Decrypt Journal Message DLP

Copper Contributor

Hello! We are currently in the process of setting up our first DLP policy for sensitive information. Everything seems to be working well, except for 1 issue. We have a specific group of people who's emails are journaled out to a third party. I cannot seem to figure out how to get these messages decrypted. 


We do have this set. Set IRM Configuration - Journal Report Decryption Enabled $true


I have tried making Not statements, and add in a rule in the policy if sent from inside to the journal address remove the encryption... Nothing.


Any suggestions or pointers?


Thank you!


6 Replies

Hi @mlittman 


You could be looking at a priority order issue here. Where in the list of policies/rules does the exception for journal group lie?



Hello! I had it second rule after the first one which was to check for sensitive info and encrypt. Then the next rule was unless its from inside to the journal address, then decrypt it. I removed it this morning as it has been in place for couple days and wasn't doing anything so back at the drawing board. This is how the current policy looks (attaching pic). In the main rule i have tried to add the journal address and domain with the rest of my NOT objects as well and it did not work. 


Hi @mlittman 


So, when you say not working, do you mean that all emails, even to the exclusions in the new policy are being encrypted? Or no email is being encrypted?


So in the screenshot, that is our main policy I have been testing and adding on to. It works great. I have had to add exclusions (the NOT part) for some domains we use and everything is working good. Where I am running into trouble now is, that we have an transport rule that sends emails from a specific set of users off to a third party site via journaling. Those emails are encrypting. I cant figure out how to get the emails to that specific location without being encrypted. Hope that helps? (i have tried to add that journal domain and address in the current rule with the other domains and it did not work). I tried to make an additional rule below the rule in the screenshot to decrypt any messages from internal to the specific journal address and or domain and still encrypts the journaled email.



Got it, so where is the transport rule configured? Seems like it's exchange online mail flow rule, but I don't want to be mistaken on that assumption.


If I'm right, is there anything in your mail flow rules that enforces encryption?

In exchange there is a connector for it. I don't believe there is any mail flow rule. I couldn't find any mail flow rule pointing to the connector. I put in a screenshot of the trace and the connector. As far as any other encryption rules in exchange we have one setup but you have to use the word [secure] in the subject line to encrypt. Ill eventually move that over to compliance center. 

Screenshot 2023-06-20 151440.png

Screenshot 2023-06-20 150615.png