How to whitelist emails with server-side signature using DLP policy
You’ve started using data loss prevention (DLP) policies in your Microsoft 365 organization. Even though you configured a special override in your custom DLP policy for emails with a server-side signature added by the CodeTwo software, DLP still blocks them.
Emails with a server-side signature are blocked after they leave the CodeTwo service – when they are processed by DLP for the second time. At this stage, DLP removes the override flag that was applied via the DLP policy on the first processing of an email, and the email gets blocked.
To have 100% certainty that your emails stamped with a server-side signature are not blocked by DLP, you need to configure a custom DLP policy which is based on the header our software adds to each email it processes. Here’s how to do it:
- Log in to the Microsoft 365 compliance center.
- Click Data loss prevention in the left-hand navigation menu and choose the Policies tab. Next, click the Create policy button (Fig. 1.).
- In the wizard that opens, first choose the Custom type of policy (Fig. 2.) and name your policy.
- On the third page of the wizard, select Exchange email as the only location to apply the policy (Fig. 3.).
- Next, on the Advanced DLP rules page that is displayed, click Create rule to configure your custom rule.
- Name your rule, click Add condition, and choose Header contains words or phrases from the list (Fig. 4.).
- Fill in the text fields with appropriate information:
  - enter X-CodeTwoProcessed in the first field (Enter header),
  - enter true in the second field, and
  - click the Add button (Fig. 5.).
- Scroll further down and specify settings in the Additional options section:
  - select the If there’s a match for this rule, stop processing additional DLP policies and rules checkbox,
  - set the rule’s priority to 0 (highest), and
  - click Save to save the whole rule configuration (Fig. 6.).
- The correct configuration of the rule should be the same as shown in Fig. 7.
- On the Test or turn on the policy page, select the second option (Turn it on right away) to enable the policy (Fig. 8.).
- On the last page of the wizard, review your settings – if you’re OK with them, click Submit and Done to save and apply your policy.
- Now, your policy should be displayed on the Policies tab, and emails with a server-side signature shouldn’t be blocked by DLP any longer.
If, for some reason, your newly created policy is not displayed at the top of the policies list, click the three dots button and select Move to top (Fig. 9.). The highest priority, together with the selected option to stop processing other DLP policies (see step 8), ensures that DLP will not process emails with a server-side signature for the second time and, consequently, block them.
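To confirm that saved copies of your sent messages actually carry the header the rule keys on, you can check them offline. This is an added example, not CodeTwo or Microsoft code; the `classify` and `audit` names and the sample messages are constructed, and the case-insensitive whole-word match is an assumption about how the Header contains words or phrases condition evaluates.

```python
import re
from email import message_from_string
from email.policy import default

HEADER = "X-CodeTwoProcessed"  # header name entered in the rule condition
# Assumption: the condition is modelled as a case-insensitive whole-word match.
PATTERN = re.compile(r"\btrue\b", re.IGNORECASE)


def classify(raw_message: str) -> str:
    """Return 'match', 'wrong value' or 'header missing' for one raw message."""
    msg = message_from_string(raw_message, policy=default)
    # Header names compare case-insensitively; get_all also returns duplicates.
    values = [str(v) for v in msg.get_all(HEADER, [])]
    if not values:
        return "header missing"
    if any(PATTERN.search(v) for v in values):
        return "match"
    return "wrong value"


# Constructed sample messages (not real traffic).
SAMPLES = {
    # Stamped by the signature service: the rule condition is met.
    "stamped": "From: a@example.com\nSubject: Q3\nX-CodeTwoProcessed: true\n\nBody\n",
    # Different letter case in name and value still satisfies the condition.
    "case_variant": "From: a@example.com\nx-codetwoprocessed: TRUE\n\nBody\n",
    # The text appears only in the body, so there is no such header.
    "not_processed": "From: a@example.com\nSubject: Q3\n\nX-CodeTwoProcessed: true\n",
    # Header present, but the value is not the one entered in the rule.
    "other_value": "From: a@example.com\nX-CodeTwoProcessed: false\n\nBody\n",
}


def audit(samples: dict) -> dict:
    """Classify every sample and return {name: verdict}."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:15} {verdict}")
```

Messages reported as header missing or wrong value will not meet the rule's condition, so they remain subject to your other DLP policies.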