Message types

The Sublime system categorizes the directionality of email messages using the type property in the Message Data Model (MDM).

The message type lets you construct detection rules to address different use cases in your email environment. For example:

  • Inbound for phishing
  • Outbound for DLP
  • Internal for lateral movement (east-west traffic)

Below is how each message type is defined. Message source domains are verified domains associated with your cloud email provider, i.e. Google Workspace or Office 365. Domains are synced daily.

Message TypeDescription
type.inboundThe message was received from a sender outside your message source domains.
type.outboundMessages sent by your organization to at least 1 recipient outside of your message source domains.
type.internalMessages sent by your organization where at least 1 recipient is in your message source domains.

Messages must be authenticated by either SPF, DKIM, or DMARC and have a Return-Path header matching one of your organization’s internal domains to be treated as internal.

If a message passes one of SPF, DKIM, or DMARC, but also fails any of the others (including softfail), it is treated as an inbound message.

A single message could have any of the following combinations of types:

  1. Inbound
  2. Outbound
  3. Internal
  4. Outbound and Internal (a message sent by your organization to both an external and internal recipient)