Start a conversation

Frequently Asked Questions for Admins

This FAQ article applies to SafeSend version 4.4.

Proof of Concept and Purchasing

Is SafeSend available as a trial?

  • Yes, we offer a 14-day proof-of-concept (PoC) trial.

When exactly does the PoC trial period start?

  • The PoC period starts the first time a user launches Outlook after the SafeSend PoC has been installed. It does not start from the recipient of the PoC installation file, or from the installation time, but rather from the first usage time which is when Outlook is first started.

What is included in the PoC trial package?

  • The MSI installation files and the ADMX/ADML files are included in the PoC package. The ADMX/ADML files are used to manage settings centrally via Group Policy.

What happens when the PoC trial expires?

  • The PoC trials are “silent” meaning that the user is not notified that the trial has expired. The SafeSend popup will simply not be displayed anymore after the PoC period has elapsed.

Is there any user limit in the PoC trial ?

  • No, there is no limit to how many users you can install the PoC trial. The only limit in the PoC is the time.

Can SafeSend be reconfigured during the PoC trial ?

  • Yes, there are two options for re-configuring SafeSend. The first option is to use the supplied ADMX/ADML files to deploy new settings to each client using Group Policy. The second option is to contact us, and we will give you a new PoC package with your updated settings.

How does SafeSend determine how many days are left on the PoC trial period?

  • SafeSend counts the numbers of days left from the first usage date. You can find out how many days are left by pressing CTRL+SHIFT+A when the SafeSend window is visible, and the click the “View settings..” button, and then look under the header “License key:”.

How is SafeSend purchased?

  • The first step is typically a short demo. We then offer a 14-day proof-of-concept trial where SafeSend is pre-configured according to your preferences. After that, we sign a sales contract or receive an official purchase order. We then deliver the full software and payment is net 30 days after delivery.

What is included when purchasing SafeSend?

  • SafeSend is supplied as a ZIP file that includes one MSI file and a set of ADMX/ADML files. The MSI file includes the customer’s preferred settings so no extra configuration is needed during installation and the ADXM/ADML files are used to control settings centrally using Group Policy.

Can we purchase SafeSend for only a subset of the users in our organization?

  • Yes, either you can install SafeSend only for a subset of your users, or you can choose to install it for all users but only enable it for some users.

Would it be best to remove the previous version of SafeSend from our pilot users in the PoC trial, or will the new package that includes the full license key simply upgrade the previously installed evaluation version?

  • The new package will upgrade the previously installed version automatically so you can install it without performing an explicit uninstall.

Is redeployment required after a purchase, or is it possible to deploy a new license key?

  • A redeployment is not necessary, and you can choose to deploy a new license key instead. This will unlock the time limitation on the usage of SafeSend. The proof-of-concept trial contains all functionality available in SafeSend except that it has a time limit on the usage.

What is included in the yearly license fee?

  • The yearly license fee includes support, future upgrades, and corporate branding. 


How is SafeSend licensed?

  • SafeSend is licensed by the number of users. A single user that has a standalone PC, a laptop and a Citrix account counts as one user with respect to licensing. 

    SafeSend is licensed by the number of users. SafeSend is priced as a yearly license fee that includes support, future upgrades, and corporate branding. Please see the FAQ questions related to licensing as well.

Can we transfer licenses between users when they leave/join?

  • Yes, due to the way the licensing works it is possible to transfer licenses between users and no specific action is required.

How do you upgrade the license key in SafeSend?

  • You can deploy a new license key in the following ways:

    1. Using the ADMX/ADML files in Group Policy and configure the setting called LicenseKey.

    2. Push out a registry value manually to HKCU/SOFTWARE/Policies/SafeSend/SS_LicenseKey using Group Policy or SCCM.

    3. Ask us to create a new MSI file for you where we include your new license key. The drawback of this approach is that you have to redeploy SafeSend.

How can the license expiry date be seen?

  • You can see the expiry date on the ‘Expires on’ text line in the View Settings section. This can be found in File -> Options -> Add-ins -> Add-in Options… -> SafeSend -> View Settings

What happens when the SafeSend license expires?

  • SafeSend has a silent expiry, meaning that the user is not notified that the license has expired. All that happens is that the SafeSend popup will not be displayed anymore.

Does SafeSend have license keys that are valid longer than one year?

  • Yes, we have license keys that are valid for multiple years.

How is the license renewed each year?

  • Upon agreeing to renew the license for another year we will supply you with a new license key to deploy via Group Policy or that can be pushed out via SCCM. If you have chosen to not implement the centrally managed settings via Group Policy, we will supply you with a new MSI package that includes the new license key. This MSI package would then have to be redeployed.

Does SafeSend keep track of when our license is about to expire and notify us well in advance?

  • Yes, we will keep track of the expiry date of your license and contact you well in advance for renewal. 


Do you have any recommendations regarding scaling the deployment size?

  • We always recommend a gradual deployment. First deploy to a smaller test group, then to a larger group, and then finally to all machines.

What are the system requirements of SafeSend and which email clients are supported?

  • See this article for the latest information on the system requirements, which includes a list of the supported email clients: System Requirements

Does the installation of SafeSend automatically upgrade Microsoft .NET if a version lower than 4.0 is found?

  • No, SafeSend does not install or upgrade Microsoft .NET. The installation will instead fail and cannot be completed. Microsoft .NET 4.0 or later is required to install SafeSend, but we have chosen to not automatically install or upgrade Microsoft .NET, as to not change the system configuration without administrators being aware.

Does SafeSend work in a Citrix or RDS environment?

  • Yes, SafeSend works seamlessly in a Citrix or RDS environment. We have several customers running such setups. What is different on those setups is that Outlook is run in Online Mode (as opposed to Cached Mode).

Is any server setup required to install SafeSend?

  • No, SafeSend is a pure client application that is installed on each users' machine. The settings are managed centrally using Group Policy that pushes out new settings to each machine but on a per-user basis.

Does SafeSend send or receive any kind of communication to an internal or external server?

  • No, SafeSend does not send any user statistics, error reporting or other types of data to any internal or external server. Also, SafeSend does not receive any data, e.g., configuration data, from any internal or external server.

How are settings managed centrally?

  • Settings are managed centrally using Group Policy. SafeSend is supplied with ADMX/ADML files that can be used to manage settings centrally using Group Policy.

How does it work technically when configuring settings centrally?

  • SafeSend is supplied with each customer’s preferred settings included in the MSI file. A central configuration can then override these settings. When SafeSend starts, it reads the settings according to the following priority order:

    (1) HKLM/SOFTWARE/Policies/SafeSend

    (2) HKCU/SOFTWARE/Policies/SafeSend

    (3) HKLM/SOFTWARE/{WOW6432Node}/SafeSend

    The default settings included in the MSI file are written to HKLM/SOFTWARE/{WOW6432Node}/SafeSend during installation. The WOW6432Node part is included depending on the bitness of Outlook and Windows. If you are running Outlook 32-bit on Windows 64-bit, then the WOW6432Node is included in the registry path. A concrete example is when you would like to change the list of safe/internal domains in SafeSend. Then you configure Group Policy to set the SafeDomains setting to your new list of safe/internal domains. This pushes out a new registry value of HKCU/SOFTWARE/Policies/SafeSend/SS_SafeDomain s to each user. Then when users start SafeSend the next time, the newly configured list of safe/internal domains from HKCU/SOFTWARE/SafeSend will be used instead of the defaults included in the MSI.

Do you have to be an administrator, or have administrative rights, to install SafeSend?

  • Yes, the SafeSend MSI file is a per-machine installation file that requires administrative rights.

What does it mean that SafeSend is a per-machine installation?

  • This means that all users who log into the same machine and starts Outlook will see SafeSend. This assumes that SafeSend has not been disabled for specific users by the administrator.
Where is SafeSend installed on a local PC?
  • SafeSend is installed in C:\Program Files (x86)\SafeSend on Windows 64-bit. SafeSend is installed in C:\Program Files\SafeSend on Windows 32- bit.
Does installing SafeSend require a PC reboot?
  • No, the installation of SafeSend does not require a PC reboot. However, the users will need to restart Outlook in order to see SafeSend after the installation is complete.

Does installing SafeSend require restarting Outlook?

  • Yes, SafeSend will only show up in Outlook after it is restarted. However, the installation process does not always require Outlook to be closed to complete. Whether Outlook needs to be closed during the installation process depends on the current state of Outlook and Windows, which DLLs are in use etc. There are ways of installing SafeSend silently without shutting down Outlook.
Can SafeSend be activated only for a subset of the users in my organization?
  • Yes. Either you can choose to install SafeSend only for a subset of your users, or you can choose to install it for all users but only enable it for a subset of your users. See the Enabled setting in the documentation for more information.

What packaging or deployment tool can be used to deploy SafeSend?

  • The MSI file is a per-machine installation file and requires no special packaging tool. It can be deployed via Group Policy, SCCM, msiexec or any other packaging tool or installation tool.

Does the MSI file work both with Outlook 32-bit and Outlook 64-bit?

  • Yes, SafeSend is supplied with one MSI file that works both on Outlook 32-bit and Outlook 64-bit. This simplifies deployment in many instances.

How do I install and upgrade silently using msiexec?

  • The recommendation here is not valid for all our customers as we have seen it work for some, but where others are also claiming that Outlook must be restarted when performing an upgrade. Nevertheless, we recommend installing and upgrading SafeSend using “msiexec.exe /i SafeSend.msi /qn REBOOT=ReallySuppress MSIRESTARTMANAGERCONTROL=Disable”. This will install SafeSend without requiring Outlook to restart (if your environment supports this). If Outlook is not running, SafeSend will install/upgrade right away. During an upgrade, if Outlook is already running with an existing version of SafeSend, the newer version will be installed, and the user will see it next time restarting Outlook. The installation error code will then be 3010 but this should not be seen as a real error. It is also possible to install SafeSend directly by forcing Outlook to shut down using the command “msiexec /i SafeSend.msi /qn REBOOT=ReallySuppress”

How do I create a verbose log file from the MSI installation?

  • Run the command ”msiexec /i SafeSend.msi /qn REBOOT=ReallySuppress /L*V example.log” in order to get a verbose log file from the Windows Installer.

Are you required to uninstall an older version of SafeSend when performing an upgrade?

  • No, this is not required. A newer version of SafeSend will automatically uninstall the older version, thus you do not need to perform an explicit uninstall.

What are ADMX/ADML files?

  • ADMX/ADML files are installed on domain controllers in order to control settings centrally using Group Policy. SafeSend is supplied with ADMX/ADML files in order to enable centrally managed settings without redeployment.

Where do you install the ADMX/ADML files?

  • The ADMX and ADML files should be installed on the domain controllers. The files should be copied to the “central store” (e.g., \\logonserver\sysvol\policies\PolicyDefinitions) and not in C:\Windows\PolicyDefinitions. The ADMX file should be placed in the root directly while the ADML file should be placed in the “en-US” subdirectory.

We have restrictions on deploying the ADMX/ADML files on our domain controllers, can we still configure SafeSend centrally?

  • Yes, you can deploy registry keys directly using SCCM or Group Policy. All settings including the license key can be deployed this way. Hence, you are not required to use the ADMX/ADML files. Nevertheless, it is our recommended way of managing settings centrally. The benefit of using ADMX/ADML files is that you do not have to be aware of the data type, e.g., DWORD or MULTI_STRING, of the registry keys when configuring settings.

Are there any requirements on the domain controller in order to use the ADMX/ADML files?

  • Yes, the ADMX/ADML files require Windows Server 2008 R2 or later version, due to the multi-string type (REG_MULTI_SZ) used in the SS_SafeDomains registry value. If you are receiving an error “Unknown data format” for the SS_SafeDomain value when opening gpedit, then you might need to upgrade the ADMX template files for your Windows Server. The latest AMDX templates can be downloaded from Microsoft by searching online for “Download Administrative Templates (ADMX) for Windows Server”.

Will we need to update the ADMX/ADML files we have already added to our domain controllers during the PoC trial?

  • No, there is no need for you to update the ADMX/ADML files that were already set up during the proof-of-concept trial.

Do the ADMX/ADML files push out settings to the HKCU or the HKLM part of the registry?

  • The ADMX/ADML files enable configuring settings on a per-user basis, hence settings are pushed out to the HKCU part of the registry on each PC.


Is there any way to track if SafeSend is installed on all machines?

  • This is a per-machine setting and can be verified by confirming that the registry key HKEY_LOCAL_MACHINE\SOFTWARE\{WOW6432Node}\SafeSend\SS_SafeDomains is existing. The {WOW6432Node} part is included depending on the bitness of Outlook and Windows. If the key does not exist, then SafeSend has not been installed successfully on the machine.

Is it possible to prevent users from disabling the SafeSend Add-in in Outlook?

  • Yes, it is possible to prevent users from disabling SafeSend just like it is possible to prevent users from disabling any other add-in in Outlook. For guidance on doing this, see the article Prevent Users from Disabling Outlook Add-ins.  Contact us if you need assistance setting this up.

Is there any way to track if SafeSend is enabled for all end users?

  • This is a per-user setting and can be verified by confirming that the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\zzz.SafeSend\LoadBehavior does not have the value of 2. The value will be 2 if the user has “unchecked” SafeSend in the list of Add-ins to be loaded. The case when this key is not present should not be treated as an error case, but rather as a case that a particular user has never unchecked SafeSend in Outlook post installation.

Is it possible to prevent SafeSend from being disabled by the end user?

  • Yes, SafeSend has a few settings for this depending on which version of Outlook you have deployed. For Outlook 2016, use PreventUserDisablingAddin_Outlook_2016 defined in the AMDX/AMDL files (writes “zzz.SafeSend” of type REG_SZ with value “1” to HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Resiliency\AddinList). For Outlook 2013, use PreventUserDisablingAddin_Outlook_2013defined in the AMDX/AMDL files (writes “zzz.SafeSend” of type REG_SZ with value “1” to HKCU\Software\Policies\Microsoft\Office\15.0\Outlook\Resiliency\AddinList). 

    For Outlook 2010 or 2007, SafeSend cannot prevent the user from disabling it. However, it can re-enable itself each time Outlook is restarted. The use the setting ReenableAddin defined in the AMDX/AMDL files (writes registry key “LoadBehaviour” of type REG_DWORD with value 3 to HKCU\Software\Microsoft\Office\Outlook\Addins\zzz.SafeSend). Microsoft has not intended add-in developers to force the value of LoadBehavior but there are no drawbacks of using it this way.

How do you re-enable an add-in disabled by Outlook?

  • There are many reasons why an add-in might be disabled by Outlook. Normally it is the startup time that is too long, but it could be other reasons as well. SafeSend starts up within 50-200 ms which is far under the one-second threshold that Outlook has before it disables the add-in due to a slow startup time. If you do find yourself in a situation where SafeSend is disabled, and you cannot re-enable it, then look at this link. Please also contact us and we will be able to guide you on how to solve this in the best way. To prevent this from happening in the first place, you can also use our GPO settings DoNotDisableAddinOnSlowStart_Outlook2013, DoNotDisableAddinOnSlowStart_Outlook2016 and ReenableAddin that are available in our ADMX/ADML files.

Does SafeSend support different zoom modes in Windows?

  • Yes, SafeSend automatically resizes to display correctly independently on the selected zoom mode in Windows (100%, 125%, 150%, …).

Does SafeSend support mobile devices?

  • SafeSend itself does not have any mobile capabilities. However, Good for Enterprise and BlackBerry Work both have the functionality to confirm recipients while sending outside the enterprise. Please refer to the administrative documentation for Good for Enterprise/BlackBerry Work for how to enable this functionality for your users or contact us and we will help you out. The functionality is named ’email recipient warning for unauthorized email domains’ and it asks the users “This message contains external email addresses. Deselect recipients who should not receive the message.”

Can you specify a blacklisted domain instead of the default whitelisted domains?

  • Yes, this is possible using the setting UseSafeDomainsUseAsBlacklist. See the documentation for more information.

Can you specify specific email addresses as safe?

  • No, SafeSend does not accept individual email addresses being specified as safe.

Can you specify specific email addresses as unsafe?

  • Yes, see the settings TreatMatchingEmailsAsUnsafe and TreatMatchingEmailsAsExternal in the documentation.

Can SafeSend wildcard subdomains as safe?

  • There is no need to wildcard subdomains because SafeSend accepts all subdomains under the top-level domain as safe. If you specify ‘’ in the safe domain list, then all emails with ‘*’ will be considered safe. For example,,, will all be safe.

Can SafeSend wildcard top-level domains as safe, e.g., mycompany.*?

  • Yes, it is possible to specify mycompany.* in the safe domain list. Then,,, etc. will all be considered safe

Why does SafeSend not support parsing Exchange Distribution Lists for external recipients?

  • Exchange Distribution Lists are email lists stored on the Exchange server, and SafeSend cannot detect any external recipients in them. The fetching of the actual members from the Exchange server takes too long and the Exchange API (application programming interface) often fails for larger lists. In addition to that, lists often contain other lists in a tree structure. However, SafeSend has a few settings which can be used to define a set of lists that should be treated as external (see TreatMatchingEmailsAsExternal and TreatMatchingExchangeDLNamesAsExternal in the documentation). SafeSend does fully support local contact lists stored in Outlook.

Can an email be stuck in the Outbox if you have the experimental ReplyAll warning (ReplyAllWarningMode) enabled?

  • This can happen in rare cases because you have enabled our experimental Reply All warning. Please set ReplyAllWarningMode = 0 and this issue will be solved.

What does SafeSend do if my email has a large number of external recipients, e.g., 100 external recipients?

  • SafeSend creates a scrollbar for the list of external recipients to be confirmed. The scrollbar makes it possible to confirm all recipients without a large SafeSend window.

Why can't I see SafeSend when emailing externally?

  • Your license key has likely expired. Our license keys always expire on 1st of April of a specific year, and we have a silent expire so that end users are not notified. You can check if the license has expired by Outlook -> File -> Options -> Add-ins -> Add-in Options … -> SafeSend -> View settings… and then on the first tab named ‘Information’ look for the license key section. You will then see the exact date the license key will expire or if it already has expired. Please contact us on how to resolve this.

Where does Outlook store whether or not it will load SafeSend?

Outlook uses the LoadBehavior registry key to determine whether it will load SafeSend when it starts. Outlook will start SafeSend if the LoadBehavior value is 3, and it will not start SafeSend if the LoadBehavior value is 2. The location of this key can be in either HKEY_LOCAL_MACHINE or in HKEY_CURRENT_USER, where (if present) the HKEY_CURRENT_USER values override the HKEY_LOCAL_MACHINE values. The full registry paths are:

(1) HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\zzz.SafeSend\LoadBehavior

(2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\zzz.SafeSend\LoadBehavior

(for Outlook 32-bit on Windows 32-bit, or Outlook 64-bit on Windows 64-bit)

(3) HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Outlook\Addins\zzz.SafeSend\LoadBehavior (for Outlook 32-bit on Windows 64-bit)

Choose files or drag and drop files
Was this article helpful?
  1. Carlos Rios

  2. Posted