Secure PDF exchange (SPX) is clientless email encryption that converts email and attachments to a PDF file and encrypts it with a password.

You can encrypt outbound emails of specific domains, based on content match, or when a sender triggers encryption. Recipients can decrypt the email and then read it, using a PDF reader on their device, including mobile phone platforms with PDF file support, for example, Android, iOS, Blackberry, or Windows.

To reply, recipients must click the reply button in SPX-encrypted emails and go to the SPX reply portal.

SPX encryption triggers

If you’ve specified more than one method of triggering SPX encryption, XG Firewall applies encryption settings in the following order:

  • On outbound emails from specified domains
  • When it finds content or data protection match
  • When SPX is triggered by senders.

There are two ways to apply SPX encryption in XG Firewall

  • FromEmail > Encryption > SPX configuration > Default SPX template. SPX encryption will apply only to outbound emails with the flag “X-Sophos-SPX-Encrypt: yes”.
  • FromEmail > Policy > SMTP policy. SPX encryption will apply to all outbound emails (from protected domains), regardless of the flag “X-Sophos-SPX-Encrypt: yes”.
Note S/MIME isn't supported in XG Firewall. For S/MIME encrypted emails, the mail will be SPX encrypted the same as any other, if the SPX criteria have been met.

SPX configuration

Specify the SPX template, password, reply, and notification settings.

Name Description

Default SPX template

Template applied if senders SPX-encrypt emails, and if you don’t select SPX encryption in the SMTP policy.

Select None if you don’t want to encrypt emails.

Keep unused password for

Period for which passwords remain valid if no SPX-encrypted email is sent to a specific recipient. For example, if you specify three days, the password expires at midnight at the end of the third day.

Allow secure reply for

Days within which recipients can reply to SPX-encrypted email, using the SPX reply portal.

Send error notification to

Recipients of SPX error notification.

Error messages are listed in the SMTP log.

Allow password registration for

Link to password registration portal expires at the end of this period.

SPX portal settings

Specify the password registration settings.

Name Description

IP address or domain on which the password registration portal is hosted.

Allowed networks

Networks from which password registration requests are accepted.

This should be set to Any so that anyone users send an SPX-encrypted message can access it.


Port on which the SPX password registration portal listens. Default: 8094

SPX password reset

Enter the email address of the recipient for whom you want to reset password.
Note The sender must send the new password to the recipient for future SPX-encrypted emails.

SPX templates

SPX template specifies the encryption standard, PDF layout, password settings, and recipient instructions.
Tip You can use customized SPX templates for different customer domains with customer-specific text and company logos.