Email remains one of the most common channels for unintentional or unauthorized data exposure. To help organizations protect sensitive information shared over email, Cisco provides Email Data Loss Prevention (DLP) capabilities through the integration of Cisco Secure Access (SA) and Cisco Email Threat Defense (ETD).
In this architecture, all Email DLP policy creation, configuration, and enforcement actions are performed in Cisco Secure Access. Cisco Email Threat Defense provides email visibility and message tracking, while Cisco Secure Access serves as the policy engine for defining DLP rules and enforcement behavior.
This article explains how to create an Email DLP policy in Cisco Secure Access, using either a pre-defined DLP template or a custom DLP template.
Before beginning the configuration process, ensure the following requirements are met:
Important: Although this solution uses both Cisco Secure Access and Cisco Email Threat Defense, all Email DLP rule configuration steps described in this article are performed only in Cisco Secure Access.
To successfully implement an Email DLP policy, the following components are utilized:
When creating an Email DLP policy in Cisco Secure Access, you can configure:

NOTE: In the above picture, the exchange server is O365, but this DLP configuration can be done on any exchange server that supports SMTP.
NOTE: To integrate Cisco Email Threat Defense and Cisco Secure Access through the API, refer to the article "Steps to integrate Cisco Email Threat defense(ETD) with Cisco Secure Access:".
Configure an Email DLP Policy in Cisco Secure Access
Sign in to the Cisco Secure Access (SA) console using an administrator account with the required permissions.
From the Secure Access dashboard, navigate to:
Secure > Policy > Data Loss Prevention Policy > Add Rule > Email DLP Rule
This opens the Add New Email Rule page.
Cisco Secure Access provides two methods to create an Email DLP rule:
Figure 1. Navigate to Email DLP Rule creation
Navigate to the ADD RULE > Email DLP Rule window.
In the Add New Email Rule window, enter the following details:
Rule Name
Enter a descriptive name for the Email DLP rule.
Description
Provide a brief summary of the purpose of the rule.
Severity
Select the appropriate severity level for the policy:
These fields help categorize the rule for administration, reporting, and operational visibility.

Under Data Classifications, select the pre-defined DLP template that will be used to inspect email content for potential DLP violations.
Next, choose where the selected classifications should be matched. Supported inspection locations include:
This allows the policy to inspect both message content and attachments for sensitive information.

Under Files Control, configure the file-based inspection criteria for the rule.
This includes support for:
These settings are useful when DLP enforcement must consider sensitivity labels or metadata associated with attached files.

In the Senders section, specify which senders the policy applies to.
Available options include:
This enables you to apply the rule broadly or restrict it to selected users or groups.

In the Recipients section, choose the users or groups that should be included or excluded from policy evaluation.
Available options include:
This helps tailor policy enforcement based on intended recipients.

In the Action section, choose how Cisco Secure Access should handle emails that are positively identified as violating the DLP rule.
Available actions are:
Monitor
The email is allowed, and the event is logged for visibility and reporting.
Block
The email is dropped to prevent the transmission of sensitive data.

Note: At present, positively identified emails can either be allowed through the Monitor action or dropped through the Block action.
Important: Email DLP actions are configured only in Cisco Secure Access. If an email is blocked by Secure Access, the event is also visible in Cisco ETD message tracking.
The notification option is available only for the recipients.
Under User Notifications, configure whether users should be notified when an email matches the DLP policy.
There is an option to notify "Actor's Manager" or a "Custom Recipient". A "Custom Recipient" can be anyone.
Change the email message template from Default to a Custom notification as needed.
If enabled, notifications can help improve user awareness and reduce repeated policy violations. Configure this setting according to your organization’s operational and compliance requirements.
User notifications are a powerful tool for promoting security awareness and ensuring compliance. By alerting users or administrators when an email triggers a DLP policy, you can provide immediate feedback and context regarding the violation.
Note: Notification settings are primarily intended for the email recipients and designated stakeholders.
To configure notifications:
Best Practice: Enabling these notifications is an effective way to reduce repeat policy violations by educating users in real-time about sensitive data handling procedures.

Note: Notification options may vary based on tenant configuration and policy settings.
After completing the rule configuration:
The Email DLP policy is now active in Cisco Secure Access.
Creating a custom DLP template involves two primary phases: defining a Custom Identifier and configuring the Data Classification.
Note: The Data Classification engine is highly flexible, allowing you to build policies using a single Custom Identifier or a combination of Custom and Pre-defined Identifiers linked by AND/OR boolean operators.
To define a new data pattern for detection, follow these steps:

Once your Custom Identifier is saved, you can integrate it into a Data Classification object:

This configuration ensures that your organization can detect sensitive information tailored specifically to your internal data structures and compliance requirements.
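A local model of the classification logic described above, for dry-running a custom pattern and its AND/OR linkage against sample messages before a rule is set to Block. This is an added example, not Cisco code or the Secure Access engine; the `PRJ-` pattern, the identifier function names, the `NoMatch` label, and the sample emails are constructed assumptions.

```python
import re

# Hypothetical custom identifier: internal project codes such as PRJ-2024-00417.
PROJECT_CODE = re.compile(r"\bPRJ-\d{4}-\d{5}\b")
# Stand-in for a pre-defined identifier: 13-16 digit card numbers, Luhn-checked.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(number):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()][::-1]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def has_project_code(text):
    return bool(PROJECT_CODE.search(text))

def has_card_number(text):
    return any(luhn_ok(m.group()) for m in CARD_CANDIDATE.finditer(text))

def classify(email, identifiers, operator):
    """Link identifier results with AND or OR over body plus attachment text."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be 'AND' or 'OR'")
    text = "\n".join([email["body"], *email["attachments"]])
    results = [check(text) for check in identifiers]
    return all(results) if operator == "AND" else any(results)

def evaluate(email, identifiers, operator, action):
    """Return the configured action (Monitor or Block) on a match.
    'NoMatch' is this example's own label for mail the rule does not hit."""
    return action if classify(email, identifiers, operator) else "NoMatch"

# Constructed sample messages (not real data); 4111... is a common test number.
SAMPLES = [
    {"body": "Ref PRJ-2024-00417", "attachments": ["card 4111 1111 1111 1111"]},
    {"body": "PRJ-2024-00417 is on track", "attachments": []},
    {"body": "Order 1234 5678 9012 3456", "attachments": []},
]

if __name__ == "__main__":
    ids = [has_project_code, has_card_number]
    for mail in SAMPLES:
        print(mail["body"][:20], "->", evaluate(mail, ids, "AND", "Monitor"),
              "/", evaluate(mail, ids, "OR", "Monitor"))
```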
If the Email DLP rule does not behave as expected, review the following:
Consider the following best practices when deploying Email DLP policies:
Cisco Secure Access is the central platform for configuring Email DLP policies in an integrated Cisco Secure Access and Cisco Email Threat Defense deployment. While ETD provides visibility and message tracking, all DLP rule creation, classification selection, enforcement action, and notifications are configured in Secure Access.
By using either pre-defined or custom DLP templates, administrators can inspect email content and attachments, define sender and recipient scope, and apply Monitor or Block actions to help prevent sensitive data loss through email.
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 22-Jun-2026 | Initial Release |