The Policy-Based Encryption service allows customers to set up filters based on the content of a message. If a message meets the configured criteria, it is encrypted. Once the service is enabled, all messages sent from Intermedia mailboxes to external recipients are processed according to the configured policies and encrypted if required.

What happens when an email gets encrypted?


  1. The sender gets a 'Your message was encrypted' email. The email has information about the encrypted message, such as subject, date and time.
  2. A recipient also gets an email from Message Pickup Center (MPC):
    • If the recipient has not been activated in the MPC before, he or she must activate a new account in the MPC to read the encrypted message. The activation information (activation password and link) is provided in the message. To activate the account, the recipient needs to follow the activation link and enter the name and activation password. The recipient will also create a new password for the MPC.
    • If the recipient has used the Message Pickup Center (MPC) before, he or she will get a message from the MPC with the subject 'You have a new encrypted message from [sender's address]'. This email has information about the encrypted message, such as subject, sent and expiration date, along with the link to access the encrypted message. The recipient should follow the link and enter his or her email address and password (created during activation) to log in. After that, the recipient will have access to the message.

      If the activation info was not sent or the recipient forgot the password, activation can be reset. To reset activation, the recipient should do the following:
      • Navigate to the Message Pickup Center.
      • Click the Forgot your password? link.
      • Enter the email address of the mailbox where the encrypted message was delivered.
      • A new activation email will be sent to that email address.

Mailflow changes with the Policy-Based Encryption service

  1. All messages to external recipients are routed to a special gateway.
  2. At the gateway, all messages are checked according to policy settings.
  3. The gateway has a list of policies for handling messages that fall under certain conditions. Possible actions are: encrypt, send unencrypted, discard, or return to sender.
  4. If a message should be encrypted, it is routed to the Message Pickup Center. Recipients get a notification with a URL to read the message after registration.

When an email is sent from our server and Policy-Based Encryption is triggered, the recipient can view and reply to the encrypted email using the Message Pickup Center in a web browser. When the recipient replies to an encrypted message through the website interface, the reply is sent over an encrypted connection to Intermedia servers. Intermedia servers have the appropriate software installed to decrypt the email, so the recipient of the reply does not need to use the Message Pickup Center to read it and can instead read it using Outlook or Outlook Web App. When a desktop Outlook application connects to the Intermedia Exchange server to view email, it uses a TLS-encrypted connection, so the message cannot be intercepted by a third party.

Important: if the recipient replies to the encrypted message from Outlook or OWA, it will not be encrypted automatically. It will only be encrypted if the encryption policy is triggered.

How to enable Policy-Based Encryption

  1. Log in to HostPilot® Control Panel.
  2. Navigate to Services > Compliance > Email Encryption.
  3. Choose one of the available templates for settings. Each template provides a package of pre-configured policies.
  4. Click Enable Policy-based Encryption. Now all outbound emails to external recipients will be checked against encryption policies.

Important: By default, policies are NOT enabled in the Encrypted Mail Gateway console. Log in to the Encrypted Mail Gateway and click the red button to enable a policy, as shown in the picture.

Managing Policy-Based Encryption

Policy-based Encryption is managed through the web interface. To customize Policy-based Encryption for your business's requirements, you must first create rules that "filter" messages for specific content, for example whether a message is sent to a specific email address, includes a credit card number, or includes a spreadsheet attachment. These rules are created and maintained using the Administrative Console, a web-based tool for creating and managing encryption rules and policies.
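A simplified model of how such content rules map to the gateway actions, useful for reasoning about which messages a rule set would catch before relying on it. This is an added illustration, not Intermedia's code or the Administrative Console's rule syntax. The domain, addresses, rule order and first-match behaviour are assumptions, and the sample messages are constructed.

```python
import re
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"               # assumption: the account's mail domain
ALWAYS_ENCRYPT_TO = {"billing@partner.test"}  # assumption: constructed address
SPREADSHEET_EXT = (".xls", ".xlsx", ".csv")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(msg):
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

def has_spreadsheet(msg):
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    return any(n.endswith(SPREADSHEET_EXT) for n in names)

# Ordered rules, first match wins (assumed semantics, not the product's).
RULES = [
    ("recipient address", lambda m, rcpt: rcpt.lower() in ALWAYS_ENCRYPT_TO, "encrypt"),
    ("credit card number", lambda m, rcpt: has_card_number(m), "encrypt"),
    ("spreadsheet attachment", lambda m, rcpt: has_spreadsheet(m), "encrypt"),
]

def gateway_action(msg, rcpt):
    """Return (action, matched rule) for one recipient of one message."""
    if rcpt.lower().endswith("@" + INTERNAL_DOMAIN):
        return ("internal, not encrypted", None)  # internal mail skips the policies
    for name, matches, action in RULES:
        if matches(msg, rcpt):
            return (action, name)
    return ("send unencrypted", None)

def sample(body, attachment_name=None):
    """Build a constructed test message, optionally with a dummy attachment."""
    msg = EmailMessage()
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg
```

The Luhn check matters for rule quality: a 16-digit order reference that fails the checksum is sent unencrypted, while a valid card number triggers encryption.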

To log in to the Encrypted Message Gateway console, navigate to Services > Compliance > Email Encryption > click Encrypted mail gateway.

To log in to Message Pickup Center, navigate to Services > Compliance > Email Encryption > click Message Pickup Center.

EMG console

For details, download the Policy-based Encryption Guide.


  • All messages coming through the Encrypted Mail Gateway have a 36 MB size limit. The size of the original message will increase while it is routed; therefore, the attachment size is limited to 25 MB depending on the rest of a message.
  • Policy-Based Encryption is account-wide. Messages sent from each mailbox are forwarded through the gateway.
  • Internal messages (messages sent from one user on the account to another) do not get encrypted. This is considered safe since internal mail never actually leaves the server.
  • All changes to the policies and other settings are made through the administrative interface.
  • Policy-Based Encryption does not require any software to be installed on the client computer. Message encryption and decryption is performed on the servers the message was routed to.
  • There is a limit of 250 messages per hour. It is hard-coded and can't be changed.
  • The policy package (Default, Legal, Finance, HIPAA) cannot be changed; however, you can disable and re-enable Policy-based Encryption to get a different one.