Mxroute behind proofpoint essentials

jochristian · December 4, 2019, 9:25pm

Hi,

I got an question on using mxroute behind proofpoint essentials.
Proofpoint is an product that clean mails for spam, viruses etc.

Because of this proofpoint has the main mx record for the domain.
https://help.proofpoint.com/Proofpoint_Essentials/Administrator_Topics/000_gettingstarted/020_connectiondetails

And you configure proofpoint to forward the mails to mxroute.
But this seems to fail for some domains. Probably because of SPF records?

host arrow.mxrouting.net[116.202.115.120] said: 550-SPF:
185.132.181.6 is not allowed to send mail from

Is it possible to somehow “whitelist” the domains that Proofpoint uses for forwarding?
Can’t find any option for this.

Thank you

Jarland · December 4, 2019, 9:25pm

So what we’d actually need to do here is whitelist the IPs of theirs on the server side, for the purpose of excluding them from SPF checks. I don’t currently have a plan for that on this product iteration, but I will dig into it and let you know what I come up with.

Louis · December 4, 2019, 9:25pm

You would need to combine the SPF records so that both MXroute and proofpoint are allowed to send from your domain. Theirs is "v=spf1 a:dispatch-eu.ppe-hosted.com ~all", ours is "v=spf1 include:mxroute.com ~all" Combining them you would get this record: "v=spf1 include:mxroute.com a:dispatch-eu.ppe-hosted.com ~all"

You would need the above if you were sending from your domain using proofpoint. I misunderstood their service. They forward email to us without using SRS, thus spf fails. Check Jarland’s answer.

barik · December 4, 2019, 9:25pm

I’ve not found Proofpoint, mxguardian, and so on particularly helpful in shared mail environments.

From prior experience, spammers will directly connect to the mail server instead of “following the rules” and using the MX records. On a dedicated mail server (e.g. company Exchange server), you can whitelist only Proofpoint and then deny everything else. That’s not possible to do in a shared mail environment.

https://www.spamhero.com/support/102935/Preventing_Spammers_from_Sending_Email_Directly_to_Dedi

Jarland · April 3, 2022, 6:43pm

Ideally they wouldn’t know what server to connect to since the MX would point elsewhere, but they still might find out. Some great DNS history tools out there these days.

barik · November 13, 2021, 8:35pm

Usually they just look for the CNAME of mail, webmail, imap, smtp, etc. and try that. Most business I’ve seen use mail as a convenience to their users, and that’s what the bots pick up as well. It is definitely not as large as the MX angle, but looking at logs about 20% of attempts bypass proofpoint-style approaches. For these 20%, it’s less traditional “spam” and more crypto/malware attacks.