Netskope Help

DLP Behavior with SMTP Proxy

  1. Netskope predefined PII and GDPR DLP profiles contain rules that match the email names and addresses of objects that are inspected. For the SMTP DLP use case, these rules are applied against both the content and metadata of emails where the metadata includes the SMTP header. As the SMTP header can contain multiple instances of sender or recipient email names, DLP scans can result in matches that may be unexpected. The specific predefined DLP profiles are:

    • EU General Data Protection Regulation (GDPR)

    • EU General Data Protection Regulation (GDPR) (narrow)

    • DLP-PII

    If you are enabling these three DLP profiles, then the simplest solution is to clone the profiles and remove the email rules.

    • For “EU General Data Protection Regulation (GDPR)” profile, remove “EU-Name-email” and “EU-Name-email (narrow)” rules.

    • For “EU General Data Protection Regulation (GDPR) (narrow)” profile, remove “EU-Name-email (narrow)” rule.

    • For “DLP-PII” profile, remove “Name-Email” rule.

    Note

    Disabling the metadata inspection may still result in a profile match as email name and addresses can be present in an email thread.

  2. Earlier, emails inspected by DLP included the SMTP header fields - to, from, cc, attachment, and subject in the metadata and content. This behavior is now modified to eliminate the duplication of fields in metadata and content. Now, the SMTP header fields - to, from, cc, and attachment will be inspected in the metadata. The subject along with the email body will be inspected in the content.

  3. When admins create a custom DLP rule to match on the text in the Subject of an email and choose both the Metadata and Content options, the system returns three DLP Violations when using a Microsoft Exchange email client.

    This happens because the text in the Subject appears in the following order. For example, the subject of the email is “dlp smtp is really good”.

    1. In Metadata, we get a string subject: dlp smtp is really good

    2. In Metadata, we get another string thread-topic: dlp smtp is really good

    3. In the Content, we get the string dlp smtp is really good