Open with table of contents

Mail encryption endpoints overview

What's a mail encryption endpoint?

A mail encryption endpoint is a package of encryption settings that are specific to one or more recipient email addresses. An endpoint can apply to a single email address, an address list, or a domain.

The endpoint tells the Email Gateway which Partner public key to use to encrypt messages and (if necessary) which Corporate private key to use to digitally sign messages.

Where are encryption endpoints used?

You configure policy routes and policy content rules to specify that an email message must be delivered using encryption endpoints:

• Mail policy route
  You enable encryption by changing the default delivery action.

• Mail policy content rule
  You enable encryption by changing the delivery disposal action.

How many endpoints do I need?

If encryption is enabled on a mail policy route, then mail to all recipients in the address list for that route is potentially encrypted. You need to create encryption endpoints that match all of those recipients.

For example, one message could have recipients that match different endpoints such that one is encrypted using SMIME, one signed with PGP, and one sent unencrypted. This is known as message splitting.

Which endpoint is used?

The Email Gateway matches the recipient's email address by searching the endpoints in the order defined on the Mail Encryption Endpoints page. Endpoints that are higher in the list take precedence over lower ones.

For example, you could have an endpoint for all users in the My Company address list that does not encrypt their email messages, and then higher-priority entries for individual users who need encryption to be applied to their email messages.

If an endpoint is found that cannot be used (because the key is expired, for example), encryption fails.

What else do I need to know?

• If you have nominated a PGP or S/MIME certificate to encrypt the message, you may only choose a certificate of the same type to sign it (or use “sender’s key”).
• If a password is chosen to encrypt a message, you cannot sign it.
• You can sign a message even if you have chosen not to encrypt it.

• For any given mail recipient, only one endpoint is used. If you want the message to be signed and encrypted for that recipient, the first endpoint that matches that recipient address must specify both signing and encryption.

See also...

• Enable encryption on a mail policy route
• Encrypt email using mail policy content rules