How advanced encryption works
When an advanced encryption rule is matched, the following process takes place:
- The sender sends an email that triggers the rule.
- The email is encrypted by Forcepoint Email Security Cloud using identity-based encryption, and sent on to the recipient’s MTA for delivery.
- The recipient is sent an email notification containing an HTML attachment. When opened in a browser, the attachment displays a button that the recipient clicks to access the secure encryption network via HTTPS. The recipient must register their email address and a password with the secure encryption network if this is the first time they have received an encrypted message via Forcepoint Email Security Cloud. The recipient then uses this password to access all subsequent encrypted messages sent to their email address.
- If the recipient replies to the encrypted message, the message is decrypted by Forcepoint Email Security Cloud and then analyzed in the same way as other inbound mail before delivery.
There are 3 ways to use advanced encryption:
- Content-based: Set up lexical rules so that a message will automatically be encrypted if it contains certain phrases. See Creating a lexical rule in advanced mode.
Note that if a message triggers a lexical rule with a Quarantine action and a rule with an Encrypt action, the Quarantine action will take precedence and the message will be quarantined without encryption.
If a message triggers a rule with the Encrypt action and a rule with either Forward, Tag Subject, BCC, or BCC and Tag Subject, the Encrypt action will take precedence and the other action(s) will not be applied.
If a message triggers lexical rules with the Encrypt and Keep Copy actions, both actions will be applied.
- Sender/recipient-based: Set up an advanced encryption rule that encrypts a message sent from or to specific users.
- Subject and content-based: Set up an advanced encryption rule that encrypts a message with a certain trigger word in the subject header, a particular sensitivity header, or specific phrases in the message headers or body.
You can combine these methods to configure the encryption policy that you require. Advanced encryption integrates with other aspects of your email policy as follows:
- If you have set up attachment parking, an attachment that meets the parking criteria will be parked before the message is encrypted. The decrypted message will contain a link to retrieve the attachment. See Parking attachments.
- If you have outbound aliases, the aliases will be applied before the message is encrypted. The resulting encrypted message will always show the external address.
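The action precedence described under content-based rules above can be checked against a planned rule set before deployment. The following is an added example, not Forcepoint code: it models only the combinations this page states, reports anything else as not covered, and the rule names in the sample policy are hypothetical.

```python
# Added example: models only the precedence rules stated on this page.
QUARANTINE, ENCRYPT, KEEP_COPY = "Quarantine", "Encrypt", "Keep Copy"
OVERRIDDEN_BY_ENCRYPT = {"Forward", "Tag Subject", "BCC", "BCC and Tag Subject"}


def resolve_actions(triggered):
    """Split triggered actions into applied / suppressed / not_covered.

    not_covered holds combinations this page does not describe.
    """
    triggered = set(triggered)
    result = {"applied": set(), "suppressed": set(), "not_covered": set()}
    if ENCRYPT not in triggered:
        # The page only documents interactions that involve Encrypt.
        result["not_covered"] = triggered
        return result
    if QUARANTINE in triggered:
        # Quarantine wins: the message is quarantined without encryption.
        result["applied"].add(QUARANTINE)
        result["suppressed"].add(ENCRYPT)
        result["not_covered"] = triggered - {QUARANTINE, ENCRYPT}
        return result
    result["applied"].add(ENCRYPT)
    for action in triggered - {ENCRYPT}:
        if action in OVERRIDDEN_BY_ENCRYPT:
            result["suppressed"].add(action)   # Encrypt takes precedence
        elif action == KEEP_COPY:
            result["applied"].add(action)      # both actions are applied
        else:
            result["not_covered"].add(action)
    return result


def audit(policy, matches):
    """Return one finding per rule whose action is silently dropped.

    policy maps a (hypothetical) rule name to its action; matches lists
    the rules a single message would trigger.
    """
    outcome = resolve_actions(policy[name] for name in matches)
    return sorted(
        f"rule '{name}' ({policy[name]}) will not be applied"
        for name in matches
        if policy[name] in outcome["suppressed"]
    )


# Constructed sample policy; rule names are hypothetical.
SAMPLE_POLICY = {"pii-keywords": "Encrypt", "legal-archive": "BCC",
                 "retain-finance": "Keep Copy", "blocked-terms": "Quarantine"}
```

Running `audit` over the rule combinations a message could trigger shows where a BCC or Forward rule is dropped because Encrypt takes precedence, or where a message expected to be encrypted is quarantined instead.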