
Cannot bounce messages to internal users who do not have Desktop Email Encryption installed


Article ID: 238717




Desktop Email Encryption, Encryption Management Server, Gateway Email Encryption


Encryption Management Server can be used to manage Desktop Email Encryption users and, if it is licensed to do so, it can encrypt and decrypt messages itself. In other words, it can operate in Gateway Email Encryption mode.

A user who does not have Desktop Email Encryption installed may still have a key on Encryption Management Server, in which case the server encrypts and decrypts messages on behalf of that user.

This represents a problem if some internal users do have Desktop Email Encryption installed:

  1. A user with Desktop Email Encryption sends an encrypted message to multiple internal users, some of whom do not have Desktop Email Encryption.
  2. Because the recipients without Desktop Email Encryption have a valid key, the message is encrypted to all recipients.
  3. Because the recipients are internal, the message does not pass through Encryption Management Server. It is encrypted on the desktop and processed only by Microsoft Outlook and Exchange.
  4. The users without Desktop Email Encryption receive an encrypted message but have no method of decrypting it.


Desktop Email Encryption prior to release 10.5.1.


Upgrade to release 10.5.1 or above.

In release 10.5.1, functionality was added to allow messages sent by Desktop Email Encryption to be processed based on the recipient's consumer policy.

For example, if users who do not have Desktop Email Encryption installed are in a consumer group associated with a specific consumer policy, a rule can be added to Mail Policy in order to bounce messages sent to such users:

  1. In the Encryption Management Server management console, navigate to Mail / Mail Policy.
  2. Click on Outbound: Secure Message.
  3. Click on the Add Rule button.
  4. Give the rule a Name. For example, Bounce to Gateway only users.
  5. Optionally give the rule a Description. For example, Bounce encrypted mail sent from Desktop Email Encryption users to Gateway only users.
  6. Create the Conditions. Select If all of the following are true so that the rule matches only when every condition is true.
  7. The first condition will be Application is internal Symantec Encryption Desktop.
  8. If the Gateway only users are in a policy called Gateway, the second condition may be Recipient consumer policy is Gateway.
  9. Click on the Action tab and choose Bounce message.
  10. From the Policy Chain: Outbound: Secure Message page, change the priority of the rule to 1 so that it is evaluated first.

Now, if a user with Desktop Email Encryption sends an encrypted message to multiple internal users, some with Desktop Email Encryption and some without, the message will bounce only for those recipients who do not have Desktop Email Encryption.

Additional Information