DLP rules are not working as expected. Advice needed on best practice and implementation.


Hi,

We're starting with Exchange DLP rules. I've configured a rule to block emails containing 10 or more IP addresses, using the settings below:

 

- Detect when content shared outside my organisation

- Location = Exchange online

- Sensitive info types = IP Addresses

- instance count = min 10, any max with an 85% min match accuracy

 

I then tested with an email by sending 22 IP addresses in a blank email

10.2.100.20

..... all the way to 

10.2.100.41

 

On the 28/3/19 the email was blocked by the policy.

Today, I copied and pasted the same IP address list into a brand new email, the email sent successfully (no block). I then tried forwarding the original email again, it still gets blocked.

 

I have a few questions:

1. Why does sending the same IP address list get blocked on some emails and not others?

2. I've noted that simply adding the words "IP" or "IP Address" can result in a previously sent email being blocked. I don't want my DLP policy to rely on a specific word or phrase, do I need to create custom sensitive information types for this?

3. Is it possible to audit and review who's made changes to DLP rules?

4. I've created an exception distribution group for the Exchange location and added myself as a member. However, when I try to send a previously blocked email, it's still blocked. Why is the excluded distribution group applying?

5. I've noticed that the tool tips display intermittently, I've got the mail tip notifications turned on in Outlook 365 (File, options, mail, mail tips section: all on), but I'm not getting Outlook notifications such as "your email message conflicts with a policy in your organization", this worked fine last week, but not now - I have not changed settings. Should mail tips work consistently across different devices such as laptops, thin clients, Citrix and mobile devices?

 

Our current experience is that the DLP policies are unreliable. Please advise.

 

Thanks
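As an added example (not part of the original post), the rule described above can be recreated with the Security & Compliance PowerShell cmdlets and then tested against the same input, which also covers question 3 (auditing rule changes) and question 4 (the exception group). Policy and rule names, the exception group address `dlp-exceptions@contoso.com`, and the audit window are assumptions; the cmdlets are the standard ExchangeOnlineManagement / compliance ones, but check `Get-Help New-DlpComplianceRule` on your module version for the exception parameter before relying on it.

```powershell
# Added example, not from the original thread. Requires the ExchangeOnlineManagement
# module and a compliance admin role. Names and addresses below are assumed.
Connect-IPPSSession

$policyName = 'Block IP address lists'                      # assumed name
$ruleName   = 'Block 10 or more IP addresses - external'    # assumed name
$exceptDG   = 'dlp-exceptions@contoso.com'                  # assumed distribution group

# Policy scoped to Exchange Online only and enforced (Mode Enable, not a test mode).
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode Enable

# Rule: 10 or more instances of the built-in "IP Address" type at 85% confidence,
# sent outside the organisation, block the message and notify the sender.
# maxCount '-1' means no upper bound.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'IP Address'; minCount = '10'; maxCount = '-1'; minConfidence = '85' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'LastModifier' `
    -ExceptIfFromMemberOf $exceptDG   # exception only applies to members of this group

# Check what the classifier actually sees. The body is constructed to match the
# post's test: 22 consecutive addresses, one per line, nothing else.
$body = (20..41 | ForEach-Object { "10.2.100.$_" }) -join "`r`n"
Test-DataClassification -TextToClassify $body -ClassificationNames 'IP Address'

# Same list with the trigger phrase the post mentions, to compare count and confidence.
Test-DataClassification -TextToClassify "IP Address list:`r`n$body" -ClassificationNames 'IP Address'

# Question 3: who changed DLP policies or rules in the last 30 days. The portal
# calls these cmdlets behind the scenes, so their names are the audit operations.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-DlpCompliancePolicy','Set-DlpCompliancePolicy','Remove-DlpCompliancePolicy',
                'New-DlpComplianceRule','Set-DlpComplianceRule','Remove-DlpComplianceRule' `
    -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations, AuditData
```

Running `Test-DataClassification` on the exact body you sent is the quickest way to separate "the classifier did not count 10 matches at 85%" from "the rule matched but an exception or mail-flow condition suppressed the action". For the exception group, confirm that `Get-DistributionGroupMember $exceptDG` lists your mailbox and allow for the policy distribution delay after editing a rule before retesting.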

1 Reply

@NothernSun 

 

Hello,

I've had exactly the same experience. I have created and tested several rules with sensitive information. After a long search I found out that the RegEx rules for finding the information are not present in the Microsoft XML file.

Of the hundreds of rules Microsoft makes available, there are only a handful of RegEx patterns. 

 

Microsoft support has not been able to help me so far either.
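As an added example (not from either poster), this is what a custom sensitive information type looks like when you want the match to depend on a regex alone rather than on nearby keywords, which is the concern behind question 2 in the original post. The rule package XML, the `Contoso` names, the GUIDs and the IPv4 regex are all assumptions; generate fresh GUIDs for your own tenant.

```powershell
# Added example, not from the original thread. Builds a minimal rule package with
# one entity matched purely by regex and uploads it as a custom sensitive info type.
Connect-IPPSSession

$rulePackId  = [guid]::NewGuid()   # identifies the package
$publisherId = [guid]::NewGuid()   # identifies the publisher
$entityId    = [guid]::NewGuid()   # identifies the sensitive information type

# Each octet 0-255, anchored on word boundaries so 10.2.100.200 is not also
# counted as 10.2.100.20 followed by a stray digit.
$ipv4 = '\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b'

$xml = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso Security</PublisherName>
        <Name>Contoso IPv4 Rule Pack</Name>
        <Description>Bare IPv4 addresses, no supporting keyword required.</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- No <Match> keyword element: confidence comes from the IdMatch regex alone -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_ContosoIPv4"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_ContosoIPv4">$ipv4</Regex>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso IPv4 Address</Name>
        <Description default="true" langcode="en-us">Dotted-quad IPv4 address matched by regex alone.</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# Upload the package as UTF-8 bytes, then verify the classifier counts all
# 22 addresses in the same constructed input used in the original post.
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($xml))

$body = (20..41 | ForEach-Object { "10.2.100.$_" }) -join "`r`n"
Test-DataClassification -TextToClassify $body -ClassificationNames 'Contoso IPv4 Address'
```

Once the type is uploaded, reference it in a DLP rule with `-ContentContainsSensitiveInformation @{ Name = 'Contoso IPv4 Address'; minCount = '10'; minConfidence = '85' }`. The service validates custom regexes on upload and rejects patterns that are too broad, so keep the expression anchored and bounded as above.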