Understanding Delivery Hops in SMG-DLP Integration

Article ID: 438123

Products

Messaging Gateway

Issue/Introduction

When Symantec Messaging Gateway (SMG) is integrated with Data Loss Prevention (DLP), and the setting "Enable bypass when all DLP servers are unreachable" is active, you may notice unusual routing patterns in the Message Audit Logs (MAL).

Understanding these delivery "hops" is critical for verifying whether your outbound mail is being successfully scanned for sensitive data or if it is bypassing your security controls due to connectivity issues.

Resolution

Log Patterns & Interpretation

The Delivery section of the Message Audit Logs will show different destination IP addresses depending on the health of the connection to the DLP server.

1. Normal Flow (DLP Scanning Active)

If SMG successfully connects to the DLP server, the message is handed off for inspection before final delivery.

  • Log Sequence: You will see a delivery attempt to the DLP Server IP Address, followed by a delivery to the Recipient’s Mail Server IP.

  • Result: The message was successfully inspected.

2. Bypass Flow (DLP Unreachable)

If SMG cannot establish a connection with any configured DLP servers, the bypass mechanism triggers to prevent mail queueing or loss.

  • Log Sequence: You will see a delivery attempt made to the IP address of the SMG Scanner itself (Loopback), followed by the delivery to the Recipient’s Mail Server IP.

  • Result: The message bypassed DLP inspection. The internal "hop" to its own IP indicates the SMG has re-injected the message into the local delivery queue after failing to reach the DLP cluster.
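The two hop patterns above can be checked in bulk rather than message by message. The following is an added example, not Symantec code: the record layout (an audit ID plus the ordered delivery destination IPs), the IP addresses and the function names are all constructed assumptions, so adapt the input to however you export Message Audit Log data.

```python
from collections import Counter

DLP_SERVERS = {"10.0.5.20", "10.0.5.21"}  # assumption: your DLP server IPs
SCANNER_IPS = {"10.0.1.10"}               # assumption: the SMG scanner's own IP

# Constructed sample: (audit ID, delivery destination IPs in log order).
SAMPLE = [
    ("msg-001", ["10.0.5.20", "203.0.113.25"]),  # DLP hop, then recipient MTA
    ("msg-002", ["10.0.1.10", "203.0.113.25"]),  # self hop, then recipient MTA
    ("msg-003", ["10.0.5.21", "198.51.100.7"]),
    ("msg-004", ["10.0.1.10"]),                  # re-injected, not yet delivered
    ("msg-005", ["198.51.100.7"]),               # no intermediate hop recorded
]

def classify(hops):
    """Classify one message from its ordered delivery hops."""
    internal = DLP_SERVERS | SCANNER_IPS
    # The last hop must be the recipient's mail server for a final verdict.
    if not hops or hops[-1] in internal:
        return "incomplete"
    if len(hops) < 2:
        return "unknown"
    previous = hops[-2]  # the hop immediately before final delivery decides
    if previous in DLP_SERVERS:
        return "scanned"
    if previous in SCANNER_IPS:
        return "bypassed"
    return "unknown"

def summarize(records):
    """Return (verdict counts, audit IDs that bypassed DLP)."""
    counts = Counter()
    bypassed = []
    for audit_id, hops in records:
        verdict = classify(hops)
        counts[verdict] += 1
        if verdict == "bypassed":
            bypassed.append(audit_id)
    return dict(counts), bypassed

if __name__ == "__main__":
    counts, bypassed = summarize(SAMPLE)
    print(counts)
    print("bypassed DLP:", bypassed)
```

A non-empty bypass list for outbound mail is the signal to check connectivity between the scanner and the DLP servers for the affected time window.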