Synopsis:

This article describes the steps need to follow while setting up Proofpoint to filter Incoming mail and forwarding it to Zoho mail.

 

Configuration:

Here are the steps to take to complete the configuration:

I) Proofpoint Admin Portal:

  1. Login to the Proofpoint portal 
  2. Verify your domain and enable relay and MUST wait 1 hour before it can process incoming mail
    1. Click on the Verify Domain button then copy the Value (Figure 1, Figure 2)
      Figure 1:
      Figure 2:

       
    2. Once the TXT record on your DNS is populated with the Value copied above wait few minutes and click Verify Domain button, then click on the 3 dots then click on Edit Domain 
    3. Enter the Domain name, Primary Delivery Destination, SMTP failover1,2,3 as shown in the screen shot below
       
    4. Click on SAVE
    5. Click on Enable Relay button, this will allow the platform to be ready to accept Incoming message.

Important: Allow 1 hour for the changes to propagate on Proofpoint platform then you can proceed with the next steps below, otherwise mail will be rejected

II) Zoho mail Admin Console:


  1. Login to Zoho Admin console 
  2. On the Zoho Admin Console, navigate to Mail Settings > Email Routing > Inbound Gateway   (screen shot belo) add the below IPs, with respect to your location, so  we need to allow Zoho mail to only accept messages from those IPs. 
    Proofpoint Essentials-USProofpoint Essentials-EU

    67.231.149.0/24

    67.231.152.0/24

    67.231.153.0/24

    67.231.154.0/24

    67.231.155.0/24

    67.231.156.0/24

    67.231.144.0/24

    67.231.145.0/24

    67.231.146.0/24

    67.231.147.0/24

    67.231.148.0/24

    207.115.110.3/32

    207.115.110.7/32

    192.69.1.3/32

    192.69.1.7/32

    148.163.128.0/24

    148.163.129.0/24

    148.163.130.0/24

    148.163.131.0/24

    148.163.132.0/24

    148.163.133.0/24

    148.163.134.0/24

    148.163.135.0/24

    148.163.136.0/24

    148.163.137.0/24

    148.163.138.0/24

    148.163.139.0/24

    148.163.140.0/24

    148.163.141.0/24

    148.163.142.0/24

    148.163.143.0/24

    148.163.144.0/24

    148.163.145.0/24

    148.163.146.0/24

    148.163.147.0/24

    148.163.148.0/24

    148.163.149.0/24

    148.163.150.0/24

    148.163.151.0/24

    148.163.152.0/24

    148.163.153.0/24

    148.163.154.0/24

    148.163.155.0/24

    148.163.156.0/24

    148.163.157.0/24

    148.163.158.0/24

    148.163.159.0/24

    91.209.104.0/24

    91.207.212.0/24

    91.207.213.0/24

    62.209.50.0/24

    62.209.51.0/24

    185.132.180.0/24

    185.132.181.0/24

    185.132.182.0/24

    185.132.183.0/24

    185.183.28.0/24

    185.183.29.0/24

    185.183.30.0/24

    185.183.31.0/24  

    207.115.110.3/32

    207.115.110.7/32

    192.69.1.7/32

    192.69.1.3/32

  3. Now we need to disable the Spam and Anti-spoofing verification on Zoho mail Admin console since   Proofpoint has already scanned them   
  4. Login to the Zoho console:
    1. select Security & Compliance > Spam Control>Spam Processing and disable the     following: Spam Process Type, Sender-based Alerts, Post-delivery Spam Checks
    2. Navigate to Security & Compliance > Spam Control>Spam Verification and set the following Actions SPF failure, DKIM Verification, DMARC Verification to None (see screen shot below)
      Note: DMARC is enabled by default, and if it is not disabled messages from Proofpoint will be bounced
       
  5. Change you domain MX record to point to Proofpoint servers with respect to your location

    Proofpoint Essentials-US

    mx1-us1.ppe-hosted.com

    mx2-us1.ppe-hosted.com


    Proofpoint Essentials-EU

    mx1-eu1.ppe-hosted.com

    mx2-eu1.ppe-hosted.com


  6. Once you confirm your mail flow for a day or 2 then you can proceed to lock down your Zoho mail to not accept mail from any other server except the Ips mentioned above. To do so login to the Zoho Admin Console> Mail Settings>Email Routing>Inbound Gateway and toggle to the right the option “Reject non-inbound gateway emails” Screen shot below
     

III) Zoho mail Admin Console:  Outbound mail configuration

Before configuring your Zoho console make sure that you added the following IP addresses  to your Proofpoint portal Account under Account Management > Domains  then in the section "Sending Servers" add the following IP addresses


Zoho's Outbound mail is sent from the following IPs:

136.143.188.3

136.143.188.4

136.143.188.5

136.143.188.1


Make sure to wait 1 hour before you perform any outbound mail tests


Zoho Admin Console: 

login to the Admin console and navigate to  Mail Settings > Email Routing > Outbound Gateway  (see screen shot below) and Add the following :

  • Destination Host (MX/IP address):  enter the following Proofpoint server


    ProofPoint Essentials-US

    ProofPoint Essentials-EU

    Smarthost

    outbound-us1.ppe-hosted.com

    outbound-eu1.ppe-hosted.com

  • Connection Type :  Plain Support with TLS
  • Port :  25
  • Authentication :  NO
  • Apply for:  All Users