Skip to content

Add an SPX template

You can create or edit SPX templates for email encryption.

When you apply SPX templates to email policies or when senders trigger encryption, Sophos Firewall converts emails and attachments into PDFs and encrypts them.

To add an SPX template, do as follows:

  1. Go to Email > Encryption > SPX templates and click Add.
  2. Enter a name.


    You can't use these characters (’/,\”).

  3. Enter the organization name to show in SPX notifications.

  4. Select the encryption standard.
  5. Select the PDF page size.
  6. In Password type, select the method of generating the password.

    Option Description
    Specified by sender Applied by senders in the email header. The sender must enter a password in the email subject in the format [secure:<password>]<subject text>, for example, [secure:secretp@ssword]. The sender must share the password securely with the recipient. Sophos Firewall removes the password when sending the email and doesn’t store the password.
    To encrypt emails, senders must do as follows:

    Microsoft Outlook: They must go to the user portal, download the Sophos Outlook Add-in and install it. In Outlook, they must click Encrypt for the emails they want to encrypt.
    To download Sophos Outlook Add-in, go to Authentication > Client downloads.

    Other mail clients: Users must set the email header field X-Sophos-SPXEncrypt to yes. When Sophos Firewall finds the SPX header in emails, it applies the specified SPX template.
    Generate one-time password for every email Sophos Firewall generates a password and emails it to the sender. The sender must share the password securely with the recipient. The password isn’t stored.
    Generated and stored for recipient Sophos Firewall generates a recipient-specific password and emails it to the sender. The sender must share the password securely with the recipient. The password is stored and used until it expires.
    Specified by recipient Sophos Firewall emails a password registration link to recipients not already registered for a password. When recipients register, Sophos Firewall sends an encrypted email to them, using the recipient’s password. It stores the password until expiry.
    Recipients decrypt emails from the organization with this password.


    To reply, recipients must click the reply button in SPX-encrypted emails and go to the SPX reply portal.

    Note for MTA mode

    To apply this SPX template in MTA mode, you must select the template in the SMTP route and scan policy under Domains and routing target or Data control list. If you don't want to specify a protected domain, you can use a dummy domain, such as You must also select Enable SPX reply portal on this page.


    If recipients receive different emails with passwords generated through Generated and stored for recipient and Specified by recipient, they must use the corresponding passwords to decrypt the emails.

  7. (Optional) Customize the notification subject and body.

  8. (Optional) Specify recipient instructions. Sophos Firewall emails these to the recipient with the encrypted email.


    To reset to the default notification, click Reset Reset button.

    You can use simple HTML markup, hyperlinks, and variables, for example, %ORGANIZATION_NAME%. You can use the following variables:

    • ENVELOPE_TO: Recipient of password
    • PASSWORD: Password to open SPX-encrypted emails
    • ORGANIZATION_NAME: Organization name that you’ve specified
    • SENDER: Sender of the email
    • REG_LINK: Link to the registration portal for registering the password
  9. Specify the SPX portal settings. (MTA mode only)

    1. Select Enable SPX reply portal. Users can then use the portal to reply to SPX-encrypted emails.
    2. Select Include original body into reply if you want.
  10. Click Save.

More resources