The EnforceEmailSecurityRecipients system configuration setting defines a list of email addresses for which encryption and/or signing is always enforced. Regular expressions can be used to match several addresses like
The sender and all recipients of each email should be configured to use the same encryption engine, either PGP or S/MIME. The system cannot mix them.
If encryption is enforced for an email recipient, all recipients of this email must have a public key or certificate in the system. The email must be encrypted for all recipients; otherwise this could be considered a security issue.
If more than one key and certificate exist in the system for the sender or a recipient (if enforced), this function selects the first valid certificate, unless another one has been previously specified in the user interface.
Sending the email will fail if the system cannot find all the enforced keys and certificates.
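The enforcement rules above can be modelled as a pre-send check. This is an added example, not the product's own code; the function names, the whole-address case-insensitive matching, the inclusion of the sender in the key check, and all addresses and patterns are assumptions constructed for illustration.

```python
import re

# Constructed sample data: enforcement patterns and a key store mapping each
# address to the engines for which a valid key or certificate is present.
PATTERNS = [r".*@secure\.example\.com", r"ciso@example\.org"]
KEYSTORE = {
    "agent@example.com": {"PGP", "SMIME"},
    "alice@secure.example.com": {"PGP"},
    "bob@example.com": {"PGP"},
    "carol@example.com": {"SMIME"},
}

def enforced(recipients, patterns):
    """Recipients that match an enforcement pattern.
    Assumption: whole-address, case-insensitive matching."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [r for r in recipients if any(c.fullmatch(r) for c in compiled)]

def check_send(sender, recipients, patterns=PATTERNS, keystore=KEYSTORE):
    """Return ("not_enforced", None), ("secure", [engines]) or ("fail", reason)."""
    if not enforced(recipients, patterns):
        return ("not_enforced", None)  # no recipient is on the enforced list
    parties = [sender, *recipients]
    # One enforced recipient makes key material mandatory for every party.
    missing = [a for a in parties if not keystore.get(a.lower())]
    if missing:
        return ("fail", "no key or certificate: " + ", ".join(missing))
    # PGP and S/MIME cannot be mixed: a single engine must cover everyone.
    common = set.intersection(*(keystore[a.lower()] for a in parties))
    if not common:
        return ("fail", "no single engine covers sender and all recipients")
    return ("secure", sorted(common))

if __name__ == "__main__":
    cases = (
        ["bob@example.com"],
        ["alice@secure.example.com", "bob@example.com"],
        ["alice@secure.example.com", "carol@example.com"],
        ["alice@secure.example.com", "dave@example.com"],
    )
    for rcpts in cases:
        print(rcpts, "->", check_send("agent@example.com", rcpts))
```

The third case fails even though every party has key material, because no single engine covers all of them; the fourth fails closed because one recipient has no key at all.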
If an agent uses a PGP key or S/MIME certificate in the system, the two-factor verification email can be sent encrypted. PGP is favored over S/MIME.
If this feature is configured, the two-factor authentication setup widget has an additional checkbox. If this checkbox is selected, the email containing the password token will be sent in encrypted form.