WAF and Email Security

Overview

The Expedited WAF is a Web Application Firewall — it protects your website and web application by filtering HTTP/HTTPS traffic. It does not provide any email-related security.

What the WAF Protects

The WAF inspects all incoming web requests to your domain and blocks malicious traffic before it reaches your Heroku application. This includes protection against SQL injection, XSS, DDoS attacks, brute-force login attempts, and more. See Common WAF Use Cases for the full scope.

What the WAF Does Not Do for Email

The WAF does not:

  • Filter or scan incoming or outgoing email
  • Block spam or phishing emails
  • Protect your email accounts or mailboxes
  • Affect email delivery, routing, or DNS records (MX, SPF, DKIM, DMARC)
  • Scan email attachments for malware

Email traffic uses different protocols (SMTP, IMAP, POP3) and different network ports than web traffic. The WAF only operates on HTTP/HTTPS traffic (ports 80 and 443).

If You Need Email Security

Email security requires a dedicated service. Common options include:

  • Google Workspace or Microsoft 365 — include built-in spam filtering and phishing protection
  • Proofpoint, Mimecast, or Barracuda — dedicated email security gateways
  • SPF, DKIM, and DMARC DNS records — help prevent email spoofing of your domain (these are DNS records you configure with your DNS provider, not related to the WAF)

Suspicious Emails About Your Domain

If you receive a suspicious email claiming to be about your domain’s security, SSL certificate, or WAF service:

  1. Do not click links in the email
  2. Check the sender — legitimate emails from us come from @expeditedsecurity.com
  3. Forward it to us at support@expeditedsecurity.com if you are unsure whether it is legitimate
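
The sender check in step 2, as an added example (not Expedited Security's own tooling): it reads the real From: address rather than the display name, requires an exact domain match, and then looks for dmarc=pass in the Authentication-Results header stamped by your own mail server. The server name mx.customer.example, the exact-match rule and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "expeditedsecurity.com"  # sender domain stated in step 2

def sender_domain(raw):
    """Domain of the real From: address, ignoring the display name; '' if unusable."""
    froms = message_from_string(raw).get_all("From", [])
    if len(froms) != 1:  # a missing or repeated From: header cannot be trusted
        return ""
    _display, addr = parseaddr(str(froms[0]))
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def dmarc_passed(raw, authserv_id):
    """True if the topmost Authentication-Results header stamped by our own
    receiving server (authserv_id, an assumed name) reports dmarc=pass."""
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        parts = [p.strip().lower() for p in str(value).split(";")]
        if parts[0].split()[:1] != [authserv_id.lower()]:
            continue  # stamped by some other host, possibly the sender itself
        return any(p.startswith("dmarc=pass") for p in parts[1:])
    return False

def check_sender(raw, authserv_id):
    """Return 'mismatch', 'unverified' (forward it, as in step 3) or 'match'."""
    if sender_domain(raw) != TRUSTED_DOMAIN:
        return "mismatch"
    return "match" if dmarc_passed(raw, authserv_id) else "unverified"

def sample(from_header, dmarc):
    """Constructed message as it might look after delivery to mx.customer.example."""
    return ("Authentication-Results: mx.customer.example; spf=pass;\n"
            f" dmarc={dmarc}\n"
            f"From: {from_header}\n"
            "Subject: Action required: SSL certificate\n\nbody\n")

if __name__ == "__main__":
    for frm, dmarc in [
        ("Expedited Security <support@expeditedsecurity.com>", "pass"),
        ('"support@expeditedsecurity.com" <notice@mail-alerts.example>', "pass"),
        ("Support <support@expeditedsecurity.com.account-verify.example>", "pass"),
        ("Support <support@expeditedsecurity.com>", "fail"),
    ]:
        print(check_sender(sample(frm, dmarc), "mx.customer.example"), "<-", frm)
```

An "unverified" result is not proof of forgery; it only means your mail server did not record a DMARC pass for the message.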

Need Help?

If you have questions about the scope of WAF protection: