Data control policy


This Data control policy protects against data loss through email. If you want to protect against other types of data loss, you should use Data Loss Prevention Rules (DLP). See Data Loss Prevention Rules.

Data control allows you to inspect emails and take actions depending on their contents.


This option is only available with an Email Advanced license.

In Data control policies you add rules to restrict the information that can be included in emails. Rules can be applied to inbound or outbound emails and you can add up to 25 rules to a policy.

You can apply rules to different users, groups of users and domains. For example, you could set up a rule to prevent any financial information going out of the organization for most users. You could then apply a less strict rule to accounting staff.

You can add external users and domains to policies, not just those in your organization. See External users and domains.

You can also clone policies. See Cloning a policy.

Create a Data control policy

To create a Data control policy, do as follows.

  1. Go to Email Security > Policies.
  2. Click Add Policy.
  3. Select Secure Message and click Continue.
  4. Enter a name for the policy.
  5. Add Internal users, groups, or domains for the policy. The policy applies to users in any of the users, groups, or domains lists.

    You can hover over a user's name to see their email address.

  6. Add External users and domains for the policy, if you want to. The policy applies if accounts in the internal users, groups, or domains lists send messages to addresses or domains in your external list. See External users and domains.

  7. Click Settings.

A new Data control policy has no rules. To control the actions taken with messages going in or out of your organization, you add rules. See Create a Data control rule.

Data control rules

In existing Data control policies, click Settings to see the rules associated with a policy. Rules can be applied to inbound or outbound messages. You can change the order of the rules, and turn them on or off. To view or edit rule settings, click on the rule name.

When you create a rule you can use templates provided by Sophos to protect your data. You can also customize rules as follows.

  • You can choose the action you want to take when sensitive information is found in an email.
  • You can choose who to notify.

    If you delete a mailbox that receives notifications, you must select a different one, or turn notifications off.

  • You can filter messages by whole message size, or just the size of message attachments.

  • You can set a default encryption method for outbound messages.
  • You can override the default encryption method for outbound messages in the settings for individual rules.


The encryption option in rules for outbound messages only works if encryption is turned on in Encryption settings.

Go to Email Security > Policies and click Data control to manage information restrictions in email. See Create or Edit a Policy.

External users and domains

You can use external users and domains in Data control as well as your own users and domains. You can use them at policy level and rule level.


When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.
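The difference between envelope and header addresses, shown as an added illustration that is not Sophos code. The sample message, the addresses and both lists are constructed, and `policy_applies` is a hypothetical model of the sender and recipient match described above.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample. Envelope values are what the SMTP dialogue carried
# (MAIL FROM / RCPT TO); the second recipient was added as Bcc.
ENVELOPE_FROM = "alice@corp.example"
ENVELOPE_RCPTS = ["bob@partner.example", "archive@filedrop.example"]
RAW = (
    "From: Alice <alice@corp.example>\n"
    "To: Bob <bob@partner.example>\n"
    "Subject: Q3 figures\n"
    "\n"
    "Figures attached.\n"
)

INTERNAL = ["corp.example"]       # assumed internal domain list
EXTERNAL = ["filedrop.example"]   # assumed external domain list


def listed(addr, entries):
    """True if addr equals an entry or belongs to a listed domain."""
    addr = addr.lower()
    dom = addr.rsplit("@", 1)[-1]
    return any(e.lower() in (addr, dom) for e in entries)


def header_addresses(raw, *fields):
    """Addresses taken from the named headers of a raw message."""
    msg = message_from_string(raw)
    values = [v for f in fields for v in msg.get_all(f, [])]
    return [a.lower() for _, a in getaddresses(values) if a]


def policy_applies(sender, recipients, internal, external):
    """Hypothetical model: internal sender writing to a listed external address."""
    return listed(sender, internal) and any(listed(r, external) for r in recipients)


def compare():
    by_envelope = policy_applies(ENVELOPE_FROM, ENVELOPE_RCPTS, INTERNAL, EXTERNAL)
    hdr_from = header_addresses(RAW, "From")[0]
    hdr_rcpts = header_addresses(RAW, "To", "Cc")
    by_headers = policy_applies(hdr_from, hdr_rcpts, INTERNAL, EXTERNAL)
    return by_envelope, by_headers


if __name__ == "__main__":
    print("envelope match: %s, header match: %s" % compare())
```

A Bcc'd recipient never appears in the To or Cc headers, so only the envelope comparison sees it.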

Policy level

To use external users and domains at policy level, click the External tab when you create or edit a policy.

You can add individual email addresses or domains, or import them from a file. You can include or exclude your list from the rule. The default is Include all.

Rule level

When you add or edit a rule you define how the rule applies to external domains and addresses. See Create a Data control rule.


You can use templates to filter emails for financial, confidential, health and personally identifiable information. You can also filter emails by their attachment file types. See Sophos blocked email attachments.


You can customize Data control rules using content control lists (CCL), keywords or phrases.

A CCL defines data that you can use to filter emails and take actions.

You can specify keywords or phrases you want to use to filter emails. You can add a maximum of 200. Keywords and phrases aren't case-sensitive.

Cloning a policy

This feature might not be available to all users yet.

If you want to make similar changes to a number of users you can clone a policy.

Cloned policies are set to Policy Bypassed by default.

To clone a policy, do as follows.

  1. Go to Email Security > Policies.
  2. Select the policy you want to clone.
  3. Click Clone.
  4. In Clone Policy edit the name of the new policy if you want to, then click Continue.

    The new policy appears.

    When the base policy is cloned, the new policy has no users, groups, or domains. You must select these before you use the policy cloned from the base policy.

  5. Click Save.

  6. Check that the cloned policy is correct, then click Policy Bypassed > Policy is enforced to turn it on.

By default the cloned policy takes priority over the original policy. You can change the priority. See How are policies prioritized?.

More resources

This video explains how to set up email policies. It covers Email Security policies and then Data control policies.

You can also view this video on the Sophos Techvids page. See Sophos Email: Get Started with Sophos Email.

We also have other videos that take you through setting up Sophos Email Security.