eM4 Compliant Email

The need to encrypt Emails and their attachments across the public Internet to protect NPI is an undisputed requirement. Currently deployed market solutions suffer from poor industry interoperability, disrupt and burden trading partners’ workflows, and require IT resources that are not available to all. It’s time to climb out of the box.

This new paradigm or eM4Service can scale from one to thousands of users. It makes industry compliance affordable and uniform. It’s simple!




  • B2B / B2C
  • No logins or passwords required
  • eM4 B2B model requires no user training, in fact, they don’t even know they’re using it
  • B2C model does not require authentication
  • Proof of Delivery uses Wallet Authentication when you need to ensure the identity of the receiver - a combination of simple questions of shared personal information (last four of SSN, Birth Date, etc.)
  • Proof of Readability ensures that the attachment sent to the receiver can be opened and read
  • Proof of Agreement is E-Signing made simple
  • Disinterested third party (D3P) auditing makes reporting available to all members and regulatory authorities as necessary
  • Commodity priced whereby any size organization can subscribe

The eM4 Service exceeds user expectations on meeting compliance, all while minimizing change and expense. Your users continue to send emails as they always have; the only noticeable difference is the reassuring message that their email was protected by eM4.

eM4 Frequently Asked Questions

General Questions

Does PaperClip consider the eM4 Service compliant with Federal and State laws?
PaperClip meets the Federal and State regulations and rules. Its unique architecture allows for no user logins or passwords while remaining compliant under current laws. In addition, PaperClip’s “Proof of Delivery” feature offers the non-repudiation needed for delivery confirmations (e.g. Voice Signatures, Disclosures, sensitive information) through friendly “Wallet Security” (e.g. last four digits of your SSN). PaperClip’s Disinterested Third Party (D3P) level of email auditing enables archived access reporting, meeting many new rules (HIPAA, GLB and CFPB) that require records of who had access to be preserved for 6 years.
Do all my Emails go out encrypted?

Yes, or when the User selects encryption. Subscribers can configure their compliance level at any time. Subscribers can deploy the Server Edition or the Cloud Client with the standard five encryption rules, or Serial Mode. In Serial Mode all Email traffic passes through the Relay and only those Emails subject to the rules are encrypted.

Subscribers can deploy the Server Edition or the Cloud Client with absolute encryption enabled, or Parallel Mode. In Parallel Mode all Email traffic received by the Relay is encrypted. Parallel Mode is usually deployed under the control of an email content filtering (scrubber) or routing system.

Subscribers can deploy the Server Edition or the Cloud Client with absolute encryption disabled. All Emails will pass through the Relay unchanged. Encryption only happens when the Outlook AddIn Forces Encryption (X Record inserted) or the Encrypt Flag (address not shown) is one of the addresses.

What are the eM4 encryption rules?

1. If an Email recipient's Email address or address domain is in the list of Subscribers, the Email is encrypted.
2. If one or more Email recipients' Email addresses or address domains are in the Subscriber list, the Email is encrypted to all addresses.
3. If the wild card Email address (address not shown) appears in the address, the Email is encrypted to all addresses.
4. If the wild card Email address (address not shown) appears in the address, the Email is passed through, not encrypted to any addresses.
5. If recipients on the Email are not eM4Service Subscribers or not sponsored eM4Lite Subscribers, the Email is not encrypted.

What are the eM4 decryption rules?

1. All incoming encrypted Email is decoded and passed on to the Server or Client.
2. All eM4 Relay encoded Emails will be tagged indicating so.

Is there an Outlook AddIn to help the user?
Yes. Users can install an Outlook AddIn presenting a bottom placed ribbon indicating the encryption status and the ability to change the same.
Can users with third party hosting or various public ISP providers use eM4?
Yes. Subscribers can install the Cloud Client as a new email account and using POP3, IMAP and SMTP securely exchange emails to other Subscribers and Non-Subscribers.
Do emails pass through PaperClip's Central Office?
No. Emails are encrypted by your internal eM4 Relay and handed off to your Email gateway for normal delivery. Only Emails for Non-Subscribers are sent to PaperClip's eM4 Webmail.
Are Emails sent to eM4 Webmail secured?
Yes. Emails are encrypted in transit and stored on the PaperClip server encrypted at rest then purged 30 days later.
Can we leverage our existing mail infrastructure to write business rules which would redirect mail going to specific domains over to eM4?
Yes. In a parallel implementation of the eM4 Relay, you can use your email server to identify and route emails by domain or address through the eM4 relay.
The header info includes an eM4 tag for encrypted emails. Is this tag removed when the email is decrypted on the relay server?
No. The two "x records" remain with the email.
Will the Subject line of the email also be encrypted?
Yes. The entire email and its attachments will be encrypted and wrapped. The subject line will include "eM4 Compliant Email delivery notice". The "From" line will include "PaperClip Compliant Email".
Can you choose to turn on eM4 for one Subscriber and not another Subscriber?
Yes. In a Parallel Deployment the host mail server or content filtering system can decide on what domains are routed to the eM4 Relay.

Enterprise eM4 Relay

Does PaperClip offer hosted Enterprise eM4 Relay?
Yes. PaperClip hosts internally the Multi-Tenant Relay whereby a secure tunnel (SSL/TLS) is established from your provider to the M-T Relay. Standard eM4 encryption rules apply and PaperClip becomes your delivery agent.
Can eM4 work with GroupWise email server?
eM4 is basically an SMTP closed relay, allowing it to work with any SMTP based email platform. The eM4 Relay sits between your email server (Exchange, GroupWise, Lotus, etc.) and the Smart Host or SMTP Gateway.
Is a Smart Host required?
Yes. eM4 Relay is a "Closed" relay which, for compliance, is not accessible from the Web. The Smart Host or SMTP Gateway manages the interface with the Web and routes all or selected emails to the eM4 Relay.
What type of hardware is recommended?
eM4 Relay supports Microsoft 2003 servers and above. Encoding and decoding is the most resource-intensive function of the eM4 Relay; therefore CPU power is the most critical requirement.
How can I measure the performance of the eM4 Relay?
eM4 Relay supports Microsoft Performance Monitor (PerfMon) with 13 eM4 related counters, providing you the capability to measure and track the system's performance.
Is the MS IIS SMTP Virtual Server required if we already have an email gateway that does the mail routing?
No. The eM4 Relay can interoperate with any Smart Host or SMTP Gateway. The MS SMTP Virtual Server comes with IIS and is very effective for medium to light traffic. MS Exchange 2003/2007 requires exclusive control of the SMTP server, which will require a second CPU to support SMTP Virtual Server as a Smart Host.
The installation mentions the need for MS SQL Express but I don't see any configuration instructions for a database. Is there a database with the Relay Server?
Yes. The eM4 Relay install software contains MS SQL Express. The install will setup the database requiring no user intervention.
What is stored in the Database?
The SQL Database is used for configuration parameters and auditing. Audit data is held and posted to the Central Office (every 15 minutes) then purged - "transient data storage".
What's the expected size of the Database?
The SQL Database size under normal operation is estimated at 2 Mb.
Is there something specific in the headers before and after the encryption/decryption?
The eM4 encrypted email inserts two "x records" in the header identifying it as an eM4 encoded email and a unique identification number.
Is the eM4 Relay software supported under VMware?
Yes. eM4 Relay is compatible with VMware and Microsoft Virtual Server.
Is there any documentation on eM4 installation/setup/configuration?
Request the "eM4 Installation Docs 2013.zip" file.
Does the Relay Server Edition support mobile devices?
Yes. Emails are decrypted before they land on your mail server therefore available to your mobile device in clear text. Users should always secure their mobile devices.

eM4 Cloud Client

What is the PaperClip Cloud Client?
The eM4 Cloud Client can be used by anyone that has a desktop email client (i.e. Outlook, Lotus Notes, GroupWise, etc.). The Cloud Client installs as a new email account with simple email address and password. The additional server information will be provided by PaperClip.
What protocols does the Cloud Client support?
The eM4 Cloud Client supports POP3, IMAP and SMTP protocols.
Is the Cloud Client considered a full subscriber?
Cloud Clients are full Subscribers; you will have a login and password to access reports, configuration options, Webmail options and branding.
How do I receive encrypted emails?
The desktop email client (e.g. Outlook) cycles the new eM4 Email Account via a secure protocol (IMAP) and pulls the email from your eM4 Mailbox.
How do I send encrypted emails?
To send securely, compose your email and select the eM4 Email Account as the sender. The mail will be sent securely to your eM4 Mailbox, encrypted and delivered to a Subscriber or Non-Subscriber as necessary.
Mobile Device support?
Configure your mobile device to your eM4 Mailbox and process the same selecting the eM4 Account when sending.

Non-Subscriber Webmail

Who uses webmail?
eM4 Webmail is provided to support Non-Subscribers and meet compliance. In addition, Webmail users can "Reply To" the sender securely.
Are emails stored in webmail encrypted?
Yes, all emails and attachments are encrypted at rest.
Who pays for webmail?
The eM4 Webmail is included as a service for Subscribers.
Is there any kind of notice that an email has not been received?
Yes. Once an email goes out, the recipient gets a 1st notice. If they do not pick it up within the Subscriber's configured wait period (ex: 36 hours), they get a 2nd notice. If yet another period of time (ex: 36 hours) goes by, both sender and receiver get a 3rd and final notice. Email is retained on PaperClip servers for 5 days then purged. Audit reports reflect activity.
Do Non-Subscribers require a login and password to view email?
No. Subscribers can deploy their Webmail presence with no login or password required. Non-Subscribers simply click on the link contained in the notice and an SSL secured browser displays the original Email with any attachments.
Does webmail provide an inbox?
Non-Subscribers have the option to register and secure their inbox with a login and password. Registering an inbox provides simple Email options and management.
Are there any rules for entering passwords when creating an account?
Subscribers can manage their own password profile with 15 common configuration options (i.e. Lengths, expirations, lockout attempts, etc.). Default is minimum length 6 characters: requires 2 non-alphanumeric characters.
Can a Non Subscriber use their Inbox to initiate a secure email?
Yes. Subscribers can acquire eM4 Lite Subscribers accounts and sponsor any email address or Non Subscriber. This will enable the Non Subscriber to create an Email and send securely to only the sponsoring Subscriber.
Do eM4 Lite Subscribers (sponsored clients) have access to the portal?
Can multiple people log into the webmail under the same credentials?
Yes. They must share the authentication.
Who pays for the non-subscriber email "Replied to"?
The ability to converse with a Non-Subscriber is part of the eM4 Service.
Can more than one person share a Web Mail account?
Yes. One Web Mail account supports one email address, users would share login credentials.
How long are emails stored in the Web Mail Mailbox?
Emails are also purged five days after Third and Final Notice to Sender and Receiver. Opened emails are purged 30 days after retrieved. In the inbox, new mail appears in bold, once retrieved it appears un-bolded.
Can I brand my emails to non-subscribers with my company logo?
Yes. Subscribers can send to eM4 Support a properly formatted banner (240x120 pixel) whereby Non-Subscribers opening Emails will see the Subscriber’s branding.
Can I customize the notice email sent to Non-Subscribers?
Yes. Subscribers can modify the notice Email language to conform to their compliance department. Notices are setup in the eM4 Central Office portal.
Can Non-Subscribers use the eM4 Cloud Client?
No. Non-Subscribers work exclusively with the Webmail portal. eM4 Lite Subscribers do have the option to convert to the Cloud Client but their encrypted emails are restricted to their sponsoring Subscriber.
Can Webmail users save the Email to their desktop?
Yes. Non-Subscribers and Lite Subscribers can save the Email to their desktop in a WC3 or MSG compliant format.
Are there email attachment size limits?
Yes. eM4 has a 20 megabyte limit.

eM4 Auditing

Are Bypass Emails recorded for auditing?
Yes. If an Email is normally subject to encryption but the user selects “Force Not Secure” or enters the “Bypass Flag”, the event is considered auditable and recorded.
As part of the Audit information, what is actually stored at the Central Office server?
Email addresses, Subject Line, Attachment file names, Sent and Received date/time stamps.
Are there specific Retention Requirements for the logs?
Audits (logs) are maintained for seven years. The Subscriber can configure which reports are sent to the Subscriber and their frequency. Audits can be pushed to the Subscriber daily, weekly or monthly and are accessible from the CO for the last sixty days.
Are the logs encrypted?
The possible NPI in the attachment name or subject line is stored in a secured database. Audit reports generated from the portal are downloaded over an SSL connection. Scheduled reports are sent as email attachments via eM4 Compliant Email.
What's the mechanism to transfer the audit files? Is this optional?
The auditing file will be a CSV file (spreadsheet) pushed via email through eM4 itself. This feature can be enabled or disabled, with a frequency of daily, weekly or monthly selected.

Transport Layer Security

What is TLS?

TLS (Transport Layer Security) was designed by Netscape in 1994 to connect email clients to email servers. TLS is an Internet protocol (RFC 2246) which provides confidentiality and authentication layers over any reliable transport layer. TLS uses digital certificates to authenticate the user as well as authenticate the server using the public key from the server to encrypt a random number and send it back to the server. The random number, combined with additional random numbers previously sent to each other, is used to generate a secret session key to encrypt the subsequent message exchange.

Simply said, TLS encrypts the pipe.

Why would I use TLS?

TLS is intended for large enterprise email infrastructures. If I manage many email servers across my company, TLS works well to secure email for my clients and my email servers.

Simply said, if you control the environment, TLS can be very effective.

My organization uses TLS, if I send an email to a trading partner, are we compliant?

Unfortunately no. TLS cannot guarantee end-to-end encryption. Any non-TLS open relay or TLS interoperability error along the route will forward your message in clear text. Receivers of TLS-delivered email can validate that it was encoded by reading the message source in the email properties.

Simply said, TLS is a one-hop encryption, not "end to end".
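
The hop-by-hop behaviour described above can be checked from the message source by reading the `Received` headers, where each server records the protocol it accepted the message with. The following is an added example, not part of the eM4 product or this FAQ; the sample message and every hostname in it are constructed.

```python
import re
from email import message_from_string

# "with" keywords registered by RFC 3848 / RFC 6531 that mean the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message; all hostnames, addresses and ids are made up.
SAMPLE = """\
Received: from gw.partner.example (gw.partner.example [203.0.113.9])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx.recipient.example (Postfix) with ESMTPS id 4ABCD
    for <bob@recipient.example>; Tue, 2 Jan 2024 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by gw.partner.example (Postfix) with ESMTP id 3XYZ;
    Tue, 2 Jan 2024 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [192.0.2.1])
    by relay.isp.example with ESMTPS id 2QRS;
    Tue, 2 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

def _strip_comments(text):
    # Drop (possibly nested) parenthesised comments so the "with" inside
    # "(using TLSv1.2 with cipher ...)" is not read as the protocol keyword.
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def _field(keyword, text):
    m = re.search(r"\b%s\s+(\S+)" % keyword, text, re.IGNORECASE)
    return m.group(1) if m else None

def hop_report(raw_message):
    """Return [(from_host, by_host, protocol, used_tls)] in delivery order."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to walk sender -> recipient.
    for value in reversed(msg.get_all("Received", [])):
        text = _strip_comments(" ".join(value.split())).rsplit(";", 1)[0]
        proto = (_field("with", text) or "UNKNOWN").upper()
        hops.append((_field("from", text), _field("by", text),
                     proto, proto in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw_message):
    # Headers written by servers outside your control can be forged;
    # treat them as evidence, not proof.
    return [h for h in hop_report(raw_message) if not h[3]]
```

On the sample, the first and last hops report `ESMTPS` while the middle hop into `gw.partner.example` reports plain `ESMTP`, which is the clear-text leg the answer above warns about.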

What does TLS cost?

TLS requires an X.509 certificate, which is installed on one to many servers depending on your infrastructure. There are commercial tools available to create certificates, or you can buy a trusted certificate. Most organizations acquire trusted certificates to avoid interoperability problems with other TLS enabled servers. Trusted TLS certificates can range in cost from $1,000 to $2,500 per server per year.

Simply said, TLS may cost anywhere from nothing to a couple of thousand dollars.

Can I use TLS if my ISP provider hosts my email?

Usually no. Many ISPs do not support TLS because of its implied liability and associated support.

Simply said, check with your ISP.

Does TLS provide D3P Level Auditing?

No, TLS is just a network protocol. Reporting would be "first party" at best and limited to the functionality of your email (spam, antivirus, smart host, etc.) server(s) features.

Simply said, TLS is a protocol, not an application.

How does eM4 compare with TLS?

The eM4 Service is a D3P Level secure email service meeting compliance, and TLS is a network protocol which cannot guarantee secure delivery. At the heart of the service is the eM4 Relay, which is a closed relay designed to encrypt and decrypt the email and attachments for end to end security. These events are captured by PaperClip Incorporated's eM4 Central Office, a disinterested third party providing equal access to the sender and receiver(s) for auditing purposes.

Simply said, TLS is a casual security feature, not a compliant application service.

