Reference:
https://www.networkworld.com/article/2305394/ironport-adds-bounce-back-verification-for-e- mail.html

Reference:
Connection Behavior setting allows you to specify how the Cisco Email Security Appliance (ESA) handles incoming connections from different sender groups. You can choose from four different settings:
Accept: The ESA accepts all connections from the sender group and applies the mail flow policy settings to the messages.
Throttle: The ESA limits the number of concurrent connections and messages per connection from the sender group. This can help reduce the impact of spam or malicious traffic on the ESA's performance.
Reject: The ESA rejects all connections from the sender group and returns a 5xx SMTP error code to the sender. This can help block unwanted or abusive senders from reaching your network.
Test: The ESA accepts connections from the sender group but does not deliver the messages to the recipients. Instead, it logs the messages and marks them as test messages. This can help you test the mail flow policy settings before applying them to real traffic.
To modify the Connection Behavior setting for a sender group, you need to do the following steps:
On the ESA, choose Mail Policies > HAT Overview.
Click Edit Settings for the sender group that you want to modify.
In the Mail Flow Policy Settings section, choose one of the options from the Connection Behavior drop-down list.
Click Submit and commit changes.

[email protected] is the data that must be added to the dictionary to accomplish this goal. A content dictionary is a list of values that can be used as a condition in a content filter or a message filter. Forged Email Detection is a feature that allows Cisco ESA to detect and prevent email spoofing attacks, where the sender's address or domain is forged to appear as someone else, such as the CEO of the organization.
To create a content dictionary for use with Forged Email Detection on Cisco ESA, the administrator can follow these steps:
Select Mail Policies > Content Dictionaries and click Add Dictionary.
Enter a name and description for the content dictionary, such as CEO Email.
Under Dictionary Values, click Add Value.
Enter the email address of the CEO, such as [email protected].
Click Submit.

Non-final actions are actions that do not terminate the message filter evaluation, such as adding headers, setting variables, logging, etc. Final actions are actions that end the message filter evaluation and determine the fate of the message, such as accept, drop, bounce, quarantine, etc.

Reference:
https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma11-5/user_guide/ b_SMA_Admin_Guide_11_5/b_SMA_Admin_Guide_11_5_chapter_01010.html