The Sublime integration is currently available as a Labs release for Valimail Enforce customers. To use it, your account must have Labs enabled and the Active Threat Detection add-on turned on. If you don't see the features described below, contact your account manager or open a support ticket.
The Sublime integration lets you push the malicious senders you identify in Valimail Enforce directly into your own Sublime Security tenant. When you report a threat from the Active Threat Detection report in Enforce, Valimail automatically maintains a dedicated blocklist and a matching detection rule in Sublime, so the bad sender is acted on by your existing Sublime mail-handling workflow.
This article walks through connecting your Sublime tenant to Enforce and reporting your first threat.
TABLE OF CONTENTS
Introduction
What you'll need
How the integration works
Step 1: Generate a Sublime API key
Step 2: Connect Sublime in Enforce
Step 3: Report a threat
Disconnecting
Troubleshooting / FAQs
Introduction
Valimail Enforce surfaces suspicious and malicious senders targeting your domains in the Active Threat report. The Sublime integration extends that report so a single click can hand a malicious sender off to Sublime Security, where it's added to a blocklist and a detection rule that you control. This keeps remediation inside the tooling your security team already uses, without manual copy-and-paste between platforms.
When you connect the integration, Valimail creates and maintains two objects in your Sublime tenant on your behalf:
A blocklist named valimail_blocklist - the set of domains and senders you've reported as malicious from Enforce.
A detection rule named Block Valimail-reported malicious senders - a rule that matches inbound mail whose sender email, sender domain, or sender root domain appears on the blocklist, and applies the action you choose during setup.
You stay in control: Valimail only ever reads and writes these two dedicated objects, and you choose which Sublime action the rule performs.
What you'll need
Before you begin, make sure you have:
A Valimail Enforce account with Labs enabled and the Active Threat Detection add-on turned on.
Owner permissions in your Enforce account so you can manage Integrations.
A Sublime Security account, and permission within Sublime to generate an API key and to view/manage lists, rules, and actions.
Your Sublime platform base URL (for example, https://na-east-3.platform.sublime.security). You'll find this in your browser's address bar when you're signed in to Sublime, or you can ask your Sublime administrator.
How the integration works
Note: The API key you generate in Step 1 is shown only once. Store it somewhere secure (such as a password manager) before leaving the Sublime page.
You generate an API key in Sublime and paste it, along with your Sublime base URL, into the Enforce Integrations page.
Enforce verifies the connection and asks you to pick a Sublime action for the detection rule (for example, quarantine or move to a review folder). Valimail then creates the valimail_blocklist list and the Block Valimail-reported malicious senders rule in your tenant.
From then on, each threat you report in the Active Threat report is added to the blocklist, and the rule applies your chosen action to matching mail.
Step 1: Generate a Sublime API key
Sign in to your Sublime Security platform (for example, https://na-east-3.platform.sublime.security).
In the left-hand navigation, open the API section (Developer area).
Click Create API Key.
Give the key a recognizable Name (for example, Valimail Enforce integration) and, optionally, set an Expiration Date.
Click to create the key, then copy and store it securely. Sublime will not display the full key again, and you'll need it in the next step.
Note: Treat this key like a password. Anyone with the key can act on the lists, rules, and actions in your Sublime tenant.
Step 2: Connect Sublime in Enforce
Log in to Valimail Enforce at app.valimail.com.
Go to Account Settings → Integrations.
Locate the Sublime tile and click Connect. A dialog opens.
Enter the following, then continue:
Base URL: your Sublime platform URL, e.g. https://na-east-3.platform.sublime.security
API Token: the key you created in Step 1
Once Enforce verifies the credentials with Sublime, a third field appears: an Action dropdown listing the actions available in your Sublime account. Choose the action you want the detection rule to apply to matching mail (for example, quarantine), then click Save.
Enforce confirms the connection and creates the valimail_blocklist list and the Block Valimail-reported malicious senders rule in your Sublime tenant. The integration is now active.
Note: If a Sublime connection already exists and you need to start fresh (for example, to change the base URL or key), disconnect the existing connection first (see Disconnecting below), then reconnect.
Step 3: Report a threat
In Enforce, open the Active Threat report. (Confirm that the Active Threat Detection add-on is enabled and that you have the Labs toggle turned on - if either is off, the reporting controls won't appear.)
Review the suspicious sender you want to act on, then click to report it as a threat.
The reported sender is added to your valimail_blocklist in Sublime, and the Block Valimail-reported malicious senders rule applies your chosen action to matching inbound mail going forward.
You can confirm the entry in Sublime by viewing the valimail_blocklist list; the sender you just reported will appear among its entries.
Disconnecting
To stop the integration:
In Enforce, go to Account Settings → Integrations.
On the Sublime tile, click Disconnect.
Disconnecting stops Enforce from sending further updates to Sublime. If you want to fully remove the Valimail-managed list and rule from your Sublime tenant, delete the valimail_blocklist list and the Block Valimail-reported malicious senders rule from within Sublime. You should also revoke the API key you created in Step 1 from the Sublime API page.
Troubleshooting / FAQs
I don't see a Sublime tile, the Active Threat report, or the reporting controls.
The Sublime integration is a Labs feature for Enforce, and reporting requires the Active Threat Detection add-on. Make sure Labs is enabled and the Active Threat Detection add-on is turned on for your account. If you're not sure, contact your account manager or open a ticket at support.valimail.com.
The connection fails, or my credentials are rejected.
Double-check that the base URL matches the region your Sublime tenant is hosted in (it's the URL you see when signed in to Sublime) and that the API token was copied in full with no extra spaces. If the key may have expired, generate a new one in Sublime and reconnect.
The Action dropdown is empty.
The dropdown lists the actions configured in your Sublime account. If it's empty, confirm in Sublime that at least one action is available to your account, then reconnect.
Will Valimail change anything else in my Sublime tenant?
No. The integration only creates and maintains the valimail_blocklist list and the Block Valimail-reported malicious senders rule, and applies the action you selected during setup.
This is a Labs feature and is subject to change. We'd love your feedback. Open a ticket to let us know how it's working for you.
