TL;DR - The Easy Button Version
IRONSCALES activation: 10 minutes (no changes required to your current setup)
Proofpoint removal: 1-2 days (when you're ready)
Friday Evening (30 minutes)
- IRONSCALES Activate IRONSCALES - works immediately via API, no mail flow changes needed
- DNS Point MX records to Microsoft 365 instead of Proofpoint
- DNS Update SPF record to include Microsoft 365
Saturday (30 minutes)
- DNS Remove Proofpoint from SPF record
- MICROSOFT Disable Proofpoint connectors in Exchange Online
- MICROSOFT Remove Proofpoint transport rules
That's it! Everything else below is optional documentation and best practices.
Important Notes Before You Begin
What IRONSCALES Handles Automatically
- Anti-spam: No need to configure in Microsoft - IRONSCALES provides this
- Impersonation protection: Automatically learns your users and their behavior - no manual configuration needed
- URL protection: Built-in, no conflict with existing systems
- Attachment scanning: Automatic sandboxing and analysis
Managing False Positives and False Negatives in IRONSCALES
- False Positive (legitimate email quarantined): Click the "Safe" or "Reclassify" button in the incident cluster details
- False Negative (missed threat): Use Investigation Panel to find and reclassify, or use Report Phishing button/911 mailbox for automated workflow
- Allow lists: Not recommended (disrupts behavioral learning) unless absolutely required for business-critical automated workflows
- Block lists: Not needed - IRONSCALES automatically updates machine learning when threats are reported via Report Phishing button
Comprehensive Migration Guide
For organizations wanting detailed documentation and a methodical approach
Overview
This document provides step-by-step technical instructions for migrating email security from Proofpoint to Microsoft 365 with IRONSCALES.
Key Points:
- IRONSCALES can be activated immediately without affecting current mail flow (API-based, not MX-based)
- No security gap during migration - run IRONSCALES alongside Proofpoint if desired
- Core migration is just DNS changes and connector removal
The migration involves three components (color coded throughout):
- DNS DNS changes: Redirecting mail flow from Proofpoint to Microsoft 365
- MICROSOFT Connector removal: Removing Proofpoint infrastructure from Exchange Online
- IRONSCALES IRONSCALES deployment: API-based security activated independently of mail flow
Week 1: Pre-Migration Preparation (Optional but Recommended)
Step 1: MICROSOFT Document existing Proofpoint configuration (Optional)
Only if needed for compliance or rollback planning:
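# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline
# Export inbound connectors matching Proofpoint by name or sender IP range (C:\Backup must already exist)
Get-InboundConnector | Where-Object {$_.Name -like "*Proofpoint*" -or $_.SenderIPAddresses -like "*67.231.*" -or $_.SenderIPAddresses -like "*148.163.*"} | Export-Clixml -Path "C:\Backup\ProofpointInboundConnector.xml"
# Export outbound connectors matching Proofpoint by name or smart host
Get-OutboundConnector | Where-Object {$_.Name -like "*Proofpoint*" -or $_.SmartHosts -like "*ppe-hosted.com*"} | Export-Clixml -Path "C:\Backup\ProofpointOutboundConnector.xml"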
Step 2: PROOFPOINT Identify Proofpoint IP ranges and smart hosts
Document the specific Proofpoint infrastructure in use:
- US IP ranges: 67.231.152.0/24-67.231.156.0/24, 148.163.128.0/19
- EU IP ranges: 91.209.104.0/24, 185.132.180.0/24-185.132.183.0/24
- Smart hosts: outbound-us1.ppe-hosted.com, outbound-eu1.ppe-hosted.com
Step 3: DNS Reduce DNS TTL values
Three days before cutover, reduce TTL on all mail-related DNS records:
- MX records: Set TTL to 300 seconds
- SPF TXT records: Set TTL to 600 seconds
- DKIM CNAME records: Set TTL to 600 seconds
Step 4: MICROSOFT Generate Microsoft 365 DKIM keys
- Navigate to Microsoft 365 Defender Portal > Email & collaboration > Policies & rules > Threat policies
- Select DKIM
- Select your domain and enable DKIM signing
- Note the two CNAME records for later DNS addition
Step 5: IRONSCALES Activate IRONSCALES protection
Contact IRONSCALES to provision your tenant:
- IRONSCALES activation takes ~10 minutes
- No mail flow changes required - works immediately via API
- Can run alongside Proofpoint without conflict
- You'll receive login instructions and configuration guides
Week 2: Pre-Cutover Validation (Optional)
Step 1: MICROSOFT Verify Microsoft 365 configuration
Confirm Microsoft 365 is ready to receive mail:
- Check that your domain is verified in Microsoft 365 admin center
- Confirm all user mailboxes are created and licensed
- Verify Exchange Online Protection is enabled
- Test internal mail flow between Microsoft 365 users
Step 2: MICROSOFT Document transport rules requiring modification
List all transport rules that reference:
- Proofpoint IP addresses
- SCL score modifications (-1)
- Header modifications (X-EOP-Direct-Delivery)
- SafeLinks bypass (X-MS-Exchange-Organization-SkipSafeLinksProcessing)
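One way to build the list above, as an added example rather than code from the original guide: the function matches rule properties against the Proofpoint ranges from Week 1, Step 2. Find-ProofpointRuleReference and the sample rules are hypothetical; SenderIpRanges, SetSCL and SetHeaderName are properties of Get-TransportRule output.

```powershell
# Added example: flags transport rules that still reference or trust Proofpoint.
function Find-ProofpointRuleReference {
    param([Parameter(ValueFromPipeline)] $Rule)
    begin {
        # Proofpoint US/EU ranges from Week 1, Step 2, written as a prefix regex
        $ipPattern = '^(67\.231\.15[2-6]\.|148\.163\.(12[89]|1[3-5]\d)\.|91\.209\.104\.|185\.132\.18[0-3]\.)'
        $headers   = 'X-EOP-Direct-Delivery',
                     'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
    }
    process {
        $reasons = @()
        if (@($Rule.SenderIpRanges) -match $ipPattern) { $reasons += 'Proofpoint sender IP range' }
        if ("$($Rule.SetSCL)" -eq '-1')                { $reasons += 'SCL set to -1' }
        if ($Rule.SetHeaderName -in $headers)          { $reasons += "sets header $($Rule.SetHeaderName)" }
        if ($Rule.Name -like '*Proofpoint*')           { $reasons += 'name mentions Proofpoint' }
        if ($reasons) {
            [pscustomobject]@{
                Name    = $Rule.Name
                State   = $Rule.State
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules; in a live tenant pipe the real rules instead:
#   Get-TransportRule | Find-ProofpointRuleReference
$sampleRules = @(
    [pscustomobject]@{ Name = 'Proofpoint SCL Override'; State = 'Enabled'
                       SenderIpRanges = @('67.231.152.0/24'); SetSCL = -1; SetHeaderName = $null }
    [pscustomobject]@{ Name = 'Skip SafeLinks'; State = 'Enabled'
                       SenderIpRanges = @('148.163.128.0/19'); SetSCL = $null
                       SetHeaderName = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' }
    [pscustomobject]@{ Name = 'Legal disclaimer'; State = 'Enabled'
                       SenderIpRanges = $null; SetSCL = $null; SetHeaderName = $null }
)
$sampleRules | Find-ProofpointRuleReference | Format-Table -AutoSize
```

The first two sample rules are reported with their reasons; the third is not. Any rule this flags is a filtering bypass that should be reviewed before the connectors are removed in Week 4.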
Step 3: Create rollback plan
Document exact steps to revert if issues arise:
- DNS record values to restore (screenshot current DNS settings)
- Connector configurations to re-enable
- Transport rules to reactivate
Week 3: Production Cutover (The Actual Migration)
Day 1 (Friday evening/maintenance window)
Step 1: DNS Add Microsoft 365 MX record (staged approach)
Add new MX record with higher preference number (lower priority):
MX Priority 20: [domain-name]-com.mail.protection.outlook.com
MX Priority 10: mx1.ppe-hosted.com (existing Proofpoint)
Step 2: DNS Update SPF record
Modify SPF to include both providers temporarily:
v=spf1 include:_spf-us.ppe-hosted.com include:spf.protection.outlook.com -all
Step 3: DNS Add Microsoft 365 DKIM CNAME records
Add the two CNAME records generated in Week 1, Step 4.
Day 2 (Saturday)
Step 4: DNS Swap MX priorities
Change MX records so Microsoft 365 has highest priority:
MX Priority 0: [domain-name]-com.mail.protection.outlook.com
MX Priority 20: mx1.ppe-hosted.com (Proofpoint backup)
Step 5: IRONSCALES Verify IRONSCALES is active
- If not already activated, complete the 10-minute setup
- No configuration needed for anti-spam or impersonation protection
- System begins learning immediately
Step 6: MICROSOFT Monitor mail flow
Use message trace to confirm mail routing through Microsoft 365:
Get-MessageTrace -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) | Select MessageId, Received, SenderAddress, RecipientAddress, Subject, Status
Day 3 (Sunday)
Step 7: DNS Remove Proofpoint MX record
After confirming stable mail flow for 24 hours, remove Proofpoint MX entries entirely.
Step 8: DNS Update SPF record
Remove Proofpoint includes from SPF:
v=spf1 include:spf.protection.outlook.com -all
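To confirm which cutover step the published DNS actually reflects, the following added example (not part of the original guide, and not IRONSCALES or Microsoft code) classifies a set of MX records and an SPF string against Steps 1-8. The function name Get-MailCutoverStage and the contoso-com sample records are assumptions made for illustration.

```powershell
# Added example: maps MX + SPF state to the cutover stages described above.
function Get-MailCutoverStage {
    param(
        [Parameter(Mandatory)] [object[]] $MxRecord,  # needs NameExchange, Preference
        [Parameter(Mandatory)] [string]   $Spf
    )
    $m365 = @($MxRecord | Where-Object NameExchange -like '*.mail.protection.outlook.com')
    $pp   = @($MxRecord | Where-Object NameExchange -like '*.ppe-hosted.com')
    $spfHasM365 = $Spf -match 'include:spf\.protection\.outlook\.com'
    $spfHasPp   = $Spf -match 'include:\S*ppe-hosted\.com'

    # Lowest preference number wins, so compare the best record on each side.
    $bestM365 = ($m365 | Sort-Object Preference | Select-Object -First 1).Preference
    $bestPp   = ($pp   | Sort-Object Preference | Select-Object -First 1).Preference

    $stage = if ($m365.Count -eq 0)    { 'Pre-cutover: Proofpoint only' }
        elseif ($pp.Count -eq 0)       { 'Day 3: Proofpoint MX removed' }
        elseif ($bestPp -lt $bestM365) { 'Day 1: Microsoft 365 staged as backup' }
        else                           { 'Day 2: Microsoft 365 primary, Proofpoint backup' }

    $warnings = @()
    if ($m365.Count -gt 0 -and -not $spfHasM365) {
        $warnings += 'SPF lacks include:spf.protection.outlook.com (Step 2)'
    }
    if ($pp.Count -eq 0 -and $spfHasPp) {
        $warnings += 'SPF still authorizes Proofpoint (Step 8 pending)'
    }
    [pscustomobject]@{ Stage = $stage; Warnings = $warnings -join '; ' }
}

# Constructed sample: the Day 1 state after Steps 1-2 (contoso-com is a placeholder).
$mx = @(
    [pscustomobject]@{ NameExchange = 'contoso-com.mail.protection.outlook.com'; Preference = 20 }
    [pscustomobject]@{ NameExchange = 'mx1.ppe-hosted.com'; Preference = 10 }
)
$spf = 'v=spf1 include:_spf-us.ppe-hosted.com include:spf.protection.outlook.com -all'
Get-MailCutoverStage -MxRecord $mx -Spf $spf

# Live use on Windows (DnsClient module); example.com is a placeholder domain:
#   $mx  = Resolve-DnsName example.com -Type MX | Where-Object Type -eq 'MX'
#   $spf = (Resolve-DnsName example.com -Type TXT).Strings | Where-Object { $_ -like 'v=spf1*' }
```

A Proofpoint include left in SPF after Step 7 keeps authorizing Proofpoint's sending infrastructure for your domain, which is why the check reports it until Step 8 is done.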
Week 4: Cleanup and Optimization (Post-Migration - Optional)
Step 1: MICROSOFT Disable Proofpoint connectors (Day 1)
Do not delete yet, only disable to allow rollback if needed:
Set-InboundConnector "Proofpoint Inbound Connector" -Enabled $false
Set-OutboundConnector "Proofpoint Outbound Connector" -Enabled $false
Step 2: MICROSOFT Remove transport rules (Day 2)
Delete rules referencing Proofpoint after confirming no impact:
Remove-TransportRule "Proofpoint Bypass Rule" -Confirm:$false
Remove-TransportRule "Proofpoint SCL Override" -Confirm:$false
Step 3: MICROSOFT Remove disabled connectors (Day 3)
After 48 hours with no issues, permanently remove connectors:
Remove-InboundConnector "Proofpoint Inbound Connector" -Confirm:$false
Remove-OutboundConnector "Proofpoint Outbound Connector" -Confirm:$false
Step 4: PROOFPOINT Export Proofpoint data (Day 5 - Optional)
Only if required for compliance:
- Export message logs from Proofpoint admin console
- Download any quarantined messages requiring retention
- Save configuration documentation for compliance records
Post-Migration Monitoring (Optional Ongoing Tasks)
Daily tasks (first week)
- MICROSOFT Review message trace logs for delivery failures
- MICROSOFT Monitor help desk tickets for user-reported issues
- IRONSCALES Review any reclassification requests
Weekly tasks (first month)
- MICROSOFT Review mail flow statistics in Exchange admin center
- MICROSOFT Validate compliance and retention policies
- IRONSCALES Review threat reports and trends
Rollback Procedures
Within 4 hours of cutover
- DNS Revert MX records to original Proofpoint values
- MICROSOFT Re-enable Proofpoint connectors
- DNS Restore original SPF record
- Notify users of temporary reversion
After 4 hours but within 48 hours
- DNS Add Proofpoint MX records with higher priority
- MICROSOFT Re-enable disabled connectors
- DNS Add Proofpoint back to SPF record
- MICROSOFT Create transport rules to route specific mail through Proofpoint
Known Issues and Resolutions
URL Defense / SafeLinks interaction
- Issue: During transition, if both systems are active, URLs might get double-encoded
- Resolution: Not a concern with IRONSCALES - our URL protection doesn't conflict with existing rewrites
Attachment scanning delays
- Issue: "[Unscanned Attachment]" tags from Proofpoint
- Resolution: Tags disappear once Proofpoint removed from mail flow; IRONSCALES handles attachment scanning automatically
Directory synchronization
- Issue: Proofpoint marks users as invalid during transition
- Resolution: Only relevant if rollback needed - manual reactivation through Proofpoint interface
Support Resources
For assistance with IRONSCALES deployment or configuration:
- Customer Success Team: success@ironscales.com
- Tenant provisioning (10-minute process)
- Onboarding assistance
- Best practices guidance
- Support Team: support@ironscales.com
- Technical issues
- Troubleshooting assistance
- False positive/negative handling
- Knowledge Base: Detailed guides provided when your IRONSCALES tenant is provisioned
For Microsoft 365 configuration issues, consult Microsoft documentation at https://docs.microsoft.com/defender-office-365/ or contact Microsoft Support through your tenant admin portal.