Use case: Block outbound messages with confidential content unless they are sent to a specified domain Outbound messages are blocked if they contain the word Confidential, unless the recipient is exempt from the rule. Expected behavior Email contents Recipient Expected result Body: Confidential email@example.com The message is blocked because it contains the word Confidential. Body: Confidential firstname.lastname@example.org The message is not blocked because the exception settings mean that confidential material can be sent to people at example.com. Body: Attachment: Confidential email@example.com firstname.lastname@example.org The message is blocked because one of the recipients is not allowed to receive it. Task Create an email address list definition for a domain that is exempt from the rule. In the Data Protection section in McAfee ePO, select DLP Policy Manager and click Definitions. Select the Email Address List definition and create a duplicate copy of the built-in My organization email domain. Select the email address list definition you created, and click Edit. In Operator, select Domain name is and set the value to example.com. Click Save. Create a rule set with an Email Protection rule. Click Rule Sets, then select Actions → New Rule Set. Name the rule set Block Confidential in email. Create a duplicate copy of the built-in Confidential classification. An editable copy of the classification appears. Click Actions → New Rule → Email Protection Rule. Name the new rule Block Confidential and enable it. Enforce the rule on DLP Endpoint for Windows and DLP Prevent. Select the classification you created and add it to the rule. Set the Recipient to any recipient (ALL). Leave the other settings on the Condition tab with the default settings. Add exceptions to the rule. Click Exceptions, then select Actions → Add Rule Exception. Type a name for the exception and enable it. Set the classification to Confidential. Set Recipient to at least one recipient belongs to all groups (AND), then select the email address list definition you created. Configure the reaction to messages that contain the word Confidential. Click Reaction. In DLP Endpoint, set the Action to Block for computers connected to and disconnected from the corporate network. In DLP Prevent, select the Add header X-RCIS-Action option and click the Block value. Save and apply the policy.