You can configure your Exchange account to leverage the best of both Microsoft Purview and EchoMark's invisible watermarks on your email and file attachments. This article details how to create a sensitivity label that encrypts a message while also applying invisible watermarks.
Introduction
Server-side message encryption applied through Purview sensitivity labels ensures that email messages cannot be read "in transit" between the original sender and the final recipient. That is, message encryption protects against so-called "man-in-the-middle" attacks.
However, since EchoMark manipulates the content of messages, it needs access to an unencrypted message to operate. This means that message encryption must be removed and then reapplied so that EchoMark can apply invisible watermarks.
The guide below details the process needed to apply a sensitivity label to email, remove encryption, apply watermarks, then reapply encryption.
1. Configure EchoMark integration
Before applying DRM/DLP on top of EchoMark's invisible watermarks, you'll need to configure an email integration in Exchange, if you haven't already, making sure to complete the final step and implement a mail flow rule to mark your email.
2. Create a mail flow rule to remove encryption
It's important that this rule is applied before the rule you created to route mail through EchoMark in Step 1. Set the priority of your mail flow rules so that this rule runs immediately before the EchoMark routing rule.
- Navigate to Exchange Admin Center > Mail flow > Rules
- Press Add a rule, then Create a new rule
- Set the following conditions:
Name: Remove Purview Access Control
Apply this rule if: The sender is external/internal: InOrganization
Do the following: Modify the message security... > Remove Office 365 Message Encryption...
And: Modify the message security... > Remove attachment rights protection applied by...
Except if: The message headers... includes any of these words: the 'x-personalized-for' message header includes 'recipient'
- Press Next and then Save the rule.
3. Get sensitivity label ID(s)
In order to reapply encryption comprehensively, you'll need the sensitivity label ID of every sensitivity label you use within Exchange. Repeat this step and step 4 once for each label.
- Open Outlook and start a new message.
- Add yourself to the To line, add a subject, and apply the sensitivity label you created in the previous steps from the sensitivity label menu.
- Send the message to yourself.
- Open the message, then choose Save as... from the More menu to save the message as a .eml file on your computer.
- Locate the file on your computer and open it using a plain text editor like Notepad or TextEdit.
- Search the file using Ctrl-F (Cmd-F on Mac) for "msip_labels", then look for the label id that has "Enabled=true" next to it. Copy this entire text string to use in your mail flow rule.
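Searching the .eml by hand works, but the msip_labels header is usually folded across several lines and carries one attribute per label GUID, so it is easy to copy the wrong piece. The script below is an added example (not EchoMark's or Microsoft's code) that unfolds the header and returns every "MSIP_Label_<GUID>_Enabled=true" token; the embedded sample message and its GUID are constructed placeholders, not a real label ID.

```python
import email
import re
import sys
from pathlib import Path

# Header written by Purview when a sensitivity label is applied to a message.
HEADER = "msip_labels"

# Match the exact token the mail flow rule in step 4 needs, capturing the GUID too.
ENABLED_RE = re.compile(
    r"(MSIP_Label_"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"_Enabled=true)",
    re.IGNORECASE,
)

# Constructed sample .eml for offline use; the GUID is a placeholder, not a real label ID.
SAMPLE_EML = b"""From: alice@example.com
To: alice@example.com
Subject: label test
msip_labels: MSIP_Label_11111111-2222-3333-4444-555555555555_Enabled=true;
 MSIP_Label_11111111-2222-3333-4444-555555555555_SetDate=2024-01-02T03:04:05Z;
 MSIP_Label_11111111-2222-3333-4444-555555555555_Method=Standard;
 MSIP_Label_11111111-2222-3333-4444-555555555555_Name=Confidential
Content-Type: text/plain

Body text is irrelevant for label extraction.
"""


def enabled_label_tokens(raw_eml: bytes) -> list[tuple[str, str]]:
    """Return (label GUID, exact 'MSIP_Label_<GUID>_Enabled=true' token) pairs.

    The token is the string to paste into the header condition of the
    reapply-encryption rule; an empty list means the message carries no label.
    """
    msg = email.message_from_bytes(raw_eml)
    found: list[tuple[str, str]] = []
    for value in msg.get_all(HEADER) or []:
        # Unfold RFC 5322 continuation lines (CRLF followed by whitespace).
        unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
        for token, guid in ENABLED_RE.findall(unfolded):
            pair = (guid.lower(), token)
            if pair not in found:  # a label's attributes repeat the GUID; keep one entry
                found.append(pair)
    return found


if __name__ == "__main__":
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_EML
    for guid, token in enabled_label_tokens(raw):
        print(f"{guid}\t{token}")
```

Run it with the path of the saved .eml as the only argument; with no argument it processes the constructed sample.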
4. Create a mail flow rule to reapply encryption
It's important that this rule is applied after the rule you created to route mail through EchoMark in Step 1. Set the priority of your mail flow rules so that this rule runs immediately after the EchoMark routing rule.
As noted in step 3, you'll need to repeat step 3 and this step for each sensitivity label that you're using in your email setup.
- Navigate to Exchange Admin Center > Mail flow > Rules
- Press Add a rule, then Create a new rule
- In the rule conditions set a name corresponding to the security label you're reapplying encryption for.
- Under Apply this rule if, choose The message headers... and then includes any of these words. Set the message header to msip_labels, then paste the id string you copied in step 3 as the words to match.
- Under Do the following, choose Modify the message security, and then Apply Office 365 Message Encryption... Then select the RMS template corresponding to the sensitivity label you used in step 3.
- Press Next, then press Save to apply the rule.
- Finally, using priority level, ensure that this mail flow rule is listed after the mail flow rule that routes messages through EchoMark so that it executes in that order.