PROBLEM
From time to time, we encounter issues where a client's company receives email from another company or division that it is tightly knit with. The sending company's email goes to quarantine or is otherwise blocked systematically, for instance because the messages from that organisation come from distribution groups that accept external senders, which breaks email authentication.
SOLUTION
One way to fix this is to create a direct tunnel between the sister company (not necessarily on Proofpoint) and the recipient company: the sending org bypasses MX resolution and sends directly to the recipient company's O365 tenant.
ISSUE:
Most of the time, when we deploy Proofpoint Essentials with a client, there's a lockdown rule that gets in the way and prevents the tunnelling from working.
REQUIREMENTS:
Both tenants need to be on Microsoft 365.
PROCEDURE:
So let's say you have two organisations:
widgetinc.com: not on Proofpoint, but you manage their O365 tenant.
gadgetinc.com: on Proofpoint, and you manage their O365 tenant.
On the widgetinc.com side:
In Microsoft Exchange Online ...
Create a new connector
Call it "Direct To Gadget"
From O365 to Partner Organisation
If invoked by a rule
route the mail to gadgetinc-com.mail.protection.outlook.com
Create a new rule
Call it "GadgetDirect"
if the recipient domain is gadgetinc.com
add new header element name: "x-forwarded-from-widgetinc" with a value of "true"
and redirect to "Direct To Gadget" Connector
On the gadgetinc.com side:
Modify the existing Proofpoint Inbound lockdown rule and add a new exception:
... and if the header contains an element called: "x-forwarded-from-widgetinc" with a value of "true"
This will force widgetinc.com to send direct to gadgetinc.com and bypass the lockdown.
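The same two-sided setup as an added example in Exchange Online PowerShell (ExchangeOnlineManagement module); this is not from the original post. The admin UPNs and the lockdown rule name pattern are placeholders, and the TLS setting on the connector is an addition beyond the steps above.

```powershell
# ---- widgetinc.com tenant (sending side) ----
Connect-ExchangeOnline -UserPrincipalName admin@widgetinc.com   # placeholder UPN

# Connector "Direct To Gadget": O365 -> partner organisation, only used when a
# transport rule routes to it; skips MX lookup and delivers straight to the
# recipient tenant's Exchange Online Protection endpoint.
New-OutboundConnector -Name "Direct To Gadget" `
    -ConnectorType Partner `
    -IsTransportRuleScoped $true `
    -UseMXRecord $false `
    -SmartHosts "gadgetinc-com.mail.protection.outlook.com" `
    -TlsSettings EncryptionOnly      # added: require TLS on the direct hop

# Rule "GadgetDirect": stamp the marker header and hand all mail addressed to
# gadgetinc.com to the connector above.
New-TransportRule -Name "GadgetDirect" `
    -RecipientDomainIs "gadgetinc.com" `
    -SetHeaderName "x-forwarded-from-widgetinc" `
    -SetHeaderValue "true" `
    -RouteMessageOutboundConnector "Direct To Gadget"

# Optional check that the connector can actually reach a recipient in the
# partner tenant (use a real mailbox there).
Validate-OutboundConnector -Identity "Direct To Gadget" -Recipients "someone@gadgetinc.com"

Disconnect-ExchangeOnline -Confirm:$false

# ---- gadgetinc.com tenant (receiving side) ----
Connect-ExchangeOnline -UserPrincipalName admin@gadgetinc.com   # placeholder UPN

# Locate the existing Proofpoint inbound lockdown rule. The name pattern is an
# assumption; substitute the exact rule name used in your tenant.
$lockdown = Get-TransportRule |
    Where-Object { $_.Name -like "*Proofpoint*" -and $_.Name -like "*lockdown*" } |
    Select-Object -First 1

# Review what the rule already excepts before touching it: Set-TransportRule
# overwrites the value of the header exception, it does not append to it.
$lockdown | Format-List Name, ExceptIf*

# Add the exception: skip the lockdown when the marker header is present and
# carries the value "true".
Set-TransportRule -Identity $lockdown.Identity `
    -ExceptIfHeaderContainsMessageHeader "x-forwarded-from-widgetinc" `
    -ExceptIfHeaderContainsWords "true"

Disconnect-ExchangeOnline -Confirm:$false
```

The marker header is a fixed string rather than anything authenticated, so the exception is only as strong as the CAVEAT below implies; keep the rest of the lockdown rule's conditions intact and review mail that hits this exception.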
CAVEAT:
You're obviously bypassing the security between Widgetinc and Gadgetinc. So YMMV.