Create an email data loss prevention rule

Add email Data Loss Prevention (DLP) rules to control information allowed in emails.

To create a new rule, you must edit an existing policy, or create a new policy.

Email Data Loss Prevention policies contain rules that describe what information to look for in emails and the action to take when matched. To create a rule:

  1. Click Settings.
  2. Click either Inbound or Outbound to set the direction of emails this rule checks.
  3. Click Add rule.
  4. Give the rule a Name and Description.
  5. Choose the rule type.

    You can use templates provided by Sophos to protect your data. Templates protect common types of sensitive information. You can also customize rules using content control lists (CCLs), whole message size or message attachment size, and keywords or phrases.

    Choose from:

    • Protect financial information (FI)
    • Protect confidential information (CI)
    • Protect health information (HI)
    • Protect personally identifiable information (PII)
    • Protect using attachment file types
    • Protect using Sophos content control lists (CCLs)
    • Protect using message size
    • Protect using keywords.
  6. Click Next.

    Add items appears.

  7. Choose the lists for the rule.

    For most rule types you can use lists provided by Sophos or build custom lists specific to your needs.

    1. If you chose Protect using attachment file types, we recommend you use the default Sophos list.

      If you use a custom list, you can choose to filter by File extensions or File group.

      If you filter by File group, you can select groups of file types from the list. You can't choose individual file extensions. The rule matches against the file types we detect, not extensions.

      If you filter by File extensions, you can select individual file extensions. You can't choose a file group. You can also add a comma-separated list of file extensions to filter against in Include extensions. The rule matches against file extensions, not the file types we detect.

    2. If you chose Protect using keywords, enter strings to search for. You can also import keywords.
    3. If you chose Protect using message size, you can set size limits for email attachments, or the whole email, or both. Attachment size limits apply to individual attachments, not the total size of all the attachments.

    If you use the message size rule with another rule type, the match is against both types. For example, if you choose attachment size and keyword type, the rule is only matched if the keyword is found in the attachment and the size limit is met.

    We calculate attachment size using the email's MIME-encoding. We don't use the size of the raw files. This means attachment file sizes are often reported as larger than the actual file. You must take this into account when filtering on attachment size. See Calculating email attachment file sizes.

  8. Click Next.

    If you're creating an inbound rule, External senders appears. For an outbound rule, External recipients appears.

  9. Add email addresses or domains that you want to include or exclude from the rule. The default is Include all.

    You can add individual items or import a list.

    Inclusions and exclusions are absolute. For example if you include a domain, the rule applies to all emails using that domain name, it doesn't apply to those using any other domain. Or if you exclude an email address, the rule applies to all emails except those using that email address.

  10. Click Next.

    Choose action appears.

  11. Choose the actions to take when the rule is triggered, who to notify, and additional options.

    Options change depending on the rule type and direction (Inbound or Outbound).

    For example if you select Inbound, the Bounce action doesn't appear in the list of actions.
    For outbound rules you can override the default encryption method set in Overview > Global Settings > Email Encryption.

    If you select Protect using keywords, you can choose to filter on words and phrases, or use a regular expression. You must use PCRE Boost Perl syntax for your regular expression. See Perl syntax.

    You can test your regular expression with BRegexTest, a Windows executable available from Google Code. See Google Code Archive: bregextest.

    You can combine different rule types by selecting actions that allow processing to continue to the next rule. If you select an action that allows this, Continue processing appears and you can turn it on.

  12. Turn the rule on or off.
  13. Click Save.