The DLP Module processes messages on every corporate mail server on which it is installed.
After the DLP Module receives a message, it checks whether the message falls within the scope of each existing policy. If the message does not fall within the scope of any policy, the DLP Module skips the message without scanning it. If the message falls within the scope of a policy, the DLP Module searches the message for data that matches the category of that policy. The search covers the message subject, the message body, and all message attachments.
If the search finds matches to the policy category in the message, the policy has been violated. The DLP Module creates an incident with the specified priority and applies to the message the actions defined in the policy settings: it either deletes the message or lets it pass on to the recipient, and it sends a policy violation notification to the specified recipients.
A message copy can be attached to the incident for subsequent incident investigation. Information about the action taken on the message is saved in the incident details.
If the search finds no matches with the policy category in the message, the DLP Module proceeds to scan the message against the next policy.
If the message violates several policies at once, the DLP Module generates one incident for each policy violated.
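The per-policy flow described above (scope check, category search, one incident per violated policy), as an added Python example; it is not the DLP Module's code. The class names, the regex stand-ins for data categories, the priority labels and the sample message are all constructed, and the rule that a "delete" action wins when several policies are violated is an assumption the page does not state.

```python
import re
from dataclasses import dataclass
from typing import Callable

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list          # attachment text, assumed already extracted

@dataclass
class Policy:                  # hypothetical model of one DLP policy
    name: str
    in_scope: Callable         # scope test; here based on the sender
    category: re.Pattern       # regex stand-in for a data category
    priority: str
    action: str                # "delete" or "deliver"
    notify: list
    attach_copy: bool = False

def scan(msg, policies):
    """Return (incidents, final_action) for one message."""
    incidents = []
    for p in policies:
        if not p.in_scope(msg):
            continue           # out of scope: no scan under this policy
        parts = [msg.subject, msg.body, *msg.attachments]
        if not any(p.category.search(t) for t in parts):
            continue           # no match: move on to the next policy
        incidents.append({     # match: policy violated, record an incident
            "policy": p.name, "priority": p.priority, "action": p.action,
            "notified": list(p.notify),
            "copy": msg if p.attach_copy else None})
    # Assumption: the message is deleted if any violated policy says so.
    deleted = any(i["action"] == "delete" for i in incidents)
    return incidents, "delete" if deleted else "deliver"

# Constructed sample policies and message
CARD = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
SECRET = re.compile(r"(?i)\bproject falcon\b")
POLICIES = [
    Policy("Cards-Sales", lambda m: m.sender.endswith("@sales.example.com"),
           CARD, "High", "delete", ["secoff@example.com"], attach_copy=True),
    Policy("Falcon-All", lambda m: True, SECRET, "Low", "deliver",
           ["secoff@example.com"]),
    Policy("Cards-HR", lambda m: m.sender.endswith("@hr.example.com"),
           CARD, "Normal", "delete", []),
]
MSG = Message("ann@sales.example.com", "Q3 invoice", "See attachment.",
              ["Project Falcon budget; card 4111 1111 1111 1111"])
```

Calling `scan(MSG, POLICIES)` yields two incidents from a single message whose sensitive data sits only in the attachment, while the HR policy never scans it because the sender is out of scope.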
Incidents generated on all corporate mail servers appear in a common list of incidents. If the topology of your mail infrastructure causes a message to pass through two or more mail servers with the DLP Module installed, the message is scanned for data leaks on only one of the servers. This rules out duplicate incident records and distorted report statistics.