If Encryption Management Server receives an outbound message from a domain that is not listed in the management console under Consumers / Managed Domains, it proxies the message unmodified and does not apply message rules.

This can result in sensitive messages being sent in the clear.

The proxy log contains a message like this where the domain pgptest.co.uk is not a managed domain:

2014/04/23 17:56:57 +01:00  NOTICE pgp/messaging[6517]:       SMTP-00001: message <[email protected]> from [email protected] (1 recipient):
2014/04/23 17:56:57 +01:00  NOTICE pgp/messaging[6517]:       SMTP-00001: recipient 1/1 ([email protected]): passing through unmodified [0x21b2578]

To avoid this issue, ensure that all outbound email domains that may be processed by Encryption Management Server are added in the management console under Consumers / Managed Domains.

Alternatively, Encryption Management Server 3.3.2 MP3 and above can be configured to bounce outbound messages from unmanaged domains. 

Once the new setting is enabled, an entry like this appears in the Mail Log when a message is sent from an unmanaged domain:

2014/08/22 11:12:51 +01:00  NOTICE pgp/messaging[4984]:       SMTP-00000: recipient 1/1 ([email protected]): unmanaged domain blocked: bouncing message from [email protected]

The sender will receive a message from Encryption Management Server explaining that the message bounced. By default, the message subject is "Message undeliverable" and the message contains the recipient's address and the connection ID. The connection ID can be used to search the Mail Log. The Message Template used for the bounce notification is:

Message Bounced -- Internal Server Error

Searching the Message Log for unmanaged domain blocked will reveal how many unmanaged domains have attempted to send email through the Encryption Management Server.

For assistance implementing this configuration change, please contact Symantec Technical Support.