Exclude messages from being scanned by DLP policies

Copper Contributor

I am utilizing the EAC mail flow rule setup by Microsoft to allow users to encrypt messages by typing encrypt into the subject line of their email when sending out emails with sensitive information. Since not all users will remember this, I have enabled DLP policies to help catch these emails and encrypt them when needed.


The problem is, these policies don't interact with each other like I thought they would. Even if an email is encrypted, it's still being scanned and flagged by DLP policies. As far as I can tell my only option is to turn on the DLP policies and set the action to "encrypt" anytime the information it's monitoring for is found. Whether the email is already encrypted or not.


Is there anyway to omit emails that have already been encrypted by the end user from being scanned by the DLP policies? Or for the DLP policies to detect that it has been encrypted and just let the email send through without reporting those instances?


It seems like the Encryption rule Microsoft enabled for users to encrypt their own emails is completely pointless if DLP is being utilized. End user training isn't even needed to teach them how to encrypt their own emails, but instead just enable DLP and have it encrypt everything that is being sent out with sensitive information.


Similar to what this user is commenting on: https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/18628825-al...

9 Replies


Did you get anywhere with this?

I am looking into this as well. Super helpful to have a DLP send a notification to the user stating "We have detected information in the message that contains PII, and BLOCK it the first time, please send as an encrypted message and continue to block it until encryption is applied


  I know the safe guards of just encrypting random messages to get around the DLP. 



I figured this out.  You have to add another rule, in position 0, that explicitly does NOTHING to an encrypted email.  The Except Message Type Encrypted does not work. You have to create an additional rule. 




Hi! where did you create the rule in Complaince or Exchange.  Please provide more info on condition and action applied so that we can try,

use PermissionControlled instead of Encrypted.
Encrypted: Encrypted messages.
PermissionControlled: Messages that have specific permissions configured.
PermissionControlled :It is usually the emails that have been controlled by information security management services, such as the previous Active Directory Rights Management Service (RMS) and Azure Information Protection (AIP) service.
Still having this issue in 2023. Following up on where the rule needs to be added like Robin_Poulose mentioned. Please and thank you!
Same, I followed the suggestions the best I can from the post but I'm still not having any luck. Thanks
yes Robin_Poulose if you could tell us where in compliance you created this rule


The key to this is to create a custom DLP policy that looks for the key word(s) in the Subject (in the case below "Secure:").  This policy needs to be in priority 0 and once matched, stops processing additional DLP policies.  See below: