Copied to clipboard

Mail Server Configuration

Follow the simple, step-by-step instructions to configure your corporate email server to work with StayPrivate. The whole setup process should take little more that 5 minutes and will not disrupt your current email service in any way.

Please note that to use StayPrivate for business you need to have already signed up to StayPrivate with the organization domain.

To see instructions for Microsoft mail servers, click here.
For Google Workspace mail servers, click here.
Or to see instructions for other mail servers, click here.

Your external MX record indicates that your mail server is managed by Microsoft. To access setup instructions for alternative providers, use the links in the navigation panel.

Your external MX record indicates that your mail server is managed by Google. To access setup instuctions for different mail servers, use the links in the navigation panel.

To see instructions for Microsoft mail servers, click here.
For Google Workspace mail servers, click here.
Or to see instructions for other mail servers, click here.
The instructions below are for Microsoft-based mail servers. To see instructions for Google Workspace mail servers, click here. Or to see instructions for other mail servers, click here.
The instructions below are for Google Workspace mail servers. To see instructions for Microsoft mail servers, click here. Or to see instructions for other mail servers, click here.
The instructions below are for generic mail servers. To see instructions for Microsoft mail servers, click here. Or to see instructions for Google Workspace mail servers click here.

Follow the simple, step-by-step instructions to configure your corporate email server to work with StayPrivate. The whole setup process should take around 5 to 10 minutes and will not disrupt your current email service in any way.

Please note that to use StayPrivate for business you need to have already signed up to StayPrivate with the organization domain.

1. Google Mail Server Access

You require administrator access to your Google mail server in order to configure it to work with StayPrivate:

Log into the Google Admin console at: https://admin.google.com
Select 'Apps'.
Select 'Google Workspace' and from the list, click on 'Gmail'.

If you do not have administrator access to your email server, please send the following link to your IT administrator and ask them to complete the setup:

2. Configure Host

To send encrypted emails, StayPrivate needs to be first added as a host:

Click on 'Hosts'.
Click on 'ADD ROUTE' to add a new mail route.
Enter the name: StayPrivate
In the 'Enter host name or IP' field enter sendsecure.stayprivate.com and in the numeric field next to it, enter the port number: 587
Click 'Save'.

3. Outbound Email

The next step is to add a rule so that the email server can identify which emails to send via the StayPrivate host.

Go back to the Gmail settings page by clicking on 'Settings for Gmail' near the top.
Scroll down to near the bottom and click on 'Compliance'. Then scroll down to 'Content compliance' and click 'CONFIGURE' (or if you already have a rule specified, click 'ADD ANOTHER RULE').
Under 'Content compliance' enter the text: Identify messages to send via StayPrivate
Under '1. Email messages to affect' select 'Outbound'.
Under '2. Add expressions that describe...' select 'If ALL of the following match the message'. Then click on 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Headers + body'.
Under 'Match type' select 'Contains text'.
Under 'Content' enter the text: #private|#sign
Click 'SAVE'.
Click 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Full Headers'.
Under 'Match type' select 'Not contains text'.
Under 'Content' enter the text: x-stayprivate-processed: true
Click 'SAVE'.
In '3. If the above expressions match, do the following' under 'Route' select 'Change the route'.
Click on 'Normal routing' and select 'StayPrivate'.
Then under 'Spam' select 'Bypass the spam filter for this message'.
Click on 'SAVE' bottom right.

4. Inbound Email

After processing, StayPrivate sends encrypted emails back to your corporate email server for delivering onto the recipient. The email server needs to be configured to accept and relay encrypted emails sent by StayPrivate:

Go back to the Gmail settings page by clicking on 'Settings for Gmail' near the top.
Scroll down to the bottom and click on 'Routing'. Under 'Routing' scroll down and under 'SMTP relay service' click 'CONFIGURE' (or if you already have a rule specified, click 'ADD ANOTHER RULE').
Under 'SMTP relay service' enter the text Receive from StayPrivate.
Under '2. Authentication' select 'Only accept mail from the specified IP addresses'. Then click 'ADD'.
Under 'Description' enter the text StayPrivate and under 'Enter IP address/range' enter the text: 18.130.40.2
Click 'SAVE'.
Under '3. Encryption' select 'Require TLS encryption',
Click on 'SAVE' bottom right.

5. Secure Replies

To ensure that direct replies from secure corporate domains are included in StayPrivate, incoming secure replies are identified and blind copied to server@stayprivatemail.com. This is achieved by adding a further compliance rule:

Go to the Gmail settings page by clicking on 'Settings for Gmail' near the top.
Scroll down to near the bottom and select 'Compliance'. Under 'Content compliance' click 'ADD ANOTHER RULE'.
Under 'Content compliance' enter: Send secure replies to StayPrivate
Under '1. Email messages to affect' select 'Inbound'.
Under '2. Add expressions that...' select 'ADD'.
Click on 'Simple content match' and select 'Advanced content match'. Then under 'Location' select 'Body'.
Under 'Content' enter #stayprivate-secure-reply then click 'SAVE'.
In '3. If the above expressions match, do the following' under 'Route' select 'Modify message'.
Under 'Also deliver to' select 'Add more recipients' then select 'ADD'.
Under 'Recipient address:' enter: server@stayprivatemail.com
Select 'SAVE'.
Finally, click on 'SAVE' bottom right. This is important - otherwise your changes may be lost.

That is it! StayPrivate will start working immediately.

6. Update SPF Record

Finally, to ensure delivery to all email clients, we recommend updating your SPF record.

Log into your DNS administration console and find the current SPF record - this is a TXT record and normally starts with 'v=spf1'. Add the text: include:stayprivatemail.com ip4:18.130.40.2 before the trailing '-all'.

OR, if you do not have an SPF record, add a new TXT record with the following content: v=spf1 a mx include:stayprivatemail.com ip4:18.130.40.2 -all

Follow the simple, step-by-step instructions to configure your corporate email server to work with StayPrivate. The whole setup process should take around 5 to 10 minutes and will not disrupt your current email service in any way.

Please note that to use StayPrivate for business you need to have already signed up to StayPrivate with the organization domain.

1. Microsoft Mail Server Access

You require administrator access to your Microsoft 365 account or mail server in order to configure it to work with StayPrivate:

From the Office 365 home page, in the left-hand menu, select 'Admin'.
In the left-hand menu, select 'Show all'.
Scroll down and under 'Admin centers' select 'Exchange'.

If you do not have administrator access to your email server, please send the following link to your IT administrator and ask them to complete the setup:

We recommend that you use the latest version of the Microsoft Exchange Admin Center. If you are using the 'Classic' Exchange Admin Center you can still follow the instructions below, but please be aware that there are one or two slight differences in wording and layout.

Instead of using the Admin Center, you can configure the email server directly using Exchange Online PowerShell. Click here to display the PowerShell instructions.

2. Outbound Email

The first step is to add a secure connector to the StayPrivate relay server:

In the left-hand menu, select 'Mail flow'. Then select 'Connectors'.
Click on '+ Add a connector'.
Under 'Connection from' select 'Office 365'. Under 'Connection to' select 'Partner organization'. Then click 'Next'.
Enter the name: Send to StayPrivate and ensure 'Turn it on' is selected. Then click 'Next'.
Select 'Only when I have a transport rule set up that redirects messages to this connector'. Then click 'Next'.
Select 'Route email through these smart hosts'. Then enter the domain name: sendsecure.stayprivate.com and click '+'. Then click 'Next'.
Ensure that 'Always use Transport Layer Security...' and 'Issued by a trusted certificate authority (CA)' are selected. Click 'Next'.
To validate the connector, enter the test email address support@stayprivate.com and click '+'.
Click 'Validate'. Office 365 will validate the new connector. This may take a minute or so. When it has finished, click 'Next'.
Click 'Create connector'.
Click 'Done'.

3. Inbound Email

Next add a secure connector to allow StayPrivate to send secure emails back to your corporate email server for delivering to the recipient.

In the left-hand menu, select 'Mail flow'. Then select 'Connectors'.
Click on '+ Add a connector'.
Under 'Connection from' select 'Your organization's email server'. Then click 'Next'.
Enter the name: Receive from StayPrivate
Ensure that 'Turn it on' is selected and click 'Next'.
Select 'By verifying that the subject name on the certificate….'. Then enter the text: *.stayprivate.com
Click 'Next'.
Click 'Create connector'.
Click 'Done'.

4. Create Rules

The next step is to add a rule so that the mail server can identify which emails to send to StayPrivate:

In 'Mail flow', select 'Rules'.
Select '+ Add a rule' and 'Create a new rule'.
Enter the name: Identify messages to send via StayPrivate
Under 'Apply this rule if' select 'The subject or body'.
Then, to the right, select 'subject or body includes any of these words'. Then type #private in the text field and click 'Add'.
Now enter #sign into the same text field and click 'Add' again. Then click 'Save'.
Under 'Do the following' select 'Redirect the message to'. Then, to the right, select 'the following connector'. Select 'Send to StayPrivate' and click 'Save'.
Under 'Except if' select 'The message headers...'. Then, to the right, select 'matches these text patterns'.
Click on 'Enter text' and enter x-stayprivate-processed in the box. Click 'Save'.
Just after 'message header matches' click on 'Enter words' and enter true in the box. Click 'Add'. Click to select the circle next to 'true' and click 'Save'.
Click 'Next'.
Ensure that 'Enforce' is selected, then click 'Next'.
Click 'Finish'. It may take a few seconds for the new rule to save.
Click 'Done'.

Next add a rule to ensure that secure emails are not incorrectly identified as spam:

In 'Mail flow', select 'Rules'.
Select '+ Add a rule' and then 'Bypass spam filtering'.
Enter the name: StayPrivate Allow
Under 'Apply this rule if' select 'The sender'. Then, to the right, select 'IP address is in any of these ranges or exactly matches'.
Enter 18.130.40.2 in the box. Then click 'Add'.
Tick the box next to 18.130.40.2. Then click 'Save'.
Click 'Next'.
Ensure that 'Enforce' is selected, then click 'Next'.
Click 'Finish'. It may take a few seconds for the new rule to save.
Click 'Done'.

5. Secure Replies

To ensure that direct replies from secure corporate domains are included in StayPrivate channels, incoming secure replies are identified and blind copied to server@stayprivatemail.com. Firstly, set up a new contact:

In the left-hand menu, select 'Recipients' then select 'Contacts'.
Select 'Add a mail contact'.
Under Contact type select 'Mail contact'.
Under 'Display name' enter: StayPrivateServer
Under 'Alias' enter: StayPrivateServer
Under 'External email address' enter: server@stayprivatemail.com
Click 'Next'.
Click 'Next' again, then click 'Create'.
Click 'Done'.

Now add a rule to ensure that secure emails are copied to server@stayprivatemail.com:

In the left-hand menu, select 'Mail flow' and select 'Rules'.
Select '+ Add a rule' and 'Create a new rule'.
Enter the name: Send secure replies to StayPrivate
Under 'Apply this rule if' select 'The subject or body'.
Then select 'subject or body matches these text patterns' and enter: #stayprivate-secure-reply
Click 'Add'.
Tick the box next to #stayprivate-secure-reply. Then click 'Save'.
Under 'Do the following' select 'Add Recipients' then, to the right, select 'to the Bcc box'.
Find 'StayPrivateServer' in the list and tick the box next to it. Click 'Save'.
Under 'Except if' select 'The message headers...'. Then, to the right, select 'matches these text patterns'.
Click on 'Enter text' and enter x-stayprivate-processed in the box. Click 'Save'.
Just after 'message header matches' click on 'Enter words' and enter true in the box. Click 'Add'. Click 'Save'.
Click 'Next'.
Check that 'Enforce' is selected, then click 'Next'.
Click 'Finish'. It may take a few seconds for the rule to be saved.
Click 'Done'.

6. Enable Rules

The penultimate step is to enable the rules:

In the left-hand menu, select 'Rules'.
Find the rule called 'Identify messages to send via StayPrivate'. Click on the word 'Disabled' next to the rule.
Click on the switch under 'Enable or disable rule' to enable the rule.
Click on the 'X' close button top right. It will take a few seconds for the rule to enable and the page to update.
Find the rule called 'StayPrivate Allow'. Click on the word 'Disabled' next to the rule.
Click on the switch under 'Enable or disable rule' to enable the rule.
Click on the 'X' close button top right. It will take a few seconds for the rule to enable and the page to update.
Find the rule called 'Send secure replies to StayPrivate'. Click on the word 'Disabled' next to the rule.
Click on the switch under 'Enable or disable rule' to enable the rule.
Click on the 'X' close button top right. It will take a few seconds for the rule to enable and the page to update.

That is it! StayPrivate will start working right away.

7. Update SPF Record

Finally, to ensure delivery to all email clients, we recommend updating your SPF record.

Log into your DNS administration console and find the current SPF record - this is a TXT record and normally starts with 'v=spf1'. Add the text: include:stayprivatemail.com ip4:18.130.40.2 before the trailing '-all'.

OR, if you do not have an SPF record, add a new TXT record with the following content: v=spf1 a mx include:stayprivatemail.com ip4:18.130.40.2 -all

Follow the simple, step-by-step instructions to configure your corporate email server to work with StayPrivate. The whole setup process should only take a few minutes and will not disrupt your current email service in any way.

Please note that to use StayPrivate for business you need to have already signed up to StayPrivate with the organization domain.

1. Mail Server Access

You require administrator access to your mail server in order to configure it to work with StayPrivate.

If you do not have administrator access to your mail server, please send the following link to your IT administrator and ask them to complete the setup:

2. Outbound Email

To connect with StayPrivate, outgoing secure emails need to be identified and relayed to https://sendsecure.stayprivate.com. For most email servers this means:

adding https://sendsecure.stayprivate.com as a host or connector;
creating a conditional routing rule to route emails to this host if the email has an external recipient and is not sent from the IP address 18.130.40.2.

If you are not able add the external recipient condition, you can simply route all emails through StayPrivate. StayPrivate will automatically ignore internal emails.

3. Inbound Email

StayPrivate sends secure emails back to the corporate email server for delivering onto the recipient. The corporate email server therefore needs to be configured to accept and relay secure emails sent by StayPrivate. You can identify secure emails in either of two ways:

by the sender IP address: 18.130.40.2; or
by the certificate used to sign the emails: *.stayprivate.com.

For alternative setup options, log into the admin dashboard at https://admin.stayprivate.com.

4. Secure Replies

To ensure that secure replies from secure corporate domains are included in StayPrivate, incoming secure replies should be identified and blind copied to server@stayprivatemail.com. For most email servers this is achieved by adding a compliance rule to add the above address to the 'bcc' field if an incoming email contains the text #stayprivate-secure-reply.

5. Update SPF Record

Finally, to ensure delivery to all email clients, we recommend updating your SPF record.

Log into your DNS administration console and find the current SPF record - this is a TXT record and normally starts with 'v=spf1'. Add the text: include:stayprivatemail.com ip4:18.130.40.2 before the trailing '-all'.

OR, if you do not have an SPF record, add a new TXT record with the following content: v=spf1 a mx include:stayprivatemail.com ip4:18.130.40.2 -all

StayPrivate is designed so that it can work with any Secure Email Gateway or Email Data Loss Prevention tool. It is also possible to create more advanced logic using native email server logic. For more information, see below.

Secure Email Gateway Integration

To ensure that StayPrivate works with an email gateway:

Firstly, follow the relevant instructions for either Microsoft, Google or Other.
Secondly, ensure that the outbound StayPrivate email is NOT routed through your email gateway. Please note that outbound emails are processed by StayPrivate then relayed back to your email server for final delivery, so the actual sent email will still pass through your email security gateway.

For further assistance, please contact us at support@stayprivate.com.

Email DLP Integration

You can use a DLP tool to decide which emails to send via StayPrivate:

Follow the relevant instructions for either Microsoft, Google or Other.
Go to your DLP tool and create the rules to determine which emails are sent via StayPrivate.
Ensure that the action triggered by these rules is to change the routing, so that the emails are sent to sendsecure.stayprivate.com.

For further assistance, please contact us at support@stayprivate.com.

Advanced Rules

StayPrivate can also be configured to automatically encrypt based on email content and/or recipient identity. For more information contact us at support@stayprivate.com. You can also use the native email server logic to create more complicated sending rules:

Firstly, follow the relevant instructions for either Microsoft, Google or Other.
Then on Microsoft 365, in the Exchange Admin Center, under 'Mail Flow' and 'Rules', you can either amend the 'Identify messages to send via StayPrivate' rule, or add further rules to redirect messages to the 'Send to StayPrivate' connector.
Or on Google Workspace, in 'Settings for Gmail', under 'Compliance', you can either amend the rules 'Identify messages to send via StayPrivate' or add further rules to route emails via 'StayPrivate'.

For further assistance, please contact us at support@stayprivate.com.