DLP Network Prevent for Email Server is analyzing the duplicate emails from Messaging Backbone even NPE advance setting L7.discardDuplicateMessagesis is set to FALSE to avoid duplicate incidents.

Release: 15.x

Component: DLP Network Prevent for Email

Enable incident reconciliation on the Enforce Server computer on Windows

1. On the computer that hosts the Enforce Server, log on as Admin.
2. Change directory to C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config.
3. Open the IncidentPersister.properties file.
4. Change persister.enable.incident.reconciliation=false to equal true -> persister.enable.incident.reconciliation=true
5. Restart the Symantec Data Loss Prevention services as appropriate for your version of Windows services on the server computer.

Incident reconciliation should be enabled if the upstream MTA splits emails, whether that is based on domain or internal vs external recipient or other criteria. Setting discardDuplicateMessages to FALSE (which is default for NPE) makes sure that when these split emails are received we do detection on all parts of them, where as incident reconciliation caches the incidents from SMTP and merges incidents from split emails. It is commomn in cloud based MTAs like O365 and Gmail, but some other MTAs seem to do this as well.