Proofpoint Postmaster

Welcome to the Proofpoint Postmaster portal

Proofpoint is a leading cybersecurity company dedicated to protecting organizations from advanced threats and compliance risks—including malicious or harmful email. To keep customers safe, our systems evaluate the reputation of sending IP addresses and domains. Factors such as spam-like behavior, malicious content, or improper authentication can negatively impact reputation, which may lead to delayed or blocked messages. 

This site is designed to help email senders improve their reputation and maximize deliverability to our customers. Here, you’ll find best practices for email delivery, authentication, and troubleshooting to ensure your messages reach their intended recipients.

Email delivery best practices

DNS and Technical Standards

Proper DNS configuration and adherence to technical standards are foundational to email deliverability. Proofpoint evaluates DNS records and protocol compliance to assess sender legitimacy and prevent abuse.

Forward and Reverse DNS (rDNS)

• Forward DNS: Ensure that your sending IP address resolves to a valid hostname. The hostname should be representative of a mail server (e.g. mail.example.com, mta.example.com, etc).
• Reverse DNS (PTR Record): The IP address must map back to the same hostname used in the forward DNS.

HELO/EHLO Hostname

The HELO/EHLO command should use a fully qualified domain name (FQDN) that matches the sending server’s reverse DNS. Avoid using generic or invalid hostnames (e.g., "localhost" or IP addresses) in the HELO/EHLO string.

Consistent DNS Records

• MX Records: Ensure your domain has valid and reachable MX records.
• A and AAAA Records: These should resolve correctly for all sending domains and subdomains.
• SPF, DKIM, and DMARC: Must be published in DNS and kept up to date.

TLS Encryption

Transport Layer Security (TLS) is required to ensure secure transmission of email. Configure your mail servers to support STARTTLS and enforce encryption for outbound and inbound mail where possible.

Compliance with Internet Standards

Ensure your email infrastructure complies with relevant RFCs, including:

• RFC 5321 (SMTP)
• RFC 5322 (Internet Message Format)
• RFC 7208 (SPF)
• RFC 6376 (DKIM)
• RFC 7489 (DMARC)

Avoid non-standard headers, malformed MIME structures, or improper line breaks.

Authentication

Proper email authentication is essential for ensuring message integrity, preventing spoofing, and improving deliverability. Proofpoint, along with major mailbox providers requires senders to implement the following authentication protocols: 

SPF (Sender Policy Framework)

SPF allows domain owners to specify which IP addresses are authorized to send mail on their behalf. Publish an SPF record in DNS that includes all outbound mail servers.

DKIM (DomainKeys Identified Mail)

DKIM uses cryptographic signatures to verify that an email was not altered in transit and that it was sent by an authorized domain.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM by specifying how to handle messages that fail authentication and provides visibility into abuse via reporting.

Additional Recommendations

Alignment: Ensure that the domain in the "From" header aligns with the domains authenticated via SPF and DKIM (required for DMARC compliance).

Troubleshooting (why isn’t my email getting delivered?)

Outbound spam (intentional or unintentional)

Spam refers to unsolicited emails or other digital communications sent to an individual or group of recipients. This includes unsolicited commercial messages or malicious messages like phishing scams. When a spam filter identifies spam emails, the IP addresses or domains may be blocked, prohibiting the delivery of the messages. Some proactive steps you can take to avoid legitimate emails from being identified as spam or your IP and/or domain from being blocked due to the detection of malicious spam include:

• Ensure email best practices are followed
• Secure internal systems against unauthorized use
• Be compliant with Internet privacy laws
• Authenticate your emails
• Avoid using misleading subject lines
• Send relevant content
• Send emails to recipients who have opted in or requested communications

Infected website / domain

If your website or domain is infected, emails linked to it will be blocked. Threat actors can exploit vulnerabilities in a website or device to spread spam or harmful content. This affects email delivery and your domain’s reputation. Protect against these threats by:

• Regularly evaluating websites and internal networks for malware
• Keep software and plugins updated
• Implement robust security measures and detections

If your domain is blocklisted, identify and remove the infection, then request delisting from blocklists to restore your email deliverability.

Other considerations / recommendations

New IPs

Due to new IP reputation, emails sent from new IPs are often marked as spam. To help establish the IPs reputation and avoid having emails sent from the IPs blocked as spam, gradually increase email volume (no more than 2x the previous volume) and ensure compliance with email best practices.

Use dedicated IPs

Dedicated IPS are better than shared IPs. Dedicated IP addresses can improve email deliverability by ensuring sending reputation is solely based on a controlled email source. With a dedicated IP, there is no risk of contamination from other sender's poor practices or delivery rates.

Isolate Marketing Email from User Email

Do not send marketing emails from the same IPs used for transactional or user emails. Separating these helps maintain the reputation of your transactional IPs and ensure critical emails are delivered reliably.

Unsubscribe

Include a clear and easy-to-find unsubscribe option in all marketing emails. Providing a straightforward way for recipients to opt-out not only complies with legal requirements but will also help maintain a healthy sender reputation by reducing spam complaints and scrubbing email lists.

• List-Unsubscribe Header: Major ISP now require a one-click unsubscribe mechanism via the List-Unsubscribe header (RFC 8058).
• Honor Unsubscribes Promptly: Ensure opt-outs are processed within 2 days

Keep lists clean

Maintaining good list hygiene is crucial for email deliverability. The regular scrubbing of email lists by removing inactive, invalid, or unengaged addresses reduces bounce rates and spam complaints, and ensures emails reach an engaged and interested audience. An industry standard for complaint rates is <0.3% (less than 3 complaints per 1000 messages sent)

Pay attention to error messages

Mail logs can show why emails are not delivered. Common errors can indicate issues such as authentication failures, blocklisting, or content-related problems, allowing focused troubleshooting and resolution of delivery issues.

Proofpoint’s SMTP error codes and what they mean

Error: 554 Blocked - see https://proofpoint.com/postmaster/?ip=1.2.3.4

• Your IP and/or domain has been blocked due to spam received or malicious activity detected

Error: 421 Deferred - see https://proofpoint.com/postmaster/?ip=1.2.3.4

• Your IP is being throttled due to unusual or unexpected sending patterns.

No error:

• Messages can be filtered for content. In this case no error message is returned

Deliverability support contact options

Proofpoint customers requiring additional postmaster assistance can visit our Community Portal.

If you are following the guidelines, policies, and best practices outlined on this site and continue to experience deliverability issues, you are welcome to submit a delist request. Please note that we may not be able to assist if your setup does not meet the above guidelines.

Additional Resources:

Business guide for Federal CAN-SPAM compliance:
https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

Canada's anti-spam legislation:
https://ised-isde.canada.ca/site/canada-anti-spam-legislation/en

M3AAWG Sender Best Common Practices:
https://www.m3aawg.org/sites/default/files/document/M3AAWG_Senders_BCP_Ver3-2015-02.pdf