It looks like that's what I have done already and it will not work.  I am using the text "confidential" in the subject to filter on and it isn't working.

Isn't the screenshot I posted showing that?

I know the rest must be set up correctly since, if I change the filter to look for the text "confidential" in the body instead of subject, it works.

What does message tracking show for the mails that you have have tagged?  Are they being processed as IN or OUT --- and, do you have the content filter on the right Mail Policy?

-Robert 

OK,  All the examples I found had the brackets.  So, I thought the brackets were part of the requirements.

After removing the brackets and slashes, it worked.

:-)  cool - yea - for simplicity sake - usually we like to see a "tag" in the subject line - and it's easier sometimes for end-user education to do [SEND SECURE] $subject for people to understand --- also, using the []'s gives you a clear-cut "this is to be secure" vs. someone who is just nonchalant in typing "I got this confidential email" as their subject --- which then would trip the encryption aspect inadvertently.

Is only reason per my notes, and supportability that I like to prefer the [TAG] aspect.  But - each customer is their own, and allowed to implement as they see fit.

-Robert 

I have a similar problem. I want to differentiate some alerts sent by an appliance, by the subnet that's generating the alert, so that if the alert comes from let's say 172.29.10.0/24 i want some recipients to receive the e-mails, but if the subnet is 172.29.20.0/24 i want ESA to modify the recipient and send it to other recipients. The ip addresses are in the message body of the e-mail sent to the ESA.

I added a content filter which looks into the mail body for specific expression: only-body-contains("Computer IP: 172.29.10.", 1)  and if it matches condition should take action to change recipient and send it further..

But somehow it doesn't work.

What i did wrong? What do i miss?

Thanks!

Ionut