Encrypting inbound email attachments associated with matched records requires one or more module access policies (MAPs).

When an inbound email is matched to a record, the attachments from that email are associated with that record. If the matched record's table has an encryption configuration, you may need more than one MAP to confirm those attachments encrypt correctly.

Both MAPs must be in place for attachments to encrypt correctly in all processing contexts. If only the system MAP exists, attachments associated with a record during a user process won't encrypt.

The MAPs you need depend on how your instance processes inbound emails. See Inbound email action processing.

• System MAP — Required when inbound email processing runs as the system user, which is the default behavior. See Create a system module access policy.
• User MAP — Required when the email is matched to a user in your instance and processing runs as that user. Any MAP type can be used as long as the user has access to the cryptographic module. If you use a role-based MAP, you must enable impersonation. See Create a user module access policy.