Policies & Preferences
PhishNet has two layers of configuration: user preferences (personal, per-user) and organisation policies (admin-controlled, apply to everyone in the org).
User preferences
Every PhishNet user has their own set of preferences that control how their inbox is scanned. These are described in full in Settings.
User preferences are personal — changing them only affects your own account.
Organisation policies
Admins on a PhishNet team plan can enable org-wide policies that apply to every member. These are configured from the PhishNet admin dashboard.
| Policy | What it does |
|---|---|
| Auto-quarantine high-risk emails | Quarantines any email scoring above the high-risk threshold for every member, regardless of their personal auto-quarantine setting |
| Flag urgent keywords | Forces urgent-language detection on for all members |
| Trusted senders allowlist | Adds an org-managed list of trusted addresses/domains on top of each user's personal list |
| Block known phishing domains | Hard-blocks senders flagged in PhishNet's shared threat-intelligence feed |
| Require 2FA to mark safe (planned) | Users must complete 2FA verification before they can restore a quarantined email |
How they interact
When an org policy conflicts with a user preference, the org policy wins. Users cannot opt out of policies their admin has enabled.
There is one exception: the Trusted senders allowlist is additive. PhishNet unions your personal trusted-senders list with the org list — the org list extends yours, it doesn't replace it.
What users see
When an org policy is controlling one of your preferences, you'll see a notice next to that setting explaining which policy is active. The setting appears locked — you can read it but not change it.
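
The precedence rules from "How they interact" and the locked-setting behaviour described above, written out as an added example; this is not PhishNet's own code. The policy keys, preference names, `resolve`, `is_trusted` and the exact-domain matching rule are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass

# Hypothetical names: PhishNet's real data model is not shown on this page.
# Maps each org policy that forces a boolean preference on to that preference.
FORCING_POLICIES = {
    "auto_quarantine_high_risk": "auto_quarantine",
    "flag_urgent_keywords": "flag_urgent_keywords",
}

@dataclass
class Effective:
    settings: dict              # preference name -> value actually applied
    locked: dict                # preference name -> org policy controlling it
    trusted_senders: frozenset  # personal list, plus org list if enabled

def _norm(entries):
    # Compare addresses and domains case-insensitively, ignoring blanks.
    return frozenset(e.strip().lower() for e in entries if e.strip())

def resolve(user_prefs, user_trusted, org_enabled, org_trusted=()):
    """Combine one user's preferences with the org's enabled policies."""
    settings = dict(user_prefs)
    locked = {}
    for policy, pref in FORCING_POLICIES.items():
        if policy in org_enabled:
            settings[pref] = True   # org policy wins over the user's value
            locked[pref] = policy   # the UI would show this setting read-only
    trusted = _norm(user_trusted)
    if "trusted_senders_allowlist" in org_enabled:
        trusted |= _norm(org_trusted)  # additive: union, never replacement
    return Effective(settings, locked, trusted)

def is_trusted(sender, eff):
    """Match a full address or its exact domain (assumed matching rule)."""
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    return sender in eff.trusted_senders or domain in eff.trusted_senders

# Constructed sample: the user switched auto-quarantine off, the org forces it on.
EXAMPLE = resolve(
    user_prefs={"auto_quarantine": False, "flag_urgent_keywords": True},
    user_trusted=["alice@partner.example"],
    org_enabled={"auto_quarantine_high_risk", "trusted_senders_allowlist"},
    org_trusted=["Vendor.example"],
)
```

A policy the admin has not enabled leaves the user's own value untouched and unlocked, which is why `flag_urgent_keywords` stays under the user's control in the sample.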