Configuring outbound and inbound email DLP attributes

Use the Outbound and Inbound tabs of the Policy Management > Manage DLP Policies > Email DLP Policy page to select one or more email attributes to include in the policy.

To include an attribute:

Select the attribute from the Attributes list.
Mark the Enabled check box in the right pane.

Properties that apply to the attribute are listed under the check box.

Modify the attribute properties as needed, including:
- The default severity (low, medium, or high)
- What action to take when a breach is detected (for example, quarantine). Actions are described in Adding or editing an action plan.
The available properties for each attribute are described in the table below.

Repeat this procedure for each attribute that you want to include. When the system detects a match for an attribute, it triggers the policy.

To send notifications when there is a violation of a particular attribute setting, mark the Send the following notification check box.
- To configure who receives notifications, click the notification name (“Email policy violation”), then define the mail server, email subject, and message body, as well as other required properties.
- By default, for inbound messages, policy owners receive notifications. For outbound messages, both policy owners and message senders receive them.

Field	Description
Message size	The size of email messages to monitor. Only messages of the specified size or higher are monitored. The default size is 10 MB. Default severity: low. Available actions: quarantine (default), permit.
Regulatory & compliance	Select the regulatory and compliance rules to enforce. These are applied to all selected regions. (If no regions are selected, an error is displayed. Click Select regions to address the issue.) Personally Identifiable Information (PII Protected Health Information (PHI) Payment Card Industry (PCI DSS) After selecting a law, click its name to view or edit the specific policies to enforce, then select a sensitivity for each policy. Wide is highly sensitive and errs on the restrictive side. It is more likely to produce a false positive (unintended match) than a false negative (content that is not detected). Default balances the number of false positives and false negatives. Narrow is the least restrictive. It is more likely to let content through than to produce an unintended match. Default severity: high. Available actions: quarantine (default), permit.
Attachment name	One by one, enter the names of the exact files that should be monitored when they’re attached to an email message. Include the filename and extension. Click Add after each entry. For example, after adding a file named confidential.docx, when a user attaches a file with that name to an email message, the system detects it and takes the configured action. Note that only Forcepoint Email Security can drop attachments. If the drop attachments options is selected when the protector or Email Security Cloud is monitoring email, messages are quarantined when a policy is triggered. Default severity: low. Available actions: quarantine, permit, drop attachments (default)
Attachment type	Click Add to specify the types of files that should be monitored when attached to an email message, for example Microsoft Excel files. Select the type or types of files to monitor. If there are more file types than can appear on the page, enter search criteria to find the file type you want. The system searches in the file type group, description, and file type for the data you enter. If the file type does not exist, specify exact files of this type using the Attachment name attribute instead. Default severity: low. Available actions: quarantine, permit, drop attachments (default). Note:Only Forcepoint Email Security can drop attachments. If the drop attachments options is selected when the protector or Email Security Cloud is monitoring email, messages triggering a policy are quarantined.
Patterns & phrases	Click Add to define key phrases or regular expression (regex) patterns that should be monitored. Regex patterns are used to identify alphanumeric strings of a certain format. Enter the precise phrase (for example “Internal Only”) or regex pattern (for example ~ m/H.?e/) to include. Select how many phrase matches must be made for the policy to trigger. The default number of matches is 1. Define whether to search for the phrase or regex pattern in all email fields, or in one or more specific fields. For example, you may want to search only in an attachment, or skip searching in To and CC fields. Default severity: medium. Available actions: quarantine (default), permit. Note:Although you do not define whether to search only for unique strings, the system uses the following defaults: Key phrase searches are non-unique. All matches are reported. For regular expression searches, only unique matches are reported as triggered values.
Acceptable use	Select the dictionaries that define unacceptable use in your organization. Forcepoint DLP includes dictionaries in several languages. Select the languages to enforce. Only terms in these languages are considered a match. For example, if you select the Adult dictionary in Hebrew, then adult terms in English are not considered an incident. Note that false positives (unintended matches) are more likely to occur when you select multiple languages. For this reason, exercise caution when selecting the languages to enforce. You cannot add or delete terms from predefined dictionaries, but you can exclude terms from detection, if needed. Do this on the Main > Content Classifiers > Patterns & Phrases page. Select the dictionary to edit, then enter the phrases to exclude. By default, the policy is triggered by a single match from the dictionary or dictionaries you select. Default severity: medium. Available actions: quarantine (default), permit.
Questionable images	Select this attribute to prevent pornographic images from entering your organization. Pornographic images pose a legal liability to organizations in many countries. The system judges images based on the amount of flesh tone they contain. Default severity: low. Available actions: quarantine, permit, drop attachments (default).
Number of attachments	Specify the number of attachments to detect. Email messages with this number of attachments (or more) trigger the policy. The default number of attachments is 20. Default severity: low. Available actions: quarantine (default), permit
Number of destination domains	This option is available for outbound messages only. Sometimes you may want to block messages sent to multiple destination domains, because this may indicate spam. Specify the number of destination domains to detect. Email messages sent to this number of domains (or more) trigger the policy. The default number of domains is 25. Also, select which email fields to monitor (To, Cc, Bcc). To and Cc are selected by default. Default severity: low. Available actions: quarantine (default), permit.