Configuring Microsoft 365 for Proofpoint Essentials
Situation: You want to configure Microsoft 365 to use Proofpoint Essentials as your email gateway.
Summary: See below for information on:
This article explains how to configure Microsoft 365 to use Proofpoint Essentials as your email gateway.
Note: Office 365 / O365 has been rebranded as Microsoft 365.
What is Microsoft 365?
Microsoft 365 is a cloud-based solution from Microsoft which offers email, messaging, security, archiving and other capabilities delivered from Microsoft's worldwide network of cloud data centers. For more information please see: https://products.office.com/en-us/business/office
Before you Start
Before continuing with the provisioning and configuration of the Proofpoint Essentials service, it is recommended you have the information listed below.
Information needed for configuring Proofpoint Essentials
- MX record(s) for domain(s) you are configuring
Information needed for configuring Microsoft 365
- Proofpoint Essentials IPs, Smart Host and SPF
- Microsoft 365 administrator account
Microsoft 365 Tenant
The instructions in this KB assume that you are setting up all the domains in your tenant with Proofpoint Essentials. If you are splitting your mail routing, you may need to consult Microsoft on creating the necessary custom rules based on our documentation.
Proofpoint Essentials side
Before carrying out the Microsoft 365 set-up below, please complete the following on the Proofpoint Essentials side.
- Set the domain verification
- Customize Spam settings (before adding in users)
- Customize Digest settings (before adding in users)
- Modify notifications (if warranted)
- Add in users (preferably via Azure: Azure Active Directory Sync Guide - New API Version)
- Create filter policies and/or approve/block sender list items
DNS TTLs
To ease DNS changes, lowering the TTLs on your DNS records, specifically the MX and TXT records, will help with the domain verification above and with the later MX cut-over.
Microsoft 365 Side
Setup Inbound Mail flow
Proofpoint Essentials is deployed between the customer’s Microsoft 365 environment and the Internet. Inbound mail is routed to Proofpoint Essentials by changing the customer’s MX records. After email is processed by Proofpoint Essentials it is routed to Office 365.
Configure Proofpoint Essentials
Locate your MX record for the domain in Microsoft 365
- Sign-In to the Microsoft 365 Admin center.
- Navigate to Settings > Domains.
- Click on the domain you wish to manage.
- Click on DNS Records
- Under Exchange Online, locate the MX row in the table and note the value in the Points to address or value column (e.g., bobsbooksupplies-com.mail.protection.outlook.com).
These values will be necessary when you add your domains to Proofpoint Essentials.
Adding domain(s) to Proofpoint Essentials
- Sign-in to the Proofpoint Essentials user interface.
- Navigate to Administration > Account Management > Domains > New Domain.
- Enter the domain name you wish to configure.
- Ensure Relay is selected for domain purpose.
- Enter the delivery and failover destinations values.
- This is the MX destination from the Exchange Online section, e.g. bobsbooksupplies-com.mail.protection.outlook.com
- Choose the method you wish to use for domain verification.
- Click Verify Now if you wish to verify your domain at this stage or Verify Later.
Each domain must be verified before it can be enabled. Instructions can be found at Verifying relay domains.
- Repeat if you are adding more than 1 domain.
The delivery and failover destinations refer to the "points to" values captured in the previous section.
Configure Microsoft 365
Microsoft 365 limitation
Please note that Microsoft's allow list has a limitation: it does not accept large IP ranges. The maximum size of a range is a /24; larger ranges will not be recognized. Unfortunately, this means you have to enter the IP ranges twice when following this set-up documentation: Connection Details
Bypass Spam Filtering in Microsoft 365
- Sign-In to the Microsoft 365 Admin portal.
- Navigate to Admin > Exchange
This will launch Exchange Admin Center
- Navigate to mail flow > rules.
- Click +Add a rule icon to access the pull down menu.
- Select Bypass spam filtering.
- In the new rule window, complete the required fields:
- Enter a value for Name (e.g. Bypass Spam filtering for Proofpoint Essentials)
- For Apply this rule if… select The sender...IP address is in any of these ranges or exactly matches.
- Add IP address to the IP address list.
- Type in the address followed by the + icon.
- Repeat for each IP address.
- Ensure Set the spam confidence level (SCL) to is selected in the Do the following... menu
- Do the following > Modify the message properties > set the spam confidence level > bypass spam filtering
- Click Next
- Select Enforce
- Click Next
- Review the info then click Finish
Optional steps if you need to disable Microsoft 365's Advanced Email Threat Protection (Safe Links rewrites)
Before clicking Save in the above step 6 do the following:
- Click Add Action.
- Select Modify the message properties..set a message header.
- Set the message header: X-MS-Exchange-Organization-SkipSafeLinksProcessing to the value: 1
- Click Save.
SCL Bypass
Due to major complaints, Proofpoint has opted to change the format used to ensure that Proofpoint mail is not scored by the Microsoft 365 system. This rule still allows external email to come in, but that mail will follow Microsoft 365 scoring. This is to ensure no mail is lost.
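As an added example (not the article's, Proofpoint's or Microsoft's own script), here is the same bypass rule, including the optional Safe Links header action, created with Exchange Online PowerShell instead of the Exchange Admin Center. It assumes the ExchangeOnlineManagement module is installed; the IP ranges are placeholders from the RFC 5737 documentation space standing in for the Proofpoint Essentials ranges on the Connection Details page, and the rule name is the one suggested in the steps above. The rule is created disabled so that it can be switched on in the cutover section.

```powershell
# Added example, not the article's or Proofpoint's own code.
# Requires: Install-Module ExchangeOnlineManagement (run once).

# PLACEHOLDER ranges (RFC 5737 documentation space). Replace with the
# Proofpoint Essentials ranges from Connection Details; keep each entry
# at /24 or smaller, since Microsoft 365 does not accept larger ranges.
$ProofpointRanges = @(
    '192.0.2.0/24',
    '198.51.100.0/24'
)

# Set to $true only if you also need the optional Safe Links bypass header.
$SkipSafeLinks = $false

Connect-ExchangeOnline   # interactive sign-in with a Microsoft 365 administrator account

# Condition: connecting sender IP inside the Proofpoint ranges.
# Action: SCL -1, which is Exchange's "bypass spam filtering" value.
# Mail arriving from any other IP keeps Microsoft 365's own scoring.
$rule = @{
    Name           = 'Bypass Spam filtering for Proofpoint Essentials'
    SenderIpRanges = $ProofpointRanges
    SetSCL         = -1
    Mode           = 'Enforce'
    Enabled        = $false      # switched on at cutover
}
if ($SkipSafeLinks) {
    # Optional action from the article: stamp the header that tells
    # Microsoft 365 to skip Safe Links processing for these messages.
    $rule['SetHeaderName']  = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
    $rule['SetHeaderValue'] = '1'
}
New-TransportRule @rule

# Read the rule back to confirm the condition and actions were stored as intended.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, SenderIpRanges, SetSCL, SetHeaderName, SetHeaderValue
```

Because the rule matches only on the connecting IP, a message that reaches the tenant without passing through Proofpoint is still scored by Microsoft 365, which is the behaviour the SCL Bypass note describes.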
Create Inbound Connector
An inbound connector is used to manage mail traffic between Microsoft 365 and Proofpoint Essentials.
- While accessing the Exchange Admin Center, click mail flow then connectors.
- Click + to launch control.
- For From select Partner Organization.
- For To select Microsoft 365.
- Click Next.
- Enter a value for Name (e.g. Proofpoint Essentials Inbound Connector).
- (Optional) Enter a value for Description (e.g. Inbound connector for Proofpoint Essentials).
- Uncheck the turn it on setting. You will turn this inbound connector on once you are ready to cutover mailflow.
- Click Next.
- Select Use the sender's IP address.
- Click Next.
- Click +.
- Add IP address to the IP address list.
- Click +.
- Type in the address followed by OK.
- Repeat for each IP address.
- Click Next.
- Ensure Reject email messages if they aren't over TLS is checked.
- Click Next.
- Click Save.
If your mail server has not been locked down to accept mail only from Proofpoint IPs, it is possible for senders to route directly to your mail system instead of following the normal MX lookup that routes through Proofpoint.
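The inbound connector described above, as an added example in Exchange Online PowerShell (not the article's or Microsoft's own code). It assumes an existing Connect-ExchangeOnline session; the IP ranges are RFC 5737 placeholders for the Proofpoint Essentials ranges, and the `$LockDownToProofpoint` switch is an assumption of this example: it maps the "lock down to Proofpoint IPs" caveat above onto the connector's RestrictDomainsToIPAddresses setting, which rejects mail for the listed sender domains unless it arrives from the listed IPs.

```powershell
# Added example, not the article's or Microsoft's own code.
# Requires the ExchangeOnlineManagement module and Connect-ExchangeOnline.

# PLACEHOLDER ranges (RFC 5737); replace with the Proofpoint Essentials
# ranges from Connection Details, each a /24 or smaller.
$ProofpointRanges = @('192.0.2.0/24', '198.51.100.0/24')

# ASSUMPTION of this example: enable only after the MX cutover. With it on,
# the connector rejects any message for your domains that does not arrive
# from the listed IPs, closing the direct-delivery gap described above.
# Before cutover the MX still points at Microsoft, so it would reject all
# Internet mail.
$LockDownToProofpoint = $false

$connector = @{
    Name              = 'Proofpoint Essentials Inbound Connector'
    Comment           = 'Inbound connector for Proofpoint Essentials'
    ConnectorType     = 'Partner'             # "From: Partner Organization"
    SenderDomains     = '*'                   # mail for every accepted domain
    SenderIPAddresses = $ProofpointRanges     # "Use the sender's IP address"
    RequireTls        = $true                 # "Reject email messages if they aren't over TLS"
    Enabled           = $false                # "turn it on" unchecked until cutover
}
if ($LockDownToProofpoint) {
    $connector['RestrictDomainsToIPAddresses'] = $true
}
New-InboundConnector @connector

# Confirm the stored settings before moving on.
Get-InboundConnector -Identity $connector.Name |
    Format-List Name, Enabled, ConnectorType, SenderIPAddresses, RequireTls, RestrictDomainsToIPAddresses
```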
Setup Outbound Mail flow
Proofpoint Essentials is deployed between the customer’s Office 365 environment and the Internet. Outbound mail is routed to Proofpoint Essentials by configuring an outbound mail gateway.
Outbound instructions set-up for all mail in tenant
Please note that these instructions apply to all mail within the tenant. If you use custom routing, or have additional outbound mail flow, other outbound routing and/or rules will need to be set up.
Configure Proofpoint Essentials
Enable Outbound Relaying
- Sign-in to the Proofpoint Essentials user interface.
- Go to the Administration > Account Management section
- Click the Features tab.
- Check Enable Outbound Relaying.
- Click Save.
Add Service IP addresses to your Inbound Gateway
- While logged into the Proofpoint Essentials user interface navigate to Administration > Account Management
- Click the Domains tab.
- Click Managed Hosted Services.
- Choose Microsoft 365.
- Click Save.
Configure Microsoft 365
Create Outbound Connector
- Sign-In to the Microsoft 365 Admin portal.
- Navigate to Admin > Exchange.
This will launch Exchange Admin Center
- Click Mail Flow > Connectors.
- Click + to access menu.
- For From select Microsoft 365.
- For To select Partner Organization.
- Click Next.
- Enter a value for Name (e.g. Proofpoint Essentials).
- Enter a value for Description (e.g. Outbound connector for Proofpoint Essentials).
- Uncheck the turn it on setting. You will turn this outbound connector on once you are ready to cutover mailflow.
- Click Next.
- For When do you want to use this connector? select Only when email messages are sent to these domains.
- Click +.
- Enter * to specify all domains.
- Click OK.
- Click Next.
- For How do you want to route email messages? select Route email through these smart hosts.
- Click + and enter your Proofpoint smart host value (e.g., outbound-us1.ppe-hosted.com).
- Click Save.
- Click Next.
- For How should Microsoft 365 connect to your partner organization's email server? choose your preferred approach.
- If you choose Always use Transport Layer Security (TLS) to secure the connection, please choose Any digital certificate, including self-signed certificates.
- Click Next.
- Click Next.
- Click the + icon and enter an email address for validation (use any email address other than one on the customer's own domain).
- Click OK.
- Click Validate. (Validation fails quite often. If all the steps have been followed, proceed regardless.)
- Click Save.
If you are using Proofpoint Essentials Email Archive, you will need to create an additional outbound connector. Please refer to: Configuring Journaling for Office 365 for additional steps. If you are using another archiving service, you will need to create an additional outbound connector to ensure journal email is not sent to Proofpoint Essentials. If it is sent to Proofpoint Essentials, it will be subject to outbound rate limiting policies. Please contact your archiving service provider for instructions.
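The outbound connector procedure above, as an added example in Exchange Online PowerShell (not the article's or Microsoft's own code). It assumes an existing Connect-ExchangeOnline session, that you chose the "Always use TLS" option (mapped here to the EncryptionOnly TLS setting, which accepts any certificate including self-signed), the smart host named in the article, and a placeholder validation recipient outside the customer's own domains.

```powershell
# Added example, not the article's or Microsoft's own code.
# Requires the ExchangeOnlineManagement module and Connect-ExchangeOnline.

# Smart host from the article; confirm the value assigned to your own
# Proofpoint Essentials stack on Connection Details.
$SmartHost = 'outbound-us1.ppe-hosted.com'

# PLACEHOLDER validation recipient: any address outside the customer's
# own domains, as the article instructs.
$ValidationRecipient = 'mailflow-test@example.net'

$connector = @{
    Name                  = 'Proofpoint Essentials'
    Comment               = 'Outbound connector for Proofpoint Essentials'
    ConnectorType         = 'Partner'          # "To: Partner Organization"
    RecipientDomains      = '*'                # "sent to these domains" = all domains
    UseMXRecord           = $false             # "Route email through these smart hosts"
    SmartHosts            = $SmartHost
    TlsSettings           = 'EncryptionOnly'   # TLS required, any certificate incl. self-signed
    IsTransportRuleScoped = $false             # all tenant mail, not only rule-matched mail
    Enabled               = $false             # turned on at cutover
}
New-OutboundConnector @connector

# Same check the EAC "Validate" button performs: a test message to the
# recipient via the smart host. The article notes this frequently fails even
# when the configuration is correct, so treat a failure as a prompt to
# re-check the settings rather than as a blocker.
Validate-OutboundConnector -Identity $connector.Name -Recipients $ValidationRecipient

Get-OutboundConnector -Identity $connector.Name |
    Format-List Name, Enabled, SmartHosts, TlsSettings, RecipientDomains, UseMXRecord
```

Any archiving or journaling connector mentioned in the note above would be a second, separate outbound connector scoped to the archive's recipient domain; it is not part of this example.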
External Recipients of distro-groups/Auto-forwarding
Please note that Proofpoint Essentials does not explicitly support some types of auto-forwarding.
- User-level forwarding - O365 supports this for messages sent directly to the user
- Distribution Groups with external Recipients - Proofpoint Essentials does not support this outbound behavior. A custom rule will be required to allow these messages out by bypassing the Proofpoint Essentials smarthost.
- Distribution Groups with a user-level forward - Similar to external recipient, a bypass rule will be required.
NOTE: See this article for suggested steps on how to create the bypass rule as noted above: https://help.proofpoint.com/Proofpoi...ain_recipients
Sending To distribution groups with external domain recipients
Sending to Distribution Groups with external domain recipients contains step-by-step instructions on how to set this up. For auto-forwarding, the same connector can be used, and a rule will need to be created to match the auto-forward.
Cutting Over Mailflow
Enable & TEST domain(s)
- Sign-in to the Proofpoint Essentials user interface.
- Go to the Administration > Account Management.
- Click the Domains tab.
- Click the relay control to enable the domain for relay.
Once the domain is turned on, you will need to wait for the Proofpoint Essentials MTAs to be updated. This occurs every half-hour. You should not proceed to the next step until you have waited for this change to be applied.
- Click the icon with 3 dots to the far right and click on Domain Health Check. If you see a green check mark then we are able to see the SMTP Destination.
Update YOUR MX records
You will need to add Proofpoint Essentials MX records to your DNS record.
You may want to add the MX records with a low priority ahead of your cutover. Once ready, you can then increase the priority of the Proofpoint Essentials MX records while decreasing the priority of your existing MX record.
Update Sender Policy Framework (SPF)
When sending outbound email through the Proofpoint Essentials gateway, recipients receive mail sent from Proofpoint Essentials rather than Microsoft 365 mail servers. If the recipient's mail service attempts to verify that the message came from your domain, it must confirm that the gateway server is an authorized mail server for your domain.
To enable this, you need to add the Proofpoint Essentials SPF record to your domain.
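A read-only check for the MX and SPF steps above, added here as an example (not the article's or Proofpoint's own code). It uses Resolve-DnsName from the Windows DnsClient module. The domain is a placeholder; the expected MX host suffix is an assumption based on the smart host domain named in the article, and the SPF include mechanism is a placeholder for the value shown on your Connection Details page, which the article does not list.

```powershell
# Added example, not the article's or Proofpoint's own code.
# Runs on Windows, where Resolve-DnsName (DnsClient module) is available.
function Test-GatewayDns {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # ASSUMPTION: the Proofpoint MX hosts share the domain of the smart host
        # named in the article. Confirm the exact hosts on Connection Details.
        [string] $ExpectedMxSuffix = 'ppe-hosted.com',
        # PLACEHOLDER: the SPF include mechanism from Connection Details.
        [string] $ExpectedSpfInclude = 'include:PLACEHOLDER-from-connection-details'
    )

    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object Preference
    # The lowest Preference value is the highest-priority MX; after cutover it
    # must be a Proofpoint host. TTL shows how long a change takes to propagate.
    $primaryMx = $mx | Select-Object -First 1

    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
           Where-Object { $_.Type -eq 'TXT' }
    # A TXT record may be split into several strings; join them before matching.
    $spf = @($txt | ForEach-Object { -join $_.Strings } | Where-Object { $_ -like 'v=spf1*' })

    [pscustomobject]@{
        Domain                = $Domain
        PrimaryMx             = $primaryMx.NameExchange
        PrimaryMxTtlSeconds   = $primaryMx.TTL
        MxPointsToProofpoint  = [bool]($primaryMx.NameExchange -like "*.$ExpectedMxSuffix")
        SpfRecordCount        = $spf.Count   # must be exactly 1; more is a permanent SPF error
        SpfRecord             = ($spf -join ' | ')
        SpfIncludesProofpoint = [bool]($spf -match [regex]::Escape($ExpectedSpfInclude))
        # Lower the MX/TXT TTLs ahead of cutover, as the DNS TTLs section advises.
        TtlIsLowForCutover    = ($primaryMx.TTL -le 300)
    }
}

# Usage (PLACEHOLDER domain):
Test-GatewayDns -Domain 'example.com' | Format-List
```

Run it before cutover to confirm the low TTLs are in place, and again afterwards to confirm the primary MX and the SPF include both point at Proofpoint; a SpfRecordCount other than 1 means receivers will not evaluate the record at all.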
Enable INBOUND Connector
- Sign-In to the Microsoft 365 Admin portal.
- Navigate to Admin > Exchange.
- Click Mail Flow > Connectors.
- Select the Inbound Connector and click edit (pencil icon).
- Check the turn it on checkbox.
- Click Next and move through the next 3 screens.
- Click Save.
Enable Outbound Connector
- Sign-In to the Microsoft 365 Admin portal.
- Navigate to Admin > Exchange.
- Click Mail Flow > Connectors.
- Select the outbound connector and click edit (pencil icon).
- Check the turn it on checkbox and click next through the remaining screens.
- Click Validate.
- Click Save.
Enable Bypass Spam Filtering Rule
- While accessing the Exchange Admin Center, click mail flow > rules.
- Check the checkbox next to the mail flow rule you created previously.
Verify Inbound Mailflow
- While logged into the Proofpoint Essentials user interface, click the Log Search.
- Select Any from the Status drop-down and click Search.
- Look for new entries to be listed in the search results.
Verify Outbound Mailflow
- Send a test message from a Microsoft 365 mailbox to an external SMTP address.
- While logged into the Proofpoint Essentials user interface, click the Logs tab.
- Select Outbound mail from the type drop-down.
- Select Any from the status drop-down and click Search.
- Look for the test message that was sent.
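The cutover steps on the Microsoft 365 side (enable the inbound connector, the outbound connector and the bypass rule) plus an inbound check from the Microsoft side, as an added example in Exchange Online PowerShell (not the article's or Microsoft's own code). It assumes the connector and rule names used earlier in this article, a Connect-ExchangeOnline session, RFC 5737 placeholder ranges for the Proofpoint Essentials IPs, and a placeholder test mailbox. The message-trace part complements the Proofpoint log search above: it reports whether recent inbound messages arrived via the Proofpoint IPs or directly.

```powershell
# Added example, not the article's or Microsoft's own code.
# Requires the ExchangeOnlineManagement module and Connect-ExchangeOnline.

# PLACEHOLDER ranges (RFC 5737); replace with the Proofpoint Essentials ranges.
$ProofpointRanges = @('192.0.2.0/24', '198.51.100.0/24')
# PLACEHOLDER mailbox in the tenant that received a test message.
$TestMailbox = 'user@example.com'

# Enable in the article's order: inbound connector, outbound connector, bypass rule.
Set-InboundConnector  -Identity 'Proofpoint Essentials Inbound Connector' -Enabled $true
Set-OutboundConnector -Identity 'Proofpoint Essentials' -Enabled $true
Enable-TransportRule  -Identity 'Bypass Spam filtering for Proofpoint Essentials'

# Confirm all three are on.
Get-InboundConnector  -Identity 'Proofpoint Essentials Inbound Connector' | Select-Object Name, Enabled
Get-OutboundConnector -Identity 'Proofpoint Essentials' | Select-Object Name, Enabled
Get-TransportRule     -Identity 'Bypass Spam filtering for Proofpoint Essentials' | Select-Object Name, State

function Test-IPv4InCidr {
    # Compares the leading prefix bits of an IPv4 address and a CIDR network.
    param([string] $Ip, [string] $Cidr)
    $network, $prefix = $Cidr.Split('/')
    $toBits = { param($a) -join (([IPAddress]$a).GetAddressBytes() |
                ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) }
    $len = [int]$prefix
    return (& $toBits $Ip).Substring(0, $len) -eq (& $toBits $network).Substring(0, $len)
}

# After cutover every external message should arrive from a Proofpoint IP.
# "Direct" means a sender reached the tenant without passing through the
# gateway (see the lock-down note in the inbound connector section).
# Internal mail never leaves Microsoft 365 and shows no connecting IP.
Get-MessageTrace -RecipientAddress $TestMailbox `
                 -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    ForEach-Object {
        $fromIp = $_.FromIP
        $path = 'Internal'
        if ($fromIp) {
            $viaGateway = $false
            if ($fromIp -notmatch ':') {   # IPv4 only; IPv6 is not handled in this example
                $viaGateway = [bool]($ProofpointRanges | Where-Object { Test-IPv4InCidr -Ip $fromIp -Cidr $_ })
            }
            $path = if ($viaGateway) { 'Proofpoint' } else { 'Direct' }
        }
        [pscustomobject]@{
            Received = $_.Received
            Sender   = $_.SenderAddress
            FromIP   = $fromIp
            Path     = $path
            Status   = $_.Status
        }
    } | Format-Table -AutoSize
```

Message trace data lags delivery by a few minutes, so allow for that before concluding that a test message was not processed.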
Additional KB to follow if using Proofpoint Essentials Security Awareness
Security Awareness Safelisting in Office 365
Frequently Asked Questions (FAQ)
Does Proofpoint Scan internal to internal emails?
We do not scan internal to internal email in Microsoft 365 since these emails never leave the customer's network.
Can I route all internal emails via Proofpoint Essentials to be scanned?
Yes, you can have internal emails routed through Proofpoint Essentials, but it is not recommended. It will cause a conflict with the domain spoofing setting, and digests would be scanned for spam and most likely put into quarantine. Using steps similar to those above, you will need to:
- Create an Inbound Connector to route external mail via Proofpoint Essentials.
- Create an Outbound Connector to route all mail, both internal and external, via MX record.
- Create a rule that says if a sender is inside your org and the recipient is also inside your org to send via the connector in step 2.
When should I use the Proofpoint domain check?
The DNS check in Microsoft 365 will NOT work when using a 3rd-party service like Proofpoint. Microsoft 365 expects its own MX entry, which is why it reports everything as wrong. Use the Proofpoint domain check instead.