Question
When filtering emails with Email DLP, I would like to use Bcc recipients as filter conditions as shown below.
However, when I actually configure the settings, the processing does not work as expected. Why is this?
- Apply the same filter processing (suspend, approve, send unmodified, etc.) to all To/Cc/Bcc recipients, with the condition that a specific recipient is included in the Bcc of the sent email
- Apply filter processing with the condition that the sent email includes 10 Bcc recipients
Answer
Due to the specifications of Bcc processing in Microsoft 365 (Exchange Online) and Google Workspace (Gmail), the processing differs from when To or Cc are used as filter conditions.
When configuring filtering based on Bcc recipients, you need to consider the specifications of the email system.
Filtering rules that use specific Bcc addresses as filter conditions only apply to emails delivered to the Bcc recipient themselves.
Therefore, it is not possible to process emails addressed to To/Cc recipients in Email DLP based on the condition "Bcc exists" (such as excluding from encryption or deleting).
This article explains an overview of Bcc, how it is processed in actual email systems, and examples of behavior when Bcc is set as a filter condition in Email DLP.
Table of Contents
- What is Bcc?
- Behavior when sending emails with Bcc from Exchange Online or Gmail
- Notes on filtering Bcc with Email DLP
Content
What is Bcc?
Bcc is a mechanism that delivers a copy of the email to specified recipients while hiding their information from other recipients (To/Cc).
In email delivery systems, in addition to the "Recipient (Header To/Cc)" displayed on the recipient's screen, the Envelope To address is used for delivery control.
When using Bcc, the system separates the emails addressed to Bcc recipients from the To/Cc data based on the Envelope To address.
At that time, the Bcc field is completely removed from the email data delivered to each recipient, so the email data received by To/Cc recipients contains no trace of Bcc. This is the main characteristic of Bcc.
* In the diagram below, recipient C can tell they are a Bcc recipient because their address is not in To or Cc.
However, recipients A and B cannot know that the same email was also sent to C as a Bcc recipient.
Behavior when sending emails with Bcc from Exchange Online or Gmail
When the mail server delivers emails, the emails are separated internally for each recipient.
When sending emails using Bcc, the following behavior occurs.
Bcc recipient data
Only in the copy delivered to the Bcc recipient is that recipient's own address absent from To/Cc, so the recipient can recognize that "I was included in Bcc."
To/Cc recipient data
Bcc information is completely removed during delivery, so To/Cc recipients cannot know that the sender also sent the email to Bcc recipients.
Therefore, just like the To/Cc recipients, Email DLP cannot detect Bcc details (email addresses, count, etc.) when filtering emails received from Exchange Online or Gmail.
Notes on filtering Bcc with Email DLP
When Email DLP performs filtering, it cannot completely identify which addresses are Bcc, so it treats any address that is present in Envelope To but not in To/Cc as Bcc.
As a result, the following limitations apply.
Example: Do not encrypt or suspend emails with a specified Bcc recipient (exception processing)
Example: Target is Bcc:, Predicate is matches regular expression, Pattern is A@example.com, Count is 1
As described above, since sent emails are separated for each recipient, only the Bcc recipient themselves can be determined as Bcc.
Therefore, the filtering results differ between emails where a Bcc address can be determined and emails where Bcc cannot be detected.
Email addressed to Bcc
If the email address in Bcc matches the pattern, the rule will apply and exception processing will be performed.
Email addressed to To/Cc
Since Bcc information used as filter conditions is completely removed during delivery, such emails cannot match this rule and will not be subject to exception processing.
Example: Delete if there are 10 or more Bcc recipients
Example: Target is Bcc:, Predicate is matches regular expression, Pattern is @, Count is 10
Due to system specifications, it is not possible to detect emails with this condition.
As described above, since emails are separated and sent for each recipient, the maximum number of addresses that can be determined as Bcc is 1.
Therefore, even if 10 Bcc recipients are set on the email, the maximum number of Bcc addresses that Email DLP can detect at the time it receives the email is 1, so no email will match this rule.
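The two rule examples above can be reproduced with a small simulation. This is an added example, not Email DLP's own code: the function names, the one-copy-per-recipient delivery model, and the "count or more" rule semantics are assumptions made for illustration, and all addresses are constructed samples.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

def split_for_delivery(to, cc, bcc):
    """Model of the behaviour described above (a simplification): one copy per
    recipient, no Bcc header, and a single Envelope To address per copy."""
    copies = []
    for rcpt in to + cc + bcc:
        msg = EmailMessage()
        msg["From"] = "sender@example.com"          # constructed sample sender
        for name, addrs in (("To", to), ("Cc", cc)):
            if addrs:
                msg[name] = ", ".join(addrs)
        msg.set_content("constructed sample body")
        copies.append(([rcpt], msg))                # (Envelope To, message)
    return copies

def inferred_bcc(envelope_to, msg):
    """The article's heuristic: in Envelope To but not in header To/Cc => Bcc."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    return [a for a in envelope_to if a.lower() not in visible]

def rule_matches(envelope_to, msg, pattern, count):
    """Assumed semantics: fire when >= count inferred Bcc addresses match."""
    hits = [a for a in inferred_bcc(envelope_to, msg)
            if re.search(pattern, a, re.IGNORECASE)]
    return len(hits) >= count

def evaluate(to, cc, bcc, pattern, count):
    """Return {envelope recipient: did the rule match that copy?}."""
    return {env[0]: rule_matches(env, msg, pattern, count)
            for env, msg in split_for_delivery(to, cc, bcc)}

if __name__ == "__main__":
    # Constructed recipients: B in To, C in Cc, A in Bcc.
    print(evaluate(["B@example.com"], ["C@example.com"], ["A@example.com"],
                   "A@example.com", 1))
    # Ten constructed Bcc recipients against the "Pattern @, Count 10" rule.
    ten = [f"user{i}@example.com" for i in range(10)]
    print(evaluate(["B@example.com"], [], ten, "@", 10))
```

In the first run only the copy addressed to A matches, so the copies for B and C never receive the exception processing; in the second run no copy matches, because each copy exposes at most one inferred Bcc address.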