MXroute behind Proofpoint Essentials

Hi,

I have a question on using MXroute behind Proofpoint Essentials.
Proofpoint is a product that cleans mail of spam, viruses, etc.

Because of this, Proofpoint has the main MX record for the domain.
https://help.proofpoint.com/Proofpoint_Essentials/Administrator_Topics/000_gettingstarted/020_connectiondetails

And you configure Proofpoint to forward the mail to MXroute.
But this seems to fail for some domains. Probably because of SPF records?

host arrow.mxrouting.net[116.202.115.120] said: 550-SPF:
185.132.181.6 is not allowed to send mail from

Is it possible to somehow “whitelist” the domains that Proofpoint uses for forwarding?
I can’t find any option for this.

Thank you

So what we’d actually need to do here is whitelist the IPs of theirs on the server side, for the purpose of excluding them from SPF checks. I don’t currently have a plan for that on this product iteration, but I will dig into it and let you know what I come up with.

You would need to combine the SPF records so that both MXroute and Proofpoint are allowed to send from your domain. Theirs is "v=spf1 a:dispatch-eu.ppe-hosted.com ~all", ours is "v=spf1 include:mxroute.com ~all". Combining them, you would get this record: "v=spf1 include:mxroute.com a:dispatch-eu.ppe-hosted.com ~all"

You would need the above if you were sending from your domain using Proofpoint. I misunderstood their service. They forward email to us without using SRS, thus SPF fails. Check Jarland’s answer.
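As an added illustration of why the forwarded mail bounces and what the combined record and SRS would change (example code written for this thread, not from MXroute or Proofpoint; the DNS data is a constructed stand-in, and the mxroute.com include is an assumed placeholder, not their real record):

```python
import hashlib
import hmac
import ipaddress

# Constructed DNS stand-in (not real records; the IPs are the ones from the bounce above).
DNS = {
    "example.com": {"TXT": "v=spf1 include:mxroute.com a:dispatch-eu.ppe-hosted.com ~all"},  # combined record
    "sender.example": {"TXT": "v=spf1 a -all", "A": ["203.0.113.10"]},  # third party mailing the customer
    "mxroute.com": {"TXT": "v=spf1 ip4:116.202.115.0/24 ~all"},  # assumed placeholder, not MXroute's record
    "dispatch-eu.ppe-hosted.com": {"A": ["185.132.181.6"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Minimal SPF evaluator for the a, ip4, include and all mechanisms."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    rec = DNS.get(domain, {}).get("TXT")
    if not rec or not rec.startswith("v=spf1"):
        return "none"
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "a":  # bare "a" refers to the domain being checked
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif name == "include":  # only a "pass" of the included record matches
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT[qual]
    return "neutral"

def srs_rewrite(envelope_from, forwarder_domain, secret):
    """Simplified SRS0 rewrite: the envelope sender becomes an address at the forwarder's
    domain, so the receiver evaluates SPF against that domain's record instead."""
    local, _, orig_domain = envelope_from.rpartition("@")
    ts = "TT"  # real SRS encodes a base32 day counter here and base64-encodes the HMAC
    mac = hmac.new(secret, f"{ts}{orig_domain}{local}".encode(), hashlib.sha1).hexdigest()[:4]
    return f"SRS0={mac}={ts}={orig_domain}={local}@{forwarder_domain}"

def spf_for_envelope(ip, envelope_from):
    """SPF result the receiving host computes for a connection from ip with this MAIL FROM."""
    return check_spf(ip, envelope_from.rpartition("@")[2])
```

Mail from sender.example relayed by the Proofpoint IP fails, because sender.example's record knows nothing about Proofpoint; only an SRS-rewritten envelope (or the customer's own domain with the combined record) passes.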

I’ve not found Proofpoint, mxguardian, and so on particularly helpful in shared mail environments.

From prior experience, spammers will directly connect to the mail server instead of “following the rules” and using the MX records. On a dedicated mail server (e.g. company Exchange server), you can whitelist only Proofpoint and then deny everything else. That’s not possible to do in a shared mail environment.

https://www.spamhero.com/support/102935/Preventing_Spammers_from_Sending_Email_Directly_to_Dedi

Ideally they wouldn’t know what server to connect to since the MX would point elsewhere, but they still might find out. Some great DNS history tools out there these days.

Usually they just look for the CNAME of mail, webmail, imap, smtp, etc. and try that. Most businesses I’ve seen use mail as a convenience to their users, and that’s what the bots pick up as well. It is definitely not as large as the MX angle, but looking at logs, about 20% of attempts bypass Proofpoint-style approaches. For these 20%, it’s less traditional “spam” and more crypto/malware attacks.
