Knowledge Base

How to whitelist emails with server-side signature using DLP policy

Problem:

You’ve started using data loss prevention (DLP) policies in your Microsoft 365 organization. Even though you configured a special override in your custom DLP policy for emails with a server-side signature added by the CodeTwo software, DLP still blocks them.

Solution:

Emails with a server-side signature are blocked after they leave the CodeTwo service – when they are processed by DLP for the second time. At this stage, DLP removes the override flag that was applied via the DLP policy on the first processing of an email, and the email gets blocked.

To have 100% certainty that your emails stamped with a server-side signature are not blocked by DLP, you need to configure a custom DLP policy which is based on the header our software adds to each email it processes. Here’s how to do it:

  1. Log in to the Microsoft 365 compliance center.
  2. Click Data loss prevention in the left-hand navigation menu and choose the Policies tab. Next, click the Create policy button (Fig. 1.).

Accessing the wizard to create a new DLP policy.
Fig. 1. Accessing the wizard to create a new DLP policy.

  1. In the wizard that opens, first choose the Custom type of policy (Fig. 2.) and name your policy.

Choosing the custom type of the DLP policy.
Fig. 2. Choosing the custom type of the DLP policy.

  1. On the third page of the wizard, select Exchange email as the only location to apply the policy (Fig. 3.).

Defining the location to apply the policy.
Fig. 3. Defining the location to apply the policy.

  1. Next, on the Advanced DLP rules page that is displayed, click Create rule to configure your custom rule.
  2. Name your rule, click Add condition, and choose Header contains words or phrases from the list (Fig. 4.).

Choosing the right condition type.
Fig. 4. Choosing the right condition type.

  1. Fill in the text fields with appropriate information:
    • enter X-CodeTwoProcessed in the first field (Enter header),
    • enter true in the second field, and

    click the Add button (Fig. 5.).

Defining the two conditions to whitelist emails with a server-side signature.
Fig. 5. Defining the two conditions to whitelist emails with a server-side signature.

  1. Scroll further down and specify settings in the Additional options section:
    • select the If there’s a match for this rule, stop processing additional DLP policies and rules checkbox,
    • set rule’s priority to 0 (highest), and

    click Save to save the whole rule configuration (Fig. 6.).

Configuring additional options and saving the rule.
Fig. 6. Configuring additional options and saving the rule.

  1. The correct configuration of the rule should be the same as shown in Fig. 7.

Overview of the correct rule configuration.
Fig. 7. Overview of the correct rule configuration.

  1. On the Test or turn on the policy page, select the second option (Turn it on right away) to enable the policy (Fig. 8.).

The option to enable the policy right away.
Fig. 8. The option to enable the policy right away.

  1. On the last page of the wizard, review your settings – if you’re OK with them, click Submit and Done to save and apply your policy.
  2. Now, your policy should be displayed on the Policies tab, and emails with a server-side signature shouldn’t be blocked by DLP any longer. 

Info

If, for some reason, your newly created policy is not displayed on the top of the policies’ list, click the three dots button and select Move to top (Fig. 9.). The highest priority plus the selected option to stop processing other DLP policies (see step 8) ensure that DLP will not process emails with a server-side signature for the second time and, consequently, block them.

Moving the policy for whitelisting the CodeTwo-processed emails to the top of the list.
Fig. 9. Moving the policy for whitelisting the CodeTwo-processed emails to the top of the list.

See also:

Was this information useful?