The Policy-Based Encrypted Email service lets customers set up filters based on the content of a message. If a message meets the configured criteria, it is encrypted. Once the service is enabled, all messages sent from Smarsh Hosted Services mailboxes to external recipients are processed according to the configured policies and encrypted if required.

What happens when an email is encrypted?
Mailflow changes with the Email Encryption service
How to enable Email Encryption
Managing Email Encryption settings

What happens when an email is encrypted?

  1. The sender receives a 'Your message has been encrypted' email. The email has information about the encrypted message, such as subject, date and time. The email also contains a link to the web portal message. Using the Web Portal, the sender can check delivery status or recall the email.
  2. The recipient also receives an email from the Web Portal:
    • If the recipient has not been activated in the Web Portal, he or she must activate a new account in the Web Portal to read the encrypted message. The activation information (activation password and link) is provided in the message. To activate the account, the recipient needs to follow the activation link and enter the name and activation password. The recipient will also create a new password for the Web Portal.
    • If the recipient has used the Web Portal before, he or she will get a message with the subject 'You have a new encrypted message from [sender's address]'. This email has information about the encrypted message, such as subject, sent and expiration date, along with the link to access the encrypted message. The recipient should follow the link and enter his or her email address and password (created during activation) to log in. After that, the recipient will have access to the message.

      If the activation information was not sent or the recipient forgot the password, activation can be reset. To reset activation, the recipient should do the following:
      • Navigate to the Web Portal
      • Click the Forgot your password? link
      • Enter the email address of the mailbox where the encrypted message was delivered
      • A new activation email will be sent to that email address

Mailflow changes with the Email Encryption service

  1. All messages to external recipients are routed to a special gateway.
  2. At the gateway, all messages are checked according to policy settings.
  3. The gateway has a list of policies for handling messages that fall under certain conditions. Possible actions are: encrypt, send unencrypted, discard, or return to sender.
  4. If a message should be encrypted, possible actions are: deliver it to the Inbox as a password-protected PDF file, or send an email with a Web Portal link. The Web Portal then sends a notification with a URL to read the message after registration.

When email is sent from our server and Web Portal delivery is enabled, the recipient can view and reply to the encrypted email using the Web Portal in a web browser. When the recipient replies to an encrypted message through the website interface, the message is sent over an encrypted connection to Smarsh Hosted Services servers. Smarsh Hosted Services servers have the appropriate software installed to decrypt the email, so the recipient won't need to use the Web Portal to read the email but can instead read it using Outlook or Outlook Web App. When a desktop Outlook application connects to the Smarsh Hosted Services Exchange server to view email, it uses a TLS-encrypted connection, so the message cannot be intercepted by a third party.

Important: if the recipient replies to the encrypted message from Outlook or OWA, the reply will not be encrypted automatically. It will only be encrypted if the encryption policy is triggered.
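The mailflow steps and the reply caveat above can be modelled as follows. This is an added illustration, not the gateway's own logic or configuration: the internal domain, the two policy patterns, first-match ordering and the default action are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import getaddresses

# Assumptions for this model (not taken from the service): the internal
# domain, the patterns, first-match-wins ordering, and the default action.
INTERNAL_DOMAINS = {"example.com"}

@dataclass
class Policy:
    name: str
    pattern: re.Pattern   # matched against subject + plain-text body
    action: str           # encrypt | send_unencrypted | discard | return_to_sender

POLICIES = [
    Policy("subject-tag", re.compile(r"\[encrypt\]", re.I), "encrypt"),
    Policy("ssn-like", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "encrypt"),
]

def external_recipients(msg):
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs
            if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]

def gateway_decision(msg):
    """Return the action the modelled gateway takes for one message."""
    if not external_recipients(msg):
        return "not_routed_to_gateway"   # only external mail reaches the gateway
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    for policy in POLICIES:
        if policy.pattern.search(text):
            return policy.action
    return "send_unencrypted"            # no policy triggered

def make(to, subject, body):
    """Build a constructed sample message from a hosted mailbox."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", to, subject
    m.set_content(body)
    return m

if __name__ == "__main__":
    samples = [
        make("bob@partner.test", "Q3 payroll", "Employee SSN 123-45-6789"),
        make("bob@partner.test", "RE: Q3 payroll", "Thanks, received."),
        make("carol@example.com", "[encrypt] notes", "internal only"),
    ]
    for m in samples:
        print(m["Subject"], "->", gateway_decision(m))
```

The second sample is the case the Important note describes: a reply sent from Outlook or OWA that does not itself contain trigger content leaves unencrypted.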

How to enable Email Encryption

  1. Log in to CONTROL PANEL.
  2. Navigate to Services > Compliance > Encrypted Email.
  3. Choose one of the available templates for settings.
  4. Click Enable Policy-based Encryption. Now all outbound emails to external recipients will be checked against encryption policies.

Note: Once Email Encryption is enabled you can see some pre-defined policies enabled in the Encrypted Mail Gateway console.

Managing Email Encryption settings

Policy-based Encryption is managed through a web interface. To customize Email Encryption for your business's requirements, you must first create check policies that will "filter" messages for specific content.

To log in to the Encrypted Email console, navigate to Services > Compliance > Encrypted email and click Encrypted mail gateway.

The Encrypted Email console is divided into four sections. For more information about each section, click its name:

Email Encryption Profile Management


  • All messages coming through the Encrypted Mail Gateway have a 36 MB size limit. The size of the original message increases while it is routed; therefore, the attachment size is limited to 25 MB, depending on the rest of the message.
  • Policy-Based Encryption is account-wide. Messages sent from each mailbox are forwarded through the gateway.
  • All changes to the policies and other settings are made through the administrative interface.
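A pre-send size check against the 36 MB limit, added here as an example and not part of the service. It assumes that the growth in transit comes from base64 transfer encoding of attachments (the page does not say why the message grows) and that "MB" means 2**20 bytes; the addresses and file name are constructed.

```python
import math
from email.message import EmailMessage
from email.policy import SMTP

MB = 1024 * 1024            # assumption: the page's "MB" is 2**20 bytes
GATEWAY_LIMIT = 36 * MB     # per-message limit stated above

def base64_wire_size(raw_len: int) -> int:
    """Bytes an attachment occupies once base64-encoded in 76-char CRLF lines."""
    chars = 4 * math.ceil(raw_len / 3)
    lines = math.ceil(chars / 76)
    return chars + 2 * lines

def build_message(attachment: bytes) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "alice@example.com"      # constructed sample values
    msg["To"] = "bob@partner.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg

def wire_size(msg: EmailMessage) -> int:
    """Size of the message as serialized for SMTP (CRLF line endings)."""
    return len(msg.as_bytes(policy=SMTP))

def fits_gateway(msg: EmailMessage) -> bool:
    return wire_size(msg) <= GATEWAY_LIMIT

def headroom_after_attachment(raw_len: int) -> int:
    """Bytes left under the limit for headers, body and other parts."""
    return GATEWAY_LIMIT - base64_wire_size(raw_len)

if __name__ == "__main__":
    sample = build_message(bytes(570_000))  # constructed 570 kB attachment
    print("raw 570000 ->", wire_size(sample), "bytes on the wire")
    for size_mb in (25, 27):
        print(size_mb, "MB attachment leaves",
              headroom_after_attachment(size_mb * MB), "bytes of headroom")
```

Under these assumptions a 25 MB attachment encodes to roughly 34.2 MB, which leaves under 2 MB for the rest of the message.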