The following article will provide a guideline on how to set up Proofpoint Essentials for Office 365. Please read it carefully.
 

Our Support team are available to help you:

You can book a deployment call with them here.

Support contact details can be found here.


Deploying Proofpoint to Office 365 is a 5-stage process. This article covers the 5 stages:

  1. How to verify and enable a domain on Proofpoint Essentials.
  2. Sync users with Azure.
  3. MX record and outbound relay.
  4. Bypass Outlook spam filtering on email routed through Proofpoint Essentials.
  5. Locking down Office 365 to Proofpoint Essentials. 





Stage 1 - How to verify and enable a domain on Proofpoint Essentials.

 

When adding a new domain to Proofpoint, you must verify the domain with the TXT record and enable the domain. If these steps are not followed, Proofpoint will reject any email sent to the domain.

 

IMPORTANT: Once the domain has been verified and enabled, you MUST wait 30 to 45 minutes before the domain is available for routing inbound and outbound.

 

Configure a TXT Verification / Enable:

 

1.  Log in to the Proofpoint website:

        • US: https://us1.proofpointessentials.com/

        • EU: https://eu1.proofpointessentials.com/



2. If you are a reseller, locate the company in question under Customer Management then Customers.


3. Once the company has been selected, click Account Management then Domains then select the Edit pencil icon to the far right of the domain name.

4. Once in the Edit Domains menu, ensure that the Domain Purpose is set to Relay and the proper Delivery Destination hostname is defined. 

 

The Delivery Destination is the MX record that Office 365 recommends for your domain name. You can view this in Microsoft 365 admin center > Settings > Domains > Click on your Domain > DNS Records. The delivery destination is the Value:

5. Click on the Verification Method drop-down list and select Verify by TXT record, copy the TXT record provided, then click Verify Now.

6. Ignore the Failed Verification message that appears.

7. Add the TXT record that you just copied in your DNS space for the domain you wish to verify and enable. This TXT record allows Proofpoint to verify this as your domain before the MX records are configured. 

 

8. Depending on your DNS provider and the record's TTL, you may need to wait up to 3600 seconds (one hour) before proceeding to step 9.

 

9. Once added to your DNS space, go back to Proofpoint Essentials and click Account Management then Domains then select the Edit pencil.

10. Click the Verify Now button below, and a message will display that the domain has been verified.

11. Activate your domain name on Proofpoint:

(see items circled red, you must slide these to the ON position before you change your MX records or send outbound email).

IMPORTANT: Once the domain has been verified and enabled, you MUST wait 30 to 45 minutes before the domain is available for routing inbound and outbound.


12. Updating SPF records

If you intend to send outbound email through our service by connecting to our smart-host, we strongly recommend that you construct an SPF/TXT record which authorises our sending servers to send on behalf of your domain. If you do not authorise our sending relays to send on behalf of your domain (or add us to an existing SPF record), recipients' systems may treat email relayed outbound through our servers as unsolicited.


    • SPF mechanism to add for US1 clients: a:dispatch-us.ppe-hosted.com

    • SPF mechanism to add for EU1 clients: a:dispatch-eu.ppe-hosted.com
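The following script is an added example (not Proofpoint's own tooling) showing how to merge the mechanism above into an existing SPF record, or build a new one when the domain has none, while staying under the 10-lookup limit that SPF evaluators enforce. The existing record and the `default_all` policy are assumptions; the Proofpoint mechanisms are the ones listed above.

```python
"""Add the Proofpoint Essentials outbound mechanism to a domain's SPF record.

Added example, not Proofpoint's own tooling. The a:dispatch-* mechanisms
are the ones the guide lists; the existing record in main() is constructed.
"""
from typing import Optional

PROOFPOINT_MECH = {
    "us1": "a:dispatch-us.ppe-hosted.com",
    "eu1": "a:dispatch-eu.ppe-hosted.com",
}
MAX_LOOKUPS = 10  # RFC 7208 limit; receivers return permerror above it


def count_lookups(record: str) -> int:
    """Count terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect)."""
    n = 0
    for term in record.split()[1:]:
        t = term.lstrip("+-~?")
        if t.startswith(("include:", "exists:", "ptr", "redirect=")):
            n += 1
        elif t in ("a", "mx") or t.startswith(("a:", "a/", "mx:", "mx/")):
            n += 1
    return n


def add_proofpoint(record: Optional[str], region: str, default_all: str = "~all") -> str:
    """Return the SPF record with the Proofpoint mechanism placed before the 'all' term.

    record=None means the domain has no SPF record yet, so a new one is built;
    default_all is an assumed policy for that case, choose the one you want.
    """
    mech = PROOFPOINT_MECH[region]
    if record is None:
        return f"v=spf1 {mech} {default_all}"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    if mech in (t.lstrip("+") for t in terms):
        return record  # Proofpoint is already authorised; nothing to change
    # Terms after 'all' are never evaluated, so insert the mechanism before it.
    if terms[-1].lstrip("+-~?") == "all":
        terms.insert(len(terms) - 1, mech)
    else:
        terms.append(mech)
    merged = " ".join(terms)
    if count_lookups(merged) > MAX_LOOKUPS:
        raise ValueError(f"{count_lookups(merged)} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return merged


if __name__ == "__main__":
    # Constructed: a tenant that already authorises Office 365's outbound servers.
    print(add_proofpoint("v=spf1 include:spf.protection.outlook.com -all", "us1"))
```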


 


Stage 2 - Sync users with Azure


About Proofpoint Essentials Azure Sync Tool

The Proofpoint Essentials Azure Sync Tool allows organizations hosted on Office 365 to import and/or synchronize users and groups from Office 365 directly to their account. 

 

Set up Azure Active Directory

Follow these steps to create an Azure application which will be used as part of the synchronization.

 

1. Log in to your Microsoft Azure portal as an administrator user through https://aad.portal.azure.com.

 

2. Click on Azure Active Directory on the left side panel and click on App Registrations and then click on New Registration.

    In the fields displayed, enter a name in the Name field (e.g. Proofpoint).

 

3. Select the option Accounts in this organizational directory only ("Company inc" only - Single Tenant).

 

4. Under Redirect URL, select Web in the dropdown menu and enter the following Sign-On URL:

        • US: https://us1.proofpointessentials.com

        • EU: https://eu1.proofpointessentials.com

5. Click on Register to complete the App registration.
 

6. Copy the Application (client) ID displayed into notepad.

7. Click on API Permissions then click on Add a permission.

8. Scroll down to the bottom of the Request API Permissions and select Microsoft Graph.

9. Select Delegated Permissions.

10. Ensure that the following permissions have been applied under Delegated Permissions:

    • Directory: Directory.Read.All

    • Group: Group.Read.All

    • User: User.ReadBasic.All

 

11. Next click on Application Permissions.

12. Ensure that the following permission has been applied under Application Permissions, then click Add permissions:

    • Directory: Directory.Read.All


The API permissions will now look like this:

13.  Click the Grant admin consent for Company button followed by clicking Yes to confirm.

14. Finally select Certificates & Secrets and click on the New client secret button under Client secrets.

15. Enter a description, select Never for the expiry date, and click Add.

16. Copy the displayed Secret Key into notepad. Note: regenerate the key if it contains a ~ (tilde); Proofpoint cannot accept Secret Keys that contain a ~.

Configure Proofpoint to Deploy with Azure:

 

1. Log in to your Proofpoint account via the US or EU site, depending on where the domain is registered.

 

2. Go to Administration > User Management > Import & Sync > Azure Directory Sync.
 

3. In the fields displayed, enter the Primary Domain name in Office 365 and paste in the Application ID and the Secret Key copied from the steps above.

4. Scroll down to the bottom and set Sync Frequency to 1-Hour and click Save and then click Search Now.


5. At this point, you will be shown a report in which you can review and exclude users.
 

6. When it has been reviewed, click the Sync Active Directory button to import users.

 

IMPORTANT: Once the domain has been synced, you MUST wait 45 minutes before the domain is available for routing inbound and outbound email.


 

Stage 3 - MX records and outbound relay

 

Updating MX records

It is now time to have your public MX records modified to allow email flow through Proofpoint Essentials. The steps required may vary based on which hosted provider is currently hosting your DNS entries.

 

The MX records for your domain must be updated to the following, depending on your region:

Proofpoint Essentials US:

    • mx1-us1.ppe-hosted.com

    • mx2-us1.ppe-hosted.com

Proofpoint Essentials EU:

    • mx1-eu1.ppe-hosted.com

    • mx2-eu1.ppe-hosted.com



Configure Outbound Relaying on Proofpoint Essentials:

1. Log in to the Proofpoint Essentials website (US or EU).

 

2. Click on Account Management then Features.

3. Check the option Enable Outbound Relaying and click Save.

4. Still under the Account Management menu click on Domains.

5. Click the button Manage Hosted Services.

6. Toggle the option Office 365 from off to on.

Configure Outbound Relaying on Office 365: 

1. Log in to the Office 365 Admin Center.

 

2. Once logged in click the Admin button.

3. Click on Admin centers then Exchange.

4. In the Exchange admin center, click on Mail Flow then the connectors tab.

5. Click the plus sign to create a new send connector.

6. On the page that opens up select from Office 365 to Partner Organization and click Next.

7. Next provide a name for the connector and turn on the rule and click Next.

8. Click the plus icon and add an asterisk in the Add Domain page and click OK. Make sure the option Only when email messages are sent to these domains is selected and click Next.

9. Select the option Route email through these smart hosts and click the plus icon +.

10. Enter the required smart host address and click Save. The address differs between the US and EU sites:

    • Proofpoint Essentials Smart Host US: outbound-us1.ppe-hosted.com

    • Proofpoint Essentials Smart Host EU: outbound-eu1.ppe-hosted.com

11. The next page covers the security protocols; leave the default settings and click Next.
 

12. Click Next once more to complete the connector.

 

13. On the following page, click the plus icon and enter an external email address and click OK. This will validate if the send connector is correctly configured.

14. Then click the Validate Button to test the connector. You should be greeted with a successful message.

 


 

Stage 4 - Enable enhanced filtering on email routed through Proofpoint Essentials.

 

When emails are filtered through Proofpoint Essentials, it is often beneficial to disable Outlook’s own spam filtering. This is achieved by enabling Enhanced Filtering for Connectors (“skip listing”) to skip the IP addresses of inbound messages being routed through Proofpoint Essentials. 


Note that the IP addresses listed here may be different depending on your geographic location. For the correct IP addresses see: 

https://help.proofpoint.com/Proofpoint_Essentials/Administrator_Topics/000_gettingstarted/020_connectiondetails.

 

Inbound Connector for Proofpoint Essentials Overview:

1. Log in to the Office 365 Admin Center.

 

2. Once logged in click the Admin button.

3. Click on Admin centers then Exchange.

4. In the Exchange admin center click on Mail Flow then the tab Connectors.

5. Click the plus sign to create a new inbound connector.

6. Under Select your mail flow scenario in the From dropdown menu, select Partner Organization and in the To menu, select Office 365.

7. Enter a name for your connector, such as ‘Inbound Connector for Proofpoint Essentials’. Under What do you want to do after connector is saved tick the Turn it on box.

8. Under How do you want to identify the partner organization?, select Use the Sender's IP address.

9. Enter the relevant address ranges for Proofpoint Essentials. These vary by region and can be found at the connection details link above. The connector should resemble the screenshot below, which shows the full inbound connector for the US region; the EU region uses a different set of IP addresses.



10. Navigate to https://protection.office.com/skiplisting and click on the connector you have just created. Under ‘IP addresses to skip’ select ‘Skip these IP addresses that are associated with the connector.’ Here you add the IP addresses you entered when creating the connector. Note that Microsoft’s Enhanced Filtering for Connectors accepts a wider prefix, so if the /19 range is entered the individual /24 subnets within it do not also need to be entered, as shown in the screenshot below. The IP addresses shown are for the US region; the EU region has a different set of IP addresses.




Stage 5 - Locking down Office 365 to Proofpoint Essentials

 

When using the Proofpoint Essentials email filtering service with Office 365, you need to ensure that you only accept port 25 connections from Proofpoint's service ranges; otherwise spammers can still send email directly to your Office 365 mail environment, bypassing your MX records. Here is how to lock down Office 365 Exchange Online.

Note that this step does not need to be enabled during the initial deployment, and you may wish to wait some time: a premature lockdown, depending on your own organization’s setup, can cause false positives and cause Office 365 to block incoming mail.


1. Double click on the inbound connector you created in Stage 4 to edit it.

2. Click Next

3. Change your selection from Use the sender's IP address to Use the sender's domain.

4. Click to add a new domain. Then enter a single asterisk * to specify the wildcard.

5. Keep the box ticked that says Reject email messages if they aren't sent over TLS. Tick the box that says Reject email messages if they aren't sent from within this IP address range. This field should contain the IP address ranges you entered previously to identify Proofpoint; if not, add them here. Then click Next and Save to finalise your changes.

6. Office 365 is now locked down to Proofpoint and should resemble the screenshot below. Note that IP addresses will be different for the EU region.
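The following script is an added example (not Microsoft's or Proofpoint's code) that models the two checks the locked-down connector applies in Stage 5 step 5 (TLS required, sender IP inside the Proofpoint ranges) and the point from Stage 4 step 10 that an entered /19 already covers its /24s. The CIDRs below are placeholders, not Proofpoint's published ranges; take the real per-region ranges from the connection details page linked in Stage 4.

```python
"""Model the inbound-connector lockdown checks and the /19-covers-/24 skip-list point.

Added example, not Microsoft's or Proofpoint's code. The CIDRs are placeholders
standing in for Proofpoint's per-region inbound ranges (see the Stage 4 link).
"""
import ipaddress
from typing import Iterable, List

# PLACEHOLDER ranges; replace with the published ranges for your region.
PROOFPOINT_RANGES = [ipaddress.ip_network(c) for c in ("10.20.0.0/19", "10.40.7.0/24")]


def sent_from_proofpoint(client_ip: str, ranges=PROOFPOINT_RANGES) -> bool:
    """True if the connecting IP lies inside one of the connector's ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net in ranges)


def lockdown_decision(client_ip: str, tls: bool, ranges=PROOFPOINT_RANGES) -> str:
    """What the locked-down connector does with a port 25 session.

    Both boxes from Stage 5 step 5 are ticked: non-TLS sessions are rejected,
    and so are sessions from outside the Proofpoint ranges (the MX-bypass case).
    """
    if not tls:
        return "reject: not sent over TLS"
    if not sent_from_proofpoint(client_ip, ranges):
        return "reject: sender outside Proofpoint IP ranges"
    return "accept"


def collapse_skip_list(cidrs: Iterable[str]) -> List[str]:
    """Drop entries already covered by a wider one, e.g. /24s inside an entered /19."""
    nets = sorted((ipaddress.ip_network(c) for c in cidrs),
                  key=lambda n: (n.version, n.prefixlen, int(n.network_address)))
    kept = []
    for net in nets:  # wider prefixes sort first, so any cover is already in kept
        if not any(net.version == k.version and net.subnet_of(k) for k in kept):
            kept.append(net)
    return [str(n) for n in kept]


if __name__ == "__main__":
    print(lockdown_decision("10.20.5.9", tls=True))    # relayed via Proofpoint
    print(lockdown_decision("203.0.113.7", tls=True))  # direct delivery bypassing MX
    print(collapse_skip_list(["10.20.5.0/24", "10.20.0.0/19", "10.40.7.0/24"]))
```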