How to Encrypt Emails Sent from a Designated Source in FortiMail


You want to send emails containing sensitive information, but you’re afraid that someone could intercept the message and read the information.

Thankfully, your FortiMail unit can encrypt all email messages sent from a designated source. For example, you could configure your FortiMail unit to encrypt every email sent from your financial department.

  • Content-based encryption: The FortiMail unit can find key words in an email’s subject header or message body to determine if a message should be encrypted. For example, if you add “Confidential” in your subject header, FortiMail will encrypt the email message.
  • Rule-based encryption: The FortiMail unit encrypts all email sent from specific sources. For example, you could configure FortiMail to encrypt every email sent from the financial department.

This recipe covers rule-based encryption.

To encrypt all emails from a designated source:

Enable the IBE service

  1. Navigate to Encryption > IBE > IBE Encryption.

  2. Enable IBE service and configure the other settings.

Enabling the IBE service.

Configure the encryption profile

  1. Navigate to Profile > Security > Encryption.

  2. Select New.

Creating a new encryption profile.

  3. Enter a descriptive name for the encryption profile in the Profile name text field.

  4. Select IBE from the Protocol dropdown menu.

Note: For more information on additional settings in the Encryption Profile, see the FortiMail Administrator guide. 

  5. Select Create.

Configuring delivery rules

The Delivery tab displays a list of delivery rules that apply to SMTP sessions being initiated by the FortiMail unit in order to deliver email.

  1. Go to Policy > Access Control > Delivery.

  2. Select New.

  3. Enter a complete or partial envelope sender (MAIL FROM:) email address to match in the Sender pattern textbox.

Note: Wild card characters allow you to enter partial patterns that can match multiple sender email addresses. The asterisk (*) represents one or more characters. The question mark (?) represents any single character.

  4. Select your previously created profile in the Encryption profile dropdown menu.
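
A sender pattern that is too broad encrypts mail you did not intend, and one that is too narrow lets sensitive mail leave unencrypted. The Python check below is an added example, not Fortinet code: it applies the wildcard rules from the note above (* is one or more characters, ? is exactly one) to a constructed list of envelope senders. Case-insensitive matching and all addresses are assumptions made for illustration.

```python
import re

def pattern_to_regex(pattern):
    """Translate a sender pattern into an anchored regex.

    Semantics follow the note above: '*' matches one or more
    characters, '?' matches exactly one character.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: addresses are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def audit(pattern, senders):
    """Map each envelope sender to True if the pattern matches it."""
    rx = pattern_to_regex(pattern)
    return {s: bool(rx.fullmatch(s)) for s in senders}

def unexpected(pattern, expected, senders):
    """Return (missed, extra): expected senders the pattern does not
    cover, and matched senders outside the expected set."""
    result = audit(pattern, senders)
    missed = sorted(s for s in expected if not result.get(s, False))
    extra = sorted(s for s, hit in result.items() if hit and s not in expected)
    return missed, extra

# Constructed sample data: envelope senders (MAIL FROM:) seen on the unit.
SENDERS = [
    "alice@finance.example.com",
    "bob@finance.example.com",
    "carol@hr.example.com",
    "finance-news@example.com",
    "no-reply-finance@example.com",
]
# Senders whose mail must be encrypted (the financial department).
EXPECTED = {"alice@finance.example.com", "bob@finance.example.com"}

if __name__ == "__main__":
    for pat in ("*@finance.example.com", "*finance*"):
        missed, extra = unexpected(pat, EXPECTED, SENDERS)
        print(f"{pat!r}: missed={missed} extra={extra}")
```
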

Configure Policies

The last step is to configure a policy to use the content profile.

Depending on whose email you want to encrypt, you can use either the IP-based or recipient-based policies. For example, if you want to apply encryption to everyone’s outgoing email in the whole company, you can create a recipient-based policy that uses * as the sender.

Implementing the newly created policy.