Proofpoint Migration Guide

Phase 1: Discovery & Planning (1-2 Weeks Before Cutover)

1.1 Current State Evaluation

  • Document current Proofpoint configuration
      • User accounts and groups
      • Filtering policies and rules
      • Safe/blocked sender lists
      • Custom configurations
  • Document current MX records for all domains
  • List all mail flow connectors and routing rules
  • Identify admin users and service accounts

1.2 Archive Data Export

  • Export email archive data (if using Proofpoint Archive)
      • Log into Proofpoint admin console
      • Navigate to Archive section
      • Search and select data to export
      • Export in .eml format (compressed .zip files)
      • Limitation: Maximum 100K messages per export
      • Documentation: Proofpoint Archive Export Guide
  • Export email quarantine data

1.3 Compliance & Legal Requirements

  • Verify data retention compliance requirements
  • Coordinate with your Legal team on data retention requirements
  • Ensure audit trail preservation for compliance purposes
  • Export audit logs and compliance reports as needed

Phase 2: Pre-Migration Setup (48-72 Hours Before Cutover)

2.1 DNS Preparation

  • Lower DNS TTL values for MX and TXT records to 300-600 seconds
      • Critical: This must be done at least 24-48 hours before cutover to ensure old TTL values expire
      • This enables faster propagation and rollback if needed during cutover
  • Prepare (but do not apply) new MX records for direct mail delivery
  • Document current SPF records that include Proofpoint

2.2 Configuration Transfer to Sublime

  • Transfer user safe/blocked sender lists to Sublime Lists
      • Use "Request Safe/Blocked Senders List" feature in Proofpoint
      • Export lists and convert to Sublime lists
  • Migrate all admin users & service accounts to Sublime
  • Transfer filtering rules and policies
      • Screenshot or document all custom rules
      • Export DLP policies, if configured

2.3 Sublime Verification

  • Confirm Sublime is fully configured and malicious auto-remediations are enabled
      • Your team should also consider enabling Sublime's graymail prevention ahead of the cutover
  • Verify all policies are active and correctly configured
  • Confirm API connections to M365/Google Workspace are functional
  • Test detection rules with sample messages (if possible)

2.4 Rollback Plan Documentation

  • Document current Proofpoint MX records for quick restoration
  • Establish communication plan with end users

Phase 3: Cutover (Scheduled Maintenance Window)

Recommendation: Schedule during low email volume hours.

3.1 Update DNS Records (Do This First)

  • Update MX records for all domains
      • Replace Proofpoint MX records with direct delivery records
      • Remove mxa...pphosted.com and mxb...pphosted.com
      • Google Workspace: MX Record Setup
      • Microsoft 365: MX Record Setup
      • Reference: Proofpoint MX Record Guide
  • Monitor DNS propagation
      • Use dig mx <your_domain> or nslookup -type=mx <your_domain>
      • Verify new MX records are resolving before proceeding
      • Allow 15-30 minutes for initial propagation with lowered TTL

3.2 Update SPF Records

  • Remove Proofpoint include statements from SPF:
      • Remove include:...pphosted.com
  • Verify SPF record syntax is valid after changes
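
The DNS checks in steps 2.1, 3.1 and 3.2 can be scripted. The following is an added example, not part of the original guide or of any vendor tooling: it audits saved dig answer lines for MX and TXT records and flags TTLs above 600 seconds, MX targets or SPF includes under pphosted.com, and an SPF record count other than one. The function name audit_cutover, the finding labels and the sample records (example.com and the "placeholder" hosts) are constructed for illustration.

```sh
#!/bin/sh
# Added example. Sample records are constructed; the "placeholder" hosts are not real.
LEGACY_SUFFIX='pphosted.com'   # domain suffix of the records this guide removes
MAX_TTL="${MAX_TTL:-600}"      # upper TTL bound from step 2.1

# Reads `dig +noall +answer` lines (NAME TTL CLASS TYPE RDATA) for MX and TXT
# on stdin, prints one finding per line, returns 0 only when there are none.
audit_cutover() {
  awk -v suf="$LEGACY_SUFFIX" -v max="$MAX_TTL" '
    # match on a label boundary so "notpphosted.com" is not flagged
    function legacy(name) {
      sub(/\.$/, "", name)
      return name == suf || substr(name, length(name) - length(suf)) == "." suf
    }
    function finding(msg) { print msg; bad = 1 }
    { $0 = tolower($0) }
    ($4 == "mx" || $4 == "txt") && $2 + 0 > max { finding("HIGH_TTL " $4 " " $2) }
    $4 == "mx" { mx++; if (legacy($6)) finding("LEGACY_MX " $6) }
    $4 == "txt" {
      rec = $0   # join the quoted strings dig prints for long TXT records
      sub(/^[^"]*"/, "", rec); gsub(/" "/, "", rec); sub(/"$/, "", rec)
      if (rec != "v=spf1" && substr(rec, 1, 7) != "v=spf1 ") next
      spf++
      k = split(rec, term, " ")
      for (i = 2; i <= k; i++) if (term[i] ~ /^[+?~-]?include:/) {
        dom = term[i]; sub(/^[^:]*:/, "", dom)
        if (legacy(dom)) finding("LEGACY_INCLUDE " dom)
      }
    }
    END {
      if (mx == 0) finding("NO_MX")
      if (spf != 1) finding("SPF_RECORD_COUNT " (spf + 0))  # exactly one is valid
      exit bad + 0
    }'
}
sample_before() { cat <<'EOF'
example.com. 3600 IN MX 10 mxa.placeholder.pphosted.com.
example.com. 3600 IN MX 10 mxb.placeholder.pphosted.com.
example.com. 3600 IN TXT "v=spf1 include:spf.placeholder.pphosted.com ~all"
EOF
}
sample_after() { cat <<'EOF'
example.com. 300 IN MX 1 smtp.google.com.
example.com. 300 IN TXT "google-site-verification=constructed"
example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
EOF
}
sample_before | audit_cutover || echo "clear the findings above before proceeding"
sample_after | audit_cutover && echo "cutover records clean"
```

Collect the input with dig +noall +answer against the domain's authoritative nameserver; a recursive resolver reports the remaining cache lifetime rather than the configured TTL. Raise MAX_TTL when rerunning the audit after the TTL restore in step 4.2.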

3.3 Update DKIM Configuration

  • Remove Proofpoint DKIM selectors if configured
  • Reconfigure DKIM signing for direct mail flow
  • Verify DKIM is signing correctly

3.4 Remove Proofpoint Mail Flow Configuration

For Microsoft 365:

  • Remove Proofpoint connectors
      • Navigate to Exchange Admin Center > Mail Flow > Connectors
      • Delete inbound connector from Proofpoint
      • Delete outbound connector to Proofpoint
  • Remove mail flow rules
      • Delete bypass spam filtering rules for Proofpoint IPs
      • Remove any custom routing rules to Proofpoint
      • Clean up SCL (Spam Confidence Level) bypass rules
      • Remove transport rules created for Proofpoint integration
  • Re-enable native protection
      • Turn on Exchange Online Protection
      • Re-enable "Apply future recommended settings automatically"
      • Configure built-in anti-spam and anti-malware settings

For Google Workspace:

  • Disable inbound gateway settings
      • Go to Apps > Google Workspace > Gmail > Spam, Phishing, and Malware
      • Edit Inbound Gateway and check "Disable"
      • Important: If you have additional IPs using your inbound gateway, only remove the Proofpoint IPs
      • Remove Proofpoint IP addresses from gateway settings
  • Remove routing rules
      • Navigate to Settings for Gmail > Routing
      • Disable or delete Proofpoint routing rules
      • Remove any custom routing configurations

3.5 Cutover Verification

  • Send test emails (internal to internal, external to internal, internal to external)
  • Verify emails are flowing through Sublime correctly
  • Check Sublime dashboard for incoming mail processing
  • Monitor for any bounce-backs or delivery failures
  • Confirm no mail is queuing in Proofpoint

Phase 4: Post-Cutover (24-48 Hours After)

4.1 Monitoring Period

  • Monitor mail flow for 24-48 hours
  • Review Sublime detection logs for false positives/negatives
  • Check user reports of missing or delayed emails
  • Verify all mail is bypassing Proofpoint completely

4.2 DNS Finalization

  • Verify full DNS propagation (24-48 hours)
  • Use multiple DNS checking tools to confirm global propagation
  • Restore DNS TTL values to normal (3600+ seconds)

4.3 Infrastructure Cleanup

  • Remove firewall rules allowing Proofpoint IP ranges
  • Disconnect Proofpoint API integrations
  • Remove API keys and service accounts
  • Update SIEM integrations if Proofpoint logs were being forwarded
  • Clean up any monitoring or alerting for Proofpoint services
  • Remove Proofpoint Outlook/desktop plugins from user endpoints (if deployed)