๐ Key Takeaways
- Cisco Secure Email Encryption Service, formerly CRES, is the cloud backend for Cisco gateways.
- First-time recipients register at res.cisco.com with a password or federate via Microsoft or Google.
- The service is legitimate but the HTML envelope regularly triggers phishing reports at recipients.
- Incomplete Payload errors mean the envelope HTML was stripped or truncated; ask for a resend.
- Cost bundles with the Cisco gateway license at Advanced or Premium tiers, priced for enterprises.
Cisco Secure Email Encryption Service is the cloud backend that carries encrypted email for organizations running the Cisco Secure Email Gateway. It was previously branded Cisco Registered Envelope Service, and the CRES name still appears throughout the recipient interface and error messages.
The service is a genuine Cisco product, but its recipient experience is unusual enough to regularly trigger phishing reports. This article explains what the service does, how registration and login work, what the Incomplete Payload error means, and how healthcare senders use it for HIPAA-compliant transmission.
What Cisco Secure Email Encryption Service actually is
Cisco Secure Email Encryption Service is a cloud service that stores encrypted message content and serves it to authorized recipients through a web portal. It works with the Cisco Secure Email Gateway, which is Cisco outbound email security appliance formerly known as IronPort ESA.
When an outbound message at the gateway matches an encryption policy, the content is uploaded to the encryption service. The gateway delivers a Secure Envelope to the recipient. The envelope is an HTML file that displays a Read Message button and either attaches to the email or is embedded in the message body depending on the sender configuration.
The recipient opens the envelope, authenticates with a CRES account, and views the decrypted message on the Cisco encryption portal. The message content lives on Cisco infrastructure at res.cisco.com and does not enter the recipient inbox in plaintext form.
Cisco documentation refers to the service as CSEE or CRES depending on the vintage of the article. The two names describe the same service. The Cisco Registered Envelope Service documentation is the canonical technical reference.

Recipient registration for a first-time envelope
The recipient side of the workflow starts when an encrypted envelope arrives at an email address for the first time. The envelope contains a Register button because the recipient does not yet have a CRES account tied to that address.
The registration steps:
- Open the envelope HTML attachment or click the Read Message link
- Choose Register on the initial screen
- Create a password of at least eight characters
- Complete the security questions for account recovery
- Confirm the account through a verification email if required
- Return to the envelope and log in with the new credentials
Once the account exists, subsequent encrypted messages from any sender using CRES will authenticate against the same account. The recipient does not need a separate registration for each sender. Newer envelope versions support federated sign-in with Microsoft, Google, and Apple, which removes the password creation step for recipients who already use those identities.
Registration is free to the recipient. The sender organization licenses the service through the gateway subscription and covers the cost.
Logging in to the Cisco Secure Email Encryption portal
Recipients access the encryption portal in two ways. The first is through the envelope link in an encrypted message, which routes to res.cisco.com with a message-specific token. The second is direct login at res.cisco.com to view all previously received encrypted messages associated with the account.
The direct login is useful when the original envelope email is deleted or lost. The portal shows an inbox of encrypted messages the account has received, up to the retention window set by the sender. Messages that have expired at the sender level no longer appear.
Password reset is handled through the portal Forgot Password flow. The account security questions established at registration are the primary recovery mechanism. If the recovery questions cannot be answered, the account is effectively locked and a new registration is required, which will not restore access to messages sent to the previous account.
Session timeout for the portal is typically fifteen minutes of inactivity. Long messages read slowly can trigger a re-authentication prompt if the reader pauses.
Whether the service is legitimate or a phishing attempt
Cisco Secure Email Encryption Service is a genuine Cisco product used by many enterprise senders. The recipient-side experience regularly triggers phishing suspicion because unsolicited HTML attachments and Read Message buttons pointing to unfamiliar domains are common phishing patterns.
Signals that confirm an envelope is a real Cisco service message:
- The Read Message link resolves to res.cisco.com or a customer branded subdomain owned by Cisco
- The envelope displays sender branding matching the actual sender organization
- The registration flow does not request payment information at any stage
- The sender email address matches an expected contact
Signals that suggest a phishing attempt impersonating Cisco:
- The Read Message link resolves to a lookalike domain like res-cisco.com or ciscosecure.co
- The envelope asks for credit card or bank account information
- The sender address is unfamiliar and unexpected
- The message urgency is high and asks for immediate action
When in doubt, contact the purported sender through a phone number or channel you already trust. Do not use contact information provided in the suspicious envelope itself.

The Incomplete Payload error and how to resolve it
Incomplete Payload is the most common recipient error with Cisco Secure Email envelopes. The message appears when the envelope HTML content is truncated, missing, or not properly rendered by the client.
Common causes:
- The recipient mail server stripped the HTML attachment for size or content policy reasons
- The mail client blocked active HTML and did not preserve the full envelope
- The download was interrupted or corrupted
- A mobile client rendered the envelope preview but did not download the full payload
Resolution steps in order:
- Ask the sender to resend the encrypted message
- Open the resent message on a different device or client
- Check spam folders and quarantine for the original envelope
- Contact the recipient IT team to check whether HTML attachments are being stripped in transit
- Ask the sender to switch to portal-only delivery rather than attachment delivery
Persistent Incomplete Payload errors across multiple resends usually indicate a systematic issue with the recipient mail environment reformatting the envelope. The sender should switch to portal notification delivery, which sends a smaller link-only email rather than a full HTML envelope attachment.
Sender-side configuration on the Cisco Secure Email Gateway
The gateway administrator configures encryption policies that determine which outbound messages route through Cisco Secure Email Encryption Service. Policies can match on recipient domain, subject line keywords, DLP scanner findings, or mail flow attributes.
A typical healthcare policy encrypts all outbound messages that a DLP scanner tags as containing PHI. The scanner looks for medical record numbers, ICD codes, patient names paired with dates of birth, and other regulated data patterns. Matching messages are encrypted before delivery without requiring the sender to make a per-message decision.
Envelope customization at the sender level covers logo, colors, and greeting text on the portal. Consistent branding reduces recipient phishing reports because the envelope visually matches other communications from the same sender. The branding is configured in the Cisco Secure Email Encryption Service admin console and applies to all envelopes from that sender.
Retention windows for encrypted messages at the portal are also sender-configurable. Common windows are 30, 60, or 90 days. Longer retention makes messages available to recipients for longer but increases the exposure window on unopened content.
Cost and licensing model
Cisco Secure Email Encryption Service is not sold as a standalone product to sending organizations. It is bundled with the Cisco Secure Email Gateway license at the Advanced Security or Premium tier. Pricing depends on mailbox count, email volume, and license tier.
Cisco does not publish list pricing publicly. Enterprise deals typically start at around thirty to forty dollars per mailbox per year at the Advanced tier and scale down at higher volumes. Real quotes require a conversation with Cisco or an authorized reseller.
The pricing model orients toward organizations with hundreds or thousands of mailboxes. A five-person medical practice would find the total cost of the gateway plus encryption to be significantly higher than a dedicated healthcare-focused email service. Sibling coverage on HIPAA secure email service options covers the alternatives at smaller scale.
Recipient use of the encryption service is always free regardless of the sender license. Recipients never see a payment prompt from a real Cisco envelope.
Alternatives at smaller scale
Cisco Secure Email Encryption Service works well for organizations that already run the Cisco gateway. For practices that do not have a Cisco gateway deployment, adopting one for encryption alone is disproportionate.
Smaller healthcare organizations typically use a dedicated HIPAA email service that combines encryption, BAA, and recipient portal in one product. A HIPAA-compliant secure email service that includes the BAA in the base plan, works with existing Gmail or Outlook accounts, and delivers to recipients through a simple portal covers the same use case without the gateway overhead. This mention concludes the product context for this article.
Microsoft Purview Message Encryption serves a similar role for organizations already on Microsoft 365 Business Premium or higher. Sibling coverage on Outlook secure email encryption covers that path.
The HHS Security Rule guidance and the HIPAA Journal reference materials support the compliance framing for any encryption service selection.
When Cisco Secure Email Encryption Service is the right fit
The service is the right fit for organizations already running the Cisco Secure Email Gateway who need encryption bundled with existing gateway features. Enterprise healthcare systems, large clinics, and hospital networks with Cisco email infrastructure fall in this category.
The service is a poor fit for organizations that do not already run a Cisco gateway. The gateway itself is a significant infrastructure and licensing investment that only pays off at enterprise scale, and dropping in the gateway solely for encryption is not economical.
For patient-facing communications, the Cisco envelope experience has a learning curve that produces support calls at the sender side. Practices sending frequently to consumer email addresses often see fewer patient support issues with a dedicated healthcare email service that has simpler recipient onboarding.
Related coverage of the broader category and alternatives is available at sibling articles Barracuda email encryption service and Outlook secure email encryption. For healthcare marketing context around email infrastructure and patient acquisition, see Redefine Web healthcare marketing hub and coverage of healthcare website security features.