Do you use content filters and does your key word by any chance include square backets? Like [send secure]?
If so you need to remember that the key word field is a regex field so something like [send secure] will encrypt every email that contains an S, E, N, D, C, U or R, which is quite a lot. You have to escape the [ ] characters in the regex field.
I would recommend you to use the Message Tracking so you can understand the message flow. The message is probably triggering the Encryption action.
You could also use the Trace feature at:
System Administration -> Trace
So you can simulate a message and how the Cisco ESA will handle the message.
If you are not confortable sharing the config (policies/filters) and the tracking in the forum, I would suggest you to open a TAC ticket so an Engineer can assist you identifying what is causing the message to be encrypted.
I would say your Cisco ESA will not encrypt the message without a clear command to do so. The only question remaining is what is causing the action to encrypt to be triggered. I believe you know, but action can be triggered in a message filter, in a content filter and in a DLP policy. There is another option, using the Plug-in for encryptign the message locally but since you did not mention this, I am guessing this is out f the list. I would recommend reviewing the configuration and the message tracking data. That way you can determine what is causing the messages to be encryted.
If you need further assistance from the forum, please share more data.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :