Voltage SecureMail user counting traps
Encrypted email touches more people than it licenses, and that gap is where a finding grows. Voltage SecureMail user counting traps appear when external recipients, one time correspondents, and dormant accounts are counted as licensed users, turning the wide reach of secure messaging into a billable population the authorization never defined.
Voltage joined the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and like the rest of the security portfolio it is governed by the Additional License Authorizations rather than the OpenText EULA. SecureMail is built to send protected messages to anyone, including recipients who never hold a license and never will. The defensive question is which population the authorization actually licenses, because the set of people who receive a secure message is far wider than the set the agreement defines as users.
Why reach is not the same as the licensed population
A secure messaging platform succeeds precisely because it can protect a message to a recipient who has no relationship with the licensee beyond receiving that one message. An external recipient who opens a protected email is not, by that act alone, a licensed user. An audit that counts every address that ever received or opened a SecureMail message is measuring reach, not entitlement. The corrective is to establish, from the authorization, which population the license actually counts, internal senders, defined user accounts, or whatever unit the agreement names, and to hold the count to that definition rather than to the full recipient list.
Secure email reaches everyone it sends to. The license counts a defined population. A finding that equates recipients with users counts the breadth of the platform rather than the entitlement the buyer actually holds.
Where the SecureMail count inflates
The inflation in a SecureMail finding gathers in a few familiar places, each of which should be tested against the authorized definition before any total is accepted.
- External recipients. People outside the organisation who received protected messages but hold no license.
- One time correspondents. Addresses that received a single message and never appeared again, counted as standing users.
- Dormant and disabled accounts. Internal accounts with no activity in the measurement window, swept into a live user count.
- Distribution and shared addresses. Group or functional addresses counted as individual users.
Reconstruct against the authorized definition
The four Rs apply directly. Respond inside the seven day notice window and route every data request through a single controlled channel so the user population is described once. Reconstruct the effective position by fixing the licensed unit from the authorization and resolving the population to that definition, removing external recipients, one time correspondents, dormant accounts, and shared addresses. Rebut the finding line by line on the definition of a user. Resolve on terms that fix the user definition unambiguously so the next measurement starts from a settled population rather than the full recipient list.
A recent engagement
In a recent engagement a SecureMail finding had been priced on a user count that folded in external recipients and one time correspondents who held no license, alongside dormant internal accounts. Reading the authorized definition of a user and resolving the population to that set corrected the finding without inventing any new facts about the deployment. The discipline mirrors the way identity counts are resolved across the security portfolio: the count is held to the unit the agreement defines, not to every record the platform ever touched.
Define the user, then count
With SecureMail more than most products, the argument is settled by the definition of a user. A finding that counts recipients as users is making an interpretive leap that the authorization may not support, and the buyer that accepts a recipient count accepts a population it never licensed. The defensive discipline is to insist on the language of the authorization, to fix the licensed unit before any number is discussed, and to resolve the population to that definition. Most of the reduction in a SecureMail matter comes from establishing that the audit counted the platform's reach rather than the entitlement the buyer holds.
Counted on every recipient of a Voltage SecureMail message?
We fix the licensed user definition from the authorization, resolve the population to that set, and reprice the finding against your actual entitlement. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster cover Voltage and identity counting. Each links back to the complete OpenText audit defense playbook for 2026.
- Voltage data protection license metrics explained
- Voltage SecureData token and key management licensing
- ArcSight identity user definitions and consumer counts
- NetIQ identity and access license counting traps
- ArcSight identity views and named user definitions
If an OpenText or Micro Focus audit notice has reached you, the first seven days matter more than any week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, reduced the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.