Create Microsoft Exchange Transport Rules

Create Microsoft Exchange transport rules to forward emails to Enterprise Data Loss Prevention (E-DLP) for inspection, and to specify what actions Microsoft Exchange takes based on the Enterprise DLP verdicts.
Where Can I Use This?
  • Data Security
What Do I Need?
  • One of the following licenses that include the Enterprise DLP license
    Review the Supported Platforms for details on the required license for each enforcement point.
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
  • Email DLP license
Create Microsoft Exchange email transport rules to forward emails from Microsoft Exchange to the Enterprise Data Loss Prevention (E-DLP) cloud service for inspection to prevent exfiltration of sensitive data. Additionally, you must create transport rules to specify the actions Microsoft Exchange takes based on the verdicts rendered by Enterprise DLP. The following transport rules are required:
  • Email Transport
    Required to forward all outbound emails from Microsoft Exchange to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email inspection and verdict rendering. The email transport rule is required in all cases regardless of the verdict Enterprise DLP renders.
    Enterprise DLP adds x-panw-inspected: true to the email header for all inspected emails. If an outbound email already includes this header, it will not be forwarded to Enterprise DLP again. Instead, Microsoft Exchange will take the action specified in the hosted quarantine, admin approval, manager approval, encrypt, or block transport rules based on the verdict already rendered by Enterprise DLP.
  • Hosted Quarantine
    Instructs Microsoft Exchange to quarantine and forward the email to the spam quarantine mailbox hosted by Microsoft Exchange when Enterprise Data Loss Prevention (E-DLP) cloud service returns a Quarantine verdict for an email that contains sensitive data.
    Enterprise DLP adds x-panw-action: quarantine to the email header for inspected emails. The email is transported back to Microsoft Exchange and forwarded to the hosted quarantine spam inbox so an email administrator can review the email contents and decide whether to approve or block the email. Any future emails with this header already included will not be forwarded to Enterprise DLP again. Instead, Microsoft Exchange will take the action specified in the quarantine transport rule.
  • Admin Approval
    Instructs Microsoft Exchange to forward the email to the specified email administrator when Enterprise Data Loss Prevention (E-DLP) cloud service returns a Forward email for approval admin verdict for an email that contains sensitive data.
    Enterprise DLP adds x-panw-action: fwd_to_admin to the email header for inspected emails. The email is transported back to Microsoft Exchange so an email administrator can review the email contents and decide whether to approve or block the email. Any future emails with this header already included will not be forwarded to Enterprise DLP again. Instead, Microsoft Exchange will take the action specified in the transport rule.
  • Manager Approval
    Instructs Microsoft Exchange to forward the email to the sender's manager when Enterprise Data Loss Prevention (E-DLP) cloud service returns a Forward email for approval by end user's manager verdict for an email that contains sensitive data.
    Enterprise DLP adds x-panw-action: fwd_to_manager to the email header for inspected emails. The email is transported back to Microsoft Exchange so a manager can review the email contents and decide whether to approve or block the email. Any future emails with this header already included will not be forwarded to Enterprise DLP again. Instead, Microsoft Exchange will take the action specified in the transport rule.
  • Encrypt
    Instructs Microsoft Exchange on the action to take when Enterprise DLP returns an Encrypt verdict for an email that contains sensitive data.
    Enterprise DLP adds x-panw-action: encrypt to the email header for inspected emails. The email is either transported back to Microsoft Exchange or to your Proofpoint server for encryption based on the encryption settings you configure in the transport rule. Any future emails with this header already included will not be forwarded to Enterprise DLP again. Instead, Microsoft Exchange will take the action specified in the encrypt transport rule.
    Forwarding an email to both Microsoft Exchange and your Proofpoint server for encryption is not supported.
  • Block
    Instructs Microsoft Exchange on the action to take when Enterprise DLP returns a Block verdict for an email that contains sensitive data.
    Enterprise DLP adds x-panw-action: block to the email header for all inspected emails. Any future emails with this header already included will not be forwarded to Enterprise DLP for inspection. Instead, Microsoft Exchange takes the action specified in the Block transport rule.

Create a Microsoft Exchange Email Transport Rule

Create a Microsoft Exchange email transport rule to forward traffic to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email inspection.
  1. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the email transport rule conditions.
    1. Enter a Name for the email transport rule.
    2. Specify the email recipient.
      This instructs Microsoft Exchange to forward the email to Enterprise DLP before it leaves your network when the email recipient is outside your organization.
      1. For Apply this rule if, select The recipient.
      2. For the recipient, select is external/internal. When prompted to select the recipient location, select Outside the organization.
        Click Save to continue.
    3. Specify Microsoft Exchange Connector you created as the transport target for email inspection.
      1. For Do the following, select redirect the message to.
      2. For the transport target, select the following connector. When prompted, select the outbound connector.
        Click Save to continue.
    4. Add an exception for emails that exceed the maximum message size supported by Enterprise DLP.
      Enterprise DLP supports inspection of email messages up to 20 MB in size. Larger email messages are not supported and should not be forwarded to Enterprise DLP.
      1. In the Except If field, select The message.
      2. Select size is greater than or equal to. When prompted, enter the following maximum supported message size in KB:
        20480
    5. Add an exception for emails that were already inspected by Enterprise DLP.
      1. In the Except if condition, click the add symbol (+) to add a new Or condition.
      2. Select The message headers condition.
      3. For the Or condition action, select matches any of these words.
      4. Click Enter text to set the message header to x-panw-inspected.
      5. Click Enter words and enter true.
        Click Add and select the word you added. Click Save to continue.
    6. Click Next to continue.
  4. Configure the email transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the email transport rule settings as needed.
    3. Click Next to continue.
    4. Save.
  5. Review the email transport rule configuration and click Finish.
    Click Done when prompted that the email transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine, block, encrypt, and any other existing transport rules has no impact.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.
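The email transport rule above, built with Exchange Online PowerShell instead of the EAC wizard, as an added example that is not part of the original page or of Palo Alto Networks' documentation. It assumes the ExchangeOnlineManagement module is installed and that the outbound connector from step 1 is named EDLP-Outbound (a placeholder; substitute your connector name). The header exception uses the header-contains form of the condition, and the 20480 KB size exception, Enforce mode, and top priority follow the steps above.

```powershell
# Added example: E-DLP email transport rule via Exchange Online PowerShell.
# Not from the Palo Alto Networks page. Assumes the ExchangeOnlineManagement
# module is installed; the connector name below is a placeholder.
Connect-ExchangeOnline

$OutboundConnector = "EDLP-Outbound"   # placeholder: name of your outbound connector

# Condition: recipient outside the organization.
# Action: redirect through the outbound connector to the E-DLP cloud service.
# Exceptions: messages over the 20480 KB inspection limit, and messages that
# already carry x-panw-inspected: true (already inspected; prevents a second
# trip to E-DLP after the verdict header has been added).
New-TransportRule -Name "E-DLP Email Inspection" `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector $OutboundConnector `
    -ExceptIfMessageSizeOver 20480KB `
    -ExceptIfHeaderContainsMessageHeader "x-panw-inspected" `
    -ExceptIfHeaderContainsWords "true" `
    -Mode Enforce `
    -Priority 0 `
    -Comments "Forwards outbound mail to Enterprise DLP for inline inspection."

# Check the ordering the page calls for: the inspection rule must carry the
# lowest Priority number, and any encryption rules not created for Email DLP
# must sit below the Email DLP rules, since E-DLP cannot inspect encrypted mail.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode -AutoSize
```

Set-TransportRule accepts the same parameters if the rule needs adjusting later, and Get-TransportRule "E-DLP Email Inspection" | Format-List shows the saved conditions and exceptions for review.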

Create a Microsoft Exchange Hosted Quarantine Transport Rule

Create a Microsoft Exchange Quarantine transport rule to quarantine and forward a quarantined email to Microsoft Exchange hosted quarantine for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
  1. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the quarantine transport rule conditions.
    1. Enter a Name for the quarantine transport rule.
    2. Add the quarantine email message header.
      The quarantine header is added by the DLP cloud service when an email contains sensitive information that needs to be approved by your email administrator.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When prompted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        quarantine
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the quarantine header added by Enterprise DLP.
      1. For Do the following, select Redirect the message to.
      2. Select hosted quarantine.
    4. Click Next to continue.
  4. Configure the quarantine transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the quarantine transport rule settings as needed.
    3. Click Next to continue.
  5. Review the quarantine transport rule configuration and click Finish.
    Click Done when prompted that the quarantine transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine, block, encrypt, and any other existing transport rules has no impact.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.
  7. An email administrator must review and approve or reject quarantined emails forwarded to the hosted quarantine mailbox.

Create a Microsoft Exchange Admin Approval Transport Rule

Create a Microsoft Exchange transport rule to forward an email to the specified email administrator for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
  1. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the transport rule conditions.
    1. Enter a Name for the transport rule.
    2. Add the email message header.
      The fwd_to_admin email header is added by the DLP cloud service when an email contains sensitive information requiring email administrator approval.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When prompted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        fwd_to_admin
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the header added by Enterprise DLP.
      1. For Do the following, select Forward the message for approval.
      2. Select to these people.
    4. Click Next to continue.
  4. Configure the transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the transport rule settings as needed.
    3. Click Next to continue.
  5. Review the transport rule configuration and click Finish.
    Click Done when prompted that the transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine, block, encrypt, and any other existing transport rules has no impact.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.

Create a Microsoft Exchange Manager Approval Transport Rule

Create a Microsoft Exchange email transport rule to forward an email to the sender's manager for approval after inspection by Enterprise Data Loss Prevention (E-DLP).
Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully send an email for manager approval if sensitive data is detected by Enterprise DLP, the sender must have a manager assigned.
If no manager is assigned to the sender, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
Additionally, Microsoft supports email approvals on the web browser-based Microsoft Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile application or desktop client is not supported.
  1. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the transport rule conditions.
    1. Enter a Name for the transport rule.
    2. Add the email message header.
      The fwd_to_manager header is added by the DLP cloud service when an email contains sensitive information requiring manager approval.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When prompted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        fwd_to_manager
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the header added by Enterprise DLP.
      Microsoft Exchange Active Directory is required to assign a manager to a user. To successfully forward a sender's email if sensitive data is detected by Enterprise DLP, a user must have a manager assigned.
      If no manager is assigned to a user, then the email is sent to the recipient because no manager is assigned to approve or reject the email.
      1. For Do the following, select Forward the message for approval.
      2. Select to the sender's manager.
    4. Click Next to continue.
  4. Configure the transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the transport rule settings as needed.
    3. Click Next to continue.
  5. Review the transport rule configuration and click Finish.
    Click Done when prompted that the transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine, block, encrypt, and any other existing transport rules has no impact.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.

Create a Microsoft Exchange Encrypt Transport Rule

Create a Microsoft Exchange Encrypt transport rule to encrypt an outbound email to Microsoft Exchange after inspection by Enterprise Data Loss Prevention (E-DLP).
  1. Create the required Microsoft Exchange connectors.
    Skip this step if you have already created both the outbound, inbound, and Proofpoint server connectors.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the encrypt transport rule conditions.
    1. Enter a Name for the encrypt transport rule.
    2. Add the encrypt email message header.
      The encrypt header is added by the DLP cloud service when an email contains sensitive information that should be encrypted.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When prompted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        encrypt
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the encrypt header added by Enterprise DLP.
      1. For Do the following, select Modify the message security.
      2. Select Apply Office 365 Message Encryption and rights protection.
      3. Select the RMS template you want to use for outbound email encryption and Save.
    4. Click Next to continue.
  4. Configure the encrypt transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the encrypt transport rule settings as needed.
    3. Click Next to continue.
  5. Review the encrypt transport rule configuration and click Finish.
    Click Done when prompted that the encrypt transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine, block, encrypt, and any other existing transport rules has no impact.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.

Create a Microsoft Exchange Proofpoint Encrypt Transport Rule

Create a Microsoft Exchange Encrypt transport rule to forward an email to your Proofpoint server for encrypting after inspection by Enterprise Data Loss Prevention (E-DLP).
This procedure assumes you have already set up your Proofpoint server and created the required Proofpoint connector.
  1. Create the required Microsoft Exchange connectors.
    Skip this step if you have already created both the outbound, inbound, and Proofpoint server connectors.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the encrypt transport rule conditions.
    1. Enter a Name for the Proofpoint encrypt transport rule.
    2. Add the encrypt email message header.
      The encrypt header is added by the DLP cloud service when an email contains sensitive information that should be encrypted.
      1. For Apply this rule if, select The message headers....
      2. Select match these text patterns.
      3. Click Enter Text. When prompted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        encrypt
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the encrypt header added by Enterprise DLP.
      1. For Do the following, select Redirect the message to.
      2. Select the following connector.
      3. Select the Proofpoint connector and Save.
    4. Click the Add Action icon (+) to add an additional rule condition.
    5. Instruct Microsoft Exchange to further modify the email header.
      1. For Do the following, select Modify the message properties.
      2. Select set a message header.
      3. Click Enter Text. When prompted, enter the following.
        x-proofpointencryptdesktop
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        encrypt
        Select the word you added. Click Save to continue.
    6. Click Next to continue.
  4. Configure the Proofpoint encrypt transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the encrypt transport rule settings as needed.
    3. Click Next to continue.
  5. Review the encrypt transport rule configuration and click Finish.
    Click Done when prompted that the encrypt transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Email DLP.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Email DLP. Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine, block, encrypt, and any other existing transport rules has no impact.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.
    • If you want to ensure emails are forwarded to your Proofpoint server for encryption, Palo Alto Networks recommends disabling your existing Encrypt transport rule or assigning a higher priority to the Proofpoint encrypt rule.
      You can forward an email for encryption to either your Proofpoint server or to Microsoft Exchange for encryption, but not both.

Create a Microsoft Exchange Block Transport Rule

Create a Microsoft Exchange Block transport rule to specify the action Microsoft Exchange takes when an email contains sensitive data and is blocked.
  1. Create the outbound and inbound connectors.
    Skip this step if you have already created both the outbound and inbound connectors.
  2. Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport rule.
  3. Configure the Block transport rule conditions.
    1. Enter a Name for the Block transport rule.
    2. Add the Block email message header.
      The Block header is added by the DLP cloud service when an inspected email contains sensitive information that is blocked.
      1. For Apply this rule if, select The message headers....
      2. Select includes any of these words.
      3. Click Enter Text. When prompted, enter the following.
        x-panw-action
        Click Save to continue.
      4. Click Enter words. When prompted, enter the following and Add:
        block
        Select the word you added. Click Save to continue.
    3. Specify the action Microsoft Exchange takes when an email header includes the Block header added by Enterprise DLP.
      1. For Do the following, select Block the message.
      2. Select reject the message and include an explanation. When prompted, enter the explanation for why the email was blocked.
        This is the response members of your organization receive when an outbound email is blocked.
        Click Save to continue.
    4. Click Next to continue.
  4. Configure the Block transport rule settings.
    1. For the Rule mode, ensure Enforce is selected.
      This setting is enabled by default when a new transport rule is created.
    2. (Optional) Configure the rest of the Block transport rule settings as needed.
    3. Click Next to continue.
    4. Save.
  5. Review the Block transport rule configuration and click Finish.
    Click Done when prompted that the Block transport rule was successfully created. You are redirected back to the Microsoft Exchange Rules page.
  6. Modify the email transport rule priority as needed.
    To change the priority of a transport rule, select the transport rule and Move Up or Move Down as needed.
    A proper rule hierarchy is recommended to ensure emails successfully forward to Enterprise DLP for inspection.
    • The email transport rule should always be the highest priority rule relative to the other transport rules required for Enterprise DLP inspection.
    • Any email encryption rules not created as part of the Email DLP configuration must be ordered below the transport rules created for Enterprise DLP inspection. Enterprise DLP cannot inspect encrypted emails.
    • The relative priority of the quarantine, block, encrypt, and any other existing transport rules has no impact.
      After Enterprise DLP inspects and returns the email back to Microsoft Exchange, the appropriate transport rule action will occur based on the email header.
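The verdict-action rules from the Admin Approval, Manager Approval, Encrypt, Proofpoint Encrypt, and Block procedures above, created with Exchange Online PowerShell, as an added example that is not part of the original page or of Palo Alto Networks' documentation. Every rule keys on the x-panw-action header that Enterprise DLP stamps on inspected mail, so none of them depends on its position relative to the others. The moderator address, the RMS template name, the Proofpoint connector name, and the rejection text are placeholders. The hosted quarantine rule is not included here.

```powershell
# Added example: Enterprise DLP verdict-action rules via Exchange Online PowerShell.
# Not from the Palo Alto Networks page. Values marked "placeholder" must be
# replaced with your own.
Connect-ExchangeOnline

$Moderator           = "dlp-admin@example.com"   # placeholder: approving administrator
$RmsTemplate         = "Encrypt"                 # placeholder: RMS/OME template to apply
$ProofpointConnector = "Proofpoint-Encrypt"      # placeholder: your Proofpoint connector
$RejectText          = "This message was blocked because it contains sensitive data."

# Admin Approval (x-panw-action: fwd_to_admin): hold the message for a moderator.
# -HeaderMatchesPatterns is the PowerShell form of the EAC "matches these text
# patterns" condition used in the procedures above.
New-TransportRule -Name "E-DLP Verdict - Admin Approval" -Mode Enforce `
    -HeaderMatchesMessageHeader "x-panw-action" -HeaderMatchesPatterns "fwd_to_admin" `
    -ModerateMessageByUser $Moderator

# Manager Approval (x-panw-action: fwd_to_manager): hold for the sender's manager.
# The sender needs a manager assigned in Active Directory; with none assigned the
# message is delivered to the recipient, as the page notes.
New-TransportRule -Name "E-DLP Verdict - Manager Approval" -Mode Enforce `
    -HeaderMatchesMessageHeader "x-panw-action" -HeaderMatchesPatterns "fwd_to_manager" `
    -ModerateMessageByManager $true

# Encrypt (x-panw-action: encrypt): apply Office 365 Message Encryption with an RMS template.
New-TransportRule -Name "E-DLP Verdict - Encrypt (OME)" -Mode Enforce `
    -HeaderMatchesMessageHeader "x-panw-action" -HeaderMatchesPatterns "encrypt" `
    -ApplyRightsProtectionTemplate $RmsTemplate

# Proofpoint Encrypt (x-panw-action: encrypt): route to the Proofpoint connector and
# set the x-proofpointencryptdesktop header. Only one of the two encrypt paths may
# be active, so the OME rule is disabled here in favour of Proofpoint.
New-TransportRule -Name "E-DLP Verdict - Encrypt (Proofpoint)" -Mode Enforce `
    -HeaderMatchesMessageHeader "x-panw-action" -HeaderMatchesPatterns "encrypt" `
    -RouteMessageOutboundConnector $ProofpointConnector `
    -SetHeaderName "x-proofpointencryptdesktop" -SetHeaderValue "encrypt"
Disable-TransportRule -Identity "E-DLP Verdict - Encrypt (OME)" -Confirm:$false

# Block (x-panw-action: block): reject the message and return the explanation to
# the sender. The EAC "includes any of these words" condition maps to
# -HeaderContainsMessageHeader / -HeaderContainsWords.
New-TransportRule -Name "E-DLP Verdict - Block" -Mode Enforce `
    -HeaderContainsMessageHeader "x-panw-action" -HeaderContainsWords "block" `
    -RejectMessageReasonText $RejectText

# Review the verdict rules and confirm which encrypt path is enabled.
Get-TransportRule | Where-Object { $_.Name -like "E-DLP Verdict*" } |
    Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```

If Microsoft Exchange rather than Proofpoint should handle encryption, omit the Proofpoint rule and the Disable-TransportRule line; the page is explicit that an email cannot be forwarded to both for encryption.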