Enforced TLS needs to be set up on the server that is establishing connection with the recipient server. That is why if there is enabled Policy-Based Encryption on the account, Enforced TLS should be enabled from Encrypted Mail Gateway console.

EMG treats enforced TLS as an alternative to the Message Pickup Center encryption and delivery method. Message sent via enforced TLS will be delivered directly to the recipient's mailbox. When TLS is blocked, or not available at the receiving end, the next enabled delivery method is used. 

To set up Enforced TLS via EMG:

  1. Log in CONTROL PANEL and navigate to Services > Compliance > Encrypted email > click Encrypted mail gateaway.
    1
  2. Go to Profile Settings > Update profile:
    2
  3. On the TLS Encryption tab:
    1. check the Enable TLS Encryption box
    2. chose the Enable for listed domains ONLY option
    3. add recipient domains that require enforced TLS and click Add
    4. click Save Settings
      3

  4. Go to Policies > Recipient & Sender Groups and click Add an email list
    4

  5. Enter the list name and description and add the domains you specified on step 3 to the Email List field or load the list from your machine. Click Save
    5

  6. Go to Policies > Email Policies and click Add policy
    6

  7. Create and save the policy with the following settings:
    1. Status: Enabled
    2. Match Conditions: Any
    3. Conditions: Enable > If: Recipients > Contains: Any > From: Recipient & Sender Groups > List: list you created on step 5 > More than: 0 Times
    4. Mail action: Encrypt
      7

The Message Report will show the DELIVER_TRUSTED_TLS_DIRECT_DOMAIN action for message sent via enforced TLS:

8