Copied to clipboard

Mail Server Configuration

Follow the simple, step-by-step instructions to configure your corporate email server to work with StayPrivate. The whole setup process should take around 5-10 minutes and will not disrupt your current email service in any way.

Please note that to use StayPrivate you need to have already signed up to StayPrivate on behalf of your company and domain.

To see instructions for Microsoft mail servers, click here.
For Google Workspace mail servers, click here.
Or to see instructions for other mail servers, click here.

Your external MX record indicates that your mail server is managed by Microsoft. To access setup instructions for alternative providers, use the links in the navigation panel.

Your external MX record indicates that your mail server is managed by Google. To access setup instuctions for different mail servers, use the links in the navigation panel.

To see instructions for Microsoft mail servers, click here.
For Google Workspace mail servers, click here.
Or to see instructions for other mail servers, click here.
The instructions below are for Microsoft-based mail servers. To see instructions for Google Workspace mail servers, click here. Or to see instructions for other mail servers, click here.
The instructions below are for Google Workspace mail servers. To see instructions for Microsoft mail servers, click here. Or to see instructions for other mail servers, click here.
The instructions below are for generic mail servers. To see instructions for Microsoft mail servers, click here. Or to see instructions for Google Workspace mail servers click here.

Follow the simple, step-by-step instructions to configure your corporate email server to work with StayPrivate. The whole setup process should take around 5-10 minutes and will not disrupt your current email service in any way.

Please note that to use StayPrivate you need to have already signed up to StayPrivate on behalf of your company and domain.

1. Google Mail Server Access

You will require administrator access to your Google mail server in order to configure it to work with StayPrivate:

Log into the Google Admin console at: https://admin.google.com
Select 'Apps'.
Select 'Google Workspace' and from the list, click on 'Gmail'.

If you do not have administrator access to your email server, please send the following link to your IT administrator and ask them to complete the setup:

2. Configure Host

To send secure emails, StayPrivate needs to be first added as a host:

Click on 'Hosts'.
Click on 'ADD ROUTE' to add a new mail route.
Enter the name: StayPrivate
In the 'Enter host name or IP' field enter sendsecure.stayprivate.com and in the numeric field next to it, enter the port number: 587
Click 'Save'.

3. Outbound Email

The next step is to add two rules so that the email server can identify which emails to send via the StayPrivate host. The first rule checks the body of the message:

Go back to the Gmail settings page by clicking on 'Settings for Gmail' near the top.
Scroll down to near the bottom and click on 'Compliance'. Then scroll down to 'Content compliance' and click 'CONFIGURE' (or if you already have a rule specified, click 'ADD ANOTHER RULE').
Under 'Content compliance' enter the text: Identify messages to send via StayPrivate - 1'
Under '1. Email messages to affect' select both 'Outbound' AND 'Internal - sending'.
Under '2. Add expressions that describe...' select 'If ALL of the following match the message'. Then click on 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Body'.
Under 'Content' enter the keyword you want to use to identify secure emails: then click 'SAVE'.
Then again under '2. Add expressions that...' select 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Full Headers'.
Under 'Match type' select 'Not contains text'.
Under 'Content' enter the text: x-stayprivate-processed: true
Click 'SAVE'.
In '3. If the above expressions match, do the following' under 'Route' select 'Change route'.
Click on 'Normal routing' and select 'StayPrivate'.
Then under 'Spam' select 'Bypass the spam filter for this message'.
Click on 'SAVE' bottom right.

The second rule checks the message subject:

Go back to the Gmail settings page by clicking on 'Settings for Gmail' near the top.
Scroll down to near the bottom and click on 'Compliance'. Then scroll down to 'Content compliance' and click 'ADD ANOTHER RULE'.
Under 'Content compliance' enter the text: Identify messages to send via StayPrivate - 2'
Under '1. Email messages to affect' select both 'Outbound' AND 'Internal - sending'.
Under '2. Add expressions that describe...' select 'If ALL of the following match the message'. Then click on 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Subject'.
Under 'Content' enter the keyword you want to use to identify secure emails: then click 'SAVE'.
Then again under '2. Add expressions that...' select 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Full Headers'.
Under 'Match type' select 'Not contains text'.
Under 'Content' enter the text: x-stayprivate-processed: true
Click 'SAVE'.
In '3. If the above expressions match, do the following' under 'Route' select 'Change route'.
Click on 'Normal routing' and select 'StayPrivate'.
Then under 'Spam' select 'Bypass the spam filter for this message'.
Click on 'SAVE' bottom right.

The above steps will ensure that emails with the keyword in either the body or the subject are sent securely.

4. Inbound Email

After processing, StayPrivate sends secure emails back to your corporate email server for delivering onto the recipient. The email server needs to be configured to accept and relay secure emails sent by StayPrivate:

Go back to the Gmail settings page by clicking on 'Settings for Gmail' near the top.
Scroll down to the bottom and click on 'Routing'. Under 'Routing' scroll down and under 'SMTP relay service' click 'CONFIGURE' (or if you already have a rule specified, click 'ADD ANOTHER RULE').
Under 'SMTP relay service' enter the text Receive from StayPrivate.
Under '2. Authentication' select 'Only accept mail from the specified IP addresses'. Then click 'ADD'.
Under 'Description' enter the text StayPrivate and under 'Enter IP address/range' enter the text: 18.130.40.2
Click 'SAVE'.
Under '3. Encryption' select 'Require TLS encryption',
Click on 'SAVE' bottom right.

5. Secure Replies

To ensure that direct replies from secure corporate domains are included in StayPrivate, incoming secure replies are identified and blind copied to server@stayprivatemail.com. This is achieved by adding a further compliance rule:

Go to the Gmail settings page by clicking on 'Settings for Gmail' near the top.
Scroll down to near the bottom and select 'Compliance'. Under 'Content compliance' click 'ADD ANOTHER RULE'.
Under 'Content compliance' enter: Send secure replies to StayPrivate
Under '1. Email messages to affect' select 'Inbound'.
Under '2. Add expressions that...' select 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Body'.
Under 'Content' enter the keyword you want to use to identify secure emails: then click 'SAVE'.
Then again under '2. Add expressions that...' select 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Subject'.
Under 'Content' enter the keyword you want to use to identify secure emails: then click 'SAVE'.
In '3. If the above expressions match, do the following' under 'Route' select 'Modify message'.
Under 'Also deliver to' select 'Add more recipients' then select 'ADD'.
Under 'Recipient address:' enter: server@stayprivatemail.com
Select 'SAVE'.
Finally, click on 'SAVE' bottom right. This is important - otherwise your changes may be lost.

Follow the simple, step-by-step instructions to configure your corporate email server to work with StayPrivate. The whole setup process should take around 5-10 minutes and will not disrupt your current email service in any way.

Please note that to use StayPrivate you need to have already signed up to StayPrivate on behalf of your company and domain.

1. Microsoft Mail Server Access

You will require administrator access to your Microsoft 365 account or mail server in order to configure it to work with StayPrivate:

From the Office 365 home page, in the left-hand menu, select 'Admin'.
In the left-hand menu, select 'Show all'.
Scroll down and under 'Admin centers' select 'Exchange'.

If you do not have administrator access to your email server, please send the following link to your IT administrator and ask them to complete the setup:

We recommend that you use the latest version of the Microsoft Exchange Admin Center. If you are using the 'Classic' Exchange Admin Center you can still follow the instructions below, but please be aware that there are one or two slight differences in wording and layout.

2. Outbound Email

The first step is to add a secure connector to the StayPrivate relay server:

In the left-hand menu, select 'Mail flow'. Then select 'Connectors'.
Click on '+' to add a new connector.
Under 'From:' select 'Office 365'. Under To: select 'Partner organization'. Then click 'Next'.
Enter the name: Send to StayPrivate and ensure 'Turn it on' is selected. Then click 'Next'.
Select 'Only when I have a transport rule set up that redirects messages to this connector'. Then click 'Next'.
Select 'Route email through these smart hosts'. Then enter the domain name: sendsecure.stayprivate.com and click '+'.
Ensure that 'Always use Transport Layer Security...' and 'Issued by a trusted certificate authority (CA)' are selected. Click 'Next'.
To validate the connector, enter the test email address support@stayprivate.com and click '+'.
Click 'Validate'. Office 365 will validate the new connector. This may take a minute or so. When it has finished, click 'Close'.
Click 'Next'.
Click 'Create connector'.
Click 'Done'.

3. Inbound Email

Next add a secure connector to allow StayPrivate to send secure emails back to your corporate email server for delvering to the recipient.

In the left-hand menu, select 'Mail flow'. Then select 'Connectors'.
Click on '+' to add a new connector.
Under 'From:' select 'Your organization's email server'. Check that 'Office 365' is selected under 'Connection to'. Then click 'Next'.
Enter the name: Receive from StayPrivate
Ensure that 'Turn it on' is selected and click 'Next'.
Select 'By verifying that the subject name on the certificate….'. Then enter the text: *.stayprivate.com
Click 'Next'.
Click 'Create connector'.
Click 'Done'.

4. Create Rules

The next step is to add a rule so that the mail server can identify which emails to send to StayPrivate:

In 'Mail flow', select 'Rules'.
Select '+' and 'Create a new rule...'
Enter the name: Identify messages to send via StayPrivate
Under '*Apply this rule if...' select 'The subject or body includes' and enter the keyword you want to use to identify secure emails.:
Click '+' then click 'OK'.
Look a little further down the page and click on 'More options...'.
Click 'add condition' and select 'The sender...' then select 'domain is'. Enter your email domain (for example, mycompany.com) in the box.
Click '+' then click 'OK'.
Under 'Do the following...' select 'Redirect the message to...' then 'the following connector'. Select 'Send to StayPrivate' and click 'OK'.
Under 'Except if…' click 'add exception' and select 'The sender…' then 'IP address is in any of these ranges or exactly matches'. Enter 18.130.40.2 in the box.
Click '+' then click 'OK'.
Click 'Save'. It may take a few seconds for the rule to be saved.

Next add a rule to ensure that secure emails are not incorrectly identified as spam:

In 'Mail flow', select 'Rules'.
Select '+' and then 'Bypass spam filtering...'
Enter the name: StayPrivate Allow
Under '*Apply this rule if...' select 'The sender' then select 'IP address is in any of these ranges or exactly matches'. Enter 18.130.40.2 in the box.
Click '+' then click 'OK'.
Click 'Save'. It may take a few seconds for the rule to be saved.

5. Secure Replies

To ensure that direct replies from secure corporate domains are included in StayPrivate, incoming secure replies are identified and blind copied to server@stayprivatemail.com:

In the left-hand menu, select 'Recipients' then select 'Contacts'.
Select '+ Add a contact'.
Under Contact type select 'Mail contact'.
Under 'Display name' enter: StayPrivateServer
Under 'Email' enter: server@stayprivatemail.com
Click 'Add'. Then click 'Close'.
Now again in the left-hand menu, select 'Mail flow' and select 'Rules'.
Select '+' and 'Create a new rule...'
Enter the name: Send secure replies to StayPrivate
Under '*Apply this rule if...' select 'The subject or body includes' and enter the keyword you want to use to identify secure emails.:
Click '+' then click 'OK'.
Select 'More options...' from near the bottom left of the form.
Under 'Do the following...' select 'Add recipients...' then 'to the Bcc box'.
Find 'StayPrivateServer' in the list and double-click on it to add it to the box at the bottom. Click 'OK'.
Click 'add exception' and select 'The sender...' then select 'domain is'. Enter your email domain (for example, mycompany.com) in the box.
Click '+' then click 'OK'.
Click 'add exception' again and select 'The sender' then select 'IP address is in any of these ranges or exactly matches'. Enter 18.130.40.2 in the box.
Click '+' then click 'OK'.
Select 'Save'. It may take a few seconds for the rule to be saved.

That is it! You can start using StayPrivate right away.

Follow the simple, step-by-step instructions to configure your corporate email server to work with StayPrivate. The whole setup process should take around 5-10 minutes and will not disrupt your current email service in any way.

Please note that to use StayPrivate you need to have already signed up to StayPrivate on behalf of your company and domain.

1. Mail Server Access

You will require administrator access to your email server in order to configure it to work with StayPrivate.

If you do not have administrator access to your email server, please send the following link to your IT administrator and ask them to complete the setup:

2. Outbound Email

To connect with StayPrivate, outgoing secure emails need to be identified and relayed to https://sendsecure.stayprivate.com. For most email servers this means:

adding https://sendsecure.stayprivate.com as a host or connector; and
creating a conditional routing rule to route emails to this host if the email subject or body contains the keyword.text:

3. Inbound Email

In the standard setup, StayPrivate sends secure emails back to the corporate email server for forwarding onto the recipient. The corporate email server therefore needs to be configured to accept and relay secure emails sent by StayPrivate. You can identify secure emails in either of two ways:

by the sender IP address: 18.130.40.2; or
by the certificate used to sign the emails: *.stayprivate.com.

For alternative setup options, log into the admin dashboard at https://dashboard.stayprivate.com.

4. Secure Replies

To ensure that secure replies from secure corporate domains are included in StayPrivate, incoming secure replies should be identified and blind copied to server@stayprivatemail.com. For most email servers this is achieved by adding a compliance rule to add the above address to the 'bcc' field if an incoming email contains the keyword.text:

StayPrivate is designed so that it can work with any Secure Email Gateway or Email Data Loss Prevention tool. It is also possible to create more advanced logic using native email server logic. For more information, see below.

Secure Email Gateway Integration

To ensure that StayPrivate works with an email gateway:

Firstly, follow the relevant instructions for either Microsoft, Google or Other.
And secondly, ensure that the outbound StayPrivate email is NOT routed through your email gateway. Please note that outbound emails are processed by StayPrivate then relayed back to your email server for final delivery, so the actual sent email will still pass through your email security gateway.

For further assistance, please contact us at support@stayprivate.com.

Email DLP Integration

You can use a DLP tool to decide which emails to send via StayPrivate, either instead of, or in addition to the keyword:

Follow the relevant instructions for either Microsoft, Google or Other.
Go to your DLP tool and create the rules to determine which emails are sent via StayPrivate.
Ensure that the action triggered by these rules is to change the routing, so that the emails are sent to sendsecure.stayprivate.com.

For further assistance, please contact us at support@stayprivate.com.

Advanced Rules

You can also use the native logic in your email server to create more complicated sending rules:

Firstly, follow the relevant instructions for either Microsoft, Google or Other.
Then on Microsoft 365, in the Exchange Admin Center, under 'Mail Flow' and 'Rules', you can either amend the 'Identify messages to send via StayPrivate' rule, or add further rules to redirect messages to the 'Send to StayPrivate' connector.
Or on Google Workspace, in 'Settings for Gmail', under 'Compliance', you can either amend the two rules 'Identify messages to send via StayPrivate - 1' and 'Identify messages to send via StayPrivate - 2' or add further rules to route emails via 'StayPrivate'.

For further assistance, please contact us at support@stayprivate.com.