STEP 5 - MX Record and Outbound Relay

Created by Jason Carreiro, Modified on Mon, 26 Feb 2024 at 03:41 PM by Yves Lacombe

Scenario:


Now that a telnet test has confirmed that mail flow is functional, it is time to allow regular email traffic inbound and outbound through ProofPoint Essentials.


Updating MX records


If the users have been synchronized as was done in STEP 2, it is now time to have your public MX records modified to allow email flow through ProofPoint Essentials. The steps required may vary depending on which provider currently hosts your DNS entries.


The most popular are GoDaddy and Network Solutions. For this process, please contact your provider for instructions on how to modify or update DNS records.


The MX records must be updated to the following ProofPoint Essentials records.


ProofPoint Essentials US:


- mx1-us1.ppe-hosted.com

- mx2-us1.ppe-hosted.com


ProofPoint Essentials EU:


- mx1-eu1.ppe-hosted.com

- mx2-eu1.ppe-hosted.com



This may take from 30 minutes to 6 hours, depending on your provider.


IMPORTANT: It is also recommended that, once the MX priorities have been updated, the old MX records be removed 24 hours later, which gives a grace period after adding the new ProofPoint Essentials MX records. This is very important, as failing to do so may cause a loss of emails.




Configure Outbound Relaying on ProofPoint Essentials:


Important: Before configuring the outbound mail flow through PP, you need to add an entry to your client's SPF record. Most organisations already have one. If your client is on Office 365, the SPF record looks like this:

"v=spf1 include:spf.protection.outlook.com -all"


The SPF record tells the world who is allowed to send mail on your or your client's behalf.


You need to add this entry to the SPF record:


US Stacks: include:_spf-us.ppe-hosted.com 
EU Stacks: include:_spf-eu.ppe-hosted.com


So, for a US stack, the SPF record becomes:

"v=spf1 include:_spf-us.ppe-hosted.com include:spf.protection.outlook.com -all"


This is covered in the "Getting started with proofpoint" guide.
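
The MX and SPF changes above can be checked before and after the cutover. The following is an added example, not code from this article or from ProofPoint: it inserts the stack's include into an existing SPF record and audits a domain's published TXT and MX values, which the caller supplies (for instance from a dig or nslookup query). The function names are hypothetical.

```python
# Added example: hostnames are the ones on this page; inputs are caller-supplied.
PPE_SPF = {"us": "_spf-us.ppe-hosted.com", "eu": "_spf-eu.ppe-hosted.com"}
PPE_MX = {
    "us": {"mx1-us1.ppe-hosted.com", "mx2-us1.ppe-hosted.com"},
    "eu": {"mx1-eu1.ppe-hosted.com", "mx2-eu1.ppe-hosted.com"},
}


def spf_terms(record):
    """Split a TXT value into SPF terms; raise if it is not an SPF record."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms


def add_ppe_include(record, stack):
    """Insert the stack's include right after v=spf1; no-op if present."""
    terms = spf_terms(record)
    wanted = "include:" + PPE_SPF[stack]
    if wanted not in [t.lower() for t in terms]:
        terms.insert(1, wanted)
    return " ".join(terms)


def audit(txt_records, mx_hosts, stack):
    """Return findings for one domain's published TXT and MX values."""
    findings = []
    spf = [r for r in txt_records
           if r.strip().strip('"').lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: no record means no policy; several give a permerror.
        findings.append("expected exactly 1 SPF record, found %d" % len(spf))
    for record in spf:
        terms = [t.lower() for t in spf_terms(record)]
        if "include:" + PPE_SPF[stack] not in terms:
            findings.append("SPF is missing include:" + PPE_SPF[stack])
        quals = [t.lstrip("+-~?") for t in terms]
        after_all = terms[quals.index("all") + 1:] if "all" in quals else []
        if any("=" not in t for t in after_all):
            findings.append("SPF has mechanisms after 'all'; they are ignored")
    hosts = {h.rstrip(".").lower() for h in mx_hosts}
    for missing in sorted(PPE_MX[stack] - hosts):
        findings.append("MX is missing " + missing)
    for legacy in sorted(hosts - PPE_MX[stack]):
        findings.append("non-ProofPoint MX still published: " + legacy)
    return findings
```

An empty list from audit() means the published records match this page; a "non-ProofPoint MX still published" finding is expected during the 24-hour grace period and should disappear once the old records are removed.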




1- Log into the ProofPoint Essentials website US or EU.


2- Click on Account Management then Features.



3- Check the option Enable Outbound Relaying and click save.



4- Still under the Account Management menu click on Domains.


5- Click the button Manage Hosted Services



6- Toggle the option Office 365 from off to on and click Save.



Configure Outbound Relaying on Office 365: 



1- Sign in to the Office 365 Admin portal.

2- Click on the Admin menu; this will launch the Admin Center.


3- In the Admin Center click on Show All.



4- Then click on Exchange under the Admin Centers which will launch the Exchange Admin Center.



5- Once in the Exchange Admin Center select Mail Flow - Connectors.



6- On the Connectors page click Add a Connector to create a new send connector.



7- On the New Connector page select Connection From "Office 365" and for Connection To select Partner Organization then click Next.



8- Next provide a name for the connector and turn on the rule and click Next.



9- In the Use of Connector page, make sure the option Only when email messages are sent to these domains is selected. Then add an asterisk "*" in the field and click the blue plus "+" sign. Then click Next.



10- On the Routing page select the option Route email through these smart hosts and add the Smarthost address based on your ProofPoint Essentials Stack.



ProofPoint Essentials Smart Host US:


- outbound-us1.ppe-hosted.com


ProofPoint Essentials Smart Host EU:


- outbound-eu1.ppe-hosted.com



11- Once the Smarthost address has been entered in the field, click the blue plus button "+" to add it and then click the Next button.


12- The next page is simply the security protocols page, which should be left at its default settings. Click Next.


13- On the Validation Email page we can now test the connection. Enter a public email address to test the connection and click the blue plus sign "+". Then click the Validate button.



15- Then click the Validate Button to test the connector. You should be greeted with a successful message. You can now click Next and click Create Connector.



IMPORTANT - If you are using a third-party archiving service with your Office 365 tenant, you will need to bypass ProofPoint for outbound mail traffic going to that archiving server. See this article:

https://vircomhelp.freshdesk.com/support/solutions/articles/48001214841-new-clients-on-proofpoint-with-office365-and-existing-third-party-archiving-solutions





16- You can now proceed to STEP 6 - Locking Down O365 Connections.