On the Notification Body tab


  1. Select a notification Type:
    • Select Standard to include all of the elements shown in the Body Content box. You can enable or disable these elements if you use the standard notification type.
    • Select Custom to send a custom notification. Edit the default text as needed. The drop-down menu provides variables.
  2. Select a display format from the Display as drop-down list: HTML or plain text.
  3. Select from the following display options:
    • Select Logo to display the Forcepoint logo, date, and time.
    • Select Action to display the action taken when the breach was discovered.
    • Select Message to user, then update the text as needed. The result is displayed in the email body. Click the right-arrow icon to see a list of variables that may be included in the message.
      The right arrow displays the following variables for selection.
      • %Action%
      • %Channel%
      • %Destination%
      • %Details%
      • %Event Time%
      • %Incident ID%
      • %Incident Time%
      • %Policy Owners%
      • %Severity%
      • %Source%
      • %Source's Manager%
    • Select Incident details to include incident details in the notification message.
    • Select Violation triggers to attach a list of rules violated by the breach.
    • Select Include links so that recipients can perform operations on the incident to add links that administrators can use to perform workflow operations on the incident (like assign, ignore, and escalate) directly from the notification. (See sample links below.)

      Administrators can perform only the operations they have permission to perform from their role assignment.

      Plain text notifications do not show links.

      To support this feature, create an email account for the Forcepoint DLP system in Exchange. To avoid reconfiguration, make sure the credentials assigned to this mailbox do not expire. Once done, navigate to Settings > General > Mail Servers and configure the incoming mail server. Use this mailbox for the system email address.

    • Select Allow recipients to release quarantined email from this notification to give message recipients the ability to release blocked messages by replying to their notification message or by clicking the Release All link within the message.

      See the Releasing blocked email in Forcepoint DLP section on the Forcepoint support site for instructions on setting up the release by reply capability. You must configure options in both Forcepoint DLP and Microsoft Exchange to enable it.

      Important: To include links in notifications or to allow recipients to release messages, you must configure the incoming mail server that receives these requests. To do so, click Mail Server Settings on the toolbar. See Mail servers for more information.
  4. Select Attach policy-breach content to include the content that violated policy as an attachment to the message.
  5. Click OK to save your changes.

Next steps

The following example shows what recipients see at the bottom of their notification message. Here, they can perform workflow actions on the incident and release the quarantined content.

Each link opens a window used to compose a message to the system’s notification server. This is how the workflow operation is communicated to the management server.

For example, if a recipient clicks the link to change the status of an incident to High, an email message opens like this:

A default message is drafted, but the sender can add comments to display on the History tab of the incidents report.

  • Do not delete the Comments section, even if there are no added comments.
  • If there are custom comments, do not modify the To: field or the encryption codes at the bottom of the message.

Without the encryption codes, workflow is not modified. Click Send to notify the system of your request.

Successful changes are shown on the incident’s History tab. This includes the name of the administrator who performed the action, any comments that were added, and the action taken.

If there is an error processing the workflow request, an error message is sent or the error is saved in the syslog. Syslog errors are logged if the system experiences an internal error.