Workflow Engine

Rule-based Email Automation


Why a Workflow Engine?

Businesses, critical infrastructures (KRITIS), clinics, research institutions, authorities and suppliers that exchange sensitive data via email must meet the highest compliance and security requirements (such as GDPR or NIS2).

The workflow engine of mail:u secure forms the heart of mail processing. It provides highly flexible rules that route every inbound and outbound message to the portal, convert it into an encrypted PDF, create an encrypted ZIP file, or sign and/or encrypt it via S/MIME or PGP.

Intelligent Email Processing

Revisions and Simulations

The mail:u secure engine offers maximum security and flexibility through a well-thought-out configuration concept:

  • Secure change management through revisions: All rules, groups and key sources are managed in versioned revisions (drafts). This allows you to prepare changes at your own pace, export/import them, and publish them live only when needed.
  • Risk-free test mode: A dedicated test mode allows defined rule revisions to be executed specifically for certain sender addresses or domains only (with detailed log levels for troubleshooting), without affecting the productive mail flow.
  • Integrated simulation: The simulation feature lets you upload existing emails (.eml) or manually enter parameters such as sender, recipient and subject to verify that your rules are triggered correctly.
  • Group-based logic: Combine domains, subdomains or specific email addresses into groups to keep your workflows clear and scalable.

How the Engine Works: The Condition Catalogue

The engine evaluates emails based on freely combinable conditions. Actions are only executed when the communication context exactly matches your specifications:

Cryptographic & Access Checks:

  • Can encrypt / Can sign: Checks whether valid key material (S/MIME or PGP) is available for the recipient/sender.
  • Has portal access: Identifies whether the recipient already has access to the secure web portal.
  • Has PDF password: Checks whether a password for password-protected PDF delivery is stored in the database.

Email Property Checks:

  • Check header & header address: Evaluates any email header (e.g. subject tags like **secure). The check can be performed via exact matches, search patterns or regular expressions (regex).
  • Flags: Detects security attributes of the message, e.g. whether it is already encrypted, signed or cleanly parseable.
  • Has attachment: Identifies attachments specifically by Content-Type expressions (regex).
  • Has calendar: Specifically detects calendar entries (.ics).
  • Has MX: Checks in advance whether a target server is configured for the recipient's domain.
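
The header, attachment, calendar and encryption-flag checks listed above, sketched in Python as an added example. This is not mail:u secure code or its rule syntax; the function names, the regex patterns and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
# Constructed sample message (not from the page): tagged subject, PDF and calendar parts.
SAMPLE_EML = """\
From: alice@example.org
Subject: **secure Quarterly report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

JVBERi0xLjQK
--b1
Content-Type: text/calendar; method=REQUEST

BEGIN:VCALENDAR
END:VCALENDAR
--b1--
"""

def header_matches(msg, name, pattern):
    # policy.default decodes RFC 2047 encoded-words, so the regex sees the real text.
    return any(re.search(pattern, str(v)) for v in msg.get_all(name, []))

def has_attachment(msg, ctype_pattern):
    return any(p.get_content_disposition() == "attachment"
               and re.fullmatch(ctype_pattern, p.get_content_type())
               for p in msg.walk())

def is_encrypted(msg):
    # PGP/MIME container, or S/MIME enveloped data (opaque signed-data does not count).
    ctype = msg.get_content_type()
    return ctype == "multipart/encrypted" or (
        ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
        and msg.get_param("smime-type") == "enveloped-data")

def evaluate(raw):
    msg = message_from_string(raw, policy=policy.default)
    return {
        "subject_tag": header_matches(msg, "Subject", r"^\*\*secure\b"),  # anchored tag
        "pdf_attachment": has_attachment(msg, r"application/pdf"),
        "calendar": any(p.get_content_type() == "text/calendar" for p in msg.walk()),
        "already_encrypted": is_encrypted(msg),
    }
```

Anchoring the subject pattern keeps a subject such as "this is insecure" from matching, and decoding encoded-words first keeps a tag from being missed when the mail client encodes the subject.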

The Action Catalogue

Flexibly Combinable Actions

Once conditions are met, the engine processes the defined actions in a fixed top-to-bottom order:

Encryption, Signature & Key Management

  • Encrypt & Sign: Automatic application of S/MIME or PGP (including modern algorithms such as AES-256, RSA-OAEP or RSA-PSS).
  • Autocert: Fully automated generation of private keys and certificate requests to the trust centre for internal senders who do not yet have a certificate.
  • Attach key: Automatically appends public S/MIME or PGP keys (or vCards) to outgoing emails to facilitate future encryption for communication partners.

Secure Delivery Alternatives (without PKI on the recipient side)

  • Deposit in portal: Securely moves the message into the web portal. If the recipient does not yet have access, it is created automatically. Alternatively, deposit can be strictly limited to existing portal accounts.
  • Send as PDF: Converts the email content (including a reply link) into an AES-encrypted PDF document. The password can be loaded from the portal, extracted from headers or generated automatically. Optionally, the PDF and the email content can be attached as an encrypted ZIP.
  • FileLink (Large File Transfer): Automatically offloads large attachments (e.g. from 10 MB) or specific file types into secure download links. Validity is configurable and recipients can be permitted to upload their own files.

Routing & Modification

  • Attach security information: Integrates the result of signature and decryption checks into the subject line (e.g. [Signature OK]) or appends a verification report as PDF/TXT/HTML.
  • Modify header & sender: Adds or modifies headers (e.g. to strip subject commands) or dynamically overwrites sender addresses.
  • Send via SMTP / Send via MX: Enables complex routing to other gateways or direct delivery to the mail server of the recipient's domain (without an external relay server).
  • Send attachment to third-party systems: Filters attachments by regex and automatically transfers them to third-party systems with an HTTP interface.
  • Send notifications: Dynamically informs senders or recipients about process steps (e.g. "Email was successfully moved to the portal").
  • Base64 conversion: Repairs malformed emails (e.g. those exceeding line length limits) by automatically converting HTML/text parts to Base64.

Use Cases

Real-world Workflows

Diagnostic images in healthcare
A CT image series (120 MB, DICOM) is detected ⇒ FileLink + S/MIME signature ⇒ the radiologist downloads it in a GDPR-compliant manner.

Incident report from an energy operator
Subject contains #NIS2 ⇒ PDF container, password via SMS, copy to the security team.

CAD file in the supply chain
STEP file 35 MB, recipient without PKI ⇒ FileLink with two-factor portal access, full audit trail.

Offer communication with a B2C customer
Secure storage of the offer and all information (contracts) in the portal. Secure access for the customer without needing their own encryption technology. Reply options and download of data and information.

Starter Workshop

Every organisation has its own individual requirements for email security and data exchange. In our joint starter workshop, we focus specifically on your use cases and capture your existing data flows. Together with our experts, you can design your first automated workflow rule for secure data transmission in just 60 minutes – completely free of charge and tailored precisely to your communication context.
