Administration
  • Administration
  • Enterprise DLP Documentation
  • All Documentation
>
Create Microsoft Exchange Transport Rules
Focus
Download PDF
Focus
  1. Home
  2. Enterprise DLP
  3. Configure Enterprise DLP
  4. Email DLP
  5. Onboard Microsoft Exchange Online
  6. Create Microsoft Exchange Transport Rules
Download PDF
Enterprise DLP

Create Microsoft Exchange Transport Rules

Table of Contents

Create Microsoft Exchange Transport Rules

Create Microsoft Exchange transports rule to forward emails to Enterprise Data Loss Prevention (E-DLP) for inspection, and to specify what actions Microsoft Exchange takes based on the Enterprise DLP verdicts.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?What Do I Need?
  • Data Security
  • One of the following licenses that include the Enterprise DLP license
    Review the Supported Platforms for details on the required license for each enforcement point.
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
  • Email DLP license
Create Microsoft Exchange email transport rules to forward emails from Microsoft Exchange to the Enterprise Data Loss Prevention (E-DLP) cloud service for inspection to prevent exfiltration of sensitive data. Additionally, you must create transport rules to specify the actions Microsoft Exchange takes based on the verdicts rendered by Enterprise DLP. The following transport rules are required:
    Expand all
    Collapse all
  • Email Transport
  • Hosted Quarantine
  • Admin Approval
  • Manager Approval
  • Encrypt
  • Block

Create a Microsoft Exchange Email Transport Rule

Create a Microsoft Exchange email transport rule to forward traffic to the Enterprise Data Loss Prevention (E-DLP)cloud service for inline email inspection.
  1. Log in to the Microsoft Exchange Admin Center.
  2. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  3. Select Mail flowRulesAdd a ruleCreate a new rule to create a new email transport rule.
  4. Configure the email transport rule conditions.
    1. Enter a Name for the email transport rule.
    2. Specify the email recipient.
      This instructs Microsoft Exchange to forward the email to Enterprise DLP before it leaves your network when the email recipient is outside your organization.
      1. For Apply this rule if, select The recipient.
      2. For the recipient, select is external/internal. When prompted to select the recipient location, select Outside the organization
        Click Save to continue.
    3. Specify Microsoft Exchange Connector you created as the transport target for email inspection.
      1. For Do the following, select redirect the message to.
      2. For the transport target, select the following connector. When prompted, select the outbound connector.
        Click Save to continue.
    4. Add an exception for emails that exceed the maximum message size supported by Enterprise DLP.
      Enterprise DLP supports inspection of email messages up to 20 MB in size. Larger email messages are not supported and should not be forwarded to Enterprise DLP.
      1. In the s Except If field, select The message.
      2. Select size is greater than or equal to. When prompted, enter the following maximum-supported message size KB:
        20480
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
    5. Add an exception for emails that were already inspected by Enterprise DLP.
      1. In the Except if condition, click the add symbol (
        ) to add a new Or condition.
      2. Select the The message headers condition.
      3. For the Or condition action, select matches any of these words.
      4. Click Enter text to set the message header to x-panw-inspected.
      5. Click Enter words and enter true.
        Click Add and select the word you added. Click Save to continue.
    6. Click Next to continue.
  5. Configure the email transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the email transport rule settings as needed.
    3. Click Next to continue.
    4. Save.
  6. Review the email transport rule configuration and click Finish.
    Click Done when prompted that the email transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  7. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • There is no impact in regards to priority between the quarantine transport rules, block transport rule, encrypt transport rule, or any other transport rules that exist.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.

Create a Microsoft Exchange Hosted Quarantine Transport Rule

Create a Microsoft Exchange Quarantine transport rule to quarantine and forward a quarantined email to Microsoft Exchange hosted quarantine for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
  1. Log in to the Microsoft Exchange Admin Center.
  2. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  3. Select Mail flowRulesAdd a ruleCreate a new rule to create a new email transport rule.
  4. Configure the quarantine transport rule conditions.
    1. Enter a Name for the quarantine transport rule.
    2. Add the quarantine email message header.
      The quarantine header is added by the DLP cloud service when an email contains sensitive information that needs to be approved by your email administrator.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When promoted, enter the following.
        x-panw-action
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        quarantine
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the quarantine header added by Enterprise DLP.
      1. For Do the following, select Redirect the message to.
      2. Select hosted quarantine.
    4. Click Next to continue.
  5. Configure the quarantine transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the quarantine transport rule settings as needed.
    3. Click Next to continue.
  6. Review the quarantine transport rule configuration and click Finish.
    Click Done when prompted that the quarantine transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  7. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • There is no impact in regards to priority between the quarantine transport rules, block transport rule, encrypt transport rule, or any other transport rules that exist.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.
  8. An email administrator must review and approve or reject quarantined emails forwarded to the hosted quarantine mailbox.

Create a Microsoft Exchange Admin Approval Transport Rule

Create a Microsoft Exchange transport rule to forward an email to the specified email administrator for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
  1. Log in to the Microsoft Exchange Admin Center.
  2. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  3. Select Mail flowRulesAdd a ruleCreate a new rule to create a new email transport rule.
  4. Configure the transport rule conditions.
    1. Enter a Name for the transport rule.
    2. Add the email message header.
      The fwd_to_admin email header is added by the DLP cloud service when an email contains sensitive information requiring email administrator approval.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When promoted, enter the following.
        x-panw-action
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        fwd_to_admin
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the header added by Enterprise DLP.
      1. For Do the following, select Forward the message for approval.
      2. Select to these people.
    4. Click Next to continue.
  5. Configure the transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the transport rule settings as needed.
    3. Click Next to continue.
  6. Review the transport rule configuration and click Finish.
    Click Done when prompted that the transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  7. Modify the transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • There is no impact in regards to priority between the quarantine transport rules, block transport rule, encrypt transport rule, or any other transport rules that exist.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.

Create a Microsoft Exchange Manager Approval Transport Rule

Create a Microsoft Exchange email transport rule to forward an email to the sender's manager for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully send an email for manager approval if sensitive data is detected by Enterprise DLP, the sender must have a manager assigned.
If no manager is assigned to the sender, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
Additionally, Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
  1. Log in to the Microsoft Exchange Admin Center.
  2. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  3. Select Mail flowRulesAdd a ruleCreate a new rule to create a new email transport rule.
  4. Configure the transport rule conditions.
    1. Enter a Name for the transport rule.
    2. Add the email message header.
      The fw_to_manager header is added by the DLP cloud service when an email contains sensitive information requiring manager approval.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When promoted, enter the following.
        x-panw-action
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        fwd_to_manager
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the header added by Enterprise DLP.
      Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully forward a sender's email if sensitive data is detected by Enterprise DLP, a user must have a manager assigned.
      If no manager is assigned to a user, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
      1. For Do the following, select Forward the message for approval.
      2. Select to the sender's manager.
    4. Click Next to continue.
  5. Configure the transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the transport rule settings as needed.
    3. Click Next to continue.
  6. Review the transport rule configuration and click Finish.
    Click Done when prompted that the transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  7. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • There is no impact in regards to priority between the quarantine transport rules, block transport rule, encrypt transport rule, or any other transport rules that exist.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.

Create a Microsoft Exchange Encrypt Transport Rule

Create a Microsoft Exchange Encrypt transport rule to encrypt an outbound email to Microsoft Exchange after inspection by Enterprise Data Loss Prevention (E-DLP).
  1. Log in to the Microsoft Exchange Admin Center.
  2. Create the required Microsoft Exchange connectors.
    Skip this step if you have already created both the outbound, inbound, and Proofpoint server connectors.
  3. Select Mail flowRulesAdd a ruleCreate a new rule to create a new email transport rule.
  4. Configure the encrypt transport rule conditions.
    1. Enter a Name for the encrypt transport rule.
    2. Add the encrypt email message header.
      The encrypt header is added by the DLP cloud service when an email contains sensitive information that should be encrypted.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When promoted, enter the following.
        x-panw-action
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        encrypt
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the encrypt header added by Enterprise DLP.
      1. For Do the following, select Modify the message security.
      2. Select Apply Office 365 Message Encryption and rights protection.
      3. Select the RMS template you want to use for outbound email encryption and Save.
    4. Click Next to continue.
  5. Configure the encrypt transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the encrypt transport rule settings as needed.
    3. Click Next to continue.
  6. Review the encrypt transport rule configuration and click Finish.
    Click Done when prompted that the encrypt transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  7. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • There is no impact in regards to priority between the quarantine transport rules, block transport rule, encrypt transport rule, or any other transport rules that exist.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.

Create a Microsoft Exchange Proofpoint Encrypt Transport Rule

Create a Microsoft Exchange Encrypt transport rule to forward an email to your Proofpoint server for encrypting after inspection by Enterprise Data Loss Prevention (E-DLP).
This procedure assumes you have already setup your Proofpoint server and created the required Proofpoint connector.
  1. Log in to the Microsoft Exchange Admin Center.
  2. Create the required Microsoft Exchange connectors.
    Skip this step if you have already created both the outbound, inbound, and Proofpoint server connectors.
  3. Select Mail flowRulesAdd a ruleCreate a new rule to create a new email transport rule.
  4. Configure the encrypt transport rule conditions.
    1. Enter a Name for the Proofpoint encrypt transport rule.
    2. Add the encrypt email message header.
      The encrypt header is added by the DLP cloud service when an email contains sensitive information that should be encrypted.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When promoted, enter the following.
        x-panw-action
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        encrypt
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the encrypt header added by Enterprise DLP.
      1. For Do the following, select Redirect the message to.
      2. Select the following connector.
      3. Select the Proofpoint connector and Save.
    4. Click the Add Action icon (+) to add an additional rule condition.
    5. Instruct Microsoft Exchange to further modify the email header.
      1. For Do the following, select Modify the message properties.
      2. Select set a message header.
      3. Click Enter Text. When promoted, enter the following.
        x-proofpointencryptdesktop
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        encrypt
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Select the word you added. Click Save to continue.
    6. Click Next to continue.
  5. Configure the Proofpoint encrypt transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the encrypt transport rule settings as needed.
    3. Click Next to continue.
  6. Review the encrypt transport rule configuration and click Finish.
    Click Done when prompted that the encrypt transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  7. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • There is no impact in regards to priority between the quarantine transport rules, block transport rule, encrypt transport rule, or any other transport rules that exist.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.
    • If you want to ensure emails are forwarded to your Proofpoint server for encryption, Palo Alto Networks recommends disabling your existing Encrypt or assigning a higher priority to the Proofpoint encrypt rule.
      You can forward an email for encryption to either your Proofpoint server or to Microsoft Exchange for encryption, but not both.

Create a Microsoft Exchange Block Transport Rule

Create a Microsoft Exchange Block transport rule to specify the action Microsoft Exchange takes when an email contains sensitive data and is blocked.
  1. Log in to the Microsoft Exchange Admin Center.
  2. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  3. Select Mail flowRulesAdd a ruleCreate a new rule to create a new email transport rule.
  4. Configure the Block transport rule conditions.
    1. Enter a Name for the Block transport rule.
    2. Add the Block email message header.
      The Block header is added by the DLP cloud service when an inspected email contains sensitive information that is blocked.
      1. For Apply this rule if, select The message headers....
      2. Select includes any of these words.
      3. Click Enter Text. When promoted, enter the following.
        x-panw-action
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        block
        Code copied to clipboard
         
        Unable to copy due to lack of browser support.
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the Block header added by Enterprise DLP.
      1. For Do the following, select Block the message.
      2. Select reject the message and include an explanation. When prompted, enter the explanation for why the email was blocked.
        This is the response members of your organization receive when an outbound email is blocked.
        Click Save to continue.
    4. Click Next to continue.
  5. Configure the Block transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the Block transport rule settings as needed.
    3. Click Next to continue.
    4. Save.
  6. Review the Block transport rule configuration and click Finish.
    Click Done when prompted that the Block transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  7. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP for inspection.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Enterprise DLP inspection.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Enterprise DLP inspection. Enterprise DLP cannot inspect encrypted emails.
    • There is no impact in regards to priority between the quarantine transport rules, block transport rule, encrypt transport rule, or any other transport rules that exist.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.