DLP — Data Loss Prevention
Protect outbound emails from unintentional disclosure of sensitive data. DLP detects confidential content and responds automatically.
What is DLP?
Data Loss Prevention (DLP) monitors outbound emails and prevents sensitive or confidential information from leaving your organization unintentionally. Typical use cases:
- An employee accidentally sends an IBAN or credit card number to an external address.
- A confidential document is sent to the wrong recipient.
- Internal information is sent to too many external recipients at once.
DLP detects such situations automatically and responds according to your configuration — e.g. by blocking, redacting or quarantining.
Structure
DLP is based on rule sets. Each rule set contains one or more rules that define:
- IF — What content should be detected (detection)
- WHERE — Which parts of the email to scan (scope)
- THEN — What happens when a match is found (action)
Rule sets are assigned to specific senders and recipients via Routing.
Creating a Rule Set
- Navigate to MailGuard > DLP.
- Click + to create a new rule set.
- Enter a name and select the mode:
  - Enforce: Actions are actually executed.
  - Audit: Matches are only logged; the email is delivered normally.
- Add one or more rules.
- Save the rule set.
- Assign the rule set to an outbound route via MailGuard > Routing.
Detection Types
Category: Content
| Detection Type | Description |
|---|---|
| Keywords | Detect specific words or phrases (e.g. "confidential", "payroll"). Optionally case-sensitive. |
| Regex Patterns | Regular expressions for complex patterns (e.g. phone numbers, project codes). |
| Sensitive Data | Predefined data types such as IBAN, credit card numbers (Visa, Mastercard, Amex), ID numbers, tax IDs, social security numbers and more, with automatic checksum validation. |
| Data Matching (EDM) | Match against your own CSV data list (e.g. customer numbers, contract numbers). Upload the CSV and select the columns to check. |
| Document Fingerprint | Detects documents similar to a reference document (e.g. a confidential template). Even slightly modified versions are detected. |
Category: Files
| Detection Type | Description |
|---|---|
| File Type | Detect specific file categories: Office, PDF, archives, executables, scripts, images. |
| Encrypted Files | Detect password-protected PDF, ZIP or Office files. |
| Disguised Files | Detect files whose actual type doesn't match their extension (e.g. an EXE file disguised as PDF). |
Category: Recipients
| Detection Type | Description |
|---|---|
| Recipient Count | Triggers when an email is sent to too many recipients at once (e.g. more than 5 external recipients). |
Combined Conditions
You can combine multiple conditions with AND. All conditions must be met for the rule to trigger. Example: "IBAN in text AND more than 3 external recipients".
Scan Scope
For each rule, you can specify where to scan:
| Scope | Description |
|---|---|
| Email Body | The message content |
| Subject | The subject line |
| Attachments | File attachments — supported formats: Office (DOCX, XLSX, PPTX etc.), PDF, TXT, CSV, JSON, XML, HTML, and images (via automatic text recognition). |
| Headers | Email headers (e.g. custom X-headers) |
Actions
| Action | Description |
|---|---|
| Block | The email is rejected and not delivered. The sender receives a non-delivery report. |
| Quarantine | The email is held for administrator review. The admin can release or reject it. The sender is notified. |
| Redact | Sensitive data is replaced with a placeholder (e.g. [REDACTED] or DE** **** 00). The email is delivered. Works in the email body as well as in Office, PDF, text and image attachments. |
| Strip Attachment | Affected attachments are removed from the email; the rest is delivered. |
| Strip Metadata | Author, comments, track changes and other metadata are removed from Office and PDF attachments. |
| BCC Copy | A copy of the email is sent to a compliance address (e.g. compliance@yourdomain.com). |
| Redirect | The email is redirected to a different address instead of the original recipient. |
| Log | The email is delivered normally; the match is recorded in the incident log. |
Redaction Modes
| Mode | Example |
|---|---|
| Full | DE89 3704 0044 0532 0130 00 becomes [REDACTED] |
| Partial | DE89 3704 0044 0532 0130 00 becomes DE** **** **** **** **** 00 |
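The checksum validation mentioned for the Sensitive Data detection type and the two redaction modes above, sketched for IBANs as an added example (not MailGuard's own code). The candidate regex, function names and sample text are assumptions made here; the check itself is the standard ISO 13616 mod-97 test.

```python
import re

# Candidate pattern (an assumption of this sketch): country code, two check
# digits, then 11-30 alphanumerics, optionally grouped by single spaces.
IBAN_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")

def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97: move the first 4 chars to the end, map A=10..Z=35."""
    compact = candidate.replace(" ", "")
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

def redact(value: str, mode: str) -> str:
    """Full mode replaces the value; partial keeps the first and last two chars."""
    if mode == "full":
        return "[REDACTED]"
    last = len(value) - 2
    return "".join(c if i < 2 or i >= last or c == " " else "*"
                   for i, c in enumerate(value))

def scan_and_redact(text: str, mode: str = "partial"):
    """Redact only checksum-valid IBANs; return (new_text, number_of_hits)."""
    hits = 0
    def replace(match):
        nonlocal hits
        if not iban_checksum_ok(match.group(0)):
            return match.group(0)      # IBAN-shaped but invalid: leave untouched
        hits += 1
        return redact(match.group(0), mode)
    return IBAN_CANDIDATE.sub(replace, text), hits

# Constructed sample body: one valid IBAN (the page's example value) and one
# IBAN-shaped reference whose last digit was changed, so its checksum fails.
SAMPLE = ("Refund to DE89 3704 0044 0532 0130 00 please. "
          "Ticket ref DE89 3704 0044 0532 0130 01 is unrelated.")

if __name__ == "__main__":
    for mode in ("partial", "full"):
        print(mode, scan_and_redact(SAMPLE, mode))
```

Only the checksum-valid value is counted and redacted, which is what keeps order numbers and other IBAN-shaped strings from producing false incidents.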
Quarantine
When using the Quarantine action, you can configure the following in the rule set's Quarantine tab:
- Notify sender: The sender receives an email stating that their message has been held.
- Rejection notification: When an administrator rejects the quarantined mail, the sender receives a notification.
- Notification templates: You can use custom HTML templates with placeholders.
The quarantine feature requires that global quarantine is enabled in the MailGuard settings.
Priority and Multiple Matches
When multiple rules within a rule set match an email, the rule with the strictest action is applied. The order (from strict to mild):
Block > Redirect > Quarantine > Redact > Strip Attachment > Strip Metadata > BCC Copy > Log
Audit Mode
In audit mode, all rules are evaluated and matches are logged, but no actions are executed. The email is delivered normally. Use this mode to test new rules before enforcing them.
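A small model of the evaluation described above, added here as an illustration and not taken from MailGuard: conditions within a rule are ANDed, the strictest matching action wins, and Audit mode logs matches without acting. The Email and Rule classes, helper names, regex and sample data are hypothetical.

```python
import re
from dataclasses import dataclass

# Strictness order as listed on the page, strictest first.
STRICTNESS = ["Block", "Redirect", "Quarantine", "Redact",
              "Strip Attachment", "Strip Metadata", "BCC Copy", "Log"]
IBAN_SHAPE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")  # shape only

@dataclass
class Email:                      # hypothetical minimal message model
    recipients: list
    body: str

@dataclass
class Rule:                       # hypothetical rule: conditions are ANDed
    name: str
    conditions: list
    action: str

def has_iban(mail):
    return bool(IBAN_SHAPE.search(mail.body))

def has_keyword(word):
    return lambda mail: word.lower() in mail.body.lower()

def external_over(limit, internal_domain):
    suffix = "@" + internal_domain
    return lambda mail: sum(
        not r.lower().endswith(suffix) for r in mail.recipients) > limit

def evaluate(rules, mail, mode="Enforce"):
    """Return (action to execute or None, incident log) for one outbound email."""
    matched = [r for r in rules if all(c(mail) for c in r.conditions)]
    incidents = [(r.name, r.action) for r in matched]
    if mode == "Audit" or not matched:
        return None, incidents    # Audit: matches are logged, mail is delivered
    return min((r.action for r in matched), key=STRICTNESS.index), incidents

# Constructed sample rule set and emails (names and addresses are made up).
RULES = [
    Rule("IBAN to many externals",
         [has_iban, external_over(3, "example.com")], "Quarantine"),
    Rule("IBAN anywhere", [has_iban], "Redact"),
    Rule("Confidential keyword", [has_keyword("confidential")], "BCC Copy"),
]
BODY = "Confidential: pay DE89 3704 0044 0532 0130 00 today."
WIDE = Email([f"user{i}@partner.test" for i in range(4)] + ["boss@example.com"], BODY)
NARROW = Email(["user0@partner.test", "boss@example.com"], BODY)
```

With four external recipients all three rules match and Quarantine is applied; with one external recipient the combined rule no longer matches and Redact becomes the strictest remaining action.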
Incidents
All DLP matches are logged under Overview > Incidents. There you can see:
- Which rule triggered
- Which data was detected (redacted)
- Which action was taken
- Sender, recipients and timestamp
Routing
Rule sets must be assigned to an outbound route via MailGuard > Routing before they become active. You can specify which senders and recipients the rule set applies to.
Important: Rule sets with a recipient count detection must be assigned to a route with the recipient type "All mailboxes".
Requirements
- Active MailGuard subscription.
- Correctly configured domain and mail server connection.
- At least one outbound routing rule.