There are 2 types of encryption rule available in Forcepoint Email Security Cloud:

Standard encryption is typically used to enforce encryption policy when the recipient's MTA does not support TLS. This functionality relies on a TLS connection with you to secure communications between your MTA and Forcepoint Email Security Cloud. Recipients require a manually-generated password to access the encrypted email.

Advanced encryption uses identity-based encryption (IBE) to protect data without the need for certificates. Protection is provided by a key server that controls the mapping of identities to decryption keys. The recipient of an encrypted email authenticates against the key server to receive the decrypted version of the message.

To enable advanced encryption, you must have the Email Security Encryption Module, and you must set the security on your outbound connection routes to Verify+CN. See Connections tab.