Symantec Encryption Management Server (AKA PGP Server) has the ability to observe keys during its processing operations. Keys that are observed can then be "cached" in the Key Cache on the PGP server. When these keys are cached, they can be used for encryption to help speed up the processes.
When a key is cached, the PGP server may not encrypt to it. This article will discuss why this may be happening.
The PGP server can cache keys in two different methods:
Method 1 - Keyserver: One method is if the PGP server sends a message, it can search external keyservers for the recipient key, and if it finds the key, it will cache the key to the Key Cache.
Method 2 - Mailflow: The other method is via mailflow. If an inbound email is sent, and a key is attached, the PGP server can harvest this key. As an example, if an SMIME message is signed, and the PGP server receives this email as an inbound message, it will cache the key and then put the key in the key cache.
You can tell which method the key was cached, by looking at the "Source" under the Key Cache. For example, the screenshot below shows a key was cached via the mailflow, meaning, an inbound message was received by the PGP server, and the PGP server harvested it:
If a key/certificate was harvested via Method 1 above, then the keys will be used and encrypted to automatically.
If a key/certificate was harvested via Method 2 above, then the key will not be used by default to encrypt, because it will not encrypt to keys that it caches as part of the mailflow. In order to enable the PGP server to encrypt to keys observed in the mailflow, adjust the encryption rule so that it will also look at keys "Observed in the Mailflow" in your encryption mail rule. Enable the shown in the screenshot below: