Outbound Data Loss Prevention (DLP)

Compatibility

Outbound DLP is only compatible with Microsoft 365.

Outbound Data Loss Prevention ensures the protection of sensitive information in outbound emails with Cloudflare Data Loss Prevention (DLP). Outbound Data Loss Prevention integrates with your inbox, and it proactively monitors your email to prevent unauthorized data leaks.

Get started

To begin using outbound DLP, install the Cloudflare add-in in Microsoft 365:

1. In Zero Trust ↗, go to Email Security > Outbound DLP.
2. In Protect sensitive data in outbound emails, select Get started.
3. Select Download add-in to download the Cloudflare add-in.
4. Configure Microsoft 365 to use the Cloudflare add-in:
   1. In the Microsoft 365 Apps admin center ↗, go to Microsoft 365 Admin Center > Settings > Integrated Apps.
   2. Select Upload custom apps. For the application type, choose Office Add-in.
   3. Select Upload manifest file (.xml) from device.
   4. Upload the Cloudflare add-in file.
   5. Verify and complete the wizard.
5. Confirm the Cloudflare add-in was configured in Microsoft 365.

After configuring the Cloudflare add-in in Microsoft 365, you can select Add a policy to create an outbound DLP policy.

Note

The Cloudflare add-in can take up to 24 hours to propagate after install.

Create an outbound policy

An outbound policy allows you to control outbound email flow.

To create an outbound DLP policy:

1. In Zero Trust ↗, go to Email Security > Outbound DLP.

2. Select Add a policy.

3. Name your policy.

4. Build an expression to match specific email traffic. For example, you can create a policy that blocks outbound emails containing identifying numbers:

   Selector	Operator	Value	Logic	Action
   Recipient email	not in	example.com	And	Block
   Matched DLP profile	in	Social Security, Insurance, Tax, and Identifier Numbers

5. (Optional) Choose whether to use the default block message or a custom message.

6. Select Create policy.

After creating your policy, you can modify or reorder your policies in Email Security > Outbound DLP.

Selectors

Selector	Description
Recipient email	The intended recipient of an outbound email.
Email sender	The user in your organization sending an email.
Matched DLP profile	The DLP profile that content of an email matches upon scan.

DLP Assist add-in

The Data Loss Prevention (DLP) Assist add-in allows Microsoft O365 users to deploy a DLP solution for free using Cloudflare's Email Security.

To set up DLP Assist add-in:

1. In Zero Trust ↗, go to Email Security > Outbound DLP.
2. Select View Microsoft add-in instructions > Select Download add-in. This downloads a .xml file necessary to install the add-in on the client side.
3. Set up the add-in in Microsoft 365:
   • Log in to the Microsoft admin panel ↗ and go to Microsoft 365 Admin Center > Settings > Integrated Apps.
   • Choose Upload custom apps and select Office Add-in for the application type.
   • Select Upload manifest file (.xml) from device.
   • Upload the Cloudflare add-in file you downloaded in step three. Then, verify and complete the wizard. It can take up to 24 hours for an add-in to propagate.

The add-in works by inserting headers into the EML ↗ on the client side before the message is sent out.

To block, encrypt, or send approval, you can configure rules within Microsoft Purview DLP:

1. Go to Microsoft Purview ↗.
2. Select Policies > Create policy.
3. Do not choose any templates or custom policy. Select Next.
4. Choose a name and description for the policy: You can choose any name. However, this guide will use Cloudflare Assist Block.
5. Select Next on Admin Units:
   • Choose to only apply to Exchange Email.
   • Choose Create or customize advanced DLP Rules.
6. Select Create rule:
   • Create a policy name.
   • Add the following conditions:
     • Header contains words or phrases: Key: cf_outbound_dlp with Value: BLOCK
     • Select AND.
     • Content is shared from Microsoft 365: Select with people from outside my organization.
7. Under Actions, the admin can choose what to do with the message. You can use the Restrict access or encrypt the content in Microsoft 365 locations to block the message or encrypt it.
8. Under User notifications, turn on notifications. Admins can also edit the message if they want to. You can also configure if the admin wants to receive a notification under Incident reports > Use this severity level in admin alerts and reports.
9. Select Save.
10. Select Turn the Policy On Immediately.

Set up DLP profiles

1. In Zero Trust ↗, go to Email Security > Outbound DLP.
2. Select Add a policy:
   • Name your policy.
   • Build an expression.
   • (Optional) Configure message type: Create a custom message to be be displayed when a violation occurs.
3. Select Save.