The setting "All recipient must match (Email only)" is confusing and difficult to understand.
Symantec Data Loss Prevention (DLP) Network Prevent for Email
Symantec Data Loss Prevention (DLP) Cloud Prevent for MS Office 365
Here we explain a number of test cases which demonstrate how the setting works.
Email Test | Recipients | Incident
--- | --- | ---
1 | [email protected], [email protected], [email protected] | Yes
2 | [email protected], [email protected] | Yes
3 | [email protected] | Yes
Email Test | Recipients | Incident
--- | --- | ---
1 | [email protected], [email protected], [email protected], [email protected] | No
2 | [email protected], [email protected], [email protected] | No
3 | [email protected], [email protected] | No
The other setting, “At least (#) recipient must match”, behaves differently. With that option enabled and # = 1, the results are as follows:
Email Test | Recipients | Incident
--- | --- | ---
1 | [email protected], [email protected], [email protected], [email protected] | Yes
2 | [email protected], [email protected], [email protected] | Yes
3 | [email protected], [email protected] | Yes
4 | [email protected] | No
In that case, the email needs to contain at least 1 of the 3 recipients [email protected], [email protected], [email protected]. It can also include other recipients outside of those listed in the rule and still trigger an incident, whereas with “All recipient must match” it cannot.
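The two modes can be modeled as set operations. The sketch below is an added example, not Symantec code or anything from the original article, and it reproduces the Yes/No pattern of the three tables. All addresses are constructed, and it assumes that the "No" rows come from a recipient (`dave@example.org`) who is not listed in the rule, and that an empty recipient list never matches.

```python
# Simplified model of the two recipient-match modes described above.
# Illustration only: not Symantec DLP code; every address is constructed.

RULE_RECIPIENTS = {"alice@example.com", "bob@example.com", "carol@example.com"}


def _normalize(addresses):
    """Trim and lower-case addresses (an assumption of this model)."""
    return {a.strip().lower() for a in addresses if a.strip()}


def all_must_match(recipients, rule=RULE_RECIPIENTS):
    """Incident only if every recipient of the message is listed in the rule."""
    rcpts = _normalize(recipients)
    # Assumption: a message with no recipients does not match.
    return bool(rcpts) and rcpts <= _normalize(rule)


def at_least_must_match(recipients, n=1, rule=RULE_RECIPIENTS):
    """Incident if at least n recipients are listed; unlisted extras are allowed."""
    return len(_normalize(recipients) & _normalize(rule)) >= n


def evaluate(cases, matcher):
    """Return the Incident column ("Yes"/"No") for a list of recipient lists."""
    return ["Yes" if matcher(case) else "No" for case in cases]


A, B, C = "alice@example.com", "bob@example.com", "carol@example.com"
OUTSIDER = "dave@example.org"  # constructed address that is not in the rule

LISTED_ONLY = [[A, B, C], [A, B], [A]]                            # first table
WITH_OUTSIDER = [[A, B, C, OUTSIDER], [A, B, OUTSIDER], [A, OUTSIDER]]  # second table
AT_LEAST_CASES = WITH_OUTSIDER + [[OUTSIDER]]                     # third table

if __name__ == "__main__":
    print("All must match, listed only:  ", evaluate(LISTED_ONLY, all_must_match))
    print("All must match, with outsider:", evaluate(WITH_OUTSIDER, all_must_match))
    print("At least 1 must match:        ", evaluate(AT_LEAST_CASES, at_least_must_match))
```

For policy review, the model shows the practical difference: under "all must match" a single unlisted recipient means no incident is created, while "at least 1" still creates one.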