Proofpoint is a filtering solution that can protect your domain against spoofing emails. However, Proofpoint does not fully adhere to the DMARC Reject policy, so if your DMARC policy is set to “Reject,” emails will not be bounced or rejected.
If a DMARC policy is on Reject or Quarantine and the email fails the DMARC check, the email is categorized as Fraud and appears in the digest of end users, but it will never be rejected or bounced.
When a DMARC policy is set to None and an email fails its DMARC check, no action is taken, and the email is sent.
If you want inbound emails to bounce and be rejected when they fail their DMARC check, you need to enable the Anti-Spoofing feature in your Proofpoint platform.
Here’s how:
- Navigate to Administration > Account Management > Features
- Check the box labeled ‘Enable Anti-Spoofing Policies’
- Click Save
Once the feature is enabled, you must configure the anti-spoofing policy you wish to apply to the organization.
- Navigate to Security Settings > Malicious Content > Anti-Spoofing
Then, there are three separate policies available to configure:
- Inbound DMARC
- Inbound SPF
- Inbound DKIM
Inbound DMARC
- Check the option you wish to apply for inbound DMARC policy evaluation
The recommended configuration for this policy is “Allow the sending domain’s DMARC policy to determine whether or not to block messages.” You must select this option to let Proofpoint decide based on your DMARC policy.
If “Ignore the sending domain’s DMARC policy, but log the result” is chosen instead, messages that fail the DMARC check will be passed through the system. The result will be recorded in the logs and in the message’s header.
Inbound SPF
- Check the options you wish to apply for inbound SPF policy evaluation.
If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the sender’s SPF policy (if it exists) and these policies will apply. There are three results which can be acted on:
- Failure: The message has failed the SPF check. This indicates that the message has been spoofed.
- Temporary Error: A transient error occurred while retrieving the foreign domain’s SPF policy in DNS.
- Permanent Error: An error occurred while parsing the foreign domain’s SPF policy in DNS. This means that the record is malformed in some way.
Inbound DKIM
- Check the options you wish to apply for inbound DKIM policy evaluation.
If a DMARC policy is not present for the sending domain, or you have chosen to ignore the DMARC policy, you can choose to evaluate the message to see if it has been signed with DKIM. There are three results which can be acted on:
- Failure: The message has failed the DKIM check. This indicates that the message has been spoofed.
- Temporary Error: A transient error occurred while retrieving the foreign domain’s DKIM key in DNS.
- Permanent Error: An error occurred while parsing the foreign domain’s DKIM key in DNS. This means that the record is malformed in some way.
- Click Save
If you want to prevent emails from being delivered, choose “Quarantine” for each check, which prevents the message from being delivered to its intended recipient. Otherwise, if you want the emails to keep being delivered, you can choose “Take no action,” which allows the message to continue to be processed, or “Tag subject line with text,” which prepends the supplied text to the message’s subject line. In that case the message is tagged and logged but will continue to be processed.
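The decision flow described above, modelled as an added Python example (not Proofpoint's code and not part of the original page): it reads the RFC 8601 Authentication-Results header from constructed sample messages and reports which action the configured policies would take. The header layout, the `POLICY` dict and the "strictest action wins" tie-break between SPF and DKIM are assumptions.

```python
import re
from email import message_from_string

# Hypothetical model of the Anti-Spoofing screen. Action names follow the page;
# the dict layout and "strictest action wins" tie-break are assumptions.
POLICY = {
    "honor_dmarc": True,  # "Allow the sending domain's DMARC policy to determine..."
    "spf":  {"fail": "quarantine", "temperror": "none", "permerror": "tag"},
    "dkim": {"fail": "quarantine", "temperror": "none", "permerror": "tag"},
}

def auth_results(raw):
    """Extract spf/dkim/dmarc results and the noted DMARC policy from a message."""
    hdr = " ".join(message_from_string(raw).get("Authentication-Results", "").split())
    res = {m.lower(): r.lower()
           for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}
    p = re.search(r"\bdmarc=\w+\s*\(p=(\w+)", hdr, re.I)
    res["dmarc_policy"] = p.group(1).lower() if p else None
    return res

def disposition(raw, policy=POLICY):
    """Return 'block', 'quarantine', 'tag' or 'deliver' for one message."""
    res = auth_results(raw)
    # dmarc=none (RFC 8601) means the sending domain publishes no DMARC record.
    if policy["honor_dmarc"] and res.get("dmarc") not in (None, "none"):
        failed = res["dmarc"] == "fail"
        enforced = res["dmarc_policy"] in ("reject", "quarantine")
        return "block" if failed and enforced else "deliver"
    # No DMARC record, or DMARC ignored: the SPF and DKIM policies apply.
    actions = [policy[m].get(res.get(m), "none") for m in ("spf", "dkim")]
    return next((a for a in ("quarantine", "tag") if a in actions), "deliver")

def msg(auth):  # constructed sample message, not captured traffic
    return ("Authentication-Results: mx.example.net;\n " + auth +
            "\nFrom: ceo@example.org\nSubject: invoice\n\nbody\n")

SAMPLES = {  # constructed headers
    "reject_fail": msg("spf=fail smtp.mailfrom=example.org;\n dkim=none;\n"
                       " dmarc=fail (p=reject) header.from=example.org"),
    "p_none_fail": msg("spf=fail smtp.mailfrom=example.org;\n"
                       " dmarc=fail (p=none) header.from=example.org"),
    "no_dmarc":    msg("spf=pass smtp.mailfrom=example.org;\n"
                       " dkim=permerror header.d=example.org;\n dmarc=none"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", disposition(raw))
```

Running the same samples with `honor_dmarc` set to `False` shows the fallback to the SPF and DKIM policies when the DMARC policy is ignored.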
In addition, a list of exceptions can be created for each Anti-Spoofing policy to exclude individual domains from the policies.
The critical point about how Proofpoint handles DMARC policy for your inbound emails is that even if the DMARC policy is set to “Reject,” emails will still be delivered to the recipient unless the Anti-Spoofing feature is enabled. To ensure proper filtering based on the DMARC policy, we suggest following the steps above and setting all the options in the above section to “Quarantine.” This will allow the filtering system to function effectively in accordance with the “Reject” policy.