Proofpoint Migration Guides

Migration Guide: Proofpoint to Microsoft 365 and IRONSCALES

Written by IRONSCALES | Nov 19, 2025 6:24:05 PM

TL;DR - The Easy Button Version

IRONSCALES activation: 10 minutes (no changes required to your current setup)
Proofpoint removal: 1-2 days (when you're ready)

Friday Evening (30 minutes)

  1. IRONSCALES Activate IRONSCALES - works immediately via API, no mail flow changes needed
  2. DNS Point MX records to Microsoft 365 instead of Proofpoint
  3. DNS Update SPF record to include Microsoft 365

Saturday (30 minutes)

  1. DNS Remove Proofpoint from SPF record
  2. MICROSOFT Disable Proofpoint connectors in Exchange Online
  3. MICROSOFT Remove Proofpoint transport rules

That's it! Everything else below is optional documentation and best practices.

Important Notes Before You Begin

What IRONSCALES Handles Automatically

  • Anti-spam: No need to configure in Microsoft - IRONSCALES provides this
  • Impersonation protection: Automatically learns your users and their behavior - no manual configuration needed
  • URL protection: Built-in, no conflict with existing systems
  • Attachment scanning: Automatic sandboxing and analysis

Managing False Positives and False Negatives in IRONSCALES

  • False Positive (legitimate email quarantined): Click the "Safe" or "Reclassify" button in the incident cluster details
  • False Negative (missed threat): Use Investigation Panel to find and reclassify, or use Report Phishing button/911 mailbox for automated workflow
  • Allow lists: Not recommended (disrupts behavioral learning) unless absolutely required for business-critical automated workflows
  • Block lists: Not needed - IRONSCALES automatically updates machine learning when threats are reported via Report Phishing button

Comprehensive Migration Guide

For organizations wanting detailed documentation and a methodical approach

Overview

This document provides step-by-step technical instructions for migrating email security from Proofpoint to Microsoft 365 with IRONSCALES.

Key Points:

  • IRONSCALES can be activated immediately without affecting current mail flow (API-based, not MX-based)
  • No security gap during migration - run IRONSCALES alongside Proofpoint if desired
  • Core migration is just DNS changes and connector removal

The migration involves three components (color coded throughout):

  • DNS DNS changes: Redirecting mail flow from Proofpoint to Microsoft 365
  • MICROSOFT Connector removal: Removing Proofpoint infrastructure from Exchange Online
  • IRONSCALES IRONSCALES deployment: API-based security activated independently of mail flow

Week 1: Pre-Migration Preparation (Optional but Recommended)

Step 1: MICROSOFT Document existing Proofpoint configuration (Optional)

Only if needed for compliance or rollback planning:

Connect-ExchangeOnline
Get-InboundConnector | Where-Object {$_.Name -like "*Proofpoint*" -or $_.SenderIPAddresses -like "*67.231.*" -or $_.SenderIPAddresses -like "*148.163.*"} | Export-Clixml -Path "C:\Backup\ProofpointInboundConnector.xml"
Get-OutboundConnector | Where-Object {$_.Name -like "*Proofpoint*" -or $_.SmartHosts -like "*ppe-hosted.com*"} | Export-Clixml -Path "C:\Backup\ProofpointOutboundConnector.xml"

Step 2: PROOFPOINT Identify Proofpoint IP ranges and smart hosts

Document the specific Proofpoint infrastructure in use:

  • US IP ranges: 67.231.152.0/24-67.231.156.0/24, 148.163.128.0/19
  • EU IP ranges: 91.209.104.0/24, 185.132.180.0/24-185.132.183.0/24
  • Smart hosts: outbound-us1.ppe-hosted.com, outbound-eu1.ppe-hosted.com

Step 3: DNS Reduce DNS TTL values

Three days before cutover, reduce TTL on all mail-related DNS records:

  • MX records: Set TTL to 300 seconds
  • SPF TXT records: Set TTL to 600 seconds
  • DKIM CNAME records: Set TTL to 600 seconds

Step 4: MICROSOFT Generate Microsoft 365 DKIM keys

  1. Navigate to Microsoft 365 Defender Portal > Email & collaboration > Policies & rules > Threat policies
  2. Select DKIM
  3. Select your domain and enable DKIM signing
  4. Note the two CNAME records for later DNS addition

Step 5: IRONSCALES Activate IRONSCALES protection

Contact IRONSCALES to provision your tenant:

  1. IRONSCALES activation takes ~10 minutes
  2. No mail flow changes required - works immediately via API
  3. Can run alongside Proofpoint without conflict
  4. You'll receive login instructions and configuration guides

Week 2: Pre-Cutover Validation (Optional)

Step 1: MICROSOFT Verify Microsoft 365 configuration

Confirm Microsoft 365 is ready to receive mail:

  1. Check that your domain is verified in Microsoft 365 admin center
  2. Confirm all user mailboxes are created and licensed
  3. Verify Exchange Online Protection is enabled
  4. Test internal mail flow between Microsoft 365 users

Step 2: MICROSOFT Document transport rules requiring modification

List all transport rules that reference:

  • Proofpoint IP addresses
  • SCL score modifications (-1)
  • Header modifications (X-EOP-Direct-Delivery)
  • SafeLinks bypass (X-MS-Exchange-Organization-SkipSafeLinksProcessing)

Step 3: Create rollback plan

Document exact steps to revert if issues arise:

  1. DNS record values to restore (screenshot current DNS settings)
  2. Connector configurations to re-enable
  3. Transport rules to reactivate

Week 3: Production Cutover (The Actual Migration)

Day 1 (Friday evening/maintenance window)


Step 1: DNS Add Microsoft 365 MX record (staged approach)

Add new MX record with higher preference number (lower priority):

MX Priority 20: [domain-name]-com.mail.protection.outlook.com
MX Priority 10: mx1.ppe-hosted.com (existing Proofpoint)

Step 2: DNS Update SPF record

Modify SPF to include both providers temporarily:

v=spf1 include:_spf-us.ppe-hosted.com include:spf.protection.outlook.com -all

Step 3: DNS Add Microsoft 365 DKIM CNAME records

Add the two CNAME records generated in Week 1, Step 4.

Day 2 (Saturday)

Step 4: DNS Swap MX priorities

Change MX records so Microsoft 365 has highest priority:

MX Priority 0: [domain-name]-com.mail.protection.outlook.com
MX Priority 20: mx1.ppe-hosted.com (Proofpoint backup)

Step 5: IRONSCALES Verify IRONSCALES is active

  • If not already activated, complete the 10-minute setup
  • No configuration needed for anti-spam or impersonation protection
  • System begins learning immediately

Step 6: MICROSOFT Monitor mail flow

Use message trace to confirm mail routing through Microsoft 365:

Get-MessageTrace -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) | Select MessageId, Received, SenderAddress, RecipientAddress, Subject, Status

Day 3 (Sunday)

Step 7: DNS Remove Proofpoint MX record

After confirming stable mail flow for 24 hours, remove Proofpoint MX entries entirely.

Step 8: DNS Update SPF record

Remove Proofpoint includes from SPF:

v=spf1 include:spf.protection.outlook.com -all

Week 4: Cleanup and Optimization (Post-Migration - Optional)

Step 1: MICROSOFT Disable Proofpoint connectors (Day 1)

Do not delete yet, only disable to allow rollback if needed:

Set-InboundConnector "Proofpoint Inbound Connector" -Enabled $false
Set-OutboundConnector "Proofpoint Outbound Connector" -Enabled $false

Step 2: MICROSOFT Remove transport rules (Day 2)

Delete rules referencing Proofpoint after confirming no impact:

Remove-TransportRule "Proofpoint Bypass Rule" -Confirm:$false
Remove-TransportRule "Proofpoint SCL Override" -Confirm:$false

Step 3: MICROSOFT Remove disabled connectors (Day 3)

After 48 hours with no issues, permanently remove connectors:

Remove-InboundConnector "Proofpoint Inbound Connector" -Confirm:$false
Remove-OutboundConnector "Proofpoint Outbound Connector" -Confirm:$false

Step 4: PROOFPOINT Export Proofpoint data (Day 5 - Optional)

Only if required for compliance:

  1. Export message logs from Proofpoint admin console
  2. Download any quarantined messages requiring retention
  3. Save configuration documentation for compliance records

Post-Migration Monitoring (Optional Ongoing Tasks)

Daily tasks (first week)

  • MICROSOFT Review message trace logs for delivery failures
  • MICROSOFT Monitor help desk tickets for user-reported issues
  • IRONSCALES Review any reclassification requests

Weekly tasks (first month)

  • MICROSOFT Review mail flow statistics in Exchange admin center
  • MICROSOFT Validate compliance and retention policies
  • IRONSCALES Review threat reports and trends

Rollback Procedures

Within 4 hours of cutover

  1. DNS Revert MX records to original Proofpoint values
  2. MICROSOFT Re-enable Proofpoint connectors
  3. DNS Restore original SPF record
  4. Notify users of temporary reversion

After 4 hours but within 48 hours

  1. DNS Add Proofpoint MX records with higher priority
  2. MICROSOFT Re-enable disabled connectors
  3. DNS Add Proofpoint back to SPF record
  4. MICROSOFT Create transport rules to route specific mail through Proofpoint

Known Issues and Resolutions

URL Defense / SafeLinks interaction

  • Issue: During transition, if both systems are active, URLs might get double-encoded
  • Resolution: Not a concern with IRONSCALES - our URL protection doesn't conflict with existing rewrites

Attachment scanning delays

  • Issue: "[Unscanned Attachment]" tags from Proofpoint
  • Resolution: Tags disappear once Proofpoint removed from mail flow; IRONSCALES handles attachment scanning automatically

Directory synchronization

  • Issue: Proofpoint marks users as invalid during transition
  • Resolution: Only relevant if rollback needed - manual reactivation through Proofpoint interface

Support Resources

For assistance with IRONSCALES deployment or configuration:

  • Customer Success Team: success@ironscales.com
    • Tenant provisioning (10-minute process)
    • Onboarding assistance
    • Best practices guidance
  • Support Team: support@ironscales.com
    • Technical issues
    • Troubleshooting assistance
    • False positive/negative handling
  • Knowledge Base: Detailed guides provided when your IRONSCALES tenant is provisioned

For Microsoft 365 configuration issues, consult Microsoft documentation at https://docs.microsoft.com/defender-office-365/ or contact Microsoft Support through your tenant admin portal.
View full post