Skip to content


Secure PDF exchange (SPX) is clientless email encryption that converts email and attachments to a PDF file and encrypts it with a password.

You can encrypt outbound emails of specific domains, based on content match, or when a sender triggers encryption. Recipients can decrypt the email and then read it, using a PDF reader on their device, including mobile phone platforms with PDF file support, for example, Android, iOS, Blackberry, or Windows.

SPX encryption triggers

If you've specified more than one method of triggering SPX encryption, Sophos Firewall will apply encryption settings in the following order:

  • On outbound emails from specified domains.
  • When it finds content or data protection match.
  • When senders trigger SPX.

There are two ways to apply SPX encryption in Sophos Firewall:

  • From Email > Encryption > SPX configuration > Default SPX template. SPX encryption will apply only to outbound emails with the email message header X-Sophos-SPX-Encrypt: yes.
  • From Email > Policy > SMTP policy. SPX encryption applies to all outbound emails from protected domains. The email message header X-Sophos-SPX-Encrypt: yes will have no effect.

SPX configuration

Specify the SPX template, password, reply, and notification settings.

Option Description
Default SPX template The template is applied if senders SPX-encrypt emails, and if you don't select SPX encryption in the SMTP policy.
Select None if you don’t want to encrypt emails.
Keep unused password for The period for which passwords remain valid if no SPX-encrypted email is sent to a specific recipient. For example, if you specify three days, the password expires at midnight at the end of the third day.
Send error notification to Recipients of the SPX error notification.
Error messages are listed in the SMTP log.
Allow password registration for The link to the password registration portal expires at the end of this period.

SPX portal settings


We strongly recommend you use a unique port for the SPX reply portal. If you aren't using the SPX reply portal, you should disable it on the WAN zone. To do this, add a private, trusted IP address that's unused (for example, an Automatic Private IP Address (APIPA) such as to allowed networks. If you leave allowed networks empty, it defaults to Any because the SPX reply portal is turned on by default in the WAN zone.

Specify the password registration settings.

Name Description
Hostname IP address or domain on which the password registration portal is hosted.
Allowed networks Networks from which password registration requests are accepted.
Set this to Any if you want all recipients of SPX-encrypted emails to access the SPX portal.
Port Port on which the SPX password registration portal listens. Default: 8094

CAPTCHA: Users signing in to the SPX portal will always need to enter a CAPTCHA. The CAPTCHA is always active for the SPX portal and can't be turned off.

SPX password reset

Enter the email address of the recipient for whom you want to reset password.


The sender must send the new password to the recipient for future SPX-encrypted emails.

SPX templates

SPX template specifies the encryption standard, PDF layout, password settings, and recipient instructions.


You can use customized SPX templates for different customer domains with customer-specific text and company logos.

Back to top