Add an SPX template

You can create or edit SPX templates for email encryption.

When you apply SPX templates to email policies or when senders trigger encryption, XG Firewall converts emails and attachments into PDFs and encrypts them.
  1. Go to Email > Encryption > SPX templates and click Add.
  2. Type a name.
    Note Don’t use these characters (’/,\”).
  3. Enter the organization name to show in SPX notifications.
  4. Select the encryption standard.
  5. Select the PDF page size.
  6. In Password type, select the method of generating the password.
    OptionDescription
    Specified by sender Applied by senders in the email header. Sender must enter a password in the email subject in the format [secure:<password>]<subject text>, for example, [Secure:secretp@ssword]. Sender must share the password securely with the recipient.
    Note XG Firewall removes the password when sending the email and doesn’t store the password.
    Note You can use this method with any SPX encryption trigger.
    To encrypt emails, senders must follow these steps:
    • Microsoft Outlook
      1. Go to the user portal. Download and install Sophos Outlook Add-in.
      2. In Outlook, click Encrypt for each email that you want to encrypt.
    • Other mail clients: Set the email header field X-Sophos-SPXEncrypt to yes.
    Note When XG Firewall finds the SPX header in emails, it applies the specified SPX template.
    Generate one-time password for every email XG Firewall generates a password and emails it to the sender. Sender must share the password securely with the recipient.
    Note Password isn’t stored.
    Generated and stored for recipient

    XG Firewall generates recipient-specific password and emails it to the sender. Sender must share the password securely with the recipient. The password is stored and used until it expires.

    Specified by recipient To recipients who aren’t registered for a password, XG Firewall emails a password registration link.

    When the recipient registers, it sends an encrypted email to the recipient, using the recipient’s password. It stores the password until expiry.

    Recipients decrypt emails from the organization with this password.

    Note If a recipient receives different emails with a password generated through Generated and stored for recipient and Specified by recipient, they must use the appropriate passwords to decrypt the emails.
    Note To reply, recipients must click the reply button in SPX-encrypted emails and go to the SPX reply portal..
    Note Applying SPX encryption to outbound emails modifies the email. The modification breaks the DKIM hash, which will result in DKIM verification failure at the recipient MTA.
  7. Optional Customize the notification subject and body.
  8. Optional Specify recipient instructions. XG Firewall emails these to the recipient with the encrypted email.
    Note To revert to the default notification, click .
    Note You can use simple HTML markup, hyperlinks, and variables, for example, %ORGANIZATION_NAME%.

You can use these variables:

  • ENVELOPE_TO: Recipient of password
  • PASSWORD: Password to open SPX-encrypted emails
  • ORGANIZATION_NAME: Organization name that you’ve specified
  • SENDER: Sender of email
  • REG_LINK: Link to registration portal for registering the password

  1. Specify SPX portal settings.
    1. Select Enable SPX reply portal if you want users to reply to SPX-encrypted emails, using the portal.
    2. Optional Select to include the original body in the reply.
  2. Click Save.