Why do some Outlook messages fail to trigger Data Protection Policies

Document ID : KB000097222
Last Modified Date : 21/05/2018
Show Technical Document Details
Question:
Why do some mail messages which were originally sent from Microsoft Outlook fail to trigger CA Data Protection Policies?

When these events are ingested as part of an import job the event appears to be "excluded".  Further examination of the event import logs shows

"Reason: '0x65630ddb' (Policy did not cause the event to be captured. )"

 
Environment:
CA Data Protection 14.x\15.x
Answer:
In general the key to importing and viewing events in the iConsole is address matching. Email addresses and aliases are defined for users in the Data Protection hierarchy to enable mail events to be associated with them.  You must ensure that all valid email addresses are added to ensure that any email address presented is matched correctly.  For example:

SMTP addresses (i.e. AUser@ADomain,com)  
x500 - LegacyExchangeDN Address (i.e. /o=MyOrg/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=17b78f903e274e489bf5ebb6c8ca76e6-AUser). 

Looking at this in more detail, when Exchange routes messages internally it uses the MTA (Message Transfer Agent) in the Hub to decide on the routing path. If the hub decides to route the event internally it will use the Legacy Exchange (x500) Address and if it is routing it externally it will use the SMTP address (This is a very simplistic explanation and there are many other scenarios). 

When CA Data Protection processes an email, it uses the first address that is handed to it at the point of processing (i.e. an importer or Outlook Endpoint Client Agent).  This could be either an SMTP or LegacyExhangeDN address. By default all aliases are matched for the Sender but not all recipient addresses are retrieved for outgoing mail. 

To cover all scenarios you should ensure that x500 (LegacyExchnageDN) and SMTP addresses are added to Data protection Users in order to apply policy against .msg files.
Additional Information:
For more information on email address matching see: https://docops.ca.com/ca-data-protection/15-2/en/reviewing/policy/protecting-emails-with-control-triggers/email-address-matching