Enterprise DLP Administrator’s Guide
    : How Does Email DLP Work?
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Enterprise DLP Administrator’s Guide
    4. Configure Enterprise DLP
    5. Email DLP
    6. How Does Email DLP Work?
    Download PDF

    Enterprise DLP Administrator’s Guide

    How Does Email DLP Work?

    Table of Contents

    How Does Email DLP Work?

    Learn more about the Email DLP architecture and how emails are transported to and from
    Enterprise Data Loss Prevention (E-DLP)
     for inspection.
    Where Can I Use This?
    What Do I Need?
    • Strata Cloud Manager
    • Enterprise Data Loss Prevention (E-DLP)
       license
    • Data Security
       license
    • Prisma Access
       license
    • AIOps for NGFW Premium
       license
    • AIOps for NGFW Free
       license
    To prevent sensitive data exfiltration,
    Enterprise Data Loss Prevention (E-DLP)
     needs to perform inline inspection of all outbound emails. To do this, an inbound and outbound connectors are used to transport outbound emails to and from
    Enterprise DLP
     for inspection and verdict rendering. You must also create allow, block, and quarantine transport rules to specify the actions Microsoft Exchange takes based on the verdicts rendered by
    Enterprise DLP
    .
    When
    Enterprise DLP
     inspects an email, an email header is added to indicate that
    Enterprise DLP
     has already inspected the email. If
    Enterprise DLP
     renders a
    Block
     or
    Quarantine
     verdict for inspected email, an email header to indicate the verdict is added as well. Emails that are already inspected are not transported to
    Enterprise DLP
     a second time and Microsoft Exchange takes action based on the existing email headers.
    After
    Enterprise DLP
     inspects an email, it is returned back to Microsoft Exchange for further action based on the rendered verdict.
    The email flow for inline inspection of emails using
    Enterprise DLP
     is as follows:
    1. An email is sent from within your organization to a recipient outside your organization.
      The outbound email can be sent from a desktop mail client, a web-based mail client, or a mobile device.
    2. The email transport rule instructs Microsoft Exchange to forward the outbound email to
      Enterprise DLP
       for inspection using the outbound connector.
    3. Enterprise DLP
       inspects the email subject line, body, and attachments against your Email DLP policies and renders a verdict.
      Enterprise DLP
       adds email headers to mark that it's been inspected and what verdict was rendered.
      Enterprise DLP
       does not support inspection of document links contained in either the email subject or body.
    4. The email is returned back to Microsoft Exchange using the inbound connector.
    5. Microsoft Exchange takes action based on the respective transport rules.
    6. Microsoft Exchange send the allowed email to the intended recipient if allowed.
      An email is allowed if
      Enterprise DLP
       did not detect any sensitive data or if the email was quarantined and approved.

    What Microsoft Exchange Online Licenses are Required for Email DLP?

    Email DLP supports any Microsoft Exchange Online license, including Microsoft 365 Defender, Microsoft 365, and Office 365 E5 licenses for inline inspection of outbound emails using
    Enterprise DLP
    .
    The type of Microsoft Exchange Online license you have activate determines the supported Email DLP functionality available to your Microsoft Exchange Online deployment.
    The MSDN license is not supported for Email DLP. MSDN does not support the use of inbound connectors to route emails, which is required for
    Enterprise DLP
     to forward outbound emails back to Microsoft Exchange after inspection.

    What Functionality Do Microsoft Exchange Licenses Support?

    Email DLP supports the following functionality based on your active Microsoft Exchange license.
    • Any Microsoft Exchange Online licenses except MSDN
      • Inspect outbound emails
      • Block outbound emails containing sensitive data
      • Send outbound emails containing sensitive data for admin approval
      • Send outbound emails containing sensitive data for manager approval
    • Microsoft 365 Defender license
      See the Microsoft 365 Defender prerequisites for more information.
      • Inspect outbound emails
      • Block outbound emails containing sensitive data
      • Send outbound emails containing sensitive data for admin approval
      • Send outbound emails containing sensitive data for manager approval
      • Send outbound emails containing sensitive data to hosted quarantine for approval
    • Microsoft 365 or Office 365 E5 license
      • Inspect outbound emails
      • Block outbound emails containing sensitive data
      • Send outbound emails containing sensitive data for admin approval
      • Send outbound emails containing sensitive data for manager approval
      • Send outbound emails containing sensitive data to hosted quarantine for approval
      • Encrypt outbound emails containing sensitive data before they are sent to the recipient

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.