Moving a client from stack to stack on proofpoint

Created by Yves Lacombe, Modified on Thu, 12 Jan 2023 at 04:30 PM by Yves Lacombe

Who is this for:

MSP partners that have clients on multiple stacks that would prefer having everyting grouped up in a single stack.


We can move most things from stack to another, except for the quarantine contents and mail archives.  So this process should only be used with clients that don't have an archive.  And it does require our intervention.


Proofpoint does plan on going stackless at some point in the future.

Process of moving a client from stack to stack, in a nutshell

Destination stack = US4
Source stack = US1

Lets say the domain is called

  1. We extract the user WL/BL from US1 into a .json file 

  2. We setup on as a temporary spam filter in preperation for the swap [ is a mail filtering cluster we use with vircom clients who don't necessarily want to go with proofpoint, we use it as temporary filter since there's normally downtime during a procedure like this.  This is a temporary mail flow maintenance method]

  3. On the client's O365 tenant or exchange (firewall), make sure it can accept mail from's IPs (telnet test should reveal this)

  4. We make sure that is in client's SPF records, and also o365 itself and exchange IP (if on prem)

  5. We need to temporarily configure office365/exchange to send mail out directly to the internet instead of proofpoint.

  6. We get the client to switch their mail traffic from to use instead, temporarily

  7. We wait till mail flow is established (say, 24 hours)

  8. We set the original tenant on US1 as a management domain instead of relayed domain (

  9. We create the company on US4 as a relayed domain and get it verified (TXT record added to verify the domain)

  10. We setup the azure sync on US4 (office365) or AD Sync (exchange) and populate on  US4.

  11. We import the user WL/BL from the .json file taken originally on US1 into US4

  12. telnet test to on port 25 to see if proofpoint ready to relay mail inbound again (via US4 this time)

  13. Once confirmed, we change the mx record back for the client from mx1/

  14. We configure office365/exchange to point back to proofpoint for outbound mail traffic.

  15. At this point, client is live on new stack.  You can still manually release content from the old stack

  16. After a few days, disable client on US1.

That's pretty much it.

So we use as a temporary solution to prevent mail flow interruption in between.