Implementing Proofpoint Email Security Gateway Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per da…

,\n r'\\.proofpoint\\.com

Implementing Proofpoint Email Security Gateway Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per da…

,\n r'mail\\.protection\\.proofpoint\\.com

Implementing Proofpoint Email Security Gateway Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per da…

,\n]\n\nPROOFPOINT_SPF_INCLUDES = [\n 'spf-a.proofpoint.com',\n 'spf-b.proofpoint.com',\n 'spf.proofpoint.com',\n 'pphosted.com',\n]\n\nPROOFPOINT_HEADER_MARKERS = [\n 'X-Proofpoint-Spam-Details',\n 'X-Proofpoint-Virus-Version',\n 'X-Proofpoint-GUID',\n 'X-Proofpoint-ORIG-GUID',\n]\n\n\ndef check_mx_records(domain: str) -> MXCheckResult:\n \"\"\"Check if domain MX records route through Proofpoint.\"\"\"\n result = MXCheckResult(domain=domain)\n\n if not HAS_DNS:\n result.issues.append(\"dnspython not installed. Install with: pip install dnspython\")\n return result\n\n try:\n answers = dns.resolver.resolve(domain, 'MX')\n for rdata in sorted(answers, key=lambda r: r.preference):\n mx_host = str(rdata.exchange).rstrip('.')\n result.mx_records.append({\n \"priority\": rdata.preference,\n \"host\": mx_host\n })\n for pattern in PROOFPOINT_MX_PATTERNS:\n if re.search(pattern, mx_host, re.IGNORECASE):\n result.routes_through_proofpoint = True\n result.proofpoint_mx = mx_host\n break\n except dns.resolver.NXDOMAIN:\n result.issues.append(f\"Domain {domain} does not exist\")\n except dns.resolver.NoAnswer:\n result.issues.append(f\"No MX records found for {domain}\")\n except Exception as e:\n result.issues.append(f\"DNS query failed: {str(e)}\")\n\n if not result.routes_through_proofpoint and result.mx_records:\n result.issues.append(\n \"MX records do not point to Proofpoint. \"\n \"Expected pattern: *.pphosted.com or *.proofpoint.com\"\n )\n\n return result\n\n\ndef check_authentication(domain: str) -> AuthCheckResult:\n \"\"\"Check SPF, DKIM, and DMARC records for Proofpoint alignment.\"\"\"\n result = AuthCheckResult(domain=domain)\n\n if not HAS_DNS:\n result.issues.append(\"dnspython not installed. Install with: pip install dnspython\")\n return result\n\n # Check SPF\n try:\n answers = dns.resolver.resolve(domain, 'TXT')\n for rdata in answers:\n txt = str(rdata).strip('\"')\n if txt.startswith('v=spf1'):\n result.spf_record = txt\n for include in PROOFPOINT_SPF_INCLUDES:\n if include in txt:\n result.spf_includes_proofpoint = True\n break\n break\n except Exception:\n result.issues.append(\"Could not retrieve SPF record\")\n\n if result.spf_record and not result.spf_includes_proofpoint:\n result.issues.append(\n \"SPF record does not include Proofpoint. \"\n \"Add: include:spf-a.proofpoint.com\"\n )\n\n # Check DMARC\n try:\n dmarc_domain = f\"_dmarc.{domain}\"\n answers = dns.resolver.resolve(dmarc_domain, 'TXT')\n for rdata in answers:\n txt = str(rdata).strip('\"')\n if txt.startswith('v=DMARC1'):\n result.dmarc_record = txt\n policy_match = re.search(r'p=(\\w+)', txt)\n if policy_match:\n result.dmarc_policy = policy_match.group(1)\n break\n except Exception:\n result.issues.append(\"No DMARC record found\")\n\n if result.dmarc_policy == \"none\":\n result.issues.append(\n \"DMARC policy is set to 'none' (monitoring only). \"\n \"Plan rollout to 'quarantine' then 'reject'\"\n )\n\n # Check Proofpoint DKIM selector\n try:\n dkim_domain = f\"proofpoint._domainkey.{domain}\"\n answers = dns.resolver.resolve(dkim_domain, 'TXT')\n for rdata in answers:\n result.dkim_selector = \"proofpoint\"\n break\n except Exception:\n pass\n\n return result\n\n\ndef analyze_headers(eml_content: str) -> HeaderAnalysis:\n \"\"\"Analyze email headers for Proofpoint routing and authentication.\"\"\"\n analysis = HeaderAnalysis()\n\n # Extract From header\n from_match = re.search(r'^From:\\s*(.+)

Implementing Proofpoint Email Security Gateway Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per da…

, eml_content, re.MULTILINE | re.IGNORECASE)\n if from_match:\n analysis.from_address = from_match.group(1).strip()\n\n # Extract Return-Path\n rp_match = re.search(r'^Return-Path:\\s*(.+)

Implementing Proofpoint Email Security Gateway Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per da…

, eml_content, re.MULTILINE | re.IGNORECASE)\n if rp_match:\n analysis.return_path = rp_match.group(1).strip()\n\n # Extract Received chain\n received_headers = re.findall(\n r'^Received:\\s*(.*?)(?=\\n\\S|\\nReceived:|\\n\\n)',\n eml_content, re.MULTILINE | re.DOTALL | re.IGNORECASE\n )\n for hdr in received_headers:\n clean = ' '.join(hdr.split())\n analysis.received_chain.append(clean)\n if any(p.replace(r'

Implementing Proofpoint Email Security Gateway Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per da…

, '').replace(r'\\.', '.') in clean.lower()\n for p in ['pphosted.com', 'proofpoint.com']):\n analysis.passed_through_proofpoint = True\n\n # Extract Authentication-Results\n auth_match = re.search(\n r'^Authentication-Results:\\s*(.*?)(?=\\n\\S)',\n eml_content, re.MULTILINE | re.DOTALL | re.IGNORECASE\n )\n if auth_match:\n auth_text = auth_match.group(1)\n spf_match = re.search(r'spf=(\\w+)', auth_text)\n if spf_match:\n analysis.spf_result = spf_match.group(1)\n dkim_match = re.search(r'dkim=(\\w+)', auth_text)\n if dkim_match:\n analysis.dkim_result = dkim_match.group(1)\n dmarc_match = re.search(r'dmarc=(\\w+)', auth_text)\n if dmarc_match:\n analysis.dmarc_result = dmarc_match.group(1)\n\n # Check for Proofpoint-specific headers\n for marker in PROOFPOINT_HEADER_MARKERS:\n marker_match = re.search(\n rf'^{re.escape(marker)}:\\s*(.+)

Implementing Proofpoint Email Security Gateway Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per da…

,\n eml_content, re.MULTILINE | re.IGNORECASE\n )\n if marker_match:\n analysis.proofpoint_headers.append({\n \"header\": marker,\n \"value\": marker_match.group(1).strip()\n })\n if marker == 'X-Proofpoint-Spam-Details':\n analysis.x_proofpoint_spam_details = marker_match.group(1).strip()\n elif marker == 'X-Proofpoint-Virus-Version':\n analysis.x_proofpoint_virus_version = marker_match.group(1).strip()\n\n if not analysis.passed_through_proofpoint and not analysis.proofpoint_headers:\n analysis.issues.append(\"Email does not appear to have routed through Proofpoint\")\n\n if analysis.spf_result and analysis.spf_result != 'pass':\n analysis.issues.append(f\"SPF check failed: {analysis.spf_result}\")\n if analysis.dkim_result and analysis.dkim_result != 'pass':\n analysis.issues.append(f\"DKIM check failed: {analysis.dkim_result}\")\n if analysis.dmarc_result and analysis.dmarc_result != 'pass':\n analysis.issues.append(f\"DMARC check failed: {analysis.dmarc_result}\")\n\n return analysis\n\n\ndef format_report(title: str, data: dict) -> str:\n \"\"\"Format check results as a readable report.\"\"\"\n lines = []\n lines.append(\"=\" * 60)\n lines.append(f\" {title}\")\n lines.append(\"=\" * 60)\n\n for key, value in data.items():\n if key == 'issues':\n if value:\n lines.append(f\"\\n [ISSUES]\")\n for i, issue in enumerate(value, 1):\n lines.append(f\" {i}. {issue}\")\n elif isinstance(value, list):\n lines.append(f\"\\n {key}:\")\n for item in value:\n if isinstance(item, dict):\n lines.append(f\" - {json.dumps(item)}\")\n else:\n lines.append(f\" - {item}\")\n elif isinstance(value, bool):\n status = \"YES\" if value else \"NO\"\n lines.append(f\" {key}: {status}\")\n else:\n lines.append(f\" {key}: {value}\")\n\n lines.append(\"=\" * 60)\n return \"\\n\".join(lines)\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"Proofpoint Email Gateway Validator\")\n subparsers = parser.add_subparsers(dest=\"command\")\n\n mx_parser = subparsers.add_parser(\"check-mx\", help=\"Check MX records for Proofpoint routing\")\n mx_parser.add_argument(\"--domain\", required=True, help=\"Domain to check\")\n\n auth_parser = subparsers.add_parser(\"check-auth\", help=\"Check email authentication records\")\n auth_parser.add_argument(\"--domain\", required=True, help=\"Domain to check\")\n\n hdr_parser = subparsers.add_parser(\"validate-headers\", help=\"Analyze email headers\")\n hdr_parser.add_argument(\"--eml-file\", required=True, help=\"Path to .eml file\")\n\n parser.add_argument(\"--json\", action=\"store_true\", help=\"Output as JSON\")\n\n args = parser.parse_args()\n\n if args.command == \"check-mx\":\n result = check_mx_records(args.domain)\n if args.json:\n print(json.dumps(asdict(result), indent=2))\n else:\n print(format_report(\"PROOFPOINT MX RECORD CHECK\", asdict(result)))\n\n elif args.command == \"check-auth\":\n result = check_authentication(args.domain)\n if args.json:\n print(json.dumps(asdict(result), indent=2))\n else:\n print(format_report(\"EMAIL AUTHENTICATION CHECK\", asdict(result)))\n\n elif args.command == \"validate-headers\":\n with open(args.eml_file, 'r', errors='replace') as f:\n content = f.read()\n result = analyze_headers(content)\n if args.json:\n print(json.dumps(asdict(result), indent=2))\n else:\n print(format_report(\"EMAIL HEADER ANALYSIS\", asdict(result)))\n\n else:\n parser.print_help()\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":11351,"content_sha256":"9e362e8e6b539b511100f882803f1be3f7b8d7f92908fb88b6fcd3a2cf6dc547"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Implementing Proofpoint Email Security Gateway","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per day.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When deploying or configuring implementing proofpoint email security gateway capabilities in your environment","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When establishing security controls aligned to compliance requirements","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When building or improving security architecture for this domain","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When conducting security assessments that require this implementation","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Proofpoint Email Protection license (PPS on-premises or Proofpoint on Demand cloud)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Administrative access to DNS management for MX record changes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Microsoft 365 or Google Workspace email environment","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Understanding of mail flow architecture and SPF/DKIM/DMARC","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network firewall rules permitting Proofpoint IP ranges","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Key Concepts","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Deployment Models","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MX-Based Gateway (Traditional SEG)","type":"text","marks":[{"type":"strong"}]},{"text":": All mail routes through Proofpoint via MX record changes; intercepts threats before delivery","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"API-Based Integration","type":"text","marks":[{"type":"strong"}]},{"text":": Connects directly to Microsoft 365 or Google Workspace via API; no MX changes required; can be operational within 48 hours","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Hybrid Deployment","type":"text","marks":[{"type":"strong"}]},{"text":": Combines gateway and API for layered protection","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Core Detection Technologies","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Impostor Classifier","type":"text","marks":[{"type":"strong"}]},{"text":": ML model detecting BEC/impersonation with no malicious URLs or attachments","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"URL Defense","type":"text","marks":[{"type":"strong"}]},{"text":": Rewrites URLs and performs real-time sandboxing at time of click","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Attachment Defense","type":"text","marks":[{"type":"strong"}]},{"text":": Sandboxes suspicious attachments in virtual environments","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Nexus Threat Graph","type":"text","marks":[{"type":"strong"}]},{"text":": Cross-customer threat intelligence correlation engine","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Supplier Threat Detection","type":"text","marks":[{"type":"strong"}]},{"text":": Identifies compromised vendor email accounts","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Protection Layers","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Layer","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Technology","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Threat Type","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Connection","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"IP reputation, rate limiting","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Spam botnets","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Authentication","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SPF, DKIM, DMARC enforcement","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Spoofing","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Content","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ML classifiers, NLP analysis","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"BEC, phishing","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"URL","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Rewriting + time-of-click sandbox","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Credential theft","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Attachment","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Static + dynamic sandboxing","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Malware, ransomware","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Post-delivery","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"TRAP (auto-retraction)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Weaponized after delivery","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Plan Mail Flow Architecture","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document current MX records and mail flow path","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify all legitimate sending sources (marketing platforms, CRM, ticketing systems)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Map inbound connectors and transport rules in Microsoft 365 or Google Workspace","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Plan IP allowlisting for Proofpoint egress IPs on receiving infrastructure","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure SPF record to include Proofpoint: ","type":"text"},{"text":"v=spf1 include:spf.protection.outlook.com include:spf-a.proofpoint.com -all","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Configure Proofpoint Policies","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Create organizational units matching business structure","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Define inbound mail policies: anti-spam, anti-virus, impostor detection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure Smart Search quarantine with end-user digest notifications","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Set up Proofpoint Encryption for sensitive outbound messages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable Targeted Attack Protection (TAP) for URL and attachment sandboxing","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Deploy Email Authentication","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure DKIM signing through Proofpoint for outbound messages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Set DMARC policy to monitor mode initially: ","type":"text"},{"text":"v=DMARC1; p=none; rua=mailto:[email protected]","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable inbound DMARC enforcement to reject spoofed messages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure anti-spoofing rules for executive impersonation protection","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Enable Advanced Threat Protection","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Activate URL Defense with rewriting enabled for all inbound messages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure Attachment Defense sandbox policies (safe attachment mode)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable Threat Response Auto-Pull (TRAP) for post-delivery remediation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Set up TAP Dashboard alerts for targeted attack campaigns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure Supplier Risk monitoring for vendor email compromise","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Migrate MX Records","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Lower MX record TTL to 300 seconds 48 hours before cutover","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Update MX records to point to Proofpoint: ","type":"text"},{"text":"company-com.mail.protection.proofpoint.com","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure connector restrictions in Microsoft 365 to accept mail only from Proofpoint IPs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitor mail flow through Proofpoint Message Trace for 48-72 hours","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify no legitimate mail is being blocked or delayed","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 6: Tune and Optimize","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review quarantine and false positive/negative rates weekly for first month","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Adjust spam thresholds based on organizational tolerance","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Add approved senders and safe lists for legitimate bulk mail","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure data loss prevention (DLP) rules for outbound sensitive content","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable email warning banners for external sender identification","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tools & Resources","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Proofpoint TAP Dashboard","type":"text","marks":[{"type":"strong"}]},{"text":": Real-time threat visibility and campaign tracking","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Proofpoint TRAP","type":"text","marks":[{"type":"strong"}]},{"text":": Automated post-delivery email retraction","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Proofpoint SER (Spam/End-user Release)","type":"text","marks":[{"type":"strong"}]},{"text":": Self-service quarantine management","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Proofpoint Closed-Loop Email Analysis (CLEAR)","type":"text","marks":[{"type":"strong"}]},{"text":": Phishing report button integration","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MX Toolbox","type":"text","marks":[{"type":"strong"}]},{"text":": DNS record verification and mail flow testing","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Validation","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"All inbound email routes through Proofpoint (verify MX records and message headers)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TAP Dashboard shows threat detections and blocked campaigns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"URL Defense rewrites links in test messages and sandboxes at click time","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Attachment Defense detonates test malware samples in sandbox","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TRAP successfully retracts test phishing message from inboxes post-delivery","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"False positive rate below 0.1% after initial tuning period","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"DMARC/SPF/DKIM authentication passes for all legitimate outbound mail","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"implementing-proofpoint-email-security-gateway","tags":["email-security","proofpoint","secure-email-gateway","phishing","anti-spam","anti-malware","bec","email-filtering"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/implementing-proofpoint-email-security-gateway/SKILL.md","repo_owner":"mukul975","body_sha256":"f2c2dcb0bf5108e9aab28aeef51f11e302b50364e2b241c7d5f9763147005aaf","cluster_key":"28f2c48f91cfc4daad218bca1334a8f20900e270cbea788c741d0544823033a9","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/implementing-proofpoint-email-security-gateway/SKILL.md","attachments":[{"id":"0ba8b787-a6ec-59eb-84d3-0e08ef5fc8ae","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/0ba8b787-a6ec-59eb-84d3-0e08ef5fc8ae/attachment.md","path":"assets/template.md","size":1739,"sha256":"6e9d1e80c00dd605a5ea54c83ca4c933131f4fe76f578e86ab1ee7c19bd73b7c","contentType":"text/markdown; charset=utf-8"},{"id":"6673da6f-9900-5d29-9173-34ada907fa37","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6673da6f-9900-5d29-9173-34ada907fa37/attachment.md","path":"references/api-reference.md","size":5181,"sha256":"ea0bb032eaf566519fe8e3e6df1be3232b69bba0bb1ecc240c77a9e0e9d7ba43","contentType":"text/markdown; charset=utf-8"},{"id":"9d4860ee-77a1-552d-917d-ecf8610c184e","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/9d4860ee-77a1-552d-917d-ecf8610c184e/attachment.md","path":"references/standards.md","size":1750,"sha256":"be6d7ee5f731375c34f7e2532514319218a5c823b0f22e0ca2580aaf0e8a378a","contentType":"text/markdown; charset=utf-8"},{"id":"b92938cf-2bab-526b-9776-6765cf224f61","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/b92938cf-2bab-526b-9776-6765cf224f61/attachment.md","path":"references/workflows.md","size":2727,"sha256":"3dc1be4f87c31c95fdc2076c4e91a8f995ef196f363b0c835113d77129e0f65b","contentType":"text/markdown; charset=utf-8"},{"id":"6a09591f-c676-542f-a47b-86bf080f4f9a","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6a09591f-c676-542f-a47b-86bf080f4f9a/attachment.py","path":"scripts/agent.py","size":8392,"sha256":"eed0b88823d757da41873a1af3d9ba20b0a51456374ff55be2f03f80931cfccf","contentType":"text/x-python; charset=utf-8"},{"id":"628ee176-da12-5b45-990f-7100a168dbe5","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/628ee176-da12-5b45-990f-7100a168dbe5/attachment.py","path":"scripts/process.py","size":11351,"sha256":"9e362e8e6b539b511100f882803f1be3f7b8d7f92908fb88b6fcd3a2cf6dc547","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"7d398a215cad61340392985736c8d427a78c3959cd15bb1832af456e3b2efed1","attachment_count":6,"text_attachments":6,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/implementing-proofpoint-email-security-gateway/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"Apache-2.0","version":"v1","category":"security","nist_csf":["PR.AT-01","DE.CM-09","RS.CO-02","DE.AE-02"],"subdomain":"phishing-defense","import_tag":"clean-skills-v1","description":"Deploy and configure Proofpoint Email Protection as a secure email gateway to detect and block phishing, malware, BEC, and spam before messages reach user inboxes."}},"renderedAt":1782980373919}

Implementing Proofpoint Email Security Gateway Overview Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per da…