VIPRE Security Knowledge

Guided Setup of SafeSend Cloud

Super Administrator

Written By Marissa Fegan (Super Administrator)

Updated at April 30th, 2026

Table of Contents

Prerequisites Access SafeSend Cloud Connect your Microsoft Tenant [BETA] Selecting a SafeSend Cloud Manifest SafeSend Cloud: Policies SafeSend Cloud: Data Loss Prevention (Rulesets) Deploying SafeSend Cloud Next Steps

Sending an email to the wrong person or attaching a sensitive file by mistake can happen in an instant. VIPRE SafeSend Cloud helps eliminate these common but risky errors, by intelligently prompting users to verify external recipients and attachments, adding a simple but powerful layer of security to your email workflow.

This guided setup applies only to SafeSend Cloud. If you are using any version of SafeSend Self-Hosted, please navigate to the SafeSend Self-Hosted guide instead.

 

Ready to get started? You're in the right place. This guide will lead you through the deployment process from start to finish. If you'd like to learn more about its features first, we invite you to check out our product overview and comparison chart.

Prerequisites

Before you install SafeSend Cloud add-in for Outlook, please verify that you have all of the required prerequisites listed here.

  • Verify that your organization meets the System Requirements
  • Ensure you have access to your organization's Microsoft tenant with Global Admin or Privileged Role Admin login credentials

Access SafeSend Cloud

SafeSend Cloud is hosted within the VIPRE Symphony portal. If you currently access other VIPRE products via the portal URLs listed below, your account is already configured, and you may skip steps 2 through 4.

  1. Navigate to the appropriate access URL for your region
    1. North America: https://security-na.threatsecure.com
    2. Europe: https://security-eu.threatsecure.com
  2. Click Forgot password? 
  3. Enter the email address you used to subscribe to SafeSend Cloud and follow the prompts to set your password
  4. Upon your first login to the VIPRE Symphony portal, you will be prompted to configure Two-Factor Authentication (2FA); you can complete this setup using either SMS or an Authenticator app

Connect your Microsoft Tenant

  1. When you successfully log in to the SafeSend Cloud web console for the first time, you will see the "Start your account configuration" screen; click the Connect button to begin the integration process
  2. You will be redirected to the Microsoft "Pick an account" page; select the Global Administrator or Privileged Role Administrator account for the tenant you wish to protect
  3. Once signed in to your Microsoft tenant, you will see a list of APIs for which SafeSend is requesting permissions; review the requested list and select Accept

SafeSend Cloud requires a mix of Delegated and Application permissions to manage user identity and interact with email metadata for Data Loss Protection (DLP) scanning. You can preview a detailed list of requested permissions below:

API / Permission Name

Type

Description

Calendars.ReadWrite.Shared

Delegated

Read and write user and shared calendars

email

Delegated

View users' email address

Files.ReadWrite

Delegated

Have full access to user files

Group.Read.All

Delegated

Read all groups

Group.Read.All

Application

Read all groups

Mail.ReadWrite.Shared

Delegated

Read and write user and shared mail

offline_access

Delegated

Maintain access to data you have given it access to

openid

Delegated

Sign users in

profile

Delegated

View users' basic profile

User.Read

Delegated

Sign in and read user profile

User.Read.All

Application

Read all users' full profiles

User.ReadBasic.All

Delegated

Read all users' basic profiles
 

Next Step: Selecting a Manifest

 
 

[BETA] Selecting a SafeSend Cloud Manifest

How your SafeSend Web add-in behaves during a network interruption isn't random. It is dictated by the manifest you choose. SafeSend Cloud provides two pre-configured manifests to control security policies, offline access, and connectivity rules. Understanding the differences is key to ensuring a seamless and secure experience for your users.

SafeSend Cloud Manifest Configuration Options

Choosing the right manifest depends on your organization's security posture, user workflow, and compliance needs. 

Warning

Due to Microsoft's email system propagation processes, any changes to your manifest deployment option can take up to 72 hours.

 

Enforced Protection Mode

Choose this if your organization is seeking a balance between robust security and practical usability.

This manifest is the best-of-both-worlds solution. It enforces your security policies to prevent accidental data loss but is designed to handle common issues like network interruptions gracefully, ensuring users remain productive. It provides real security without the heavy-handed restrictions of the strictest mode. 

  • Ideal for: A general deployment across most of your users
  • User Experience: Secure and reliable, with built-in safeguards
  • Core Benefit: Enforces security rules while maintaining a smooth workflow

User Experience

Emails are checked as you're composing. If a review is needed, tips are provided at the top of the email and within the task pane asking you to Review. (Clicking Dismiss only dismisses the tip, not the need to review.)

  • In the event of a loss of connectivity to SafeSend, end users will still be able to click Send Anyway and bypass SafeSend
  • End user is unable to use Outlook Offline Mode

User Prompt Mode

Choose this if your primary goal is to educate users and foster security awareness with minimal disruption.

This manifest acts as a helpful "guardrail" rather than a locked gate. It alerts users to potential issues with their email but ultimately trusts them to make the final decision. It's the best choice for organizations that prioritize workflow speed and user autonomy while still encouraging secure practices. When using in Outlook Offline Mode, 

  • Ideal for: Organizations with a strong culture of trust
  • User Experience: Lowest friction; policies are advisory
  • Core Benefit: Promotes awareness without blocking productivity

User Experience

Emails are checked as you're composing. Tips are provided in the task pane asking you to Review or Send. When the end user clicks Send without reviewing, these three choices come up every time: Send Anyway, Review, or Don't send. 

  • In the event of a loss of connectivity to SafeSend, end users will still be able to click Send Anyway and bypass SafeSend
  • In Outlook Offline Mode, end users can hit Send and the email will wait in the Outbox and send automatically upon reconnection to the internet, bypassing SafeSend (acting as if there is no add-in)

Manifest Configuration Comparison 

Manifest Config Mode Online Behavior Behavior in Outlook Offline Mode Behavior if SafeSend server is unreachable
Enforced Protection Mode Emails are checked as you're composing. If a review is needed, tips are provided at the top of the email asking you to Review.

Email Blocked

  • Dialog box states SafeSend cannot process email - Click OK
  • Dialog box asks to save changes - Click X
  • Email is saved to Draft folder

Bypasses SafeSend

  • Click Send Anyway sends email without review
User Prompt Mode Emails are checked as you're composing. Tips are provided in the task pane asking you to Review or Send. When the end user clicks Send without reviewing, these three choices come up every time: Send Anyway, Review, or Don't send. 

Bypasses SafeSend

  • Click Send
  • Email waits in Outbox folder until Internet connectivity is reestablished

Bypasses SafeSend

  • Click Send Anyway sends email without review

Still unsure? Click Get Help within the SafeSend Cloud admin console to request additional assistance.

Next Step: Configure Policies

 
 
 

SafeSend Cloud: Policies

In the SafeSend Cloud admin console, you gain centralized control over your entire organization's email security. This is where you configure your desired policies, rules, and user assignments. Each SafeSend policy provides comprehensive, per-policy control over critical settings, such as Global and Advanced settings, Data Loss Prevention (DLP), Encryption, and Override Text Strings.

Create a Policy

Before you create any custom policies, there is a Default Policy that you can use as-is, or as a starting point to customizing your own policy, by clicking Clone. You might want to do this if you need a functional template quickly. Cloning saves you from manual data entry by pre-populating the standard rules, so you only have to focus on the unique changes your team requires.

If you prefer to configure your policy options from scratch, the following instructions will walk you through the process step-by-step. These steps assume you are already logged in to the SafeSend Cloud web console. 

To create a new policy:

  1. Navigate to Manage > Policies > + Add Policy
  2. Name your policy in a way that appropriately describes it and click Save
  3. Once your policy is created, find it in the list and click the name of the newly created policy to open and configure it
  4. Review the table below to learn about policy options
Policy Option Description
Global

Under Global, you'll see where you can edit the policy name and optional description.

 

Other options include:

  • Enable SafeSend in Outlook for Mac, Outlook for Windows, or Outlook Web Access; these are all disabled by default
  • Safe Domains allows you to specify the domains that SafeSend should trust
    • Listing a domain (e.g., mycompany.com) makes all its sub-domains safe (e.g., it covers name@mycompany.com and name@research.mycompany.com)
  • Bypass SafeSend when email is from allows you to specify what email addresses are considered safe for your organization 
  • Include Email-X-Header adds the ‘x-header: SafeSend' to all emails to verify that all computers have SafeSend installed; this setting is disabled by default
  • Add customized footer to all email messages; this setting is disabled by default
  • Unencrypted Attachments determines the action SafeSend should take when these  are detected; this is set to Ignore by default
  • Block Sending adds forbidden email addresses to prevent delivery to specific email addresses
  • Block sending to distribution lists; this is disabled by default
  • Confirm attachments to all external email addresses; this is disabled by default
  • Confirm all emails sent to external email addresses; this is enabled by default
  • Confirm internal emails on multiple domains; this is disabled by default
  • Confirm external emails to multiple domains; this is disabled by default
  • Add internal email addresses that you want SafeSend to treat as though they are external email addresses

 
Advanced

Under Advanced, you'll find the following options:

 

  • Warn user if recipient CC or BCC count exceeds a specific number set by your admin; this is set to 0/disabled by default
  • Enable recipient attachment removal, allowing the end user to remove individual recipients or attachments; this is enabled by default
  • Confirm attachments that are being sent to internal recipients; this is disabled by default
  • Popup for BCC warning displays the SafeSend popup when there are email addresses in the BCC field; this is enabled by default
  • Popup for matching recipients regular expression string displays the SafeSend popup for matching recipients regardless of other configurations
  • Treat matching Exchange distribution list names as external ignores that the added distribution lists have internal/safe domains and SafeSend scans those emails
  • Enable safe domains list as block list instead of allow list; this is disabled by default
DLP

DLP (Data Loss Prevention) scans emails and attachments for specific client keywords or regular expressions, then requires user confirmation before the email is sent. 

 

Policy-based DLP settings include:

 

  • Client keyword disable confirm is used if you don't want to require your users to type CONFIRM when there are Client Keyword matches; this is disabled by default
  • Content scanning maximum file size allows you to limit the size of attachments that will be scanned by SafeSend's DLP feature; this is set up 10MB by default and is written in bytes
  • Content scanning timeout allows you to edit the default timeout value for SafeSend's content scanning feature; this is set to 30 seconds by default and is written in milliseconds
  • DLP scan password protected attachments prompts users to provide the password for attached zip files so that SafeSend can scan the contents of the protected attachment; this is enabled by default
  • Enable including matched text in reports shows DLP match results from all reports to avoid exposing sensitive information; this is enabled by default

To read more about Data Loss Prevention, including the complete process to configure and manage DLP rulesets, visit SafeSend Cloud: Data Loss Prevention (Rulesets).

 
Encryption

SafeSend provides the trigger mechanism to initiate encryption based on your business rules. Your organization must still provide and maintain its own encryption service to secure the actual message.

 

Encryption options include:

  • Ask to encrypt when email has determines if SafeSend prompts for encryption based on specific message content
  • User’s default encryption choice sets the pre-selected action presented to the user during the send process
  • Trigger: Subject Prefix defines a specific word or tag in the subject line that automatically enables encryption
  • Trigger: X-Header identifies a specific metadata header used to signal that the email requires encryption
Strings

Under Strings, you can override any text string that applies specifically to the assigned users in your policy. 

  • Policy link provides a URL to the organization's official email or privacy policy for user reference
  • Enable localized language allows the SafeSend interface to automatically adjust based on the user's regional settings
  • Force language ensures the interface remains in one specific language regardless of the user's system locale
  • String Overrides permits the customization of specific text elements or labels within the SafeSend prompt

 
  1. When you are done configuring your policy, click Save at the top

Next Step: Configure DLP Rulesets

 
 

SafeSend Cloud: Data Loss Prevention (Rulesets)

Using rulesets, VIPRE SafeSend Cloud can prevent sensitive information from being sent out to the wrong client. DLP (Data Loss Prevention) scans emails and attachments for specific client keywords or regular expressions, then requires user confirmation before the email is sent.   

There are three important features associated with DLP:

  • Client Keyword/Domain Scanning allows you to identify a set of client keywords or regular expressions and associate those with a set of client domains or individual email addresses
  • DLP Content Scanning presents sensitive content to the user, allowing the user to determine if the email should be blocked or sent with additional confirmation
  • DLP Scan Password-Protected Attachments allows SafeSend to detect password-protected .zip files and prompt the user to add the password and decrypt the file so it can scan the attachment

Create a DLP Ruleset

  1. Navigate to MANAGE > Rulesets
  2. Click +Add Ruleset in the top right corner
  3. Name your ruleset and click Save
  4. Find your newly created ruleset in the list then click the name to open it

Content Scanning Rules

  1. To add a content scanning rule, click +Add Rule under Content Scanning Rules
    1. Name your content scanning rule
    2. Select from the following actions in the dropdown box: Inform, Confirm, ConfirmText, Deny
      1. Confirm is the default selected action
    3. Choose the content type: All Support Files, All Except PDF, or Specific File Types
      1. If selecting Specific File Types, a box will appear allowing you to select all desired file types you want DLP to scan
    4. Write a regular expression (also known as regex)
      1. If you need assistance, you can do an Internet search for a regex generator or use an AI model to help create a regex
      2. For the purposes of this example, in the screenshot below, we used AI to generate a regex to look for social security numbers, but you can also use it to look for things like credit card numbers, national insurance number, and other sensitive data types
    5. Test your regex by adding test strings to match and test strings to NOT match
      1. Green indicates the test passed; Red indicates the test failed
    6. When done, click OK at the bottom 

Pro Tip: Using Test Strings for DLP Rule Management

The Test Strings feature is an essential, built-in Regex tester that saves your input for future rule modifications. Using it can drastically improve your workflow:

Scenario 1: Immediate Validation

  • When creating a new DLP rule, use the Match and Not Match sections to immediately test your regular expression (regex) right inside the editor; this ensures your rule is accurate before deployment

Scenario 2: Future Proofing Modifications

  • If a rule needs to be updated (e.g., due to false positives from product numbers being flagged as PII) months after deployment, you can easily use the saved test strings to quickly test your regex modifications and confirm the change fixes the issue without breaking the rule's original intent; this avoids the need to find an external online tester and rebuild test data from scratch
 

Client/Keyword Domain Rules

  1. To add a client/keyword domain rule, click +Add Rule under Client/Keyword Domain Rules
    1. Add any keywords you want SafeSend to look for
    2. Add any domains or email addresses you want to associate with the above keywords
    3. Alternate Text Domain replaces the visual representation of specific domains with your preferred display text
    4. Click OK 
  1. To link a policy to your DLP ruleset, locate the desired policy in the Not Linked column and drag it over to the Linked policy
  2. Click Save at the top

To manage an existing DLP ruleset

  1. From within the SafeSend Cloud console, click on Manage > Rulesets
  2. Select the desired existing ruleset from the list by clicking on the name
  3. On the left side of your screen, you can edit existing content scanning rules or client/keyword domain rules by clicking on the pencil icon in the same line as your rule
  4. On the right side of your screen, you can change the policy associated with your ruleset by dragging the policy between Linked and Not Linked; you can also link rulesets to a policy within the DLP setting under Policies

For complete details on SafeSend Cloud policies, including additional policy-based DLP settings, navigate to: SafeSend Cloud Policies.

Next Step: Assign Users to Policy

 
 

 

These users and groups will be auto-populated from Microsoft Entra ID. Any groups you want to create specifically for SafeSend should be created in Entra ID first.

 
  1. Navigate to MANAGE > Assignments, then the +Add Assignment button
  2. Name your assignment, then choose a policy from the dropdown menu
  3. To assign specific users or groups to the chosen policy, click Add Users and/or Add Groups
  4. Click Save

Next Step: Deploy SafeSend Cloud

 
 

Deploying SafeSend Cloud

With VIPRE SafeSend Cloud, you can deploy to your whole organization or individual users. 

Please note that these instructions assume you have already selected and downloaded your manifest file. If you have not yet done this, please refer to Selecting a SafeSend Cloud Manifest.

The following steps involve navigating third-party interfaces. While these instructions are accurate at the time of publication, vendors frequently update their user interface (UI) and menu layouts. Please use this guide as a reference for the specific VIPRE data and configurations required; the exact navigation paths within the third-party application may vary slightly.

 

From within the Microsoft 365 Admin Center, upload your manifest file by navigating to Settings > Integrated Apps > Upload Custom App > Office Add-in.

Do you want to deploy SafeSend to your entire organization or only to specific users/groups?

Specific Users/Groups

Instead of a global rollout, you can target specific individuals or groups for testing or phased deployment.

  1. In the Add users section, select Specific users/groups
  2. Use the search field to find the users or security groups you wish to include
  3. Confirm the users appear in the "To be added" list 
  4. Click Next
  5. On the Accept permissions requests screen, click Accept permissions
  6. A Microsoft login window will appear; sign in with your administrator credentials and click Accept to grant SafeSend the necessary access to mail and profile data
  7. Once the status shows Permissions accepted, click Next
  8. Review your deployment settings and click Finish deployment

The system will display "Deployment in progress." Once finished, you will see a Deployment completed message. Click Done to return to the Integrated Apps list, where VIPRE SafeSend should now be listed as “Enabled.”

Deployment can take up to 72 hours to fully propagate across the Microsoft 365 environment. Users may need to restart Outlook.

 
 
 

Entire Organization

  1. Select the Entire organization radio button to ensure all users receive the add-in automatically
  2. On the Accept permissions requests screen, click Accept permissions
  3. A Microsoft login window will appear; sign in with your administrator credentials and click Accept to grant SafeSend the necessary access to mail and profile data
  4. Once the status shows Permissions accepted, click Next
  5. Review your deployment settings and click Finish deployment

The system will display "Deployment in progress." Once finished, you will see a Deployment completed message. Click Done to return to the Integrated Apps list, where VIPRE SafeSend should now be listed as “Enabled.”

Deployment can take up to 72 hours to fully propagate across the Microsoft 365 environment. Users may need to restart Outlook.

 

 

 
 

 

 

 

 

 

Next Steps

Congratulations! SafeSend Cloud has now been deployed and is ready for use. To further customize your environment or begin monitoring activity, explore the following resources:

 
 
 
 
 

 

Related Articles

Guided Setup for SafeSend Web Add-in v6.0+

Sending an email to the wrong person or attaching a sensitive file by mistake can...