Why Are Emails Not Being Blocked?

Review your Email DLP logs to confirm that the email you believe contains sensitive data really contained sensitive data.
If the email you want to investigate is listed here, it means that Email DLP configuration for Microsoft Exchange or Gmail are configured correctly. An Email DLP incident and log indicate that the email was forwarded to
Enterprise DLP
.
If you can't find the email you want to investigate, it might mean that something is wrong with the Email DLP configurations for Microsoft Exchange or Gmail.
Review your Email DLP incidents to confirm the email was allowed to leave your network.
Select
Add Filter
Action
and for the
Action
filter, select
Monitored
to quickly filter for emails that were allowed to leave your network. If the email you are interested in is listed, view the Incident Details to gather the email
Created On
date,
Sender
, and
Subject
for the email. You can also download the email for your review.
Additionally, make note of the
Policy
the email matched against. As part of the investigation, you need to review your Email DLP policy to ensure it is configured correctly.
Select
Manage
Configuration
SaaS Security
Data Security
Logs
.
In the
Email DLP Logs
, click
View Logs
.
Locate the email you want to investigate using the
Time Captures
and
Sender User
columns.
Review the
Subject
column for the email to understand whether sensitive data was detected in the email.
Review the
Status Note
to gather additional information about the email.
If the
Email did not match with an Email DLP Policy
or
Email matched with a DLP Profile in a policy and evaluation was completed
are displayed, it might mean you need to review and modify your data profile match criteria or Email DLP policy.
If the
Email DLP policy evaluation timed out
is displayed, you might need to modify the Max Latency and Action on Max Latency settings.
For example, if the
Action on Max Latency
is set to
Allow
, it means that
Enterprise DLP
allowed the outbound email to leave your network even though the forwarded email evaluation timed out.
Review the Email DLP policy the email matched against to ensure it is configured correctly.
Important Email DLP configurations to verify are the email sender conditions, the sender email domain, email recipient conditions, and recipient email domains to confirm that they are defined correctly. If these are not configured correctly, Email DLP is unable to inspect for and prevent exfiltration of outbound emails containing sensitive data.
Additionally, you can review the Recommendations for Security Policy Rules for more information on recommendations and best practices for writing Security policy rules and managing your policy rulebase.
Review the data patterns and data profiles associated with your Email DLP policy.
For example, review your custom and file property data patterns to ensure the match criteria defined in them are configured correctly to inspect for and block the correct sensitive data. Incorrectly defined match criteria results in
Enterprise DLP
being unable to inspect for and prevent exfiltration of outbound emails containing sensitive data.
If you are using predefined data patterns in your data profiles, you can add custom match criteria like proximity keywords to increase detection accuracy.
Review the Email DLP configuration for your email provider.
Microsoft Exchange Online or Gmail are unable to forward emails to
Enterprise DLP
if they are incorrectly configured and are unable forward outbound emails for inspection. Additionally, Email DLP is designed to inspect outbound emails only. Inspection of emails from within your network is not supported.
When reviewing your Email DLP configurations, consider the following:
Have you updated your SFP record to add the required
Enterprise DLP
service IP addresses for Microsoft Exchange Online or Gmail?
This is required to successfully forward outbound emails to
Enterprise DLP
.
(
Microsoft Exchange Online only
) Are your transport rules enabled?
In some cases, a newly created Microsoft Exchange transport rule might be disabled and require you to manually enable it. All transport rules, especially the transport and block rules, must be enabled to successfully forward outbound emails to
Enterprise DLP
and for Microsoft Exchange to take action based on the verdict rendered.
Is the transport rule for Microsoft Exchange Online or Gmail configured correctly?
If your email provider is unable to forward outbound emails to
Enterprise DLP
, then the email continues to its intended recipient.
Is the block transport rule for Microsoft Exchange Online or Gmail configured correctly?
For example, if there is a typo when you define the
x-panw-action: block
header that your email provider should take a block action on then the email continues to its intended recipient.
(
Microsoft Exchange Online only
) Are managers assigned correctly in Active Directory configured?
By default, Microsoft Exchange sends the outbound email to the target recipient if a manager isn't correctly assigned for the sender when you create a transport rule for manager approval.