📧 Email Security Implementation (O365 and Proofpoint Essentials) Series
Part 4: Proofpoint Integration Setup
📚 Series Navigation
- Part 1: Understanding SPF, DKIM, and DMARC
- Part 2: DNS Configuration and Setup
- Part 3: Office 365 Connector Configuration
- Part 4: Proofpoint Integration Setup (Current)
- Part 5: Testing and Troubleshooting
🎯 What We'll Configure
In this part, we'll configure the Proofpoint Essentials side of the integration:
1. Domain Relay Configuration - Set up mail routing to Office 365
2. Security Features - Enable comprehensive email protection
3. Email Warning Tags - Configure user notification system
4. DKIM Key Management - Generate and manage authentication keys
5. User Provisioning and SSO - Enable user access (overview)
🔧 Prerequisites
Before starting, ensure you have:
- [ ] Proofpoint Essentials administrator access
- [ ] Office 365 connectors from Part 3 configured and tested
- [ ] DNS records from Part 2 implemented
- [ ] Your Office 365 tenant's mail protection endpoint (e.g., yourdomain-com.mail.protection.outlook.com)
📧 Domain Relay Configuration
This is the foundation that tells Proofpoint where to send clean emails after filtering.
Step 1: Access Domain Configuration
- Log into Proofpoint Essentials
  - Navigate to your Proofpoint admin portal
  - Sign in with administrator credentials
- Navigate to Domains
  - Click Email in the left navigation
  - Select Domains
  - Click Add Domain or select existing domain
Step 2: Configure Domain Settings
Domain Information:
┌─────────────────────────────────────┐
│ Domain Type: Relay │
│ Domain Name: yourdomain.com │
│ Primary Delivery Destination: │
│ yourdomain-com.mail.protection. │
│ outlook.com │
└─────────────────────────────────────┘
Finding Your O365 Mail Protection Endpoint:
Your endpoint follows this pattern:
- Format: [domain-with-dashes].mail.protection.outlook.com
- Example: For yourdomain.com → yourdomain-com.mail.protection.outlook.com
- Verification: Check your MX record in Office 365 Admin Center
Step 3: Verify Domain Configuration
After saving, ensure:
- [ ] Domain status shows as Active
- [ ] Primary delivery destination is correct
- [ ] No error messages in domain configuration
🛡️ Security Features Configuration
Proofpoint Essentials offers comprehensive protection. Here's what to enable and why:
Step 1: Core Protection Features
Navigate to Email > Settings > Features and enable:
✅ Enable Outbound relaying
Purpose: Ensures outbound mail is protected with outbound scanning
Benefit: Prevents your domain from sending malicious content
Recommendation: Always enable
✅ Enable Disclaimers
Purpose: Adds disclaimers to emails
Benefit: Legal protection and professional branding
Recommendation: Enable if required by legal/compliance
✅ Enable SMTP Discovery
Purpose: Another way to provision users to the service
Benefit: Automatic user discovery and provisioning
Recommendation: Enable for easier user management
Step 2: Data Loss Prevention
✅ Enable Data Loss Prevention (DLP)
Purpose: Adds various data loss prevention options
Features:
- Dictionaries for sensitive content detection
- Smart identifiers (SSN, Credit Cards, etc.)
- Custom content policies
Recommendation: Essential for compliance
DLP Configuration Steps:
1. Navigate to Email > Filters > Data Loss Prevention
2. Configure dictionaries for your industry
3. Set up smart identifiers for relevant data types
4. Create policies for different user groups
Step 3: Advanced Threat Protection
✅ Enable URL Defense
Purpose: Scans inbound emails for malicious links
How it works:
1. Rewrites URLs in emails
2. Performs click-time analysis
3. Blocks access to malicious sites
Recommendation: Critical security feature
✅ Enable Attachment Defense
Purpose: Scans emails for known malicious attachments
Protection: Against attachment-based threats
Recommendation: Always enable
✅ Enable Attachment Defense Sandboxing
Purpose: Scans unknown attachments in isolated environment
Process:
1. Unknown attachments are held temporarily
2. Analyzed in secure sandbox
3. Released or quarantined based on analysis
Recommendation: Enable for maximum protection
Step 4: Additional Protection Features
✅ Enable Social Media Account Protection
Purpose: Protects against social media-based threats
Benefit: Extends protection beyond traditional email threats
Recommendation: Enable for comprehensive protection
✅ Enable Email Encryption
Purpose: Provides email encryption capabilities
Use cases:
- Sensitive data transmission
- Compliance requirements
- Secure communication
Recommendation: Enable if encryption is required
✅ Enable Anti-Spoofing Policies
Purpose: Provides additional DMARC policy controls
Benefit: Enhanced protection against domain spoofing
Recommendation: Always enable
Note: This unlocks Email Warning Tags (next section)
Step 5: Administrative Features
✅ Enable One Click Removal
Purpose: Allow admins to remove mail from user mailboxes
Requirement: Properly configured Microsoft environment
Benefit: Quick response to identified threats
Recommendation: Enable for incident response
✅ Enable Automatic Remediation
Purpose: Removes malicious email discovered after delivery
Process:
1. Threat identified post-delivery
2. Automatically removed from user mailboxes
3. Users notified of removal
Requirement: Correctly configured Microsoft environment
Recommendation: Essential for advanced threat response
🏷️ Email Warning Tags Configuration
Email Warning Tags provide visual cues to users about potentially dangerous emails.
Prerequisites
Anti-Spoofing Policies must be enabled first (see previous section).
Step 1: Access Email Warning Tags
- Navigate to Email > Email Tagging
- Confirm Email Warning Tags is enabled
- Access Tag Types configuration
Step 2: Configure Informational Tags
✅ External Sender Tag
Purpose: Informs users when email comes from outside the organization
Display: Banner at top of email
User Impact: Promotes security awareness
Configuration: Enable with custom messaging
Recommended Message:
⚠️ EXTERNAL EMAIL: This email originated from outside your organization.
Exercise caution with links and attachments.
Step 3: Configure Warning Tags
✅ DMARC Failure Tag
Purpose: Informs users when email fails DMARC authentication
Display: Warning banner
Significance: High security risk indicator
Action: Usually blocks email, but provides user notification
✅ Newly Registered Domain Tag
Purpose: Warns about emails from recently registered domains
Risk: Newly registered domains often used in phishing
Display: Warning banner with age information
Recommendation: Enable with 30-day threshold
✅ High Risk GEO IP Tag
Purpose: Warns about emails from high-risk geographical locations
Risk Assessment: Based on threat intelligence
Display: Country/region information
Customization: Configure risk levels per region
Step 4: Configure Tag Display Options
✅ Display a link in the warning tag to learn more
Purpose: Provides users with additional security education
Implementation: Links to your security training materials
Content: Explain why the warning appeared
✅ Allow users to perform actions on learn more
Purpose: Enable user reporting and feedback
Actions:
- Report as phishing
- Report as safe
- Request review
Benefit: Improves threat intelligence
✅ Include additional text below the warning tag
Purpose: Provide specific guidance to users
Content Examples:
- "Contact IT if you believe this is legitimate"
- "Do not click links or download attachments"
- "Forward suspicious emails to security@yourdomain.com"
Step 5: Tag Customization
Create organization-specific messaging:
External Sender Template:
🌐 EXTERNAL EMAIL
This message originated from outside yourdomain.com.
Verify sender identity before clicking links or downloading attachments.
Questions? Contact IT at extension 1234.
High Risk Warning Template:
⚠️ HIGH RISK EMAIL DETECTED
This email has characteristics associated with phishing or malware.
• Do not click any links
• Do not download attachments
• Forward to security@yourdomain.com for analysis
🔑 DKIM Key Management
Step 1: Generate DKIM Keys
- Navigate to DKIM Configuration
  - Email > Authentication > DKIM
  - Select your domain
- Generate Key Pair
  - Click Generate New Key
  - Select key size (2048-bit recommended)
  - Choose selector name (or use auto-generated)
- Obtain Public Key
  - Copy the public key provided
  - Note the selector name (e.g., selector-1678913997)
Step 2: DNS Publication
The public key from Step 1 should already be in your DNS from Part 2:
Type: TXT
Name: selector-1678913997._domainkey.yourdomain.com
Value: "v=DKIM1; k=rsa; t=s; n=core; p=[LONG_PUBLIC_KEY_STRING]"
Step 3: Key Verification
- In Proofpoint: Click Verify DNS Record
- External Verification: Use online DKIM checkers
- Test Email: Send test email and check headers
Step 4: Key Rotation (Quarterly)
- Generate new key pair in Proofpoint
- Publish new public key to DNS
- Wait for DNS propagation (24-48 hours)
- Activate new key in Proofpoint
- Remove old key from DNS after 1 week
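Before clicking Verify DNS Record in Step 3, and again for the new selector during rotation, the TXT value can be checked locally. This added example is not from Proofpoint or the original post; the function names are hypothetical and the sample record is constructed (not a real key). It joins the quoted chunks DNS uses for values over 255 bytes, then confirms that p= holds a complete RSA key of at least 2048 bits.

```python
import base64

def parse_dkim_txt(txt):
    """Join a TXT record's quoted chunks, then split it into DKIM tags."""
    if '"' in txt:  # DNS stores values over 255 bytes as several quoted strings
        txt = "".join(txt.split('"')[1::2])
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_bits(der):
    """Modulus size in bits of the RSA SubjectPublicKeyInfo carried in p=."""
    _, start, end = _tlv(der, 0)                 # outer SEQUENCE
    if end != len(der):
        raise ValueError("key is truncated")
    _, _, alg_end = _tlv(der, start)             # AlgorithmIdentifier
    _, bits_start, _ = _tlv(der, alg_end)        # BIT STRING
    _, key_start, _ = _tlv(der, bits_start + 1)  # RSAPublicKey SEQUENCE
    _, n_start, n_end = _tlv(der, key_start)     # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_record(txt, min_bits=2048):
    """Return the problems found in a DKIM key record (empty list = OK)."""
    tags = parse_dkim_txt(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return ["expected v=DKIM1 and k=rsa"]
    try:
        bits = rsa_key_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except (ValueError, IndexError):
        return ["p= is empty, cut off, or not an RSA public key"]
    return [f"RSA key is {bits} bits, below {min_bits}"] if bits < min_bits else []

def _enc(tag, body):  # DER-encode one element; only used to build the sample
    n = len(body)
    size = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + size + body

def sample_record(modulus_bytes):  # constructed record: modulus is a run of 0xC3
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID
    key = _enc(0x30, _enc(0x02, b"\x00" + b"\xc3" * modulus_bytes) + _enc(0x02, b"\x01\x00\x01"))
    p = base64.b64encode(_enc(0x30, alg + _enc(0x03, b"\x00" + key))).decode()
    return f'"v=DKIM1; k=rsa; t=s; n=core; p={p[:200]}" "{p[200:]}"'
```

Pass `check_record` the TXT value exactly as your DNS tool returns it; a record where only the first quoted string was pasted into the DNS provider is reported as cut off.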
👥 User Provisioning and SSO Setup
User Provisioning Options
Option 1: SMTP Discovery (Recommended)
- Enabled in Features (see previous section)
- Process: Users automatically discovered when they send/receive email
- Benefit: No manual user management required
Option 2: Manual Provisioning
- Navigate: Users > Add Users
- Process: Manually add individual users
- Use case: Small organizations or specific user groups
Option 3: Bulk Import
- Navigate: Users > Import Users
- Process: Upload CSV file with user information
- Use case: Large organizations or initial setup
Single Sign-On (SSO) Configuration
While specific SSO configuration varies by identity provider, here are the general steps:
Step 1: Identity Provider Setup
Common Providers:
- Azure Active Directory (most common with O365)
- ADFS
- Okta
- Ping Identity
Step 2: Proofpoint SSO Configuration
- Navigate: Settings > Authentication > Single Sign-On
- Configure:
  - Identity Provider metadata
  - Attribute mappings
  - Group assignments
- Test: Verify SSO login functionality
Step 3: User Communication
Inform users about:
- New login process
- Portal access URL
- Quarantine management capabilities
💡 Tip: For detailed SSO configuration, consult Proofpoint documentation specific to your identity provider.
📋 Configuration Verification Checklist
Domain Configuration:
- [ ] Domain type set to "Relay"
- [ ] Correct O365 mail protection endpoint configured
- [ ] Domain status shows as "Active"
Security Features:
- [ ] All critical features enabled (URL Defense, Attachment Defense, etc.)
- [ ] DLP policies configured for your organization
- [ ] Anti-spoofing policies enabled
Email Warning Tags:
- [ ] External sender tags configured
- [ ] Warning tags for high-risk scenarios enabled
- [ ] Custom messaging appropriate for your organization
- [ ] "Learn more" links configured
DKIM Configuration:
- [ ] DKIM keys generated in Proofpoint
- [ ] Public keys published in DNS
- [ ] DKIM verification successful
- [ ] Key rotation schedule established
User Access:
- [ ] User provisioning method selected and configured
- [ ] SSO setup completed (if required)
- [ ] User communication plan executed
🚨 Security Best Practices
Feature Management
- Enable gradually: Don't enable all features at once
- Monitor impact: Watch for false positives and user complaints
- Regular review: Quarterly assessment of feature effectiveness
Tag Configuration
- Clear messaging: Use simple, actionable language
- Consistent branding: Match your organization's communication style
- Regular updates: Refresh messaging based on threat landscape
DKIM Management
- Secure key storage: Protect private keys appropriately
- Regular rotation: Change keys quarterly
- Multiple selectors: Consider using multiple DKIM keys for redundancy
🎯 What's Next
With Proofpoint fully configured, we'll move to Part 5 where we'll cover:
- Comprehensive testing methodology
- Office 365 message tracing and troubleshooting
- Mail flow verification procedures
- Common issues and their solutions
- Monitoring and maintenance procedures
The integration is nearly complete - Part 5 will ensure everything works correctly and provide you with the tools to maintain and troubleshoot the system.
Remember to enable features gradually and monitor their impact on mail flow and user experience.