Protecting company emails in Microsoft 365

 

Introduction

The ideal setup when the Safetica Client, Outlook protection, and Exchange protection are active ensures maximum data classification coverage and policy protection across devices, Outlook versions, and your Microsoft 365 environment. When all these protections are active, Safetica allows you to:

• Audit all emails (with or without attachments) sent by your Microsoft 365 users.
• Block emails or notify users before sending emails that violate company policies via Outlook.
• Prevent sensitive attachments from leaving the company network via Outlook.
• Enforce policies both on your devices where Safetica Client is installed and the devices using your Microsoft 365 accounts.
• Have Data classification working to its full extent.
• Analyze email attachments, body, and subject for sensitive content. 
• Evaluate recipients (whether they belong to safe or untrusted destinations).

 

 

---

Prerequisites

For maximum protection:

• Have the Safetica Client installed on the devices you want to protect. Learn more here.
• Connect your Microsoft 365 tenant to Safetica. Learn more here.
• Activate Outlook protection. Learn more here.
• Activate Exchange protection. Learn more here.

 

 

---

How the individual layers protect your company emails

When all three protection layers are active, Safetica protects company email communication in Microsoft 365 like this:

Layer	BYOD/Company-managed devices	What it does	Applies to	Protection provided
Exchange protection	Suitable for BYOD devices (without Safetica Client)	Audits all outbound emails sent through Exchange Online.   Can analyze sensitive content in the email body and subject.   Can audit attachments based on Existing classification.	All users accounts under the connected tenant	Log
Outlook protection	Suitable for BYOD devices (without Safetica Client)	Adds the ability to protect emails instead of only auditing them.   Can analyze sensitive content in email body and subject.   Can protect attachments based on Existing classification.	Outlook on the web; Outlook for Windows (version 2206, build 15330.20196, or newer); Outlook for Mac (version 16.65.827.0 and newer)	Everything in the previous layer plus: Notify · Block with override · Block
Safetica Client	Company-managed devices only	Full local data classification and policy protection of emails and attachments.	Outlook Classic; Outlook on the web; Outlook for Windows; Non-M365 accounts in Outlook; Outlook for Mac (only with Outlook protection activated); Other email clients such as Apple Mail app or clients using SMTP/POP3/IMAP protocols	Everything in the previous layer plus: Full featured data classification and policy protection

 

 

---

Exchange protection: Basic audit of email communication including BYOD devices (without Safetica Client) and mobile devices

Exchange protection provides basic visibility into all outbound email communication in Exchange Online. It audits every email (with or without attachments) sent by your Microsoft 365 users.

 

How it works

1. A user sends an email through Exchange Online.
2. Exchange sends it to the intended destination.
3. Exchange adds Safetica to the email as a hidden (BCC) recipient – so a copy of every sent email is sent also to Safetica Cloud Protection. Since Safetica is added as a hidden recipient in Exchange Online, it is never visible to the email sender.
4. Safetica analyzes the email body and subject for sensitive content and extracts key metadata, such as sender and recipients, attachment Existing classification, email body and attachment size, or timestamps.
5. Safetica creates a DLP record.

 

Retention details

Type	Duration
Emails & attachments	Deleted immediately after processing (within seconds), 7 days at maximum
Records	Kept only until Safetica syncs them to your database (every 5 minutes for cloud, more often on-premises).

 

Exchange protection limitations

• Supports only Exchange Online (not Exchange On-Premises or Exchange in hybrid deployment).
• Audits only sent emails (not inbound messages).
• Shadow copies are not supported for email.
• Supports only auditing (i.e., logging policies). If you have blocking or notification policies for email, you must activate Outlook protection to extend them into Microsoft 365 environment. Otherwise, Safetica will only log the emails.

 

 

---

Outlook protection: Basic policy protection for BYOD devices (without Safetica Client) and Outlook for Mac

Outlook protection adds basic email protection:

• Audit and block emails that violate company policies before they are sent. You can also use Block (with override) to allow selected users to override applied restrictions.
• Notify users about potential policy violations before sending emails.
• Analyze email body and subject for sensitive content.
• Control email attachments based on Existing classification. 

Outlook protection supports the following Outlook versions via an Outlook add-in:

• Outlook on the web
• Outlook for Windows (desktop version 2206 (Build 15330.20196) and newer)
• Outlook for Mac (desktop version 16.65.827.0 and newer)

 

How it works

1. Outlook add-in intercepts outgoing emails from Outlook on the web, Outlook for Windows, or Outlook for Mac.
2. Analyzes email body and subject for data classifications based on sensitive content.
3. Controls email attachments based on Existing classification.
4. Verifies recipients against company-defined safe or untrusted domains.
5. Applies policies configured for Email.
6. Processing usually takes less than 5 seconds.

Example: If a file was previously classified by a tool that added classification identifiers into it (e.g. Microsoft MIP, Boldon James, or Tukan GREENmod), these identifiers will persist even when the file is transferred into the cloud, changed in the cloud, or has never been on a device with Safetica Client. Outlook protection can work with such classifications.

 

Outlook protection limitations

• Shadow copies are not supported for email.
• Protects only Microsoft 365 accounts in your connected tenant.
• Does not protect non-Microsoft 365 tenants and accounts (SMTP, POP3, or IMAP).
• 🍏 macOS: Outlook for Mac user notifications are in Beta due to Microsoft API limitations. 

 

Known issues

Learn more about the known issues in Outlook protection here.

 

 

---

Safetica Client: Full-featured local protection on managed Windows devices

The Safetica Client is the foundation for data protection on company-managed devices. It ensures that full-featured classifications and policies are applied before emails leave devices.

 

How it works

1. The Safetica Client intercepts outgoing emails from supported email clients such as Outlook Classic, Outlook for Windows, or Outlook on the web.
2. Analyses the email subject, body, and attachments for matching data classifications. Works with the full extent of data classifications available in Safetica.
3. Verifies recipients against company-defined safe or untrusted domains.
4. Applies policies that can:

• • Log or block emails.
  • Notify users about possible policy violations.
  • Allow users to override the block action (if allowed by admins).
    • 🍏macOS: You need to have the Outlook protection activated to be able to override blocking email policies. 

 

Safetica Client limitations

• Does not cover Outlook for Mac - Outlook protection must be activated.

1. When a user sends an email from Outlook for Mac, the Outlook add-in communicates with Safetica Client.
2. Safetica Client analyses data classifications and recipients and applies policies.
3. Processing usually takes less than 5 seconds.

 

 

---

What exactly is protected

Area	Protection when all three layers are active	Description	Requirements
Email body and subject	Full data classification and policy protection	Prevent sending sensitive data in email body or subject	At least Exchange protection needed for sensitive content analysis and audit.   At least Outlook protection needed for sensitive content analysis and protection (blocking and notifying).   Safetica Client needed for full data classification and policy protection.
Recipients	Checked against safe/untrusted destinations	Ensures emails are sent only to approved users or domains.	At least Exchange protection needed to audit recipients.   At least Outlook protection needed for recipient protection (blocking and notifying).
Email attachments	Full data classification and policy protection	Prevents sending sensitive files	At least Exchange protection needed to audit attachments based on Existing classification.   At least Outlook protection needed to protect attachments based on Existing classification.   Safetica Client needed for full data classification and policy protection.

 

 

---

Supported email clients and protocols

Platform	Supported clients	Requirements	Protection provided
Mobile phones and tablets	Any	Exchange protection	Log only
macOS (desktop)	Outlook for Mac (v16.65.827.0+)	At least Exchange protection for auditing.	Log
		At least Outlook protection for basic analyzing and protecting (blocking and notifying).	All above + Notify · Block with override · Block
		Outlook protection + Safetica Client for full data classification and policy protection.	All above + Full classification
Windows (desktop)	Outlook Classic (2016–2021)	Safetica Client	Log · Notify · Block · Block with override
	Outlook for Windows (v2206+, build 15330.20196)	At least Exchange protection for auditing.	Log
		At least Outlook protection for basic analyzing and protecting (blocking and notifying).	All above + Notify · Block · Block with override
		Safetica Client for full data classification and policy protection.	All above + Full classification
Web	Outlook on the web (only accounts from the synced M365 tenant)	At least Exchange protection for auditing.	Log
		At least Outlook protection for basic analyzing and protecting (blocking and notifying).	All above + Notify · Block with override · Block
		Safetica Client for full data classification and policy protection. 🍏macOS: You need Outlook protection + Safetica Client for full data classification and policy protection.	All above + Full classification
Other protocols	SMTP, POP3, IMAP clients	Safetica Client	Log · Notify · Block 🪟Win only: Block with override Full classification
	Non-Microsoft 365 accounts in Outlook

 

 

---

General limitations

• We protect non-Microsoft 365 accounts added to Outlook (e.g. a Gmail account) only on devices with Windows and Safetica Client newer than 11.23.
• 🍏macOS: Legacy Outlook is not supported.

• Other email clients, such as Apple Mail app or clients using SMTP/POP3/IMAP protocols may also be supported, but Safetica Client is required for their protection.

 

 

---

FAQ

Q: What does Safetica protect for email if there is no Safetica Client?

A: For BYOD devices without Safetica Client, you may activate Exchange protection and/or Outlook protection.

Exchange protection: Audits outbound emails sent through Exchange Online, analyzes sensitive content in body and subject, and analyzes attachments based on Existing classification.

Outlook protection: Protects (i.e., notifies, blocks) emails sent via the new Outlook for Windows, Outlook for Mac, and Outlook on the web. You can enforce general policies (without specific data classifications). You can also analyze sensitive content in email body and subject. Attachments are evaluated based on Existing (3^rd party) classification only (e.g., MIP labels). Recipients are evaluated (if they belong to safe destinations or not).

For details, please refer to the tables How the individual layers protect your company emails, What exactly is protected, and Supported email clients and protocols.

 

Q: What does Safetica protect for email if there is only Safetica Client installed on the device?

A: Safetica can protect emails sent via Outlook Classic, Outlook for Windows, and Outlook on the web. Data classification works as usual and to its full extent. All email attachments, body, and subject are analyzed for sensitive content. Recipients are evaluated (if they belong to safe destinations or not).

• With Outlook protection activated: On devices with Safetica Client, Outlook protection adds the protection of emails sent via Outlook for Mac.

 

Q: What does Safetica protect on mobile phones? Can I block emails sent via a mobile phone or tablet?

A: No, on mobile phones and tablets, you can only audit outgoing emails sent through Exchange Online (including sensitive content in body and subject, and attachments based on Existing classification), but you cannot block them. You must have Exchange protection active for this.

 

Q: Can we apply blocking policies to mobile devices if emails are routed through Exchange Online?

A: No, because Outlook protection (Outlook add-in) is not supported on mobile devices. You can only audit operations based on Exchange protection.

 

Q: On BYOD devices (devices without Safetica Client), does Outlook protection (Outlook add-in) check for sensitive data in email messages or in attachments?

A: On BYOD devices (devices without Safetica Client), the Outlook protection (Outlook add-in) analyzes the email subject and body for sensitive data. It can also control attachments based on Existing (3^rd party) classification (but cannot analyze sensitive content in attachments).

On company-managed devices (with Safetica Client installed), email attachments, body, and subject are under full data classification (including analyzing sensitive content ) and policy protection.

 

Q: On BYOD devices (devices without Safetica Client), is it true that email blocking is possible for the new Outlook on the web and Outlook for Windows, but not for Outlook Classic?

A : Yes. On BYOD devices (devices without Safetica Client), email blocking only works for Outlook on the web and the Outlook for Windows. It doesn't work in Outlook Classic. Only audit will work for Outlook Classic.

 

Q: Do I need to use the MAPI add-in for Outlook for Windows?

A: No, the MAPI add-in that was used for Outlook Classic, cannot be used for the new Outlook for Windows.

 

Q: I have added my personal email account (e.g., Gmail) to Outlook on a company laptop (with Safetica Client). What does Safetica protect?

A: In such a case, Safetica provides full local data classification and policy protection of emails and attachments.