signaturing System
AntiVirus
ATP Cynic - Only available for domains enabled with Advanced Threat Protection
Antispam Skeptic Heuristics (including Newsletter Detection if enabled)
Image Control
Email Impersonation Control
Data Protection
Here is the order I propose so that tainted or ruled-out emails never get into quarantine:
Traffic shaping
SMTP heuristics
Address Validation
Email Impersonation Control
Data Protection
AntiSpam Client approved list
AntiSpam Client blocked list
DMARC/SPF
AntiSpam Public DNS block lists (PBL)
AntiSpam Signaturing System
AntiVirus
ATP Cynic - Only available for domains enabled with Advanced Threat Protection
Antispam Skeptic Heuristics (including Newsletter Detection if enabled)
Image Control
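
The gap described above can be checked with a small model of the two scan orders. This is an added example, not Symantec code and not part of the original request. It assumes that scanning stops at the stage that quarantines a message, that release delivers the message without further scanning, and that the two stages named in QUARANTINE_STAGES are the ones that quarantine; the function names are hypothetical and two stage names are shortened.

```python
# Added model of the scan orders listed in the post; not vendor code.
CURRENT_ORDER = [
    "Traffic shaping", "SMTP heuristics", "Address Validation",
    "AntiSpam Client approved list", "AntiSpam Client blocked list",
    "DMARC/SPF", "AntiSpam Public DNS block lists (PBL)",
    "AntiSpam Signaturing System", "AntiVirus", "ATP Cynic",
    "Antispam Skeptic Heuristics", "Image Control",
    "Email Impersonation Control", "Data Protection",
]
# Proposed order: the last two filters moved up behind Address Validation.
PROPOSED_ORDER = CURRENT_ORDER[:3] + CURRENT_ORDER[12:] + CURRENT_ORDER[3:12]

# Filters the post wants applied to anything that reaches a user.
REQUIRED = ("Email Impersonation Control", "Data Protection")
# Assumption: these are the stages that send a message to spam quarantine.
QUARANTINE_STAGES = ("AntiSpam Signaturing System", "Antispam Skeptic Heuristics")


def unscanned_after_release(order, quarantined_at, rescan_on_release=()):
    """Return the required filters a released message never passed through."""
    # Everything up to and including the quarantining stage has already run.
    ran = set(order[: order.index(quarantined_at) + 1])
    # Filters re-applied at release time (the post's alternative request).
    ran.update(rescan_on_release)
    return [f for f in REQUIRED if f not in ran]


def release_gaps(order, rescan_on_release=()):
    """Map each quarantining stage to the required filters skipped on release."""
    return {stage: unscanned_after_release(order, stage, rescan_on_release)
            for stage in QUARANTINE_STAGES}


if __name__ == "__main__":
    cases = [
        ("current order", CURRENT_ORDER, ()),
        ("proposed order", PROPOSED_ORDER, ()),
        ("current order, rescan on release", CURRENT_ORDER, REQUIRED),
    ]
    for label, order, rescan in cases:
        print(label)
        for stage, missed in release_gaps(order, rescan).items():
            print(f"  quarantined at {stage}: skipped {missed or 'nothing'}")
```

Either change requested in the post closes the gap in this model: reordering the filters, or re-running the two filters when a message is released.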