Complete install process for clients on Office365 with Proofpoint

Created by Abderrahim Ibnou el kadi, Modified on Tue, 14 Sep 2021 at 09:20 AM by Abderrahim Ibnou el kadi


This document summarizes the ten (10) steps needed to set up a client that uses Office 365 on Proofpoint.

During the process you might be redirected to other links, but always return to this page to go to the next step.

1. Verify your domain

Get the TXT value (screenshot below). On your DNS portal, add a new TXT record and populate it with this value. Wait a few minutes, then VERIFY your DOMAIN.

2. Configure Azure Directory Sync

Azure Directory Sync allows Proofpoint to sync automatically with Office 365, pull any existing or new mailbox, and add it to the Proofpoint portal.

To configure it, follow the instructions in this link <Click here>

3. Set up the primary SMTP email server

a. Find your mail server FQDN on Office 365.

b. Once you have your O365 MX record, add it to the Proofpoint portal by clicking the 3 dots on the far right, then selecting Edit Domain in the menu (screenshot below).

4. Enable Inbound Relay

Once this is turned on, you must wait 1 hour before external messages start to be accepted; until then, all messages will be rejected with the error “Relay access denied”.

5. Enable Outbound relay 

Activate the option "Enable Outbound relaying" under Account Management > Features (Figure 1), then add all Office 365 IPs to the allow list under Management > Domains > "Managed Hosted Services" button (Figure 2).

Important: When this feature is enabled, do not enable the SMART host from your Exchange Online yet. Give the change time (about 1 hour) to propagate across the Proofpoint platform.

If you get the error “Relay access denied”, wait a few more minutes. Contact support if the wait ever exceeds 1 hour.

Figure 1:

Figure 2:

6. Create the necessary RULES and CONNECTORS

Once the Azure Sync is done, we need to create TWO rules and TWO connectors.

Rules: The first RULE locks down the tenant so that only messages from Proofpoint IP addresses are accepted. The second is to NOT scan messages coming from Proofpoint.

Connectors: The first connector BLOCKS all incoming connections NOT coming from Proofpoint IPs. The second ROUTES all outbound messages to the Proofpoint platform so we can scan them and apply any rules (i.e. encryption, DLP), then send them to the internet.


To complete this step, follow the instructions in this link <Click Here>

7. Deploy Outlook Add-In

The Outlook Add-In is an extra feature offered to all users that lets them report SPAM and Block or Trust senders. They can also Decode URL, Go to Archive, or go directly to their quarantine portal. Follow the instructions in the link below to deploy it for ALL/Some users.

To complete this step, follow the instructions in this link <Click here>

8. Enable Encryption (For Advanced and Professional plan only)


This feature applies to Outbound mail only. Note that enabling Encryption does not affect ALL outbound mail: to trigger it, you must either include the keyword in the subject line or use the Send Secure button in Outlook. Follow the steps in the link below to set this up.

To complete this step, follow the instructions in this link <Click here>

9. Enable Archive (for Professional plan only)

With Proofpoint Essentials, it is now possible to enable archive for inbound and outbound emails. The process requires enabling the archive feature, then creating a connector on Proofpoint Essentials, and then finalizing the setup with an Office 365 send connector.

To complete this step, follow the instructions in this link <Click here>

10. Change MX record 

Finally, after enabling Inbound and Outbound relay and waiting for 1 hour, you can now:

a. Change the MX record to point to both Proofpoint MX records.

Proofpoint Essentials-US
Proofpoint Essentials-EU

b. Enable the Outbound Connector "Proofpoint Outbound Connector via VircomPortal" from your Exchange Online to route ALL outbound mail to the Proofpoint portal (Figure 1), and also enable the RULE "Proofpoint Bypass Spam Filtering Rule via VircomPortal" under the RULES section (Figure 2).

Note: After two/three days you can enable the remaining Rule and Connector.

Figure 1: 

Figure 2:

Just a Tip:

To verify that the MX change has propagated correctly through DNS, navigate to this site, enter the domain name, choose MX from the drop-down menu, then click on search. The results will give you an idea of how fast and how many DNS servers picked up the new MX change.
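
The same propagation check can be run from a command line. The script below is an added example, not part of the original article or Proofpoint tooling: it asks three public resolvers for the domain's MX records and reports whether each one sees only the new MX hosts (`cutover`), still sees the old record alongside them (`mixed`), or has not picked up the change at all (`old`), which is worth knowing before enabling the remaining lockdown Rule and Connector. It assumes `dig` is installed; the domain and the expected MX hostnames are passed as arguments, and the choice of resolvers is this example's own.

```shell
#!/bin/sh
# Added example, not Proofpoint tooling. Requires `dig` for the live check.

# mx_state EXPECTED_HOST...   (expected hosts in any case, no trailing dot)
# Reads `dig +short MX` output ("<pref> <host>.") on stdin and prints:
#   cutover  every MX returned is one of the expected hosts
#   mixed    expected hosts plus at least one other MX (old record still live)
#   old      no expected host in the answer
#   empty    no usable MX answer (timeout, NXDOMAIN, error text)
mx_state() {
    expected=" $(printf '%s ' "$@" | tr 'A-Z' 'a-z')"
    good=0
    other=0
    while read -r pref host; do
        # Accept only "<numeric preference> <host>" lines; skip dig error text.
        case "$pref" in ''|*[!0-9]*) continue ;; esac
        [ -n "$host" ] || continue
        host=$(printf '%s' "${host%.}" | tr 'A-Z' 'a-z')
        case "$expected" in
            *" $host "*) good=$((good + 1)) ;;
            *)           other=$((other + 1)) ;;
        esac
    done
    if [ "$good" -eq 0 ] && [ "$other" -eq 0 ]; then echo empty
    elif [ "$other" -eq 0 ]; then echo cutover
    elif [ "$good" -eq 0 ]; then echo old
    else echo mixed
    fi
}

# check_propagation DOMAIN EXPECTED_HOST...
# Asks three public resolvers (chosen for this example) what they see.
check_propagation() {
    domain=$1
    shift
    for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
        state=$(dig +short +time=3 +tries=1 MX "$domain" "@$resolver" | mx_state "$@")
        printf '%-10s %s\n' "$resolver" "$state"
    done
}

# Usage: sh mxcheck.sh DOMAIN EXPECTED_MX_HOST [EXPECTED_MX_HOST...]
if [ "$#" -ge 2 ]; then
    check_propagation "$@"
fi
```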