Message encryption process

A content policy that specifies the conditions under which an outbound message should be encrypted is configured in the Security Manager Data Security module. See Forcepoint DLP Administrator Help for details about configuring an outbound email data loss prevention (DLP) policy with an encryption action plan. See Creating an email DLP policy for encryption for a high-level procedure for email DLP policy configuration.
Important: The outbound DLP policy mode in the Email Security module must be set to Enforce for Forcepoint Email Encryption to work properly (Main > Policy Management > Policies > Outbound > Data Loss Prevention).

When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If a secure TLS connection is not made, the message is placed in a delayed message queue for a later delivery attempt.

The email hybrid service analyzes each message routed for encryption for threats. If threats are detected, the email hybrid service sends a non-delivery receipt (NDR) to the Email Security module.

If analysis determines that a message contains no email-borne threats, the hybrid service encrypts the email and sends it to the email recipient as an HTML message attachment. Encrypted content is not stored in the cloud during this process; after the email hybrid service encrypts a message, it is forwarded directly to its recipient.
Important:

The email hybrid service checks the email appliance FQDN for a valid public “A” record. This record should contain the public IP address of the FQDN.

The email hybrid service also checks the public IP address for an associated PTR (reverse DNS lookup) record. This record must point to the FQDN referenced in the certificate subject and set in the Email Security module, in the field Fully Qualified Domain Name on the page Settings > General > System Settings.
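The two DNS checks above (forward “A” record for the appliance FQDN, and a PTR record on that IP pointing back to the same FQDN, which must also match the certificate subject) can be verified from the administrator's side before enabling encryption. The following is an added example, not Forcepoint's own code; the resolver data, host names and addresses are constructed for illustration, and the live resolver functions use the standard library only.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample resolver data (not real hosts): forward A records and PTR records.
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "esg.example.com": ["203.0.113.10"],
    "mx.example.com": ["203.0.113.20"],
}
SAMPLE_REVERSE: Dict[str, str] = {
    "203.0.113.10": "esg.example.com",
    "203.0.113.20": "mail.example.com",  # PTR does not match the forward name
}

def check_appliance_dns(fqdn: str, cert_subject_cn: str,
                        forward: Callable[[str], List[str]],
                        reverse: Callable[[str], str]) -> List[str]:
    """Return a list of findings; an empty list means both DNS checks pass.

    forward(name) -> list of IPv4 addresses (A records), reverse(ip) -> PTR name.
    Both raise OSError when no record exists, as the socket module does.
    """
    findings: List[str] = []
    name = fqdn.strip().lower().rstrip(".")
    if name != cert_subject_cn.strip().lower().rstrip("."):
        findings.append(f"FQDN {name!r} differs from certificate subject {cert_subject_cn!r}")
    try:
        addrs = forward(name)
    except OSError as exc:
        return findings + [f"no public A record for {name}: {exc}"]
    if not addrs:
        return findings + [f"no public A record for {name}"]
    for ip in addrs:
        try:
            ptr = reverse(ip).strip().lower().rstrip(".")
        except OSError as exc:
            findings.append(f"no PTR record for {ip}: {exc}")
            continue
        if ptr != name:  # PTR must point back at the configured FQDN
            findings.append(f"PTR for {ip} is {ptr!r}, expected {name!r}")
    return findings

# Live resolvers (query the host's configured DNS; results depend on your network view).
def live_forward(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]

def live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]

# Offline resolvers backed by the constructed sample data above.
def sample_forward(name: str) -> List[str]:
    if name not in SAMPLE_FORWARD:
        raise OSError("NXDOMAIN")
    return SAMPLE_FORWARD[name]

def sample_reverse(ip: str) -> str:
    if ip not in SAMPLE_REVERSE:
        raise OSError("no PTR")
    return SAMPLE_REVERSE[ip]
```

Run the check with `live_forward`/`live_reverse` from a host outside your network so that the answers reflect what the hybrid service would see from the public Internet.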

When opened in a browser, the message attachment displays a button that allows the recipient to access a secure encryption network via HTTPS. The email recipient must register an email address and password with the encryption network on first access. This password is used to open all subsequent encrypted messages to this email address.

Encryption is not performed on inbound or internal email messages, although the email security system can forward inbound email to an encryption gateway for decryption. The DLP policy must designate only outbound messages for encryption when Forcepoint Email Encryption is used. See Forcepoint DLP Administrator Help.

When decryption is enabled (Settings > Inbound/Outbound > Encryption), the email hybrid service attempts to decrypt inbound encrypted mail, and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.