Nucleuz KB Article 2020012201 :
Automatic Decryption Not Working


Nucleuz has determined a recent change rolled out in Microsoft Office 365 (O365) may cause your organization's auto-decryption to stop working.


  1. Your organization sends a message that is encrypted to external recipients.
  2. An external recipient accesses the encrypted message via the Microsoft Office Message Encryption (OME) portal and replies to it.
  3. The response is not decrypted back to the originating sender. Instead it arrives still encrypted, requiring users inside your organization to access the message via the OME portal.

Applies To

Organizations using Office Message Encryption (OME) to encrypt & decrypt messages in one or more of these environments:

  • Nucleuz DLP Policies installed & running inside Microsoft Exchange (Microsoft Office 365 (O365) and Microsoft Exchange Online)
  • (Note: Nucleuz DLP Policies installed & running inside Microsoft Security & Compliance Center may not be affected. Please contact Nucleuz if you experience problems in this environment.)

Time Frame

This issue appeared around Jan 20, 2020. According to Microsoft's announcement the change which causes this issue will be completely rolled out by Feb 1, 2020. Organizations which are not yet affected by this change may not have the change yet.


This issue appears to be caused by Microsoft's change described in Office 365 notification MC196886 published on November 27, 2019.

The problem seems to be due to the change now using the tenant's domain for encrypted messages.

The issue seems to be confined to Nucleuz DLP Policies running within Exchange Admin Center.


Nucleuz has confirmed that this behavior can be fixed by changing the "... Decrypt" rule in the Nucleuz DLP Policy to not require that the sender be External.
Please follow these steps and see the screenshot below depicting part of this change procedure:

  1. Log into your O365 Admin Center.
  2. Navigate to Exchange Admin Center.
  3. Navigate to the compliance management section from the left-hand side.
  4. Navigate to the data loss prevention section near the top.
  5. Select your Nucleuz DLP Policy, and edit it.
  6. Locate the "... Decrypt" rule in the list, and edit it.
  7. Remove the condition "The sender is located... Outside the organization".
  8. Ensure the condition "The recipient is located... Inside the organization" exists (add it if necessary).
  9. Save the changes to the Rule.
  10. Save the changes to the Policy.
  11. Wait up to 1 hour for the changes to take effect.

The screenshot below depicts part of this change procedure:

Screenshot of Rule Changes

Additional Help

Please contact your Nucleuz Account Manager or Nucleuz Support for additional help with this issue.