M365 Integration Guide Proofpoint V3.19
PROOFPOINT TO MICROSOFT 365 – BEST PRACTICES
Proofpoint's standard configuration best practices are recommended for all Proofpoint
customers to ensure they receive the full benefit of the Proofpoint solutions they have purchased.
Overview
Microsoft 365 can be configured with the Proofpoint Protection Server (PPS) as its
inbound and outbound mail gateway. Any changes within Microsoft 365 may take up to
30 minutes to become active. Sometimes, it may take several hours for all nodes to
reflect changes.
Microsoft 365 IP addresses and user interfaces can change; refer to Microsoft
documentation for configuration details.
Before getting started, it may be helpful to contact Proofpoint Support or, if applicable, a
Proofpoint Professional Services consultant to assist with the implementation.
Proofpoint Protection Server can be configured as the inbound mail gateway through
which all incoming mail for specified domains is filtered before reaching Microsoft 365.
Use the Configure Inbound Mail Flow instructions below to configure inbound delivery.
Proofpoint Protection Server can be configured as the outbound mail gateway through
which all mail sent from a Microsoft 365 tenant to an external recipient can be filtered.
By configuring Microsoft 365 as described in Configure Outbound Mail Flow below, the
Microsoft 365 mail servers will pass outgoing mail through the Proofpoint Protection
Server to be filtered before final delivery.
CAUTION: Proofpoint recommends any changes in the Proofpoint Protection Server, DNS, or Microsoft
365 take place during a well-planned change control window to help reduce the risk to your organization.
This EOP Transport Connector option enforces TLS for messages received from the
Proofpoint Protection Server.
WARNING: Any configuration of the Transport Connector not mentioned below (notably enforcing the
certificate name of the client) would cause the Microsoft connector to return a 5.x SMTP response, which
could cause messages to be rejected if for any reason STARTTLS could not be negotiated.
Step 2 – Exclude the Proofpoint Protection Server from the EOP SPAM Module
This step will allow messages from the Proofpoint Protection Server to bypass the EOP
Spam Module. Please review both options before proceeding.
NOTE: Option #1 and Option #2 are alternatives that achieve the same result, so either one is sufficient on
its own. However, both options may be implemented if desired.
Note: This step is optional and would cause everything received from your
Proofpoint Protection Server to be delivered to the Focused Inbox.
8. When you're finished, click Save.
NOTE: Proofpoint recommends bypassing enhanced filtering for the Inbound from Proofpoint Transport
Connector.
Step 4 – Bypass Microsoft Defender for Microsoft 365 Safe Link Rewriting
Safe Links in Microsoft Defender for Microsoft 365 provides URL scanning of inbound
email messages in the mail flow. Microsoft Defender Safe Links rewriting cannot be used
WARNING: It may take several hours before the Get-MailDetailTransportRuleReport finds any messages
that triggered the transport rule.
WARNING: Only implement 6a or 6b or 6c or 6d. This step should only be completed once you have
finished your inbound migration and once you are satisfied that all inbound email traffic to your Microsoft
tenant routes via the Proofpoint systems. Before completing this step, seek advice from Proofpoint Support
or your Proofpoint Professional Services Consultant.
WARNING: Make sure to identify the full range of IP addresses for your Proofpoint Protection Server
or any other third-party email service authorized to send email from your domains. If authorized mail
systems are not accounted for in the connector, messages from those sources will be rejected. You
may want to regularly review to see if there are any new approved exceptions.
WARNING: Only implement 6a or 6b or 6c or 6d. This step should only be completed once you are ready
to describe all required "if" and "except if" conditions. Before completing this step, seek advice from
Proofpoint Support or your Proofpoint Professional Services Consultant.
WARNING: Make sure to identify the full range of IP addresses for your Proofpoint Protection
Server or any other third-party email service authorized to send email from your domains. If
authorized mail systems are not accounted for in the connector, messages from those sources will
be rejected. You may want to regularly review to see if there are any new approved exceptions.
WARNING: Only implement 6a or 6b or 6c or 6d. This step should only be completed once you are ready
to describe the "if" and "except if" conditions. Before completing this step, seek advice from Proofpoint
Support or your Proofpoint Professional Services Consultant.
WARNING: Make sure to identify the full range of IP addresses for your Proofpoint Protection
Server or any other third-party email service authorized to send email from your domains. If
authorized mail systems are not accounted for in the transport rule, messages from those sources
will be redirected to Proofpoint for filtering. You may want to regularly review to see if there are any
new approved exceptions.
Step 6d – Do Nothing
WARNING: Only implement 6a or 6b or 6c or 6d. Before completing this step, seek advice from Proofpoint
Support or your Proofpoint Professional Services Consultant.
Do nothing and accept that external mail that is sent directly to Microsoft will not be
filtered by Proofpoint.
WARNING: Failure to complete this step will likely cause a significant impact on the business because
Microsoft EOP will defer inbound emails from the Proofpoint Protection Server.
Example Microsoft Response: Your IP addresses were excluded from hydration for two
weeks.
Before cutting over MX records, trace the test email sent above using System > Smart
Search and confirm the email was accepted for delivery. In addition, verify the
appropriate inbound spam policy was triggered and that the email was delivered to the
intended recipient's inbox.
Proofpoint – Outbound
Step 1 – Enable Microsoft 365 Allow Relay
Before routing outbound email from Microsoft 365 through the Proofpoint Protection
Server, Allow Relay from Microsoft 365 should be configured.
WARNING: Failure to complete this configuration correctly could cause messages for external recipients
to be rejected with a relay denied error.
If you are using Proofpoint PoD, refer to the Welcome Letter under the SPF section to
view an example SPF record you could use for your Proofpoint Protection Server
cluster.
For more information regarding SPF and valid syntax: Sender Policy Framework
Step 3 – Add DKIM Records and Enable DKIM Signing on Outbound Email
Proofpoint recommends adding a DKIM signature for all domains used to send email
out through the Proofpoint Protection Server. The procedure for adding a DKIM signature varies by
organization and is out of the scope of this document.
WARNING: Before making changes within the Microsoft 365 Exchange Admin Center, review all existing
EOP Transport Rules and Transport Connectors used for mail flow routing. Failure to account for
specialized mail flow routing rules defined within the Microsoft 365 tenant may result in loss of email.
Step 1 – Verify Domain SPF Records Include the Proofpoint Protection Server
1. Navigate to https://www.proofpoint.com/us/cybersecurity-tools/dmarc-spf-creation-wizard,
then enter each domain used to send outbound email
2. Download the results, then confirm no errors were found and that the SPF record for
each domain references your Proofpoint Protection Servers
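As an added example (not part of the Proofpoint guide and not a Proofpoint tool), the following Python performs the Step 1 check offline: it evaluates a domain's SPF record for each Proofpoint Protection Server sending address and reports whether that address would get a "pass". It goes slightly beyond the wizard step by following include: chains, enforcing the RFC 7208 limit of 10 DNS-lookup terms (a common reason an SPF record silently breaks), and distinguishing softfail from pass. The DNS data, domain names and IP addresses in FAKE_TXT are constructed placeholders from the documentation address ranges; to use this against live domains, replace the FAKE_TXT lookup with a real DNS TXT query.

```python
"""Offline SPF evaluation for checking that a sending address (for example a
Proofpoint Protection Server) is authorized by a domain's SPF record.
Added example with constructed DNS data; not Proofpoint code."""
import ipaddress

# Constructed TXT data standing in for live DNS (assumption: names and
# addresses are placeholders, not real Proofpoint or customer values).
FAKE_TXT = {
    "example.com": ["v=spf1 include:_spf.pps.example.net ip4:203.0.113.0/24 -all"],
    "_spf.pps.example.net": ["v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.10 ip6:2001:db8::/32 ~all"],
    "no-spf.example.com": ["google-site-verification=placeholder"],
    "loop.example.com": ["v=spf1 include:loop.example.com -all"],
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookup terms is a permerror
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, txt_db=FAKE_TXT):
    """Return the single v=spf1 TXT record for domain, or None if there is
    none or more than one (multiple records are a permerror in real SPF)."""
    records = [r for r in txt_db.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(domain, ip, txt_db=FAKE_TXT, lookups=None):
    """Evaluate the SPF record of `domain` for sender `ip`.
    Returns (result, explanation); result is one of
    pass / fail / softfail / neutral / none / permerror."""
    lookups = [0] if lookups is None else lookups  # shared counter across includes
    record = get_spf_record(domain, txt_db)
    if record is None:
        return "none", f"no single v=spf1 record for {domain}"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"malformed {name}:{arg} in {domain}"
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier], f"{qualifier}{name}:{arg} in {domain}"
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", f"more than {MAX_DNS_LOOKUPS} DNS lookups"
            sub, why = check_spf(arg, ip, txt_db, lookups)
            if sub == "pass":  # include matches only when the included record passes
                return QUALIFIER_RESULT[qualifier], f"include:{arg} -> {why}"
            if sub in ("none", "permerror"):
                return "permerror", f"include:{arg} -> {why}"
        elif name == "all":
            return QUALIFIER_RESULT[qualifier], f"{qualifier}all in {domain}"
        else:
            # a, mx, ptr, exists and redirect need live DNS; this offline
            # example only counts them toward the lookup limit.
            lookups[0] += 1
    return "neutral", f"no term in {domain} matched {ip}"


def pps_covered(domain, pps_ips, txt_db=FAKE_TXT):
    """Step 1 style check: map each Proofpoint Protection Server address to
    its SPF result. Anything other than 'pass' needs attention."""
    return {ip: check_spf(domain, ip, txt_db)[0] for ip in pps_ips}


if __name__ == "__main__":
    for ip in ("198.51.100.25", "192.0.2.99", "2001:db8::1"):
        print(ip, check_spf("example.com", ip))
    print(check_spf("loop.example.com", "192.0.2.10"))
```

The softfail case matters in practice: an address that only matches a ~all in an included record is not authorized, and receivers such as EOP may treat it as suspicious even though the include "references" the right provider.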
WARNING: For on-premises PPS deployments, you must set System > SMTP Encryption > Settings >
SMTP Encryption Options = On before creating this Microsoft 365 Transport Connector.
WARNING: Pay attention to any warning notices displayed while creating a Transport Connector within
EOP. Do not save the connector if a warning indicates missing routes for any of your domains.
WARNING: Failure to properly establish a volume reputation could delay mail delivery to external domains.
WARNING: Failing to complete this configuration correctly may cause emails received from the Microsoft
365 mail system to be quarantined and blocked. Ensure you complete step 5 before changing the final
action to Quarantine > Discard in step 6.
PS C:\Users\rjones> New-Guid
Guid
----
0337a36c-9d46-4b88-a03f-519d5bc7c703
NOTE: The New-Guid PowerShell cmdlet creates a random globally unique identifier (GUID). You may also
generate an arbitrary string of at least 32 characters using your method of choice.
WARNING: You will need to wait at least 1 hour before proceeding to allow the changes within Microsoft
365 to propagate.
7. Click the Save Changes button at the top to save the changes
NOTE: Please contact Proofpoint Support or your assigned Proofpoint Professional Services consultant for
guidance with exclusions if valid emails are quarantined in the Outbound Antispoof folder.
NOTE: Plan to monitor the messages in the Outbound Antispoof folder for several days to confirm that no
valid email was quarantined after setting this rule to Discard.
The Microsoft 365 Allow Relay addresses were most likely not correctly configured in
your Proofpoint Protection Server. See the Configuring Outbound Mail Flow section.
This table provides a quick reference for email security products that can be used
concurrently.
A more detailed explanation for these products and features is provided below.
EOP Anti-Malware
Email messages are automatically protected against malware by Exchange Online
Protection (EOP). There should be no need to disable or bypass anti-malware
protection within EOP.
NOTE: Refer to the following Microsoft 365 Article for more information: Anti-malware protection in EOP
EOP Anti-Spoofing
EOP Anti-Spoofing examines the From header in the message body (the address shown as
the sender in email clients) for forgery. Email authentication is one of the
primary anti-spoofing technologies used by EOP to help identify an email as spoofed. In
most cases, you won't need to add anti-spoofing exceptions because this document
provides a method to bypass this check by way of the EOP Connection Filter IP Allow
List.
NOTE: Refer to the following Microsoft 365 Article for more information: Anti-spoofing protection in EOP
NOTE: Refer to the following Microsoft 365 Article for more information: Anti-spam protection in EOP
EOP Anti-Phishing
Email messages are automatically protected against phishing by Exchange Online
Protection (EOP). There should be no need to disable or bypass anti-phishing
protection within EOP.
NOTE: Refer to the following Microsoft 365 Article for more information: Anti-phishing policies in Microsoft
365
NOTE: Refer to the following Microsoft 365 Article for more information: Configure connection filtering
NOTE: Refer to the following Microsoft 365 Article for more information: Enhanced Filtering for Connectors
NOTE: Refer to the following Microsoft 365 Article for more information: Use Directory-Based Edge
Blocking to reject messages sent to invalid recipients in Exchange Online
NOTE: Refer to the following Microsoft 365 Article for more information: Safe Links in Microsoft Defender
for Microsoft 365
NOTE: Refer to the following Microsoft 365 Article for more information: Safe Attachments in Microsoft
Defender for Microsoft 365
To view the current hosted content filter policies and settings, run the following
PowerShell command:
PS C:\Users\rjones> Get-HostedContentFilterPolicy | select Name, SpamAction, PhishZapEnabled, IsDefault
NOTE: Refer to the following Microsoft 365 Article for more information: Zero-hour auto purge (ZAP) in
Exchange Online
Resources
• Proofpoint Customer Success Portal: https://proofpointcommunities.force.com/community/s/
• How to delist a sender from Proofpoint Dynamic Reputation (PDR) Block List:
https://proofpointcommunities.force.com/community/s/article/ka4390000000CwJ/How-to-delist-a-sender-from-Proofpoint-Dynamic-Reputation-PDR
• Dynamic Reputation IP Lookup: https://ipcheck.proofpoint.com/