Support Center

:Email Policy Settings

Last Updated: Nov 26, 2019 08:58PM PST
This article explains SSProtect :Email Policy Settings available from within Microsoft Outlook.

SSProtect :Email capabilities execute from the inclusion of an Outlook Add-In managed by the SSProtect :Foundation Client. This is described in the article, Getting Started with :Email. You should be familiar with its' content before proceeding.

Add-In Settings
From the Outlook ribbon, locate the SSProtect:Email control group then click Settings:

This displays Policy options available for use with this instance of Outlook. More specifically, controls are not (today) centrally managed, though this will change in the near future.

If you use a single SSProtect Account and associated Outlook instances on multiple host computers, these Settings will be different on each host. This will change with central management, though for now you will need to manually adjust these Settings on each Host computer to experience consistent operation.

Policy Settings
After you click Settings, you will be presented with the following dialog:

Operating Context
The top left of the display shows your email address, with the matching SSProtect Profile shown on the right. This reflects the active SSProtect Login Session managed by the :Foundation Client. This determines which of many potential Email Accounts you can use with SSProtect at any point in time. You can, of course, Login to any SSProtect Profile of interest, matching the Profile with a different Outlook Email Account, as described in the prerequisite article, Getting Started with :Email.

Protection Scheme
When you compose a new message, you must check the, Protect on Send checkbox in order to encrypt content before sending. The two controls in this section provide options that allow the software to do this for you.

The first option, Automatically select, "Protect on Send" for new messages, means the checkbox will always been configured to deliver encrypted email once you Compose a new Message. You can of course uncheck the box before you send the message, so it's for you to determine which option results in fewer mouse clicks. This will be determined based on the number of protected vs. unprotected messages you typically send.

The second option, Automatically protect when All Recipients are Authorized, will not have any impact until you Send a message. If, as noted, all Recipients are members of your SSProtect Organization (when applicable) or configured as Third Party Trust sharing peers, the message will be protected before it's sent.

Automatic Protection Considerations
Your set of :Collaborate sharing peers changes over time, and updates are applied when you and others Refresh Login from the :Foundation Client. As a result, if someone in your SSProtect Organization configures a Third Party Trust but the sharing peer hasn't performed Refresh Login on their host computer - AND - you have not done the same, the intended sharing peer will show up as untrusted. If you are relying on the automatic protection capabilities offered by this second Protection Scheme option, you may not immediately achieve intended results.

For this reason, you should not rely on this option until you are working with a relatively static set of sharing peers. If you are a Privileged User for an SSProtect Organization, work with your team(s) to make sure they know when they can and should use this option. If you're an Unprivileged User, follow the policy lead offered by those managing SSProtect.

Replying To/Forwarding Plaintext Versions of Protected Messages
This section controls the way :Email handles delivery of responses to - or forwarding of - protected content. Operation is straightforward and as-noted - choose the option that best suits your preferred mode of operation and Policy - one of DenyConfirmAuto, or Permit. Changes are applied immediately, and the next email Send operation will consult these settings when and as necessary, before delivering the related message.

Save Policy
Outlook implements an Auto Save feature that helps you retain message content if, before Sending, something happens and Outlook is unexpectedly terminated. This is a configurable feature that is often enabled in many settings.

When working with sensitive content, this is often undesired since these interim results will be stored in plaintext. Though SSProtect protects certain Outlook cache areas from external access, it isn't an assurance that plaintext won't be more available to an attacker (than it is while you compose the plaintext content).

Choose, Never Auto-Save messages in Drafts; ignore Outlook settings to bypass the Outlook configuration and avoid saving message content in plaintext form. When active, the Auto Save feature is bypassed.

You can also use, Prevent Save from overwriting protected content to make certain that, while viewing and replying to a protected message, the plaintext content doesn't overwrite protected content already associated with the message. This offers an alternative to the first option, though without complete coverage since it doesn't apply to New Messages.

System Log Output
These controls determine how much content is stored in debug logs that can be used for troubleshooting. Use this when directed by an SSProtect administrator or Support personnel while troubleshooting. Otherwise, it's best to leave the System Threshold at the, "least verbose" level of System. Use Show Log to view the current day's content, which is retained for one additional day consistent with other Host Debug Log information. For details, refer to the article, Accessing Host Debug Logs.

CAUTION: Lowering the System Threshold will impact the performance of your system when working with managed content. As such, you should only use this when absolutely necessary.

Sending Protected Mail to Unauthorized Recipients
When you deliver a Protected message (by checking, Protect on Send), :Email checks Recipients to make certain they are authorized to access/ decrypt managed content. This combines both Organization sharing peers and Third Party Trusts using the associated Server Email Address described below (and managed by KODiAC for all participants).

If a Recipient isn't authorized to view content, :Email will by default use the, Confirm; List unauthorized users for selective removal setting. This results in a prompt with the set of Recipients that may not be able to decrypt content. This changes of course, over time, and you can deliver a message to a Recipient that will later be authorized to read content.

However, if you do NOT wish to be prompted and thus notified of potentially unintended Recipients, you can instead choose, Auto: Protect/send even to unauthorized recipients and Protected content will be delivered without Recipient validation or prompts.

Attaching Plaintext Files to Protected Messages
When sending Protected content, you will often include Attachments. These may or may not be included in protected form. This set of configuration options allows you to determine the way :Email manages this reality, as described in the article, Message and Attachment Protection.


Display protected account status in the Explorer subpane turns the status overlay on and off, shown here when presented beneath the Inbox messages list:

This is helpful when you have multiple SSProtect Profiles and/ or Outlook Email Accounts, which helps determine which association is active at any given point in time.

Choose, Warn for Protected Attachments with unprotected messages if you wish to receive a warning prompt when Sending a plaintext message that includes protected attachments (on the chance this wasn't the intent, perhaps preferring to protect message content as well). When not checked, :Email will deliver a plaintext message with protected Attachments without prompts.

Attachment Location
This option defines the target location for plaintext Attachment conversion to managed content, and also the location for in-place activated access of protected content as described in the article, Message and Attachment Protection.

Server Email Address

Refresh updates your Server Email Address, which is required when working with an Outlook Account managed on the back-end by Microsoft Exchange. In general, your email address will be username@host, though with Exchange it differs. This association is shared with KODiAC and necessary for message delivery to determine which recipients are authorized sharing peers and which will be unable to decipher encrypted content.

If this is not updated, it will show, [failed]. Refresh addresses this problem, not shown in the presented dialog.

Additional Resources
You can search this site for more information on various topics, or use 
this link to submit a specific request. You can also send email directly to, and our staff will respond to your needs as soon as possible.

This article was updated w/ v3.9.1 of SSProtect :Email

Contact Us
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found