Bring Your Own SMTP
Last Updated: May 21, 2026
Bring Your Own Simple Mail Transfer Protocol (BYO SMTP) lets your organization use its SMTP server for Scan to Email instead of Vasion's email service. This feature gives you full control over email delivery, security, and compliance, removing deployment blockers for regulated industries that require on‑premises or tightly controlled email environments and individual user attribution.
Key Points
This feature is in beta and is only available by request. Contact your Vasion representative for more information.
BYO SMTP does the following:
- Provides the option to use your company’s SMTP server rather than the Vasion-hosted SMTP service.
- Affects only the Scan to Email feature. Features like scheduled reports and password reset emails still come from Vasion.
- Supports configurations at the global or Service Client level for regional mail routing.
- Supports both username-and-password and Open Authorization (OAuth) 2.0 authentication to the SMTP server.
How BYO SMTP Works
With BYO SMTP, Scan to Email uses your organization's SMTP server instead of Vasion's email service. You control file size limits, data loss prevention (DLP) policies, encryption standards, and retention rules through your organization's email infrastructure.
You configure this feature at the global level for your organization, and you can add optional Service Client-specific settings for sites or departments. BYO SMTP supports username and password authentication for mail servers and Google Workspace, and OAuth 2.0 authentication for Microsoft Exchange.
Encryption At Rest
When you enable Encryption at Rest, Vasion Print encrypts scanned documents using the Advanced Encryption Standard (AES), a symmetric encryption algorithm. AES encryption is applied at the file level through Vasion's encryption service. You can enable encryption at rest globally on Tools > Settings > Scanning or by using the BYO SMTP settings on the Printer Apps tab.
S/MIME Email Encryption
Secure / Multipurpose Internet Mail Extensions (S/MIME) adds certificate-based, end-to-end email encryption to the Scan to Email workflow. When you enable S/MIME, scanned documents are encrypted at the payload level before transmission, securing content end-to-end rather than at the transport layer only. This provides:
- End-to-end encryption: Document content is encrypted before transmission, not just during transit.
- Payload-level security: S/MIME encrypts the document itself, complementing the transport-layer encryption that TLS provides.
- Organization-wide certificate management: You upload and manage one certificate for your entire organization through the Admin Console.
The following list outlines the S/MIME settings and paths needed to fully encrypt your Scan to Email traffic.
- Sign Enabled: Enables S/MIME digital signing for outbound scan-to-email messages, so recipients can verify that the email originated from your organization and was not altered in transit.
- Signing Certificate Path: The file path to the organization's signing certificate (.p12 file), which Vasion Print uses to digitally sign outbound emails on behalf of the sender.
- Signing Certificate Password: The password that protects the signing certificate file, required to access the private key used during the signing process.
- Encryption Enabled: Enables S/MIME payload encryption for outbound scan-to-email messages, so scanned document content is encrypted before transmission and can only be read by the intended recipient.
- Recipient Certificate Path: The file path to the directory containing recipient public key certificates (.pem files), which Vasion Print uses to encrypt each outbound email for the corresponding recipient.
- Trust Store Path: The file path to a custom certificate authority (CA) trust store (.pem file) that Vasion Print references when validating signing certificates against a private or self-signed CA.
- CRL Checks: When enabled, Vasion Print checks the Certificate Revocation List (CRL) to confirm that the signing certificate has not been revoked before allowing an email to be sent.
With S/MIME enabled, Vasion Print applies your organization's uploaded certificate to each scanned document before it is transmitted through your BYO SMTP configuration. The recipient's email client uses the certificate to decrypt the message content upon delivery.
Requirements
The following are required:
- Scan to Email configured.
- A supported SMTP server that you manage.
- The following SMTP server details:
  - Server hostname and port.
  - Authentication method, which can be either username and password or OAuth 2.0. OAuth 2.0 is compatible with only Microsoft Exchange. You also need access to create and manage app registrations in your email provider's admin portal.
  - Encryption type, which can be none, Transport Layer Security (TLS), or STARTTLS.
- Network connectivity between Vasion Print and your SMTP server. The default is port 587.
- For S/MIME encryption, you need:
  - An organization-wide S/MIME certificate on the Service Client machine.
  - Signing certificate path and password.
  - Recipient certificate path.
  - Trust Store path.
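A pre-flight check for the SMTP server details listed above, as an added example that is not Vasion code: it compares the extensions a server advertises in its EHLO reply with the encryption type and authentication method you plan to configure. The setting names (`none`, `tls`, `starttls`, `password`, `oauth2`), the mapping to SASL mechanisms, and the sample reply are assumptions of this example.

```python
import smtplib
import ssl

# Assumed mapping from the page's two authentication methods to SASL mechanism names.
AUTH_MECHS = {"password": {"PLAIN", "LOGIN"}, "oauth2": {"XOAUTH2"}}

# Constructed EHLO reply (hostname and values are made up), in the form smtplib stores it.
SAMPLE_EHLO = """mail.example.test Hello [192.0.2.10]
SIZE 37748736
STARTTLS
AUTH LOGIN XOAUTH2
8BITMIME"""


def parse_ehlo(ehlo_text):
    """Map each advertised extension to its parameters; the greeting line is skipped."""
    features = {}
    for line in ehlo_text.strip().splitlines()[1:]:
        parts = line.upper().split()
        if parts:
            features[parts[0]] = parts[1:]
    return features


def check_settings(features, encryption, auth_method):
    """Return findings for an encryption type (none/tls/starttls) and auth method."""
    findings = []
    if encryption == "none":
        findings.append("no transport encryption: SMTP credentials or tokens cross the network in clear text")
    if encryption == "starttls" and "STARTTLS" not in features:
        findings.append("server does not advertise STARTTLS")
    offered = set(features.get("AUTH", []))
    if not offered & AUTH_MECHS[auth_method]:
        findings.append(f"no AUTH mechanism for {auth_method}; server offers {sorted(offered)}")
    return findings


def probe(host, port=587, encryption="starttls", auth_method="password"):
    """Live check of a server you manage; sends EHLO only, never credentials or mail."""
    ctx = ssl.create_default_context()  # validates the server certificate and hostname
    if encryption == "tls":
        smtp = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx)
    else:
        smtp = smtplib.SMTP(host, port, timeout=10)
    with smtp:
        smtp.ehlo()
        if encryption == "starttls" and smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()  # many servers advertise AUTH only after the TLS upgrade
        return check_settings(parse_ehlo(smtp.ehlo_resp.decode()), encryption, auth_method)
```

An empty list from `check_settings` or `probe` means the advertised features match the planned settings; each string in a non-empty list names one mismatch to resolve before enabling BYO SMTP.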