
How to Configure DLP Rules in Proofpoint

Set up Data Loss Prevention (DLP) rules in Proofpoint to protect sensitive data. Learn to detect PII, financial data, and enforce compliance policies.

14 min read | Updated January 2025


Data Loss Prevention (DLP) in Proofpoint helps organizations prevent sensitive information from leaving via email. DLP rules scan outbound (and optionally inbound) messages for patterns matching credit cards, social security numbers, protected health information, and custom data patterns.

Prerequisites

Before configuring DLP rules, ensure you have:

  • Administrator access to Proofpoint with DLP permissions
  • DLP feature enabled in your subscription
  • Clear data classification policy defining what data to protect
  • Compliance requirements documented (PCI-DSS, HIPAA, GDPR, etc.)
  • Stakeholder approval for DLP enforcement actions

Understanding Proofpoint DLP Architecture

Proofpoint DLP uses multiple detection methods:

Detection Method | Description | Use Case
Smart Identifiers | Pre-built patterns for common data types | Credit cards, SSN, phone numbers
Dictionaries | Keyword and phrase lists | Industry terms, project names
Regular Expressions | Custom pattern matching | Custom account numbers, codes
Document Fingerprinting | Match document templates | Contracts, forms, policies
Machine Learning | Behavioral analysis | Unusual data transfer patterns

Step 1: Access DLP Configuration

  1. Log in to the Proofpoint Admin Console
  2. Navigate to Security Settings or Data Loss Prevention
  3. Click on DLP Policies or Content Filtering
  4. You'll see existing policies and options to create new ones

Step 2: Create a DLP Policy

Basic Policy Setup

  1. Click New Policy or Create DLP Rule
  2. Enter a descriptive Policy Name (e.g., "PCI-DSS Credit Card Protection")
  3. Add a Description explaining the policy purpose
  4. Select Direction: Outbound (most common for DLP)
  5. Set Scope: Company, Group, or specific users
  6. Click Continue

Configure Detection Criteria

Define what sensitive data to detect:

Using Smart Identifiers (Pre-built Patterns)

  1. In the detection section, click Add Smart Identifier
  2. Select from available identifiers:
     Smart Identifier | Detects | Compliance
     Credit Card Number | Visa, MasterCard, Amex, etc. | PCI-DSS
     Social Security Number | US SSN patterns | Privacy
     Bank Account Number | ABA routing + account | Financial
     HIPAA Identifiers | PHI patterns | HIPAA
     Driver's License | US state DL formats | Privacy
     Passport Number | International passport formats | Privacy
  3. Set the Minimum Match Count (e.g., trigger if 3+ credit cards found)
  4. Click Add to include in the policy

Using Custom Dictionaries

Create keyword lists for industry-specific detection:

  1. Navigate to DLP > Dictionaries
  2. Click Create Dictionary
  3. Enter a Name (e.g., "Confidential Project Keywords")
  4. Add keywords, one per line:
     Project Apollo
     Classified
     Internal Use Only
     Do Not Distribute
     Patent Pending
  5. Click Save
  6. Return to your DLP policy and add the dictionary as a detection criterion

Using Regular Expressions

For custom patterns like internal account numbers:

  1. Click Add Custom Pattern or Regular Expression
  2. Enter your regex pattern:
# Example: Internal Account Number (ACT-XXXXXX)
ACT-[0-9]{6}

# Example: Employee ID (EMP followed by 5 digits)
EMP[0-9]{5}
  3. Test the pattern with sample data
  4. Add to your policy
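The "test the pattern with sample data" step can be rehearsed offline before anything goes into the console. The following is an added example, not Proofpoint tooling: it runs the two patterns above and word-boundary variants against constructed sample lines, and assumes Python `re` syntax (confirm that `\b` is supported by the DLP regex engine before using the strict forms).

```python
import re

# Patterns as given in the article, plus boundary-anchored variants.
# Assumption: Python `re` syntax; the DLP engine's dialect may differ.
PATTERNS = {
    "account_loose": re.compile(r"ACT-[0-9]{6}"),
    "account_strict": re.compile(r"\bACT-[0-9]{6}\b"),
    "employee_loose": re.compile(r"EMP[0-9]{5}"),
    "employee_strict": re.compile(r"\bEMP[0-9]{5}\b"),
}

# Constructed samples: (text, contains account number?, contains employee ID?)
SAMPLES = [
    ("Please credit ACT-204118 today", True, False),
    ("Badge EMP48213 reissued", False, True),
    ("ACT-204118, EMP48213.", True, True),
    ("Ref CONTRACT-2041187 attached", False, False),  # 'ACT-' inside a longer token
    ("Serial TEMP482139 in stock", False, False),     # 'EMP' inside a longer token
]


def evaluate(samples=SAMPLES):
    """Return {pattern_name: [texts where the match disagrees with the label]}."""
    wrong = {name: [] for name in PATTERNS}
    for text, want_account, want_employee in samples:
        for name, rx in PATTERNS.items():
            want = want_account if name.startswith("account") else want_employee
            if bool(rx.search(text)) != want:
                wrong[name].append(text)
    return wrong


if __name__ == "__main__":
    for name, texts in evaluate().items():
        status = "OK" if not texts else "MISMATCH on " + repr(texts)
        print(f"{name}: {status}")
```

The unanchored patterns flag `CONTRACT-2041187` and `TEMP482139` because they match anywhere inside a longer token; the boundary-anchored variants do not.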

Combine Detection Criteria

Use AND/OR logic to reduce false positives:

Example: Credit Card Policy with Reduced False Positives

Trigger when:
  Credit Card Number detected
  AND
  (Dictionary match: "payment", "invoice", "charge", "billing")
  AND
  Attachment present

This prevents triggering on random number strings that happen to match credit card patterns.
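The AND logic above can be modelled offline to see which messages it lets through. This is an added example, not Proofpoint's implementation: a Luhn checksum stands in for the Credit Card Smart Identifier (whose internals the page does not describe), only the body text is scanned, the attachment is a boolean flag, and the messages are constructed.

```python
import re

# Dictionary terms from the article's example policy.
KEYWORDS = ("payment", "invoice", "charge", "billing")
# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def policy_triggers(body: str, has_attachment: bool, min_cards: int = 1) -> bool:
    """Card number AND dictionary match AND attachment present."""
    enough_cards = len(card_numbers(body)) >= min_cards
    keyword_hit = any(k in body.lower() for k in KEYWORDS)
    return enough_cards and keyword_hit and has_attachment


# Constructed messages: (body, has_attachment).
SAMPLES = {
    "real_context": ("Invoice 8841: please charge card 4111 1111 1111 1111", True),
    "order_number": ("Invoice for tracking number 1234567890123456", True),
    "no_keyword": ("QA test value 4111111111111111", True),
    "no_attachment": ("Billing card 4111-1111-1111-1111", False),
}

if __name__ == "__main__":
    for name, (body, attached) in SAMPLES.items():
        print(name, policy_triggers(body, attached))
```

Only `real_context` triggers. The `no_attachment` case shows the cost of the third condition: a card number pasted into the body with no attachment passes this policy, which is worth checking for during the monitor-only phase.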

Step 3: Configure DLP Actions

Define what happens when sensitive data is detected:

Primary Actions

Action | Description | Use When
Block | Prevent message delivery | Strict compliance requirements
Quarantine | Hold for admin review | Moderate risk data
Encrypt | Automatically encrypt message | Sensitive but allowed data
Allow | Permit with notification | Monitoring mode

Secondary Actions

Action | Description
Notify Sender | Alert user their email was flagged
Notify Admin | Send alert to compliance team
Notify Manager | Alert sender's supervisor
Add Header | Insert compliance header
Log Only | Record without action

High Risk (Block + Notify):

Primary: Block
Secondary: Notify Sender, Notify Compliance Officer
Use for: SSN, large credit card batches, HIPAA data

Medium Risk (Encrypt + Log):

Primary: Encrypt automatically
Secondary: Log event, Notify Sender
Use for: Financial data to authorized external parties

Low Risk (Allow + Monitor):

Primary: Allow
Secondary: Log event only
Use for: Initial monitoring phase, false positive analysis

Step 4: Configure Policy Exceptions

Not all sensitive data transfers are violations:

Recipient Exceptions

Whitelist trusted recipients:

  1. In the policy, find the Exceptions section
  2. Add trusted domains or addresses:

Sender Exceptions

Exempt specific users or groups:

# Users authorized to send sensitive data
[email protected]
[email protected]

Content Exceptions

Exclude specific document types or patterns:

# Exclude redacted documents
Attachment name contains: "_REDACTED"
Subject contains: "[APPROVED]"

Step 5: Enable Encryption for DLP

Automatic encryption for sensitive outbound emails:

  1. Navigate to Security Settings > Email Encryption
  2. Enable Policy-Based Encryption
  3. Link encryption to your DLP policy:
When DLP Policy "PCI-DSS Protection" triggers:
  Action: Encrypt with Proofpoint Encryption
  Encryption type: Portal pickup
  Notification: Send secure message notification to recipient

Encryption Options

Type | Description | Best For
Portal Pickup | Recipient accesses via web portal | External recipients
PDF Encryption | Attach as encrypted PDF | One-time secure delivery
TLS Enforced | Require TLS connection | B2B with configured partners
S/MIME | Certificate-based encryption | High-security environments

Step 6: Test DLP Policies

Before enforcing, test thoroughly:

Monitor-Only Mode

  1. Create your DLP policy
  2. Set primary action to Allow or Monitor Only
  3. Enable all logging and notifications
  4. Run for 1-2 weeks
  5. Review logs for:
    • False positives (legitimate emails flagged)
    • False negatives (sensitive data not caught)
    • Volume of detections

Test with Sample Data

  1. Create test emails containing:

    • Test credit card numbers (use standard test numbers: 4111111111111111)
    • Sample SSN patterns
    • Dictionary keywords
  2. Send to test accounts

  3. Verify detection and action

  4. Adjust thresholds and patterns

Review and Refine

Based on testing:

  • Add exceptions for false positives
  • Strengthen patterns for missed detections
  • Adjust minimum match counts
  • Fine-tune notification recipients

Step 7: Deploy DLP Policies

Phased Rollout

  1. Pilot Group (Week 1-2)

    • IT department only
    • Monitor mode with notifications
    • Gather feedback
  2. Extended Pilot (Week 3-4)

    • Add Finance, HR, Legal
    • Enable soft enforcement (warn but allow)
    • Continue monitoring
  3. Full Deployment (Week 5+)

    • Company-wide rollout
    • Full enforcement
    • Ongoing monitoring and refinement

User Communication

Notify users before enforcement:

Subject: New Email Security Policy - Sensitive Data Protection

Starting [date], our email system will automatically detect and protect sensitive data including credit card numbers, social security numbers, and confidential business information.

What this means for you:

  • Emails containing sensitive data may be automatically encrypted
  • You'll receive notifications if an email is blocked for review
  • Legitimate business needs are supported with approved processes

To send sensitive data securely:

  • Use the [SECURE] tag in your subject line for automatic encryption
  • Contact [[email protected]] for bulk data transfer requests

Step 8: Monitor DLP Effectiveness

Key Metrics to Track

Metric | Target | Action if Off-Target
Detection Rate | Based on data volume | Adjust patterns
False Positive Rate | < 5% | Add exceptions, refine patterns
Policy Violations | Trending down | User training, process improvement
Encryption Adoption | Trending up | User awareness

Regular Review Schedule

Frequency | Activity
Daily | Review quarantined messages
Weekly | False positive/negative analysis
Monthly | Policy effectiveness report
Quarterly | Compliance audit, policy updates

Troubleshooting DLP Issues

High False Positive Rate

Symptoms: Legitimate emails consistently flagged.

Solutions:

  1. Review detection patterns for over-matching
  2. Increase minimum match thresholds
  3. Add recipient/sender exceptions
  4. Combine detectors (require multiple matches)
  5. Use more specific dictionaries

Sensitive Data Not Detected

Symptoms: Known sensitive content passes through.

Solutions:

  1. Verify policy is enabled and active
  2. Check policy scope includes affected users
  3. Test Smart Identifiers with sample data
  4. Add custom patterns for edge cases
  5. Review attachment scanning settings

Encryption Failures

Symptoms: Messages flagged but not encrypted.

Solutions:

  1. Verify encryption service is properly configured
  2. Check encryption policy is linked to DLP rule
  3. Test encryption with manual [SECURE] trigger
  4. Review encryption logs for errors

Best Practices for DLP

  1. Start with monitoring - Never enforce untested policies
  2. Layer detection - Combine multiple detectors for accuracy
  3. Document exceptions - Record why each exception exists
  4. Train users - Explain DLP purpose and secure alternatives
  5. Review regularly - Update policies as data types change
  6. Integrate with HR - Align with employee data handling policies
  7. Test continuously - Regular false positive testing

Compliance Mapping

Compliance | Proofpoint DLP Features
PCI-DSS | Credit card detection, encryption, logging
HIPAA | PHI identifiers, encryption, audit trails
GDPR | PII detection, consent tracking, data portability
SOX | Financial data protection, audit logging
GLBA | Financial privacy, encryption requirements

Next Steps

After configuring DLP:

  1. Set up email filtering - Configure filter policies
  2. Manage quarantine - Handle DLP-quarantined messages
  3. Configure URL Defense - Enable click-time protection
  4. Manage sender lists - Safe senders and block lists


Frequently Asked Questions


Proofpoint DLP can detect credit card numbers, Social Security numbers, bank account details, healthcare information (HIPAA), personal identifiable information (PII), custom keywords and patterns, document classifications, and files containing sensitive metadata.
