Email security – defanging URLs

When the contents of an artifact are within an email notification, any web and IP addresses are automatically “defanged” to prevent the user from inadvertently clicking a malicious link.

When URLs are deranged, the following actions occur.

http is replaced with hxxp.
ftp is replaced with fxp.
Brackets are added to domain names; for example, www.example.com is replaced with www[.]example[.]com.
Brackets are added to the IP address; for example, 8.8.8.8 is replaced with 8[.]8[.]8[.]8.

You might have a number of legitimate domains that you do not want to be "defanged." In this case, you can create an allowlist that allows the specific domains to remain untouched. To see the current setting of the allowlist, enter the following command.

sudo resutil configget ‐key whitelist_defang_domains

Use the following command to create the allowlist. For multiple domains, use a comma (,) as a separator.

sudo resutil configset ‐key whitelist_defang_domains -svalue $<domain>

The following example adds the example.com and example.org domains to the list.

sudo resutil configset ‐key whitelist_defang_domains -svalue example.com,example.org