
Data control policy


This Data control policy protects against data loss through email. If you want to protect against other types of data loss, you should use Data Loss Prevention Rules (DLP). See Data Loss Prevention Rules.

Data control allows you to inspect emails and take actions depending on their contents.

In Data control policies, you add rules to restrict the information that can be included in emails. Rules can be applied to inbound or outbound emails and you can add up to 25 rules to a policy.

You can apply rules to different users, groups of users, and domains. For example, you could set up a rule to prevent any financial information going out of the organization for most users. You could then apply a less strict rule to accounting staff.

You can add external users and domains to policies, not just those in your organization. See External users and domains.

You can also clone policies. See Cloning a policy.

The Data control policy doesn't send quarantine summary messages. Notifications for these events are sent directly to the administrator. For more information on quarantined emails users can manage, see End User Quarantine.

You can watch the following video for a step-by-step guide on how to set up email policies. It covers Email Security policies and then Data control policies.

Create a Data control policy

To create a Data control policy, do as follows:

  1. Go to My Products > Email Protection > Policies.
  2. Click Add Policy.
  3. Select Data control, and then click Continue.
  4. Enter a name for the policy.
  5. Add Internal users, groups, or domains for the policy.

    The policy applies to users in any of the users, groups, or domains lists. You can hover over a user's name to see their email address.

  6. Add External users and domains for the policy, if you want to.

    The policy applies if accounts in the internal users, groups, or domains lists send messages to addresses or domains in your external list. See External users and domains.

  7. Click Settings.

A new Data control policy has no rules. To control the actions taken with messages going in or out of your organization, you add rules. See Create a Data control rule.

Data control rules

In existing Data control policies, click Settings to see the rules associated with a policy. Rules can be applied to inbound or outbound messages. You can change the priority order of the rules. Sophos Central looks through these rules from top to bottom and applies the first rule it finds. You can also turn rules on or off. To view or edit rule settings, click the rule name.

When you create a rule, you can use templates provided by Sophos to protect your data. You can also customize rules as follows:

  • You can choose the action you want to take when sensitive information is found in an email.
  • You can choose who to notify.

    If you delete a mailbox that receives notifications, you must select a different one, or turn notifications off.

  • You can filter messages by whole message size, or just the size of message attachments.

  • You can set a default encryption method for outbound messages.
  • You can override the default encryption method for outbound messages in the settings for individual rules.


The encryption action in a rule for outbound messages applies the encryption method specified in the Secure Message Policy. You can select another method to override it.

Go to My Products > Email Protection > Policies, and then click Data control to manage information restrictions in email. See Create or Edit a Policy.

External users and domains

You can use external users and domains in Data control as well as your own users and domains. You can use them at policy level and rule level.


When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.
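The following added example (not Sophos code) models why envelope-based matching matters: a Bcc recipient appears in the SMTP envelope but not in the To header, so a scope check on headers alone would miss it. The addresses, list contents, and function names are constructed for illustration, and the scope logic is a simplified reading of the policy-level behavior described on this page.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the envelope carries a Bcc recipient at a partner
# domain that the message headers never mention.
ENVELOPE = {"mail_from": "alice@corp.example",
            "rcpt_to": ["bob@corp.example", "carol@partner.example"]}
RAW_MESSAGE = """\
From: Alice <alice@corp.example>
To: Bob <bob@corp.example>
Subject: Q3 figures

See attached.
"""
INTERNAL = ["corp.example"]      # hypothetical internal list (domain entry)
EXTERNAL = ["partner.example"]   # hypothetical external list (domain entry)

def in_scope(addr, entries):
    """True if addr equals a listed address or belongs to a listed domain."""
    addr = addr.lower()
    dom = addr.rsplit("@", 1)[-1]
    return any(e.lower() in (addr, dom) for e in entries)

def policy_applies(sender, recipients, internal, external):
    """Assumed scope rule: an internal sender writes to at least one
    address or domain on the external list."""
    return in_scope(sender, internal) and any(
        in_scope(r, external) for r in recipients)

def header_view(raw):
    """Sender and recipients as the From/To/Cc headers present them."""
    msg = message_from_string(raw)
    sender = getaddresses(msg.get_all("From", []))[0][1]
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sender, [addr for _, addr in rcpts]

def compare(envelope, raw, internal, external):
    """Evaluate the same policy scope against envelope and header addresses."""
    h_sender, h_rcpts = header_view(raw)
    return {
        "envelope": policy_applies(envelope["mail_from"],
                                   envelope["rcpt_to"], internal, external),
        "headers": policy_applies(h_sender, h_rcpts, internal, external),
    }

if __name__ == "__main__":
    print(compare(ENVELOPE, RAW_MESSAGE, INTERNAL, EXTERNAL))
```

When testing a policy, check the envelope addresses in your mail logs rather than the addresses shown in the mail client.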

Policy level

To use external users and domains at policy level, click the External tab when you create or edit a policy.

You can add individual email addresses or domains, or import them from a file. You can include or exclude your list from the rule. The default is Include all.

Rule level

When you add or edit a rule, you define how the rule applies to external domains and addresses. See Create a Data control rule.


You can use templates to filter emails for financial, confidential, health and personally identifiable information. You can also filter emails by their attachment file types. See Sophos blocked email attachments.


You can customize Data control rules using content control lists (CCL), keywords or phrases.

A CCL defines data that you can use to filter emails and take actions.

You can specify keywords or phrases you want to use to filter emails. You can add a maximum of 200. Keywords and phrases aren't case-sensitive.

Cloning a policy

If you want to make similar changes to a number of users, you can clone a policy.

Cloned policies are set to Policy Bypassed by default.

To clone a policy, do as follows:

  1. Go to My Products > Email Protection > Policies.
  2. Select the policy you want to clone.
  3. Click Clone.
  4. In Clone Policy, edit the name of the new policy, and then click Continue.

    The new policy appears.

    When the base policy is cloned, the new policy has no users, groups, or domains. You must select these before using the policy cloned from the base policy.

  5. Click Save.

  6. Check that the cloned policy is correct, and then click Policy Bypassed > Policy is enforced to turn it on.

By default, the cloned policy takes priority over the original policy. You can change the priority. See How are policies prioritized?

More resources

You can watch the following videos that take you through setting up Sophos Email Security: