Forcepoint Email Encryption

Email Encryption | Forcepoint Email Security | Updated: 29-Apr-2022


Applies To:	Forcepoint Email Security v8.5.x

The email hybrid service can perform cloud-based message encryption on outbound messages if your subscription includes both the Forcepoint Email Security Hybrid Module and Forcepoint Email Security - Encryption Module.

The email hybrid service must be registered and enabled in order to use Forcepoint Email Encryption. See Forcepoint Email Security Administrator Help for details about hybrid service registration.

After Forcepoint Email Encryption is enabled, configure advanced email encryption by selecting the Forcepoint Email Encryption option in the pull-down menu Encryption method (Settings > Inbound/Outbound > Encryption).

Because Forcepoint Email Encryption does not function properly with the self-signed certificate provided with Forcepoint Email Security, a trusted third-party certificate from a CA is required. See Trusted third-party certificates for a list of trusted certificates to use with the Forcepoint Email Encryption function. See Generating encryption keys and a CSR for information regarding CSR generation.

Message encryption process

A content policy that specifies the conditions under which an outbound message should be encrypted is configured in the Security Manager Data Security module. See Forcepoint DLP Administrator Help for details about configuring an outbound email data loss prevention (DLP) policy with an encryption action plan. See Creating an email DLP policy for encryption for a high-level procedure for email DLP policy configuration.


	Important The outbound DLP policy mode set in the Email Security module must be set to Enforce for Forcepoint Email Encryption to work properly (Main > Policy Management > Policies > Outbound > Data Loss Prevention).

When an email DLP policy identifies an outbound message for encryption, the message is sent to the email hybrid service via a TLS connection. If a secure TLS connection is not made, the message is placed in a delayed message queue for a later delivery attempt.

The email hybrid service analyzes a message for threats in email routed for encryption. If threats are detected, the email hybrid service sends a non-delivery receipt (NDR) to the Email Security module.

If the analyses determine that a message contains no email-borne threats, the hybrid service encrypts the email, which is then sent as an HTML message attachment to the email recipient. Encrypted content is not stored in the cloud during this process. After the email hybrid service encrypts a message, it is forwarded directly to its recipient.


	Important The email hybrid service checks the email appliance FQDN for a valid public "A" record. This record should contain the FQDN IP address. The email hybrid service also checks the public IP address for an associated PTR, or reverse DNS lookup record. This record must point to the FQDN referenced in the certificate subject and set in the Email Security module, in the field Fully Qualified Domain Name on the page Settings > General > System Settings.

When opened in a browser, the message attachment displays a button that allows the recipient to access a secure encryption network via HTTPS. The email recipient must register an email address and password with the encryption network on first access. This password is used to open all subsequent encrypted messages to this email address.

Encryption is not performed on inbound or internal email messages, although the email security system can forward inbound email to an encryption gateway for decryption. The DLP policy must designate only outbound messages for encryption when Forcepoint Email Encryption is used. See Forcepoint DLP Administrator Help.

When decryption is enabled (Settings > Inbound/Outbound > Encryption), the email hybrid service attempts to decrypt inbound encrypted mail, and adds an x-header to the message to indicate whether the decryption operation succeeded. Message analysis is performed regardless of whether message decryption is successful.