Securing Email in the Cloud Without Losing Control:
A Quick Guide for Administrators

Onboarding Mechanics

Consolidating Control

Admins of Echoworx Email Encryption don’t need to become coders or spend weeks writing policies. You want a platform that fits into your setup, not the other way around. Our approach is straightforward: we take your requirements and do the initial setup, including the mail flow back to your gateway. Your team adds the rules on your edge gateway to route messages needing encryption to Echoworx, triggered either by DLP policies or user action (think simple subject tags like [encrypt]).

Before anything goes live, we walk everything through a UAT sandbox. You have the chance to test each mail path, check that rules work as expected, and iron out any bumps before switching over. It’s a chance to make sure things work in practice not just on paper.

Key Takeaways:

• Tell us your requirements; we handle the complex configuration.
• Use simple edge gateway rules to route encrypted traffic.
• Validate all mail flows in a dedicated UAT environment.

Branding Globally

Reducing Compliance Risk, User Confusion, and Support Burden

Branding inside Echoworx goes far beyond picking a logo or color; it’s about owning the end-to-end experience for every user, in every region, on every device. Multinational organizations especially need flexibility as they juggle different brands, delivery portals, and compliance requirements. The real power here is in the ability to tailor not just the look, but how your secure communications actually feel to users across the globe.

For administrators, this means less manual headache and more assurance that every communication looks, reads, and feels like it’s truly coming from your organization.

Total Brand Customization

Admins have full visual control, right down to exact colors, graphics, and text so every portal, notification, or secure message aligns with your brand guidelines. Want to go deeper? You can use custom CSS and HTML to shape buttons, portals, help pages, and notifications. User touchpoints don’t just match your brand; they reinforce it everywhere your users interact.

Branded Pickup Portals and Vanity Domains

Pickup portals can be branded to look and feel like your company’s own digital space, not a third-party service. With vanity domains, every secure email link comes directly from an address and URL you control, which keeps brand trust intact and reduces any recipient confusion or phishing concerns. Every device, including mobile, offers a seamless, branded experience.

Modern Rich Text Engine and Authenticator Names

Admins can set up modern compose and reply editors, controlling things like fonts and message formatting for clearer communication. Even small touches—like how your organization appears in authenticator apps—can be rebranded, removing generic labels and keeping everything clearly “you.”

Global Communication and Language Support

Branding isn’t just about visuals; it’s also about speaking the right language. With support for over two dozen global languages, every user receives notifications and portal access in the language that best suits them. Recipients can save their preferred language, or admins can automate language choice by sender or recipient. Templates are localized for regional norms to keep things clear and consistent, regardless of where an email is opened.

Automation to Keep Branding Consistent

Admins often worry about drifting brand standards as systems scale. Here, automated branding ensures every template, from welcome emails to password resets, is deployed with the correct look and feel based on rules you choose by brand, geography, or business unit. Notifications, disclaimers, terms of service, and more are all centrally managed for consistency, so manual effort and errors drop out of the equation.

Privacy and Accessibility Considerations

When regional privacy policies change or compliance needs shift, updates can be made across branded portals and notifications quickly. All customer-facing portals are designed with accessibility in mind, meeting modern WCAG standards to ensure everyone including users with disabilities can easily navigate secure messages.

Key Takeaways:

• Customize delivery methods based on data sensitivity and recipient needs.
• Support multiple distinct brands under a single, unified platform.
• Align all custom portals with localized privacy and compliance laws.

Key Management Strategy

Uncompromising Control

Managing encryption keys and certificates is one of the trickier, ongoing realities for admins. It’s not just about having the right keys in place, it’s about keeping operations smooth, minimizing emergencies, and giving your team as much control as possible. With Echoworx, you get per-customer certificate segregation, which means your keys and credentials are kept strictly separated from everyone else’s, removing conflicts and “wrong key” headaches. You decide which LDAP directories to use for recipient lookups, optimizing how the system retrieves the right certificate for every case.

We support both S/MIME and PGP, with automated processes for retrieving and renewing certificates (including integrations with trusted providers like DigiCert and SwissSign). If a user’s certificate is nearing expiration, we can trigger auto-renewal no surprise disruptions or lapses in secure email. The platform allows you to generate or import keys as needed, and recipients can upload their own certificates if required. For organizations with strict governance needs, features like Manage Your Own Encryption Keys (MYOK) let you control creation, rotation, and overall key lifecycle from your end, powered by modern cloud security like AWS KMS and hardware-backed HSMs.

Everything is built with compliance and data sovereignty front and center. If regulations shift, you stay ready. Advanced controls let you rotate keys immediately in response to a potential issue no outside help required, no waiting. The platform meets the standards for things like GDPR, DORA, NIS2, and other regulatory frameworks, so you’re covered on both the operational and audit fronts.

When it comes to certificate-based encryption, the tools are designed to move you from firefighting to forward planning: making sure valid keys are always available, reports are always up to date, and you can demonstrate compliance at a moment’s notice. The result: key management that’s practical and predictable, not a source of stress.

Key Takeaways:

• Rely on HSM-backed infrastructure for supreme key security.
• Integrate seamlessly with your existing KMS environments.
• Maintain the power to rotate keys instantly and independently.

Modern Outlook Add-in

Supporting a Smooth User Experience

Traditional COM add-ins have a reputation for being finicky. They tend to crash, overlap, and send support tickets piling up. The move to the modern Outlook add-in shifts things for the better. It deploys directly through Microsoft 365—just pick your user groups in the admin center and roll it out. The add-in shows up where it’s supposed to, across Outlook Web and desktop. This way, you’re keeping things simple for end users and giving your help desk a break.

Customization goes further too

Admins can adjust the menu options and behaviors in the add-in, tailoring them to your organization’s business policies and common workflows, such as setting a shared passphrase or choosing attachment-only encryption.

Phased rollouts are also simple

Deploy first to a pilot group, collect feedback, and then roll out to the wider team once everyone’s confident. If an older COM add-in is still present, the modern version automatically disables itself to avoid confusion, keeping things tidy for everyone.

Key Takeaways:

• Deploy instantly using native M365 user group definitions.
• Ensure consistent experience across Windows, Mac, and Web.
• Automatically suppress legacy add-ins to prevent user friction.

Visibility and Reporting

Putting Information in Your Hands

Visibility starts with access and for administrators, how you get into the system matters. Echoworx lets you control how admins log in using self-serve OpenID Identity Provider settings. This means you can configure Single-Sign-On (SSO) with your organization’s existing corporate Identity Provider, so admins don’t need to juggle new passwords or separate accounts just for this platform. Everything stays tied to your own access standards, keeping things consistent and reducing password fatigue and risk of security gaps.

Centralized authentication makes it easy to add or remove admin access as team members change, and you can enforce your company’s policies for authentication methods and password requirements right from your existing dashboard. This is a straightforward way to maintain control across the platform and any territory you operate in.

With the right access in place, admins have direct entry to the Echoworx console. There, you can pull log files, configure audit feeds, and get granular details about message delivery, account activity, and certificate management. Data can also be pushed directly into your SIEM platform or collected via secure APIs so whether it’s a compliance audit or tracking down a user issue, you have what you need, when you need it.

Key Takeaways:

• Configure admin access with self-serve OpenID SSO, integrating with your corporate Identity Provider.
• Centralize and enforce access controls using your internal authentication policies.
• Feed every admin action and message log directly into your SIEM via secure APIs.
• Track, trace, and report on message activity through the admin console.
• Manage user access and certificates dynamically to maintain strict security posture.

Download Guide