M365 Integration Guide Proofpoint V3.19


Microsoft 365 Integration Guide
PROOFPOINT TO MICROSOFT 365 – BEST PRACTICES

Product Version: PPS 8.x

Deployment Type: PPS On-Prem and PPS PoD

Document Owner: Proofpoint Professional Services

Document Version: 3.19

Last Updated: June 22, 2023

© 2022 Proofpoint. All rights reserved. 1 of 34


Table of Contents
Document Introduction ....................................................................................................... 5
Overview ............................................................................................................................. 5
Configure Inbound Mail Flow ............................................................................................. 5
Proofpoint – Inbound .................................................................................................................. 6
Step 1 – Add Domain to the Proofpoint Inbound Mail Table ..................................... 6
Step 2 – Apply the Proofpoint Inbound Spam Policy ................................................. 6
Step 3 – Enable Recipient Verification ....................................................................... 6
Microsoft 365 – Inbound ............................................................................................................. 6
Step 1 – Create Inbound from Proofpoint Transport Connector................................ 7
Step 2 – Exclude the Proofpoint Protection Server from the EOP SPAM Module ... 8
Step 3 – Bypass Enhanced Filtering from Proofpoint ................................................ 9
Step 4 – Bypass Microsoft Defender for Microsoft 365 Safe Link Rewriting............. 9
Methods to Prevent EOP Direct Delivery ................................................................................. 10
Step 1 – Create Direct Delivery Audit Transport Rule ............................................. 12
Step 2 – View Message Details ................................................................................ 13
Step 2a – Run PowerShell Command to View Message Details ............................ 13
Step 2b – Run Microsoft Explorer to View Message Details ................................... 13
Step 3 – Identify Source IP Addresses..................................................................... 14
Step 4 – Add IP Address to Exception List .............................................................. 14
Step 5 – Repeat Steps 2 Through 5 ......................................................................... 14
Step 6 – Choose either Method 6a or 6b or 6c or 6d. .............................................. 14
Step 6a – Exchange Online Reject Connector Method ........................................... 15
Step 6b – Exchange Online Reject Transport Rule Method .................................... 16
Step 6c – Redirect Back to Proofpoint using Exchange Online Connector and Transport Rule Method ........ 17
Step 6d – Do Nothing ................................................................................................ 18
Inbound Mail Flow Hydration Requirements ............................................................................ 18
Step 1 – Open EOP Hydration Ticket....................................................................... 18
Step 2 – Confirm EOP Hydration Ticket was Actioned ............................................ 19
Testing and Troubleshooting - Inbound.................................................................................... 19



Configure Outbound Mail Flow......................................................................................... 19
Proofpoint – Outbound.............................................................................................................. 20
Step 1 – Enable Microsoft 365 Allow Relay ............................................................. 20
Step 2 – Add SPF Records....................................................................................... 20
Step 3 – Add DKIM Records and Enable DKIM Signing on Outbound Email ......... 20
Microsoft 365 – Outbound ........................................................................................................ 21
Step 1 – Verify Domain SPF Records Include the Proofpoint Protection Server.... 21
Step 2 – Add Outbound to Proofpoint Transport Connector.................................... 21
Step 3 – Add Outbound to Proofpoint Transport Rule ............................................. 22
Step 4 - Send an Outbound Email ............................................................................ 22
Step 5 – Expand Scope of the Outbound to Proofpoint Transport Connector ........ 23
Step 6 – Change Outbound to Proofpoint Transport Connector to a Wildcard ....... 23
Check IP Addresses For Microsoft Blocklist Listing ................................................................. 23
Step 1 – Submit a Microsoft Microsoft 365 Delisting Request ................................ 23
Step 2 – Submit a Microsoft Support Request to Delist from Hotmail/Live/Outlook 24
Outbound Mail Flow IP Warm-up Guidance............................................................................. 24
IP Warmup - Outbound ............................................................................................. 24
Methods to Prevent Unauthorized Microsoft 365 Allow-Relay................................................. 24
Step 1 – Generate a Unique ID Using PowerShell .................................................. 25
Step 2 - Create an EOP Transport Rule to Add Custom X-Header ........................ 25
Step 3 - Create a Firewall Rule within PPS to Check for X-Header ........................ 26
Step 4 - Create Firewall Rules to Audit Potentially Spoofed Email ......................... 26
Step 5 - Review the Quarantine Folder for Valid Email ........................................... 28
Step 6 - Modify Outbound_Antispoof Rule to Quarantine and Discard ................... 28
Testing and Troubleshooting – Outbound ................................................................................ 29
Microsoft 365 Security Features Compatibility Matrix ..................................................... 29
Microsoft Exchange Online Protection and Proofpoint Protection Server ............................... 30
EOP Anti-Malware..................................................................................................... 30
EOP Anti-Spoofing .................................................................................................... 30
EOP Anti-Spam ......................................................................................................... 31
EOP Anti-Phishing .................................................................................................... 31
EOP Connection Filtering ......................................................................................... 31
EOP Enhanced Filtering for Connectors .................................................................. 31
EOP Directory Based Edge Blocking (DBEB) .......................................................... 31
Microsoft Defender for Office (MSDO) and Targeted Attack Protection (TAP) ....................... 32
EOP Safe Links for Email ......................................................................................... 32
EOP Safe Links for OneDrive, SharePoint Online, and Teams .............................. 32
EOP Safe Attachments for Email ............................................................................. 32
Safe Attachments for OneDrive, SharePoint Online, and Teams ............................................ 32
Zero-hour Auto Purge (ZAP) and Threat Response Auto Pull (TRAP) ................................... 32
Data Loss Prevention for Email and Proofpoint Regulatory Compliance ................................ 33
Office Message Encryption (OME) and Proofpoint Encryption (PE) ....................................... 33
Resources ......................................................................................................................... 33



Document Introduction
This document identifies best practices when integrating Microsoft 365 with Proofpoint
Protection Server (PPS). Please review this entire document before making changes to
Proofpoint Protection Server, Microsoft 365, or DNS.

Proofpoint's standard configuration best practices are recommended for all Proofpoint
customers to ensure the full benefit of Proofpoint solutions purchased are received.

Overview
Microsoft 365 can be configured with the Proofpoint Protection Server (PPS) as its
inbound and outbound mail gateway. Any changes within Microsoft 365 may take up to
30 minutes to become active. Sometimes, it may take several hours for all nodes to
reflect changes.

Microsoft 365 IP addresses and user interfaces can change; refer to Microsoft
documentation for configuration details.

Before getting started, it may be helpful to contact Proofpoint Support or, if applicable, a
Proofpoint Professional Services consultant to assist with the implementation.

Proofpoint Protection Server can be configured as the inbound mail gateway through
which all incoming mail for specified domains is filtered before reaching Microsoft 365.
Use the Configure Inbound Mail Flow instructions below to configure inbound delivery.

Proofpoint Protection Server can be configured as the outbound mail gateway through
which all mail sent from a Microsoft 365 tenant to an external recipient can be filtered.
By configuring Microsoft 365 as described in Configure Outbound Mail Flow below, the
Microsoft 365 mail servers will pass outgoing mail through the Proofpoint Protection
Server to be filtered before final delivery.

CAUTION: Proofpoint recommends any changes in the Proofpoint Protection Server, DNS, or Microsoft
365 take place during a well-planned change control window to help reduce the risk to your organization.

Configure Inbound Mail Flow


Proofpoint Protection Server can be configured as the inbound mail gateway through
which all incoming mail for specified domains is filtered before being passed to the
Microsoft 365 mail servers for delivery to intended recipients. All steps in this section
should be completed before updating the domain's MX record.



Proofpoint – Inbound
Step 1 – Add Domain to the Proofpoint Inbound Mail Table
To route email back to Microsoft 365, an entry should be added to the Proofpoint
Protection Server Inbound Mail table. In most cases, adding this entry before the
cutover should not impact production email delivery.

1. Log in to the Proofpoint Protection Server
2. Configure Mail Routes by navigating to System > Inbound Mail
3. In the Mail for Host / Domain, enter the domain name that the Proofpoint system
should accept mail for filtering and delivery to Microsoft 365.
4. In the Mailer field, choose the drop-down option ESMTP.
5. After the Proofpoint service has completed filtering, the mail is routed to the
specified destination. In the Destination / Error Message field, enter the
Microsoft 365 hostname in the resolvable format specific to Microsoft. If unsure of
the hostname, the process to find the destination for a Microsoft 365 tenant is
outlined below.

Find the hostname in Microsoft 365:

1. Log in to the Microsoft 365 admin center (https://admin.microsoft.com/)
2. In the left pane, click Settings > Domains
3. In the Domains table, click the domain, then click on the DNS Record
heading
4. Under the Microsoft Exchange > MX section, take note of the hostname
value. This is the address of the destination mail server.

For example: proofpoint-com.mail.protection.outlook.com

Step 2 – Apply the Proofpoint Inbound Spam Policy


After adding the domain to the inbound mail table, the appropriate inbound spam policy
should be applied to the domain. The method to apply the inbound spam policy may
differ for each organization, so those instructions are out of the scope of this document.

Step 3 – Enable Recipient Verification


After adding the domain to the inbound mail table, recipient verification may need to be
enabled for the newly added domain. Recipient verification isn't enabled by default, so
the steps to configure it are out of the scope of this document.

Microsoft 365 – Inbound


The following steps should be completed within the Microsoft 365 Exchange Admin
Center before cutting over inbound emails through the Proofpoint Protection Server.



WARNING: Before making changes within the Microsoft 365 Exchange Admin Center, review all existing
EOP Transport Rules and Transport Connectors used for mail flow routing. Failure to account for
specialized mail flow routing rules defined within the Microsoft 365 tenant may result in loss of email.

Step 1 – Create Inbound from Proofpoint Transport Connector


Mail sent from the Proofpoint Protection Server should require Transport Layer Security
(TLS) to ensure emails are never sent in clear text over the public Internet. Please
review both options before proceeding.

This EOP Transport Connector option enforces TLS for messages received from the
Proofpoint Protection Server.

WARNING: Any configuration of the Transport Connector not mentioned below (notably enforcing the
certificate name of the client) would cause the Microsoft connector to return a 5.x SMTP response, which
could cause messages to be rejected if for any reason STARTTLS could not be negotiated.

1. Log in to the Microsoft 365 Exchange Admin Center (https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Connectors
3. Click the + Add a connector link to add a new connector
4. Under the Connection from section, choose Partner organization
5. Under the Connection to section, verify Microsoft 365 is preselected, then click
Next at the bottom
6. Name the connector Inbound from Proofpoint
7. Add a description to describe the connector, like "Used to enforce TLS for
messages received from Proofpoint"
8. Make sure you click the checkbox next to "Turn it on," then click Next at the
bottom
9. On the next screen, select "By verifying that the IP address of the sending
server matches one of the following IP addresses, which belong to your
partner organization" to identify the Partner Organization
10. Add the IP addresses associated with your Proofpoint Protection Server and click
the + button to add them to the list
11. Click Next at the bottom
12. Select "Reject email messages if they aren't sent over TLS" checkbox from
the Security restrictions section
13. Click Next at the bottom
14. Verify the settings, then click Create connector



WARNING: The Transport Connector created above enforces TLS for messages sent from the Proofpoint
Protection Server. If TLS cannot be negotiated, the Microsoft EOP mail system currently returns a 4.x SMTP
response which causes the email to remain in the PPS outbound mail queues. If Microsoft changes its
response to a 5.x SMTP response, this connector will cause all emails from the Proofpoint Protection Server
to be rejected.

Step 2 – Exclude the Proofpoint Protection Server from the EOP SPAM Module
This step will allow messages from the Proofpoint Protection Server to bypass the EOP
Spam Module. Please review both options before proceeding.

NOTE: Option #1 and Option #2 achieve the same result, so only one of them is needed. However, both
options may be implemented if desired.

Option #1 - Add IP addresses to Connection Filter IP Allow List (Recommended)


This option adds the Proofpoint Protection Server IP addresses to the EOP Connection
Filter IP Allow List to bypass the EOP spam module. Confirm this option is working by
inspecting the headers of an inbound email and looking for the IPV:CAL header, which
indicates the message skipped spam filtering because the source IP address was in the
IP Allow List.

1. Log in to the Microsoft 365 Defender portal (https://security.microsoft.com)
2. Navigate to Email & Collaboration > Policies & Rules > Threat policies >
Anti-spam in the Policies section or go directly to the Anti-spam policies page
at https://security.microsoft.com/antispam.
3. Click on the Connection filter policy (default) policy
4. Click Edit connection filter policy on the pop-out page, then under Always allow
messages from the following IP addresses or address range, add the
Proofpoint Protection Server IP addresses to the default connection filter IP allow
list
5. Click Save to save the changes

Option #2 – Add Transport Rule to Bypass SPAM (Deprecated)


This option uses an EOP Transport Rule that overrides the spam confidence level to -1
(bypass spam filtering). This option is essentially the same as option #1 but may not
trigger if higher priority transport rules enable Stop processing more rules.

1. Log in to the Microsoft 365 Exchange Admin Center (https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Rules
3. Click the +Add a rule option to add a new Transport Rule
4. Name the rule "Bypass Spam Filtering for Proofpoint"



5. Under Apply this rule if, select The sender > IP address in any of these
ranges or exactly matches, then click Enter IPv4 or IPv6 addresses and enter
all IP addresses of your Proofpoint Protection Server
6. Under Do the following, Modify the message properties, then select set the
spam confidence level (SCL) and select Bypass spam filtering
7. Click the + button, then under the And heading, select Modify the message
properties > Set a message header, then set the message header
BypassFocusedInbox to the value true

Note: This step is optional and would cause everything received from your
Proofpoint Protection Server to be delivered to the Focused Inbox.
8. When you're finished, click Save

Step 3 – Bypass Enhanced Filtering from Proofpoint


EOP inbound connectors are a trusted source of incoming mail to Microsoft 365. If email
received from your Proofpoint Protection Server is trusted, confirm that Enhanced
Filtering for Connectors is disabled (bypassed). If Microsoft 365 should perform
additional checks within EOP, ensure Enhanced Filtering for Connectors is enabled. For
more information, please see EOP Enhanced Filtering for Connectors.

NOTE: Proofpoint recommends bypassing enhanced filtering for the Inbound from Proofpoint Transport
Connector.

1. Navigate to the Enhanced Filtering for Connectors web page (https://security.microsoft.com/threatpolicy)
2. Under the Rules heading, click on Enhanced Filtering, then click on the
Inbound from Proofpoint connector name
3. If you want to disable Enhanced filtering, ensure you have selected Disable
Enhanced Filtering for Connectors
4. If enabling Enhanced filtering, select Skip these IP addresses that are
associated with the connector, then add the IP addresses of the Proofpoint
Protection Server to the skip list.
Note: Consider starting with a small subset of users to see if Enhanced Filtering
suits your organization.
5. Click Save to save the changes

Step 4 – Bypass Microsoft Defender for Microsoft 365 Safe Link Rewriting
Safe Links in Microsoft Defender for Microsoft 365 provides URL scanning of inbound
email messages in the mail flow. Microsoft Defender Safelink Rewriting cannot be used
concurrently with Proofpoint URL Defense. The following steps will allow all emails from
the Proofpoint Protection Server to bypass Safelink Rewriting within EOP.

1. Log in to the Microsoft 365 Exchange Admin Center (https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Rules
3. Click the +Add a rule option to add a new Transport Rule
4. Name the rule "Bypass Safelinks for Proofpoint"
5. Under Apply this rule if, select The sender > IP address in any of these
ranges or exactly matches, then click Enter IPv4 or IPv6 addresses and enter
all IP addresses of your Proofpoint Protection Server
6. Under Do the following, select Modify the message properties > set a
message header, then set the message header X-MS-Exchange-Organization-
SkipSafeLinksProcessing to the value 1
7. When finished, click Save
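The same Microsoft 365 – Inbound configuration (Step 1, Step 2 Option #1, the Step 3 check, and Step 4) as an Exchange Online PowerShell session. This is an added example, not part of the Proofpoint guide; the IP addresses are placeholders, and the mapping of the admin center options to cmdlet parameters (SenderDomains "*" plus SenderIPAddresses for "identify by IP address", RequireTls for the TLS restriction) is assumed from the Exchange Online cmdlet reference.

```powershell
# Added example: Microsoft 365 - Inbound steps as Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed.
# Placeholder addresses: replace with the real Proofpoint Protection Server IPs.
$ProofpointIPs = @("192.0.2.10", "192.0.2.11")

Connect-ExchangeOnline

# Step 1 - "Inbound from Proofpoint" partner connector. Identifying the partner
# by IP address corresponds to SenderDomains "*" plus the SenderIPAddresses list;
# RequireTls enforces "Reject email messages if they aren't sent over TLS".
New-InboundConnector -Name "Inbound from Proofpoint" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -SenderIPAddresses $ProofpointIPs `
    -RequireTls $true `
    -Enabled $true `
    -Comment "Used to enforce TLS for messages received from Proofpoint"

# Step 2, Option #1 - add the PPS addresses to the default connection filter
# IP Allow List so EOP spam filtering is skipped (look for IPV:CAL in headers).
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $ProofpointIPs}

# Step 3 - confirm Enhanced Filtering for Connectors is bypassed on the new
# connector. Enhanced Filtering is active only when EFSkipLastIP is $true or
# EFSkipIPs is populated, so both should be empty/false here.
Get-InboundConnector -Identity "Inbound from Proofpoint" |
    Select-Object Name, RequireTls, EFSkipLastIP, EFSkipIPs, EFUsers

# Step 4 - transport rule that stamps the Safe Links skip header on every
# message whose sending IP is one of the PPS addresses.
New-TransportRule -Name "Bypass Safelinks for Proofpoint" `
    -SenderIpRanges $ProofpointIPs `
    -SetHeaderName "X-MS-Exchange-Organization-SkipSafeLinksProcessing" `
    -SetHeaderValue "1"
```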

Methods to Prevent EOP Direct Delivery


A threat actor may attempt to circumvent any third-party filtering gateway by sending an
external email directly to Microsoft 365 without following the MX record (e.g., sending to
example-com.mail.protection.outlook.com instead of using the MX records for your
Proofpoint Protection Server). However, Microsoft too may choose to send directly for
some Microsoft services (e.g., Teams, Skype, Yammer, or SharePoint).

There are four mutually exclusive mitigation methods available.


Solution 6a. Exchange Online Reject Connector
Summary: Exchange Connector configured that will reject inbound mail from an external
sender if it did not arrive from Proofpoint IPs.
Pros:
1. Will reject threat actor email received by direct delivery unless matching exceptions.
2. Will reject inside the initial SMTP session - straightforward to test.
Cons:
1. Risk of rejecting legitimate email received by direct delivery if approved exceptions
are not in the exceptions section.
2. Must be enabled for ALL sending domains or explicitly listed sending domains.
3. Exceptions are limited to sending domains and sending IPs only.
4. Rejections are NOT shown in M365 message tracing.
5. Mail sent to the onmicrosoft.com addresses will always be sent direct to M365 (but
can be mitigated by adding an external email address for each user).

Solution 6b. Exchange Online Reject Transport Rule
Summary: Exchange transport rule configured that will reject inbound mail from an
external sender if it did not arrive from Proofpoint IPs but with flexible exception
conditions.
Pros:
1. Will reject threat actor email received by direct delivery unless matching exceptions.
2. Flexible with multiple IF and Except IF conditions e.g., sender domain, recipient
domain, sender IP, and message type.
3. Can be enabled incrementally as domains are migrated to Proofpoint filtering.
4. Failures are shown in M365 message tracing.
Cons:
1. Risk of rejecting legitimate email received by direct delivery if approved exceptions
are not in the exceptions section.
2. Initial SMTP session will accept inbound mail but later send a non-deliverable when
the transport rule fires.
3. It may still be possible for threat actors to defeat if the sender can break the
exception conditions.
4. Transport rule priority and rule settings may impact rule triggering.

Solution 6c. Redirect Back to Proofpoint using Exchange Online Connector and Transport Rule
Summary: Exchange connector and transport rule configured to catch inbound mail from
an external sender if it did not arrive from Proofpoint IPs and send it back to
Proofpoint to be filtered.
Pros:
1. Will send threat actor email received by direct delivery for filtering by Proofpoint
unless matching exceptions.
2. Flexible with multiple IF and Except IF conditions e.g., sender domain, recipient
domain, sender IP, and message type.
3. Can be enabled incrementally as domains are migrated to Proofpoint filtering.
Cons:
1. The sending IP becomes the customer O365 tenant IP. If the sending domain has a
strong email authentication policy (e.g. SPF hardfail and DMARC reject) and strong
email authentication policies are applied in Proofpoint, this may result in
authentication failures when Proofpoint filters the inbound email. Also, you lose the
ability to perform Proofpoint dynamic reputation on external sender IPs.
2. It may still be possible for threat actors to defeat if the sender can break the
exception conditions.
3. Transport rule priority and rule settings can impact rule triggering.

Solution 6d. Do Nothing
Summary: Do nothing. Mail that is sent directly to Microsoft will not be filtered by
Proofpoint and will rely on Microsoft rules to filter.
Pros:
1. There is no risk of rejecting approved messages received by direct delivery.
2. No additional configuration is needed.
Cons:
1. Risk of delivering threat actor email received by direct delivery.
2. Microsoft filtering of direct delivery email is likely less effective than Proofpoint
filtering, e.g., risk, spam, or bulk mail will arrive in the inbox.
3. Direct delivery mail flow is not visible or filtered alongside regular traffic in
Proofpoint tools (e.g., SmartSearch).
4. Spam or bulk mail received by direct delivery will not be available from Proofpoint
digest or web quarantine.

We recommend beginning by setting up an EOP transport rule to audit messages
received from outside the organization that Proofpoint Protection Server has not filtered.

Step 1 – Create Direct Delivery Audit Transport Rule


1. Log in to the Microsoft 365 Exchange Admin Center
(https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Rules
3. Click the +Add a rule option to add a new Transport Rule
4. Name the rule Audit Direct Delivery
5. Under Apply this rule if, select the Sender is located, then select Outside the
organization
6. Click the + button, then under the And heading, select the Recipient is located,
then select Inside the organization
7. Under the Do the following section, select Modify the message properties,
then select set a message header, then set the message header X-EOP-Direct-
Delivery to the value True
8. Under Except If, select The sender > IP address in any of these ranges or
exactly matches, then click Enter IPv4 or IPv6 addresses, and enter all IP
addresses authorized to deliver directly to EOP like the Proofpoint Protection
Server and any authorized mail systems such as on-prem Exchange.
9. Under Except If, click the + button, then under the Or heading, select The
message properties > includes the message type, then select Calendaring
10. If your organization allows forwarding messages externally, you'll also need to
add the following: Under Except If, click the + button, then under the Or
heading, select, The message header > includes any of these words, then set
the message header X-MS-Exchange-Generated-Message-Source to the value
Mailbox Rules Agent



Step 2 – View Message Details
Use one of the two following methods to view message details where audit direct
delivery has fired. 2b is easier but is only available if you have a Microsoft E5 license.

Step 2a – Run PowerShell Command to View Message Details


Run the following PowerShell command to view the messages delivered directly to
EOP.
# Requires an Exchange Online PowerShell session (ExchangeOnlineManagement module)
Connect-ExchangeOnline

$days = 3                                 # Get 3 days' worth of data
$StartDate = (Get-Date).AddDays(-$days)   # Determine start date
$EndDate = (Get-Date)                     # Determine end date

# List messages that fired the audit rule and export them to CSV
Get-MailDetailTransportRuleReport -PageSize 5000 -StartDate $StartDate -EndDate $EndDate -TransportRule "Audit Direct Delivery" | Export-Csv AuditDirectDelivery.csv -NoTypeInformation

WARNING: It may take several hours before the Get-MailDetailTransportRuleReport finds any messages
that triggered the transport rule.

Step 2b – Run Microsoft Explorer to View Message Details


Run the following Microsoft Explorer command to view the messages delivered directly
to EOP – this is only available with a Microsoft E5 license.

1. Log in to the Microsoft 365 Defender (https://security.exchange.microsoft.com/)
2. Select Email & Collaboration from the left menu, then select Explorer
3. Select Exchange Transport Rule from the filter attribute drop-down
4. Enter Audit Direct Delivery in the filter value field
5. Select the "Customize columns" option and check the box for "Sender IP"
6. Click "Refresh" to load the email that fired the selected Exchange Transport Rule



Step 3 – Identify Source IP Addresses
Review the results from Step 2a or Step 2b and identify any systems that should be
authorized for direct delivery to EOP. For 2a only, an EOP Message Trace will be
required to determine the source IP addresses.

Step 4 – Add IP Address to Exception List


Modify the "Audit Direct Delivery" Transport Rule and add any other authorized
systems identified to the "Except if... Sender's IP address is in the range" list.

Step 5 – Repeat Steps 2 Through 5


Repeat steps 2 through 5 until all authorized mail systems are identified and added to
the exception list.
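Steps 1 through 5 of the audit procedure as one Exchange Online PowerShell script: create the audit rule with its exceptions, pull the rule report, resolve each hit to its source IP through a message trace (the rule report itself carries no source IP), and merge newly approved systems into the rule's exception list. This is an added example, not from the Proofpoint guide; it assumes an existing Connect-ExchangeOnline session, and every IP address in it is a placeholder.

```powershell
# Added example: direct delivery audit cycle (Steps 1-5) in Exchange Online PowerShell.
# Assumes Connect-ExchangeOnline has already been run.
# Placeholders: PPS addresses plus any on-prem Exchange already authorized.
$AuthorizedIPs = @("192.0.2.10", "192.0.2.11", "198.51.100.5")
$RuleName = "Audit Direct Delivery"

# Step 1 - audit rule: external sender to internal recipient gets a marker header,
# except when the source IP is authorized, the message is calendaring, or it was
# generated by a mailbox forwarding rule (Mailbox Rules Agent).
New-TransportRule -Name $RuleName `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -SetHeaderName "X-EOP-Direct-Delivery" `
    -SetHeaderValue "True" `
    -ExceptIfSenderIpRanges $AuthorizedIPs `
    -ExceptIfMessageTypeMatches Calendaring `
    -ExceptIfHeaderContainsMessageHeader "X-MS-Exchange-Generated-Message-Source" `
    -ExceptIfHeaderContainsWords "Mailbox Rules Agent"

# Step 2a - messages that fired the rule over the last 3 days
# (the report may lag several hours behind delivery).
$EndDate   = Get-Date
$StartDate = $EndDate.AddDays(-3)
$Hits = Get-MailDetailTransportRuleReport -PageSize 5000 -StartDate $StartDate `
            -EndDate $EndDate -TransportRule $RuleName

# Step 3 - resolve each MessageId through a message trace and count per source IP.
$SourceIPs = foreach ($hit in $Hits) {
    Get-MessageTrace -MessageId $hit.MessageId -StartDate $StartDate -EndDate $EndDate |
        Select-Object -ExpandProperty FromIP
}
$SourceIPs | Group-Object | Sort-Object Count -Descending |
    Select-Object @{Name = "FromIP"; Expression = { $_.Name }}, Count

# Step 4 - after reviewing the list, add the systems you decide to authorize.
# Set-TransportRule replaces the exception list, so merge with what is there.
$NewlyAuthorized = @("203.0.113.7")   # placeholder: systems confirmed in Step 3
$Rule = Get-TransportRule -Identity $RuleName
$Existing = @($Rule.ExceptIfSenderIpRanges | ForEach-Object { $_.ToString() })
$Merged = ($Existing + $NewlyAuthorized) | Select-Object -Unique
Set-TransportRule -Identity $RuleName -ExceptIfSenderIpRanges $Merged

# Step 5 - rerun the report/trace/merge cycle until no unexpected sources remain.
```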

Step 6 – Choose either Method 6a or 6b or 6c or 6d.


Do NOT implement more than one method. The advantages and disadvantages of each
method are described at the beginning of this section.



Step 6a – Exchange Online Reject Connector Method

WARNING: Only implement 6a or 6b or 6c or 6d. This step should only be completed once you have
finished your inbound migration and once you are satisfied that all inbound email traffic to your Microsoft
tenant routes via the Proofpoint systems. Before completing this step, seek advice from Proofpoint Support
or your Proofpoint Professional Services Consultant.

1. Log in to the Microsoft 365 Exchange Admin Center (https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Connectors
3. Click on the Inbound from Proofpoint Transport Connector
4. From the pop-out, verify the How to identify your partner organization is set to
Identify the partner organization by verifying that messages are coming
from these domains: *. If this setting differs, seek advice from Proofpoint
Support or an assigned Proofpoint Professional Services Consultant before
proceeding.
5. From the pop-out, under the Security Restrictions heading, click Edit
restrictions
6. Verify the Reject email messages if they aren't sent over TLS is selected
7. Click on the "Reject email messages if they aren't sent from within this IP
address range," click the + button, then add all IP addresses authorized to send
an email directly to EOP, which should include the IP addresses of the Proofpoint
Protection Server and any authorized mail systems, then click "Save."

WARNING: Make sure to identify the full range of IP addresses for your Proofpoint Protection Server
or any other third-party email service authorized to send email from your domains. If authorized mail
systems are not accounted for in the connector, messages from those sources will be rejected. You
may want to regularly review to see if there are any new approved exceptions.



Step 6b – Exchange Online Reject Transport Rule Method

WARNING: Only implement 6a or 6b or 6c or 6d. This step should only be completed once you are ready
to describe all required "if" and "except if" conditions. Before completing this step, seek advice from
Proofpoint Support or your Proofpoint Professional Services Consultant.

1. Log in to the Microsoft 365 Exchange Admin Center (https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Rules
3. Click the +Add a rule option to add a new Transport Rule
4. Name the rule Inbound from Proofpoint Reject Direct Delivery
5. Under Apply this rule if, select The sender is located, then select Outside the
organization
6. Click the + button, then under the And heading, select any other conditions
required, e.g. The recipient > domain is, then add the migrated domains.
7. Under the Do the following section, select Block the message, then select
reject the message with an explanation, then specify the rejection reason
Delivery not authorized, must use the published MX record.
8. Click the + button, then select Block the message, then select reject the
message with enhanced status code, then enter the enhanced status code
5.7.1.
9. Under Except If, select The sender > IP address in any of these ranges or
exactly matches, then click Enter IPv4 or IPv6 addresses, and enter all IP
addresses authorized to deliver directly to EOP, such as the Proofpoint Protection
Server and any authorized mail systems such as on-prem Exchange.
10. Under Except If, click the + button, then under the Or heading, select The
message properties > includes the message type, then select Calendaring
11. Click the + button, then under the Or heading, select any other conditions
required, e.g. The sender > domain is, then add any sending-domain exceptions.
12. Enable the rule by selecting the new rule and dragging the slider to Enabled.

WARNING: Make sure to identify the full range of IP addresses for your Proofpoint Protection
Server or any other third-party email service authorized to send email from your domains. If
authorized mail systems are not accounted for in the connector, messages from those sources will
be rejected. You may want to regularly review to see if there are any new approved exceptions.

Step 6c – Redirect Back to Proofpoint using Exchange Online Connector and Transport
Rule Method

WARNING: Only implement 6a or 6b or 6c or 6d. This step should only be completed once you are ready
to describe the "if" and "except if" conditions. Before completing this step, seek advice from Proofpoint
Support or your Proofpoint Professional Services Consultant.

1. Log in to the Microsoft 365 Exchange Admin Center (https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Connectors
3. Select Connection from, Office 365
4. Select Connection to, Partner Organisation
5. Enter the name Inbound from Proofpoint Bypass Fix
6. Specify when you want to use this connector: Only when I have a transport
rule set up that redirects messages to this connector.
7. Specify Route email through these smart hosts.
8. Add the FQDNs associated with your Proofpoint Protection Server and click the +
button to add them to the list
9. Click Next at the bottom
10. Select "Reject email messages if they aren't sent over TLS" checkbox and
Issued by a trusted certificate authority from the Security restrictions
section
11. Click Next at the bottom
12. Click the + button to specify an external email address and Validate.
13. Click Next at the bottom
14. Verify the settings, then click Create connector
15. Select Mail flow from the left menu, then select Rules
16. Click the +Add a rule option to add a new Transport Rule
17. Name the rule Inbound from Proofpoint Bypass Fix
18. Under Apply this rule if, select the Sender is located, then select Outside the
organization
19. Click the + button, then under the And heading, select the Recipient is located,
then select Inside the organization
20. Click the + button, then under the And heading, select any other conditions
required e.g. the Recipient, then select domain is, add migrated domains.
21. Under the Do the following section, select Redirect the message to, select
the following connector, then select Inbound from Proofpoint Bypass Fix.
22. Under Except If, select The sender > IP address in any of these ranges or
exactly matches, then click Enter IPv4 or IPv6 addresses, and enter all IP
addresses authorized to deliver directly to EOP, such as the Proofpoint Protection
Server and any authorized mail systems such as on-prem Exchange.
23. Under Except If, click the + button, then under the Or heading, select The
message properties > includes the message type, then select Calendaring
24. Click the + button, then under the OR heading, select any other conditions
required e.g. the Sender, then select domain is, then add any sending
domains exceptions.
25. Click Next at the bottom
26. Verify the settings, then click Finish to create the rule and Done.
27. Enable the rule by selecting the new rule and dragging the slider to Enabled.

WARNING: Make sure to identify the full range of IP addresses for your Proofpoint Protection
Server or any other third-party email service authorized to send email from your domains. If
authorized mail systems are not accounted for in the transport rule, messages from those sources
will be redirected to Proofpoint for filtering. You may want to regularly review to see if there are any
new approved exceptions.
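The same rule and connector definitions from Steps 6b and 6c can be created from Exchange Online PowerShell, which makes the "if" and "except if" conditions easier to review and version before they are enabled. The script below is an added example, not Proofpoint's own tooling; it assumes the ExchangeOnlineManagement module, and every IP address, smart-host FQDN and domain in it is a placeholder to be replaced with your own values. Both methods share one set of conditions and exceptions, so the authorized-IP list only has to be maintained in one place.

```powershell
# Added example, not from the Proofpoint guide: the Exchange Online PowerShell
# form of Step 6b (reject) or Step 6c (redirect back to Proofpoint). Needs the
# ExchangeOnlineManagement module. Every IP, FQDN and domain here is a
# placeholder; substitute your own values before running.
Connect-ExchangeOnline

# Hosts permitted to deliver straight to EOP: the Proofpoint Protection Server
# and any authorized mail system such as on-prem Exchange (placeholders).
$authorizedIps    = @('192.0.2.10', '192.0.2.11', '198.51.100.0/24')
$migratedDomains  = @('example.com', 'example.net')
$senderExceptions = @('partner.example')                       # sending-domain exceptions, if any
$ppsSmartHosts    = @('pps1.example.com', 'pps2.example.com')  # Step 6c only

# Conditions common to both methods: sender outside the organization and a
# recipient in a migrated domain, unless the source IP is authorized, the
# message is a calendar item, or the sender domain is on the exception list.
$common = @{
    FromScope                  = 'NotInOrganization'
    RecipientDomainIs          = $migratedDomains
    ExceptIfSenderIpRanges     = $authorizedIps
    ExceptIfMessageTypeMatches = 'Calendaring'
    Enabled                    = $false   # review first, enable in a change window
}
if ($senderExceptions) { $common.ExceptIfSenderDomainIs = $senderExceptions }

# The guide says to implement exactly one of 6a-6d; choose here.
$method = '6b'

switch ($method) {
    '6b' {
        # Reject with the explanation and enhanced status code from Step 6b.
        New-TransportRule -Name 'Inbound from Proofpoint Reject Direct Delivery' @common `
            -RejectMessageReasonText 'Delivery not authorized, must use the published MX record.' `
            -RejectMessageEnhancedStatusCode '5.7.1'
    }
    '6c' {
        # Connector used only when a rule routes to it; TLS with a CA-issued
        # certificate is required, matching the Security restrictions in Step 6c.
        New-OutboundConnector -Name 'Inbound from Proofpoint Bypass Fix' `
            -ConnectorType Partner -IsTransportRuleScoped $true `
            -SmartHosts $ppsSmartHosts -TlsSettings CertificateValidation
        # Redirect external-to-internal mail that skipped Proofpoint back to it.
        New-TransportRule -Name 'Inbound from Proofpoint Bypass Fix' @common `
            -SentToScope InOrganization `
            -RouteMessageOutboundConnector 'Inbound from Proofpoint Bypass Fix'
    }
}

# Confirm the rule exists and is still disabled until you are ready to enable it.
Get-TransportRule | Where-Object Name -like 'Inbound from Proofpoint*' |
    Format-Table Name, State, Priority -AutoSize
```

The rule is created disabled on purpose: once the authorized-IP list has been checked against every system that legitimately delivers to EOP, enable it with Enable-TransportRule during the change window. Missing an authorized source in $authorizedIps has the same effect the warning above describes, so keep that list under review.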

Step 6d – Do Nothing

WARNING: Only implement 6a or 6b or 6c or 6d. Before completing this step, seek advice from Proofpoint
Support or your Proofpoint Professional Services Consultant.

Do nothing and accept that external mail that is sent directly to Microsoft will not be
filtered by Proofpoint.

Inbound Mail Flow Hydration Requirements


Microsoft utilizes an undocumented connection filter within its Exchange Online
Protection mail system. This hydration mechanism throttles new IP addresses seen by
the EOP platform for several days. Proofpoint recommends submitting a request within
2 to 7 days before an inbound cutover.

WARNING: Failure to complete this step will likely cause a significant impact on the business because
Microsoft EOP will defer inbound emails from the Proofpoint Protection Server.

Step 1 – Open EOP Hydration Ticket


Complete the following instructions within seven days of an inbound cutover.

1. Go to the admin center at https://admin.microsoft.com


2. On the bottom right side of the page, select Help & support

3. At the bottom, select Contact Support, then enter the following description:
Our organization will be implementing the Proofpoint Protection Server at our email perimeter.
Please exclude the following Proofpoint IP Address assigned to our company from the Microsoft
Hydration Requirements system: ip.address.1, ip.address.2
4. Complete the rest of the form, then click the Contact me button at the bottom of
the page

Step 2 – Confirm EOP Hydration Ticket was Actioned


Within two days of the planned inbound cutover, confirm Microsoft Support excluded the
requested IP addresses from the Microsoft Hydration Requirements system.

Example Microsoft Response: Your IP addresses were excluded from hydration for two
weeks.

Testing and Troubleshooting - Inbound


The inbound mail flow path should be tested before cutting over the domain's MX
records. After completing the steps defined in the Configure Inbound Mail Flow section,
send an email message to the Proofpoint Protection Server using a tool like Wormly to
confirm the email is delivered to the intended recipient.

Before cutting over MX records, trace the test email sent above using System > Smart
Search and confirm the email was accepted for delivery. In addition, verify the
appropriate inbound spam policy was triggered and that the email was delivered to the
intended recipient's inbox.

Configure Outbound Mail Flow


This section describes configuring Microsoft 365 to direct outbound mail to the
Proofpoint Protection Server. As the outbound gateway, the Proofpoint Protection
Server processes the mail by filtering out spam and viruses before final delivery.

WARNING: Proofpoint recommends using a transport rule combined with the Outbound to Proofpoint
transport connector to test outbound routing before the actual outbound cutover.

Proofpoint – Outbound
Step 1 – Enable Microsoft 365 Allow Relay
Before routing outbound email from Microsoft 365 through the Proofpoint Protection
Server, Allow Relay from Microsoft 365 should be configured.

1. Log in to the Proofpoint Protection Server


2. Configure Allow Relay by navigating to System > Outbound Mail > Allow Relay
3. Under the Microsoft 365 heading, enable Allow Relay from Microsoft 365 IP
Addresses, then select the appropriate Microsoft 365 Service Plan (e.g., Worldwide)
4. Click Save Changes to save the change

WARNING: Failure to complete this configuration correctly could cause messages for external recipients
to be rejected with a relay denied error.

Step 2 – Add SPF Records


For outbound messages delivered by the Proofpoint Protection Server, a Sender Policy
Framework (SPF) DNS TXT record should be created or updated to specify the
Proofpoint Protection server as an authorized sending host for the sender's domain. An
SPF record allows a receiving mail system to determine if a sending server should be
valid for the address listed in the envelope sender. Without these records, some
recipients (including Yahoo and Gmail) may rate control or limit connections from
Proofpoint's servers.

If you are using Proofpoint PoD, refer to the Welcome Letter under the SPF section to
view an example SPF record you could use for your Proofpoint Protection Server
cluster.

For more information regarding SPF and valid syntax: Sender Policy Framework

Step 3 – Add DKIM Records and Enable DKIM Signing on Outbound Email
Proofpoint recommends adding a DKIM signature for all domains used to send an email
out through the Proofpoint Protection Server. Adding a DKIM signature may vary for
each organization and is out of the scope of this document.

Microsoft 365 – Outbound

WARNING: Before making changes within the Microsoft 365 Exchange Admin Center, review all existing
EOP Transport Rules and Transport Connectors used for mail flow routing. Failure to account for
specialized mail flow routing rules defined within the Microsoft 365 tenant may result in loss of email.

Step 1 – Verify Domain SPF Records Include the Proofpoint Protection Server
1. Navigate to https://www.proofpoint.com/us/cybersecurity-tools/dmarc-spf-
creation-wizard, then enter each domain used to send outbound email
2. Download the results, then confirm no errors were found, and the SPF record for
each domain references your Proofpoint Protection Servers
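The wizard above checks one domain at a time. For organizations with many sending domains, the same checks described in Step 2 of the Proofpoint outbound section (record present, Proofpoint referenced, valid syntax) can be scripted. The function below is an added example, not Proofpoint's tool; it uses the Windows Resolve-DnsName cmdlet, and the domain and include token passed to it are placeholders. Beyond what the wizard step states, it also flags two conditions that commonly break SPF in practice: more than one v=spf1 record on a domain, and more than the ten DNS-querying mechanisms RFC 7208 permits.

```powershell
# Added example, not from the Proofpoint guide: check that each sending domain
# publishes exactly one SPF record that references the Proofpoint Protection
# Server (or PoD include) and stays within the RFC 7208 lookup limit.
function Test-SpfRecord {
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [Parameter(Mandatory)][string[]]$RequiredTokens   # e.g. 'include:spf.example.net' (placeholder)
    )
    foreach ($domain in $Domains) {
        $txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue
        # A TXT record may be split into several strings; join before matching.
        $spf = @($txt | Where-Object { ($_.Strings -join '') -match '^v=spf1(\s|$)' })
        $result = [ordered]@{ Domain = $domain; Record = $null; Problems = @() }

        if ($spf.Count -eq 0) {
            $result.Problems += 'no SPF record'
        } elseif ($spf.Count -gt 1) {
            # Receivers treat multiple v=spf1 records as a permanent error.
            $result.Problems += 'multiple v=spf1 records'
        }

        if ($spf.Count -ge 1) {
            $record = ($spf[0].Strings -join '')
            $result.Record = $record

            # Every required token (Proofpoint include, ip4 range, ...) must be present.
            foreach ($token in $RequiredTokens) {
                if ($record -notmatch [regex]::Escape($token)) {
                    $result.Problems += "missing $token"
                }
            }

            # include, a, mx, ptr, exists and redirect each cost a DNS lookup; max 10.
            $lookups = [regex]::Matches($record,
                '(?i)(^|\s)[-+~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)').Count
            if ($lookups -gt 10) { $result.Problems += "$lookups DNS lookups (limit is 10)" }

            # Without a -all or ~all terminator, unlisted hosts are not constrained.
            if ($record -notmatch '\s[-~]all\s*$') { $result.Problems += 'no -all/~all terminator' }
        }
        [pscustomobject]$result
    }
}

# Placeholders: replace with your sending domains and the tokens your
# Proofpoint welcome letter or PPS deployment tells you to publish.
Test-SpfRecord -Domains 'example.com', 'example.net' -RequiredTokens 'include:spf.example.net' |
    Format-List
```

A domain with an empty Problems list is ready for cutover; any entry in that list should be fixed in DNS before outbound mail is routed through the Proofpoint Protection Server, since the rate limiting described in Step 2 of the Proofpoint outbound section follows directly from a failed or missing SPF check.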

Step 2 – Add Outbound to Proofpoint Transport Connector


This transport connector will initially be configured to allow testing outbound mail flow
for a single user or a group of users.

WARNING: For on-premise PPS deployments, you must set System > SMTP Encryption > Settings >
SMTP Encryption Options = On before creating this Microsoft 365 Transport Connector.

1. Log in to the Microsoft 365 Exchange Admin Center (https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Connectors
3. Click the + Add a connector link to add a new connector
4. Under the Connection from section, select Microsoft 365
5. Under the Connection to section, select Partner organization, then click Next
at the bottom
6. Name the connector Outbound to Proofpoint
7. Add a Description to describe the connector, like "Used to route outbound email
through the Proofpoint Protection Server"
8. Make sure to click the checkbox next to Turn it on, then click Next at the bottom
9. On the next screen, select Only when I have a transport rule setup that
redirects to the connector
10. Select Route email through these smart hosts, then add the IP addresses
associated with the Proofpoint Protection Server and click the + button to add
them to the list. For PoD deployments, consider using the mxa and mxb Global
Server Load Balancer (GSLB) names from your welcome letter instead of the IP
addresses associated with your PoD to enhance deliverability.
11. Click Next at the bottom
12. Select Always use Transport Layer Security (TLS) to secure the connection
(recommended) and select the Issued by a trusted certificate authority (CA)
radio button.
13. Click Next at the bottom
14. Enter an external email address, then click the + button to add it to the list
15. Click the Validate button to verify EOP can establish a TLS connection to your
Proofpoint Protection Server and that the email is accepted for delivery. If the
Validation step fails, reach out to Proofpoint for additional guidance.
16. Verify the settings, then click Create connector

Step 3 – Add Outbound to Proofpoint Transport Rule


1. Log in to the Microsoft 365 Exchange Admin Center
(https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Rules
3. Click the + Add a rule link, then select Create a new rule to add a new transport
rule
4. Enter the Name Outbound to Proofpoint Rule (Testing and IP Warmup)
5. Under Apply this rule if, select The recipient > is external/internal, then select
Outside the organization
6. Under Apply this rule if, click the + button, then under the And section, select
the sender > is the person, then choose one or more senders
7. Under Do the following, select Redirect the message to, then select the
following connector, then select the connector created in the previous step.
Note: If the connector is not enabled, it will not be available for selection.
8. Click Save to add the Transport Rule

Step 4 - Send an Outbound Email


1. After completing steps 1-3, wait around 30 minutes for the changes to propagate
within EOP
2. Send an outbound email from an email address scoped to the Outbound to
Proofpoint Rule (Testing and IP Warmup) transport rule with the subject
Outbound Mail Flow Test #1. If additional test messages are required,
increment the test number in the subject to aid in troubleshooting.
3. Log in to the Proofpoint Protection Server, then select System > Smart
Search > Search
4. Enter the search criteria for the test email sent in the previous step to confirm the
email routed out through the Proofpoint Protection Server
5. Check with the intended recipient to confirm the test email was received and
delivered to their inbox. If the email was not delivered to the inbox, it could
indicate the email did not pass email authentication. Do not proceed until email
authentication is verified for the test email messages.

Step 5 – Expand Scope of the Outbound to Proofpoint Transport Connector
1. Log in to the Microsoft 365 Exchange Admin Center
(https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Rules
3. Select the Outbound to Proofpoint Rule (Testing and IP Warmup) transport
rule, then add additional senders to direct more outbound mail through the
Proofpoint Protection Server.
4. Repeat steps 1 through 3 until a sufficient amount of email is being routed
through the Proofpoint Protection Server and no outbound deferred email
messages are detected.

Step 6 – Change Outbound to Proofpoint Transport Connector to a Wildcard


This step should occur during a well-planned change window. In most cases, simply
modifying the Outbound to Proofpoint transport connector from being called by a
transport rule to applying when the recipient domain is * should work. However, some
organizations have fairly complex outbound mail flow rules, and step-by-step
instructions to redirect your outbound mail flow are out of the scope of this document. If
you need assistance, please get in touch with Proofpoint Support or an assigned
Proofpoint Professional Services consultant to assist you with implementation.

WARNING: Pay attention to any warning notices displayed while creating a Transport Connector within
EOP. Do not save the connector if a warning indicates missing routes for any of your domains.
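Steps 2 through 6 above are one procedure: create a rule-scoped connector, prove it with a few senders, widen the pilot, then switch the connector to all recipient domains. The script below is an added example of that sequence in Exchange Online PowerShell; it is not Proofpoint's code, it assumes the ExchangeOnlineManagement module, and the smart-host names, sender addresses and validation recipient are placeholders.

```powershell
# Added example, not from the Proofpoint guide: Exchange Online PowerShell for
# Steps 2 through 6 of the outbound cutover. Smart hosts, senders and addresses
# are placeholders; the ExchangeOnlineManagement module is required.
Connect-ExchangeOnline

$connector = 'Outbound to Proofpoint'
$rule      = 'Outbound to Proofpoint Rule (Testing and IP Warmup)'
# For PoD, the mxa/mxb GSLB names from the welcome letter go here instead of IPs.
$ppsSmartHosts = @('mxa-pod.example.com', 'mxb-pod.example.com')
$pilotSenders  = @('it.admin1@example.com', 'it.admin2@example.com')

# Step 2: connector that is only used when a transport rule routes to it,
# requiring TLS with a certificate issued by a trusted CA.
New-OutboundConnector -Name $connector `
    -Comment 'Used to route outbound email through the Proofpoint Protection Server' `
    -ConnectorType Partner -Enabled $true -IsTransportRuleScoped $true `
    -SmartHosts $ppsSmartHosts -TlsSettings CertificateValidation
# Same check as the Validate button: EOP must reach PPS over TLS and deliver.
Validate-OutboundConnector -Identity $connector -Recipients 'external.tester@example.net'

# Step 3: only external mail from the pilot senders takes the connector.
New-TransportRule -Name $rule -SentToScope NotInOrganization -From $pilotSenders `
    -RouteMessageOutboundConnector $connector

# Step 4: once the change has propagated, trace the test message in EOP.
# Smart Search on the PPS side confirms the same message left via Proofpoint.
function Get-OutboundTestTrace {
    param([string]$Sender, [string]$Subject = 'Outbound Mail Flow Test #1')
    Get-MessageTrace -SenderAddress $Sender `
        -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
        Where-Object Subject -eq $Subject |
        Select-Object Received, SenderAddress, RecipientAddress, Status
}
Get-OutboundTestTrace -Sender $pilotSenders[0]

# Step 5: widen the pilot as IP warm-up progresses (repeat as needed).
$pilotSenders += 'sales.team@example.com'
Set-TransportRule -Identity $rule -From $pilotSenders

# Step 6 (change window): the connector now applies to every recipient domain
# and the scoping rule is retired. Per the warning above, check in the admin
# center that no missing-route warning is shown for any domain before this.
Set-OutboundConnector -Identity $connector -IsTransportRuleScoped $false -RecipientDomains '*'
Disable-TransportRule -Identity $rule -Confirm:$false
```

Keeping the pilot rule disabled rather than deleted after Step 6 leaves a quick way back: re-enabling it and setting the connector back to IsTransportRuleScoped $true restores the pilot-only routing if deliverability problems appear after cutover.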

Check IP Addresses For Microsoft Blocklist Listing


Before cutting over mail flow, follow the steps to determine if Microsoft is blocking your
Proofpoint Protection Server IP addresses.

Step 1 – Submit a Microsoft 365 Delisting Request


1. In a web browser, go to https://sender.office.com/
2. Follow the instructions on the page. Ensure you use the Proofpoint Protection
Server IP address assigned to outbound mail flow. You can only enter one email
address and one IP address per visit.
3. Locate the email sent by Microsoft, then confirm your email address which logs
you back into the Microsoft 365 Anti-Spam IP Delist Portal.
4. Click Delist IP address to submit the delisting request

5. The final step will indicate if Microsoft is currently blocking your IP address. See
the screenshot for an example.

Step 2 – Submit a Microsoft Support Request to Delist from Hotmail/Live/Outlook


1. Use the link available within the Delist IP step to determine if a listing exists for
Hotmail.com, Live.com, or Outlook.com
2. Repeat steps 1 and 2 for the remainder of your Proofpoint Protection Server IP
addresses

Outbound Mail Flow IP Warm-up Guidance


IP Warmup - Outbound
Adding a new IP address to outbound mail traffic will require you to "Warm Up"
Proofpoint Protection Server IP addresses. Warming up an IP address means
establishing a reputation with the Internet Service Providers (ISPs) so you can reduce
the likelihood of potential mail delivery issues. Please review the Proofpoint
Communities article: Recommendations for IP/Domain Reputation Warmup before
making any changes.

Microsoft 365 allows scoping the Outbound to Proofpoint transport connector to a
specific sending group or groups. It is recommended to "test" outbound mail by
applying it to a limited set of users, such as an IT-specific group.

WARNING: Failure to properly establish a volume reputation could delay mail delivery to external domains.

Methods to Prevent Unauthorized Microsoft 365 Allow-Relay


Adding rules to prevent allow-relay abuse needs to be carefully planned and executed.
This configuration will first enable audit mode to identify messages that may be
legitimate, such as Non-Delivery Reports (NDR), forwarded messages, or other status
notification messages. Do not proceed to enable the final action of Quarantine > Discard
in step 6 until reviewing the Outbound Spoofed quarantine folder messages to identify
legitimate emails (e.g., valid messages that don't contain the custom X-Header added
by the EOP Transport Rule).

WARNING: Failing to complete this configuration correctly may cause emails received from the Microsoft
365 mail system to be quarantined and blocked. Ensure you complete step 5 before changing the final
action to Quarantine > Discard in step 6.

Step 1 – Generate a Unique ID Using PowerShell

PS C:\Users\rjones> New-Guid

Guid
----
0337a36c-9d46-4b88-a03f-519d5bc7c703

NOTE: The New-Guid PowerShell cmdlet creates a random globally unique identifier (GUID). You may also
generate an arbitrary string of at least 32 characters using your method of choice.

Step 2 - Create an EOP Transport Rule to Add Custom X-Header


1. Log in to the Microsoft 365 Exchange Admin Center
(https://admin.exchange.microsoft.com/)
2. Select Mail flow from the left menu, then select Rules
3. Click the + Add a rule link, then select Create a new rule to add a new transport
rule
4. Name the rule Outbound to Proofpoint - Authorization X-Header
5. Under Apply this rule if > The recipient > is external/internal > Outside the
organization
6. Under Do the following > Modify the Message Properties > Set a message
header to this value > X-Proofpoint-Id with a value of the GUID created in step
1
7. Click Save to add the new transport rule
8. Find the new transport rule in the list, then edit the rule
9. Set the priority to 0, then click Save

WARNING: You will need to wait at least 1 hour before proceeding to allow the changes within Microsoft
365 to propagate.

Step 3 - Create a Firewall Rule within PPS to Check for X-Header
This firewall rule triggers when our custom X-Header is present on an email received
over the allow_relay route, then removes the header so that its value is not exposed to
recipients and is harder to discover.

1. Log in to the Proofpoint Protection Server


2. Navigate to Email Protection > Email Firewall > Rules
3. Click Add Rule, then:
a. For the rule ID, use outbound_antispoof_id
b. For the Description, use Check for our custom X-Header on Email
Received from allow_relay
c. Under Policy Routes, select Restrict processing to selected policy
routes…, then select allow_relay
d. Click Add Condition, then select Condition: Message Headers, then
select User Defined and enter X-Proofpoint-Id, Operator: Equals, then
enter the unique value entered in step 1
e. Click the Add Condition button
f. For the delivery method, select Continue
g. Select Change message headers…, then select Delete header, then
enter X-Proofpoint-Id
h. Click the Add Rule button at the top to add the new rule

Step 4 - Create Firewall Rules to Audit Potentially Spoofed Email


1. Log in to the Proofpoint Protection Server
2. Navigate to Email Protection > Email Firewall > Rules
3. Click Add Rule, then:
a. Set Enable to On
b. For the rule ID, use outbound_antispoof
c. For the Description, use Audit Unauthorized Outbound Email
Received from outbound.protection.outlook.com
d. Under Policy Routes, select Restrict processing to selected policy
routes…, then select allow_relay
e. Under Policy Routes, select Disable processing to selected policy
routes…, then select default_inbound
f. Click Add Condition, then select Sender Hostname, then select
Operator: Ends With, then enter .outbound.protection.outlook.com,
then click Add and New Condition
g. Select Add condition as: And, then select Condition: Triggered Rule >
Does Not Equal, then enter Rule ID:
module.access.rule.outbound_antispoof_id, then click Add and New
Condition
h. Select Add condition as: And, then select Defer processing until end
of message
i. Click the Add Condition button
4. Click the Quarantine message… checkbox, then select New Folder…, then
enter Outbound Antispoof, then click the Add Entry button
5. For the delivery method, select Continue

6. Confirm the rule looks like the following screenshot before saving the rule

7. Click the Save Changes button at the top to save the changes

Step 5 - Review the Quarantine Folder for Valid Email


1. Log in to the Proofpoint Protection Server
2. Navigate to System > Quarantine > Folders
3. Locate the Outbound Antispoof quarantine folder, then review each message
to determine if it appears to be a valid email. If you see more than a few
messages in this folder, review the configuration in steps 1 through 4.
4. Over the next several days, repeat the actions in this step to identify any valid
email. Do not proceed to step 6 unless the quarantine folder is empty or all
quarantined emails are spoof attempts.

NOTE: Please contact Proofpoint Support or your assigned Proofpoint Professional Services consultant for
guidance if valid emails are quarantined in the Outbound Antispoof folder to assist with exclusions.

Step 6 - Modify Outbound_Antispoof Rule to Quarantine and Discard


This step modifies the existing audit rule and changes the final action from Quarantine
and Continue to Quarantine and Discard.

1. Log in to the Proofpoint Protection Server

2. Navigate to Email Protection > Email Firewall > Rules
3. Edit the outbound_antispoof firewall rule, then update the Description to
Block Unauthorized Outbound Email Received from
outbound.protection.outlook.com
4. Confirm the firewall rule still has Quarantine message… > Folder:
Outbound Antispoof selected
5. Change the Delivery Method action from Continue to Discard
6. Click the Save Changes button to save the firewall rule

NOTE: Plan to monitor the messages in the Outbound Antispoof folder for several days to confirm that no
valid email was quarantined after setting this rule to Discard.
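Steps 1 through 6 describe one control: EOP stamps a secret X-Proofpoint-Id header on everything leaving the tenant, and two PPS firewall rules on the allow_relay route strip the header when it is correct and quarantine (audit) or discard (enforce) mail from outbound.protection.outlook.com that lacks it. The block below is an added example, not Proofpoint's code: it runs Steps 1 and 2 from Exchange Online PowerShell (ExchangeOnlineManagement module assumed) and then models the decision the PPS rule pair makes over three constructed messages, so the rule logic can be reasoned about before any live mail hits it. The Get-AntispoofVerdict function and the sample hostnames are this example's own constructions, not PPS code or real hosts.

```powershell
# Added example, not from the Proofpoint guide. Steps 1-2 in Exchange Online
# PowerShell, plus a model (not PPS code) of how the outbound_antispoof_id and
# outbound_antispoof firewall rules from Steps 3, 4 and 6 evaluate a message.

# Step 1: the shared secret. Treat it like a credential; anyone who knows it can
# make relayed mail look authorized, which is why Step 3 strips it on arrival.
$secret = (New-Guid).Guid

# Step 2: stamp the header on all mail leaving the organization, at priority 0.
Connect-ExchangeOnline
New-TransportRule -Name 'Outbound to Proofpoint - Authorization X-Header' `
    -SentToScope NotInOrganization `
    -SetHeaderName 'X-Proofpoint-Id' -SetHeaderValue $secret -Priority 0

# Model of the two PPS rules on the allow_relay route. Returns the action the
# rules would take and the headers as they would look after processing.
function Get-AntispoofVerdict {
    param(
        [string]$SenderHostname,
        [hashtable]$Headers,
        [string]$Secret,
        [ValidateSet('Audit', 'Enforce')][string]$Mode = 'Audit'   # Step 4 vs Step 6
    )
    $h = @{} + $Headers            # copy so the caller's hashtable is untouched
    $idRuleTriggered = $false

    # outbound_antispoof_id: header equals the secret -> delete it, Continue.
    if ($h['X-Proofpoint-Id'] -ceq $Secret) {
        $h.Remove('X-Proofpoint-Id')
        $idRuleTriggered = $true
    }

    # outbound_antispoof: from EOP and the id rule did not fire -> quarantine,
    # with Continue during the audit phase and Discard once enforced.
    $fromEop = $SenderHostname -like '*.outbound.protection.outlook.com'
    if ($fromEop -and -not $idRuleTriggered) {
        $action = if ($Mode -eq 'Enforce') { 'Quarantine + Discard' } else { 'Quarantine + Continue' }
    } else {
        $action = 'Continue'
    }
    [pscustomobject]@{
        Host            = $SenderHostname
        IdRuleTriggered = $idRuleTriggered
        Action          = $action
        HeaderRemains   = $h.ContainsKey('X-Proofpoint-Id')
    }
}

# Constructed sample messages (hostnames are made up for the example).
$samples = @(
    @{ Host = 'mail-host1.outbound.protection.outlook.com'; Headers = @{ 'X-Proofpoint-Id' = $secret } }  # genuine tenant mail
    @{ Host = 'mail-host2.outbound.protection.outlook.com'; Headers = @{} }                                # relayed without the header
    @{ Host = 'smtp.partner.example';                       Headers = @{} }                                # not from EOP, rule not applicable
)
$samples | ForEach-Object {
    Get-AntispoofVerdict -SenderHostname $_.Host -Headers $_.Headers -Secret $secret -Mode Enforce
} | Format-Table -AutoSize
```

Expected outcome of the model: the first message continues with the header removed, the second is quarantined and discarded, and the third continues untouched. The second case is the one Step 5 is for: if real mail lands there during the audit phase, it is usually a legitimate flow (NDRs, forwards, notifications) that never passed through the Step 2 rule, and it needs an exclusion before the rule is switched to Discard.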

Testing and Troubleshooting – Outbound


Testing the outbound mail flow path is possible before cutover by completing the
Configure Outbound Mail Flow steps and enabling the Envelope filter on the "Outbound
to Proofpoint" route. Enabling a sender-based envelope filter only works on the user's
primary SMTP address, not an alias address. If, after sending a message out from your
Microsoft 365 account, you receive a bounce containing the following errors:

"Undeliverable" and "your host.yourcompany.com rejected your message to the
following email addresses:" and "Relaying denied"

then the Microsoft 365 Allow Relay addresses were most likely not correctly configured in
your Proofpoint Protection Server. See the Configure Outbound Mail Flow section.

Microsoft 365 Security Features Compatibility Matrix


The following information is intended to help you understand how to use the products
and features your organization is licensed for so that you can map this functionality to
your security and compliance needs. Customers should engage their Proofpoint
Professional Services Consultant for questions related to the most current best
practices and their relevant configurations for deploying Proofpoint.

This table provides a quick reference for email security products that can be used
concurrently.

A more detailed explanation for these products and features is provided below.

Microsoft                         Proofpoint                       Used Concurrently?
Exchange Online Protection        Proofpoint Protection Server     Yes, with limitations
MSDO Safe Links (Email)           TAP URL Defense                  No
MSDO Safe Links (Other)           TAP URL Defense                  Yes
MSDO Safe Attachments (Email)     TAP Attachment Defense           Yes
MSDO Safe Attachments (Other)     TAP SaaS Defense                 Yes
Zero-hour Auto Purge              Threat Response Auto Pull        No
Data Loss Prevention (Email)      Regulatory Compliance (Email)    No
Office Message Encryption         Proofpoint Encryption            No

Microsoft Exchange Online Protection and Proofpoint Protection Server
This section provides a high-level overview of the protection features available within
Exchange Online Protection (EOP) and compatible warnings when used with your
Proofpoint Protection Server.

EOP Anti-Malware
Email messages are automatically protected against malware by Exchange Online
Protection (EOP). There should be no need to disable or bypass anti-malware
protection within EOP.

NOTE: Refer to the following Microsoft 365 Article for more information: Anti-malware protection in EOP

EOP Anti-Spoofing
EOP Anti-Spoofing examines the forgery of the From header in the message body
(used to display the message sender in email clients). Email authentication is one of the
primary anti-spoofing technologies used by EOP to help identify an email as spoofed. In
most cases, you won't need to add anti-spoofing exceptions because this document
provides a method to bypass this check by way of the EOP Connection Filter IP Allow
List.

NOTE: Refer to the following Microsoft 365 Article for more information: Anti-spoofing protection in EOP

EOP Anti-Spam
Anti-spam scanning within EOP should be disabled for messages received from your
Proofpoint Protection Server. Please review the Configure Inbound Mail Flow section of
this document on how to add the IP address of your Proofpoint Protection Server to the
EOP Default Connection Filter IP Allow List.

NOTE: Refer to the following Microsoft 365 Article for more information: Anti-spam protection in EOP

EOP Anti-Phishing
Email messages are automatically protected against phishing by Exchange Online
Protection (EOP). There should be no need to disable or bypass anti-phishing
protection within EOP.

NOTE: Refer to the following Microsoft 365 Article for more information: Anti-phishing policies in Microsoft
365

EOP Connection Filtering


The EOP Connection Filter allows you to identify good or bad email servers by their IP
address. You will need to add your Proofpoint Protection Server IP addresses to the
connection filter IP allow list, which allows all incoming emails received from Proofpoint
to skip all spam filtering.

NOTE: Refer to the following Microsoft 365 Article for more information: Configure connection filtering
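The allow-list change described above can also be made and audited from Exchange Online PowerShell. This is an added example, not the guide's procedure; it assumes the ExchangeOnlineManagement module and the two addresses are placeholders.

```powershell
# Added example, not from the Proofpoint guide: add the Proofpoint Protection
# Server addresses to the default connection filter IP allow list, then read
# the whole list back. Addresses are placeholders.
Connect-ExchangeOnline
$ppsIps = @('192.0.2.10', '192.0.2.11')
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $ppsIps }

# Review the full list: every entry here skips EOP spam filtering, so it should
# contain only Proofpoint and hosts that were deliberately authorized.
Get-HostedConnectionFilterPolicy -Identity Default | Select-Object -ExpandProperty IPAllowList
```

Because each allow-listed address bypasses spam filtering entirely, the read-back step belongs in periodic review alongside the connector and transport-rule IP lists from the inbound section; stale entries for decommissioned relays are a common way for unfiltered mail to reach mailboxes.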

EOP Enhanced Filtering for Connectors


Customers can leverage the EOP feature "Enhanced Filtering for Connectors" to allow
Microsoft to filter email based on the source of messages that arrive over that
connector. This feature will skip the IP addresses associated with their Proofpoint
cluster for inbound messages so that EOP can see the original IP of the message
sender.

NOTE: Refer to the following Microsoft 365 Article for more information: Enhanced Filtering for Connectors

EOP Directory Based Edge Blocking (DBEB)


Customers can continue to use DBEB to reject messages for invalid recipients after
cutting over their inbound mail flow through the Proofpoint Protection Server. Proofpoint
recommends enabling recipient verification within the Proofpoint Protection Server to
reduce the possibility of generating email backscatter.

NOTE: Refer to the following Microsoft 365 Article for more information: Use Directory-Based Edge
Blocking to reject messages sent to invalid recipients in Exchange Online

Microsoft Defender for Office (MSDO) and Targeted Attack Protection (TAP)
EOP Safe Links for Email
TAP customers utilizing URL Defense should disable Safe Links URL rewriting for email
messages. This will ensure that the TAP URL rewrite protects users and that links
function correctly when a redirect occurs.

NOTE: Refer to the following Microsoft 365 Article for more information: Safe Links in Microsoft Defender
for Microsoft 365

EOP Safe Links for OneDrive, SharePoint Online, and Teams


MSDO customers can utilize Safe Links for non-email channels with no impact.

EOP Safe Attachments for Email


MSDO customers can utilize Safe Attachments concurrently with TAP Attachment
Defense. Please note that Safe Attachments will only be analyzing messages
containing attachments that have already been deemed "clean" by Proofpoint.
Customers should consider the additional delay imposed by the Microsoft detonation
process before enabling this feature.

NOTE: Refer to the following Microsoft 365 Article for more information: Safe Attachments in Microsoft
Defender for Microsoft 365

Safe Attachments for OneDrive, SharePoint Online, and Teams


MSDO customers can utilize Safe Attachments for non-email channels concurrently with
TAP SaaS Defense with no impact.

Zero-hour Auto Purge (ZAP) and Threat Response Auto Pull (TRAP)
The ZAP feature cannot be used concurrently with TRAP, so Proofpoint recommends
that customers disable ZAP for Phishing emails to eliminate confusion over which
product is moving the message. This can be accomplished using
Set-HostedContentFilterPolicy with the -PhishZapEnabled parameter in Exchange Online
PowerShell.

To view the current hosted content filter policies and settings, run the following
PowerShell command:

PS C:\Users\rjones> Get-HostedContentFilterPolicy | select Name, SpamAction, PhishZapEnabled, IsDefault

Name                                       SpamAction  PhishZapEnabled IsDefault
----                                       ----------  --------------- ---------
Strict Preset Security Policy1627062886673 Quarantine  True            False
Standard Preset Security Policy1627062985739 MoveToJmf  True            False
Default                                    MoveToJmf   True            True

NOTE: Refer to the following Microsoft 365 Article for more information: Zero-hour auto purge (ZAP) in
Exchange Online
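The Set-HostedContentFilterPolicy change the text refers to, applied to every policy that still has phish ZAP on, as an added example rather than the guide's own commands (ExchangeOnlineManagement module assumed):

```powershell
# Added example, not from the Proofpoint guide: disable phish ZAP on every
# hosted content filter policy where it is still enabled, then confirm.
Connect-ExchangeOnline

# Preview first: -WhatIf shows which policies would change without changing them.
Get-HostedContentFilterPolicy | Where-Object PhishZapEnabled |
    ForEach-Object { Set-HostedContentFilterPolicy -Identity $_.Identity -PhishZapEnabled $false -WhatIf }

# Apply. Policies that belong to Microsoft's preset security policies are
# managed by Microsoft and may reject the change; handle those through the
# preset policy configuration instead.
Get-HostedContentFilterPolicy | Where-Object PhishZapEnabled |
    ForEach-Object { Set-HostedContentFilterPolicy -Identity $_.Identity -PhishZapEnabled $false }

# Same view as the guide's example output; PhishZapEnabled should now read False.
Get-HostedContentFilterPolicy | Select-Object Name, SpamAction, PhishZapEnabled, IsDefault
```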

Data Loss Prevention for Email and Proofpoint Regulatory Compliance
These products should not be used concurrently to avoid conflict with Data Loss
Protection (DLP) policies. Customers that wish to implement DLP rules should utilize a
single solution that fits their compliance needs.

Office Message Encryption (OME) and Proofpoint Encryption (PE)


These products should not be used concurrently. Customers that require messages to
be sent securely should utilize a single solution that fits their compliance needs.

Resources
• Proofpoint Customer Success Portal: https://proofpointcommunities.force.com/community/s/

• Proofpoint Customer Success Portal Quick Start Guide: https://proofpointcommunities.force.com/community/s/article/ka3390000004NfV/Proofpoint-Customer-Success-Center-Portal-Quick-Start-Guide

• Admin Guide and Release Notes: https://proofpointcommunities.force.com/community/s/article/Latest-PPS-Documentation

• Support Guide: https://proofpointcommunities.force.com/community/s/article/kaK390000008OIA/Proofpoint-Support-Guide

• How to effectively use the Smart Search feature: https://proofpointcommunities.force.com/community/s/article/ka4390000000Co4/Video-How-to-effectively-use-the-Smart-Search-feature (Video: https://youtu.be/RATlTbdbr70)

• How to report a False Positive or False Negative to Proofpoint: https://proofpointcommunities.force.com/community/s/article/Spam-How-to-monitor-report-and-improve-spam-filtering

• How to monitor, report, and improve spam filtering: https://proofpointcommunities.force.com/community/s/article/ka439000000PHfD/Spam-How-to-monitor-report-and-improve-spam-filtering

• Filtering Order for the Proofpoint Protection Server Email Modules: https://proofpointcommunities.force.com/community/s/article/ka4390000000Cvp/Filtering-Order-for-the-Modules

• How to delist a sender from Proofpoint Dynamic Reputation (PDR) Block List: https://proofpointcommunities.force.com/community/s/article/ka4390000000CwJ/How-to-delist-a-sender-from-Proofpoint-Dynamic-Reputation-PDR (Dynamic Reputation IP Lookup: https://ipcheck.proofpoint.com/)

• How to create and apply an inbound spam policy to an organization: https://proofpointcommunities.force.com/community/s/article/ka4390000000CnV/Video-How-to-create-and-apply-an-inbound-spam-policy-to-an-organization (Video: https://youtu.be/FKSP7nzXbRU)

• How to create and apply an outbound spam policy to an organization: https://proofpointcommunities.force.com/community/s/article/ka4390000000Cmh/Video-How-to-create-and-apply-an-outbound-spam-policy-to-an-organization (Video: https://youtu.be/Kpvxaw-uIRU)

• Troubleshooting PPS Alert Events / Error Messages


https://proofpointcommunities.force.com/community/s/article/kaB3900000000Hl/Alert-Events-Error-Messages-
1-13-2012

• Proofpoint Spam Reporting Plug-In for Microsoft Outlook


https://proofpointcommunities.force.com/community/s/article/ka4390000004KVC/Proofpoint-Spam-Reporting-
Plug-in-for-Microsoft-Outlook

© 2022 Proofpoint. All rights reserved. 34 of 34

You might also like