Proofpoint Enterprise Archive: Email Archiving Process

Microsoft Exchange features a capability called journaling. When enabled, a copy of any email message that is sent or received though Exchange is added to the journaling mailbox. At configurable time intervals, the Proofpoint email archiving appliance uses MAPI calls (and a user account that is provided by the customer) to login to Exchange and access the journaling mailbox, in exactly the same way that Outlook accesses a user's mailbox. If there are email messages in the journaling mailbox, the Proofpoint email archiving appliance divides them into batches, creates a subfolder for each batch of messages and moves the message references into the folders.

The Exchange email batches are then processed by the Proofpoint email archiving appliance, DoubleBlind Encryption is applied, and email messages are submitted to the Proofpoint network for archival. Periodically, the Proofpoint email archiving appliance requests confirmation from the Proofpoint network that the Exchange email batch has been fully processed. Upon confirmation, the batch folder is removed from the journaling mailbox.

Unlike other hosted email archiving solutions that rely on Exchange to push email messages via SMTP, the Proofpoint email archiving appliance pulls email messages from the Exchange journaling mailbox. As such, in the event of an issue with the email archiving appliance, email messages simply queue in the Exchange journal mailbox until a replacement appliance is put into place. Messages that were submitted to Proofpoint for archiving that have not been confirmed remain in a folder within Exchange. Similarly, when your Internet connectivity goes down, email messages being submitted during that time can also be reprocessed, ensuring the integrity of your archive. Because the data is never removed from the batch folders within the Exchange journaling mailbox until the Proofpoint network confirms that the batch has been fully archived, even messages that were in-transit at the point of failure are safe.

Some outsourced vendors trap email messages in the middle of the Internet mail flow. In this setup, your company's internet domain (for email purposes, known as an MX record in a DNS server) is reconfigured to point to the archive provider, and not to your company directly. As such, all incoming mail goes to the archiving company first, who then forwards it to your company’s real mail server. For outbound mail, you configure your mail servers to send mail to the archive provider, who then forwards it to the actual recipient. This approach doesn't allow you to archive email messages sent between internal parties. In addition, because messages are captured in SMTP form, they lose much of the richness of the original message. For example, depending upon the configuration of the Exchange email archiving, you may not see all of the recipients, as internal BCC information may be lost. Similarly messages sent to distribution lists may not contain the full list of actual recipients.

According to Microsoft Exchange, enabling journaling adds about 15% to the load on the Exchange server. Retrieving the email messages from the Exchange journal is similar to having an additional user accessing their own mailbox, albeit a highly active user. All told, you can expect to see a 20% increase in load on your Exchange server with Proofpoint email archiving in place (as compared to a system without journaling enabled). With all of the mail archived, however, customers may find it easier to enforce tighter restrictions on how much mail or how long mail can be stored within users’ mailboxes. As Exchange performance is highly related to the size of the message stores, the Exchange performance gains from tighter restrictions may exceed the load created from the journaling/archiving process.

Depending on how much email is generated within an organization, there may be a slight increase in outbound corporate traffic. However, the Proofpoint email archiving appliance compresses content and provides the capability to control when email is sent to the Proofpoint network to minimize any impact.

Yes. In Exchange, journaling is configured on a per storage group basis. As such, you can enable journaling for one storage group and not another. The Proofpoint email archiving appliance inspects the mailbox that the customer defines to retrieve email messages for archiving. To archive email messages for a subset of users, customers can configure Exchange to journal to a different mailbox than the one monitored by the Proofpoint email archiving appliance. Exchange server rules can be configured to selectively move messages from one mailbox to the other for archiving.

In Exchange 2007, the email archiving process has been made even easier, with rules that allow you to specify which mailboxes are journaled.

Yes. While each email archiving appliance can process mail from multiple journaling mailboxes (each of which can reside on a separate Exchange server), larger organizations may need multiple email archiving appliances to support the volume of messages. As each of these email archiving appliances will be configured with the same customer ID and encryption key, they can feed data into the same archive for unified search and discovery capabilities.

When the Proofpoint email archiving appliance retrieves a message from Exchange, it records who the email message was addressed to. In the case of email messages sent to distribution lists, the Proofpoint email archiving appliance communicates with Active Directory to determine the actual recipients that received the message. Both the original address list (referencing the distribution list) and the "resolved" list of actual recipients is archived. For legal discovery purposes, you can search for these messages based upon the distribution list or any of the resolved recipients.