Hi @EvieLynch,
Welcome to Microsoft Q&A, and thank you very much for reaching out to us.
Based on your description, it sounds like you've configured a connector and a journal rule scoped to your full tenant, using the JFA domain under “Only when messages are sent to these domains.” This setup appears to successfully bypass threat protection, but not encryption, preventing your compliance archiving platform from receiving decrypted email content. Therefore, you've asked whether it's possible to send decrypted emails via journaling, without disabling encryption tenant-wide.
As a Microsoft Q&A moderator, I don’t have access to your tenant-specific configuration, but I’ll do my best to assist using publicly available documentation and guidance.
Based on my research, you can either:
Enable Journal Report Decryption: You or your Admin can configure Exchange Online to include a clear-text copy of IRM-protected messages in journal reports, provided the encryption originates from within your organization. Note that this does not decrypt messages encrypted by external organizations.
To enable this:
Open PowerShell and connect to Exchange Online (please note that the Exchange PowerShell Module must be installed first in order to connect to Exchange Online services in PowerShell):
Connect-ExchangeOnline
Run the following command:
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
Please note that journal report decryption does not currently support the explicit use of OME branding templates. If encryption is applied via a mail flow (transport) rule using a custom OME template, the journal report will not contain a decrypted copy.
For more information, you can check this Microsoft Article here.
Use Mail Flow Rules to Exclude the Journaling Domain from Encryption:
You or your administrator can configure a mail flow rule in the Exchange Admin Center to exclude your journaling domain from encryption:
- Go to Exchange Admin Center > Mail Flow > Rules
- Create a rule (e.g., “No Encryption to Journaling”)
- Set the condition to match your journaling domain (e.g., journal.yourdomain.com)
- Modify the message security settings to remove Office 365 Message Encryption

This ensures that emails sent to your journaling domain remain unencrypted, even if encryption is applied elsewhere. For more information and detailed instructions, you can review this Microsoft Article here.
Additionally, you can configure domain exclusions in Microsoft Purview’s Insider Risk Management settings. This allows you to define global exclusions for specific domains, such as your internal journaling domain, so that activities involving those domains do not trigger compliance or encryption policies. This is especially useful when you want to ensure that journaling traffic is exempt from unnecessary encryption enforcement while maintaining broader tenant-wide protections.
Feel free to try out the suggestions I’ve shared, and don’t hesitate to reach out if you have any updates, follow-up questions, or need further clarification. I’d be happy to assist you further.
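The following is an added example, not part of the original answer or of Microsoft's documentation: a PowerShell check for the first option that reads the IRM setting back after changing it and lists the mail flow rules affected by the OME branding template caveat. It assumes the ExchangeOnlineManagement module is installed, the signed-in account can manage IRM and mail flow settings, and that a rule's `ApplyRightsProtectionCustomizationTemplate` property is populated when it applies a custom branding template.

```powershell
# Added example (not from the original answer).
# Assumption: ExchangeOnlineManagement is installed and the account has
# rights to manage IRM configuration and view mail flow rules.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Record the current state before changing anything.
$before = (Get-IRMConfiguration).JournalReportDecryptionEnabled
Write-Host "JournalReportDecryptionEnabled before change: $before"

# 2. Enable journal report decryption only if it is off, then read it back.
if (-not $before) {
    Set-IRMConfiguration -JournalReportDecryptionEnabled $true
}
$after = (Get-IRMConfiguration).JournalReportDecryptionEnabled
if (-not $after) {
    Write-Warning "Journal report decryption is still disabled; check role assignments."
}

# 3. Show which journal rules will receive the clear-text copies, so the
#    destination mailbox can be confirmed as the intended archive.
Get-JournalRule |
    Format-Table Name, Enabled, Scope, Recipient, JournalEmailAddress -AutoSize

# 4. Flag mail flow rules that apply a custom OME branding template.
#    Per the caveat above, messages encrypted by these rules will not
#    have a decrypted copy in the journal report.
$branded = Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionCustomizationTemplate }
if ($branded) {
    Write-Warning "Rules using a custom OME branding template (not decrypted in journal reports):"
    $branded | Format-Table Name, State, ApplyRightsProtectionCustomizationTemplate -AutoSize
} else {
    Write-Host "No mail flow rules apply a custom OME branding template."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Because this setting places clear-text copies of protected mail in the journaling destination, confirm the addresses listed in step 3 before relying on it.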