Before proceeding at this point, verify that the following have been completed:

  • All domains have been verified, set to the correct delivery destination, and have had the relay enabled for at least 1 hour
  • All domains have had their SPF records updated to account for Proofpoint
  • All user mailboxes have been added to Proofpoint successfully

Additionally, ensure that the O365 account used for the configuration has global administrator rights.

Create Inbound Connector

  • Log into the O365 Exchange Admin Center
  • Navigate to Mail Flow > Connectors > + Add a Connector
  • Select "From Partner Organization to O365"
  • Enter a name such as "Inbound connector for Proofpoint Essentials," then click Next
  • Under "Authenticating Sent Email," select "By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization"
  • On this page, add each of the IP address ranges for your region as listed on the Connection Details page
    • Click in the text box, then paste in one CIDR range
    • Click the + button
    • Repeat for each of the IP ranges

Microsoft will only allow you to specify CIDR ranges of /24 or smaller when configuring connectors. However, the Connection Details page linked above also contains the /24 equivalents of the larger ranges in your region's list. Once all the IP ranges have been added, click Next.

  • Under "Security Restrictions," ensure "Reject email messages if they aren't over TLS" is checked, then click Next
  • Review the settings, then click Create Connector
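The /24 limit described above can be handled with a short script before pasting ranges into the connector. This is an added example, not part of the original guide or any Proofpoint tooling: it splits larger ranges into /24 entries, drops duplicates, rejects malformed entries, and confirms the result covers exactly the same addresses. The function name and `SAMPLE_RANGES` are constructed placeholders (not Proofpoint's real ranges), and IPv4-only input is assumed.

```python
import ipaddress

# Constructed placeholder input, NOT Proofpoint's real ranges.
# Copy the real list for your region from the Connection Details page.
SAMPLE_RANGES = [
    "198.18.4.0/22",     # larger than /24: must be split
    "198.18.5.0/24",     # already covered by the /22 above
    "198.51.100.0/24",
    "203.0.113.16/28",   # smaller than /24: accepted as-is
    "198.51.100.7/24",   # host bits set: almost certainly a typo
]

LARGEST_ALLOWED_PREFIX = 24  # connectors accept /24 or smaller ranges


def connector_ranges(ranges):
    """Return (entries, rejected).

    entries:  CIDR strings, each /24 or smaller, ready to paste one by one.
    rejected: (text, reason) pairs for input that could not be parsed.
    """
    nets, rejected = [], []
    for text in ranges:
        try:
            # strict=True refuses entries whose host bits are set
            nets.append(ipaddress.IPv4Network(text.strip(), strict=True))
        except ValueError as exc:
            rejected.append((text, str(exc)))

    entries = []
    # Collapse first so overlapping or duplicate input is listed only once
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen < LARGEST_ALLOWED_PREFIX:
            entries.extend(net.subnets(new_prefix=LARGEST_ALLOWED_PREFIX))
        else:
            entries.append(net)

    # The split list must cover exactly the addresses that were supplied
    before = list(ipaddress.collapse_addresses(nets))
    after = list(ipaddress.collapse_addresses(entries))
    if before != after:
        raise RuntimeError("split ranges do not match the input coverage")
    return [str(n) for n in entries], rejected


if __name__ == "__main__":
    ok, bad = connector_ranges(SAMPLE_RANGES)
    print("\n".join(ok))
    for text, reason in bad:
        print(f"REJECTED {text}: {reason}")
```

Review any rejected entries by hand rather than correcting them automatically, since a mistyped range would change which senders the connector trusts.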

Create Outbound Connector

  • In the Exchange Admin Center, navigate to Mail Flow > Connectors > +
  • Select “from O365 to partner organization”
  • Set the name to “Outbound connector for Proofpoint Essentials”
  • Uncheck the “turn it on” checkbox
  • Under “when do you want to use this connector,” select “only when email messages are sent to these domains”
  • Enter * and click the + to add
  • Under “how do you want to route email messages,” select “Route email through these smart hosts”
  • Enter the appropriate smart host for your region, as listed on the Connection Details page

    • US customers:
    • EU customers:

  • Under "Security restrictions," leave the default values of “Always use TLS” and “issued by a trusted certificate authority”
  • Enter an email address to receive a validation email, then click Validate

Sometimes the validation reports a failure even though you still receive the test email. This is expected behavior, so as long as the test email is delivered successfully, you may proceed.

Bypass O365's Spam Filtering for Proofpoint

  • In the Exchange Admin Center, navigate to Mail Flow > Rules
  • Click the + to add a new rule
  • Enter a name such as "Bypass Spam Filtering for Proofpoint"
  • Apply this rule if:
    • The Sender > IP Address > Is in this range or exactly matches
    • Add each of the Proofpoint IP address ranges for your region
  • Do the following:
    • Modify the message properties > Set the spam confidence level > Bypass spam filtering
  • If you use Microsoft's ATP / Safelinks URL rewriting:
    • Also select Modify the message properties > Set a message header
    • Set the message header X-MS-Exchange-Organization-SkipSafeLinksProcessing to the value: 1
  • When finished, click Save

Proceed to next step: Test Mail Flow