Domain-Specific Delivery Exceptions
For individual domains, you can specify delivery options that differ from the outbound IP default.
The Email Security product executes a connection test for each domain exception. The test initiates an SMTP session on the Administrator Dashboard server with the destination domain's mail server and attempts to establish an encrypted session. If the test fails, an exclamation point (!) displays to the left of the domain name. Click the exclamation point to show details of the error, including the error message and error code.
To use TLS in place of SMD, the domain must be added to the Delivery Exceptions list with Encryption set to Always Encrypt
If the error is a certificate validation error, you can view the certificate and elect to trust it. If you do so, the encryption type changes to Manual. Click the triangle next to View Certificate to expand the window. Click the triangle again to contract the view.
To configure domain-specific delivery exceptions for outbound mail:
Manage >> Outbound IPs >> {Outbound IP}
| 1. | In the Routing and Session Management section, click the add icon  next to Add Delivery Exception |
| 2. | In the Domain text box, enter the name of the domain exception. The expression *.domain.com will cover all sub-domains for the specified domain. |
| 3. | For the Route, select the second radio button and enter the host name or IP address in the text box. |
| 4. | From the Encryption drop-down list, select the encryption option. |
|
Option |
Description |
|
Never Encrypt |
Transport Layer Security (TLS) is never attempted during the session. |
|
Attempt to Encrypt |
If an encryption session cannot be established, the message is sent in the clear. |
|
Always Encrypt (any certificate) |
Accepts any certificate from the gateway. |
|
Always Encrypt (valid certificate) |
Accepts any valid, non-expired, certificate that has the proper form and syntax. |
|
Always Encrypt (trusted certificate) |
Accepts only certificates issued by a trusted Certificate Authority (CA), there is a complete chain to the CA, and the host name is not an IP address. |
|
Always Encrypt (check hostname) |
The certificate is trusted and contains the listed hostname. |
| 5. | If you select Always Encrypt (check hostname), another text box opens. Enter the hostname to locate the CN or SAN fields of the certificate. |
| 6. | If you want this domain to be exempt from special routing, select the checkbox. |
| 7. | Click OK. |