The last gate before anything leaves
Detect card numbers, government IDs, and secrets in outbound mail — then block, redact, or hold for a second person's sign-off. Fails closed, checked twice.
Outbound mail, inspected on the way out
Email DLP here is an enforcement point, not an after-the-fact report: an outbound data-loss-prevention gateway that fails closed — card numbers, government IDs, and secrets can be blocked, redacted, or held for a second person's sign-off before anything leaves.
How it works
- Define a policy: which detectors — card numbers, government IDs, secrets and API keys — apply to which mail.
- Choose the action per rule: block outright, redact the match and send, or require TLS for delivery and hold the message when that can't be assured.
- Held messages need a second person. Maker-checker release means the sender can't approve their own exception.
- Evaluation happens twice: at admission and again at send time, so nothing that changed in between — a template edit, a variable value — can slip past the first check.
The failure behavior is the headline: an evaluator error blocks rather than leaks. And until you define a policy, the gateway is inert — no latency tax, no surprise blocks.
The evidence
admission --[DLP evaluate]--> durable queue --[DLP re-evaluate]--> send
error? block error? blockThe second evaluation exists because time passes between accepting a message and sending it. Whatever changed in that window faces the policy again before anything leaves.
Honest limits
Detectors match structure, and structure has lookalikes — a sixteen-digit order number can trip a card-number check, so expect a tuning period with false positives. Maker-checker adds human latency to held mail by design; the pause is the control functioning. And fail-closed means an evaluator bug stops your mail instead of leaking your data — availability traded for containment, deliberately.
Where to go next
DLP composes with customer-held keys — one governs what leaves, the other who can read what's stored — and with the compliance machinery around both. The enterprise door shows the full control set, and if you're weighing security-first vendors, the Paubox comparison is the relevant one.
Questions, answered plainly
What can the detectors find?
Card numbers (PANs), government identifiers such as SSNs, and secrets — API keys and credentials. Detectors apply according to the policy you define; without one, the gateway is inert.
Who releases a held message?
A second person. Maker-checker release means the sender can't approve their own exception — the four-eyes control regulators mean when they say separation of duties.
Does DLP slow sending if we don't use it?
No — the gateway is inert until you define a policy. No policy, no evaluation, no latency, no surprise blocks.
What happens if the policy evaluator itself errors?
The message is blocked: an outbound data-loss-prevention gateway that fails closed — card numbers, government IDs, and secrets can be blocked, redacted, or held for a second person's sign-off before anything leaves. An evaluator failure stops mail rather than leaking data — fail-closed is the design invariant, not a configuration option.