Synopsis:
This document is done for a specific setup where a customer has two domains/clients, while using Proofpoint, on two separate office 365 tenants (Tenant01 and Tenant02) and does forwarding from Tenant01 to Tenant02. As a result all the messages forwarded get labeled on Tenant02's Proofpoint log search as FRAUD / SPF or DKIM.
Solution:
To get a round this situation you will need to follow the steps below:
On Tenant01
1- login to this tenant Proofpoint and Make sure you enable the "Email Tagging" under Email > Email Tagging with the word [Coming from External] or your own tag (if you changed it then remember it as you will need it later)
2- On office365 tenant for Tenant01 do the following:
- Create a connector (i.e.: Fwd_Tenant02) from office365 to Partner org and make sure it is sending to SMART HOST of Tenant02 i.e.: tenant02-com.mail.protection.outlook.com
- Create a RULE to call that connector based on the condition specified: Apply this rule if recipients' address domain portion belongs to any of these domains: 'Tenant02com' and Is received from 'Outside the organization' Do the following Route the message using the connector named 'Fwd_Tenant02'.
- If this is not already done, then enable External Forwarding for ALL users Policies & Rules > Threat Policies > Anti Spam Policies --> Anti Spam outbound Policy (Default) (Figure 1)
- On each user's OWA, create a RULE that forwards to specific email address i.e. user@Tenant01.com FWD to Anotheruser@Tenant2.com by going to Settings > Forwarding
On Tenant02
- on the Tenant02 and an exception for the "Proofpoint Inbound Lockdown Rule via vircomPortal" as in the screen shot below (Figure2)
Figure 1:
Figure 2: