Spam filters

Proofpoint overview and troubleshooting tips

Proofpoint is a leading cybersecurity vendor with products spanning email, social, mobile applications, and data security. Their products are used by thousands of businesses worldwide. Their Email Protection Product Suite protects end users from spam, malware, and phishing attacks.

Proofpoint uses numerous layers of threat detection techniques to identify spam and other harmful messages.

  • Virus blocking
  • Spam filtering
  • Phishing detection
  • Content filtering

Infrastructure

Regions

North America, Europe, Middle East, Africa, Asia-Pacific

Website

Proofpoint main website

Related companies

Proofpoint owns and runs: Cloudmark, SORBS blocklist, and the Proofpoint blocklist

Safe sender list

Proofpoint administrators and end users may create a safe sender list for trusted senders. 

Messages on the safe sender list bypass Proofpoint's spam filter and is delivered to the end user's inbox.


Methodology

To give businesses more flexibility, Proofpoint allows administrators to customize the Proofpoint Email Protection Product Suite product settings to fit their business needs.  This flexibility can lead to inconsistent filtering results for a sender at different businesses using Proofpoint.

  • All incoming email is scanned for potential threats and assigned a spam score. The spam score measures the probability that the message is spam.
  • Administrators set the action taken when your email crosses the spam score threshold related to the selected sensitivity setting.
    • Spam sensitivity settings range from very loose to very strict.
    • Email with a score below the sensitivity setting is sent to the inbox.
    • Email with a score above the sensitivity setting is quarantined.
  • Senders receive bounce messages (non-delivery reports) from the mailbox provider for deferred and blocked messages.

Troubleshooting

  • Ensure your MFrom sending domain (aka Return-Path domain) has valid MX and A records. Missing, malformed, or misconfigured records are likely to result in rejected messages.
  • Ensure you have valid PTR records for your sending IPs.
  • Ensure your email system is not sending spam or viruses from an unauthorized third party.
  • Ensure you are using either a shared or dedicated IP address for your bulk marketing email. Do not use a dynamic IP address as they are frequently used by spammers.
  • Are you sending to unresponsive subscribers? Non-responders may be spam traps. Sending to spam traps may land your IP on the Proofpoint block list or have your content marked as spammy by Cloudmark.
  • Check if you are using link shorteners such as bit.ly in your content. Link shortening services are often used to hide malicious website domains.
    • Use the full URL string for your website or images.
  • Check your overall complaint rates and volumes through complaint feedback loops. Proofpoint does not provide a complaint feedback loop, however, high complaint rates at other providers can signal a problem with your list quality.
    • Cloudmark is owned by Proofpoint and end-user spam complaints is one of the data points used to identify spam.
    • Excessive spam complaints can also land your IP on the Proofpoint block list.
  • Ensure you have unsubscribe links in your email and immediately honor all unsubscribe requests.
  • Check your SMTP error codes to help you identify potential problems. 
  • If using TLS, ensure you are using TLS version 1.2 or higher. Not all Proofpoint customers require TLS, but enforcing it is an option.
  • Ensure you are respecting the Proofpoint customer's server resources. 
    • If you get an SMTP error message indicating invalid connections or too many recipients, lower your connections and throughput until the error message is no longer received.
  • Check the Proofpoint block list. Listed IPs result in delayed or blocked email.
  • Ensure all the URLs used in your email (including third party URLs) point to legitimate websites that are not infected with malware. Websites infected with malware are likely to appear on the domain block lists listed below. Perform a security scan for domains and servers you own.
  • Also check for other IP and domain blocklistings. This is especially important for new IPs and domains with limited sending history. Proofpoint has not disclosed which, if any, third party blocklists it uses. But, listed IPs and domains may indicate a problem that Proofpoint is factoring into their filtering decisions.
  • Is your new IP recently recycled? Ask your email service provider (ESP) when the last time the IP had any sending volume on it prior to being assigned for your use. IPs used recently by another sender could have a poor reputation attached to it.
    • A general guideline is for an IP to have zero sending volume for at least six months prior to it being assigned to another sender.
  • Are you using a new sending domain? New domains are often created by spammers to bypass IP reputation scans. New domains may receive additional scrutiny at Proofpoint, especially if the IPs have a bad sending reputation.
    • It is a best practice to notify recipients of your new sending domain prior to using it so they can add the new domain to their safe sender list.
  • Ensure you are authenticating all email with SPF, DKIM and DMARC and confirm they are passing checks at mailbox providers such as Gmail, Microsoft, and Yahoo.
    • Proofpoint only supports SPF, but their customers may use other spam filters that require DKIM and DMARC.
    • Make sure your SPF record is up to date with all sending IPs.
      • Based on the spam sensitivity set by an administrator, an SPF record with ~all that fails the SPF check may or may not be quarantined. An SPF record with -all that fails the SPF check is likely to be quarantined.
  • Make sure you are not sending attachments with bulk marketing email. Attachments sent to numerous recipients at the same time are likely to be perceived as spam or phishing.
    • If you want the recipient to download a whitepaper or other resource, use a link to your website where the recipient can download the document directly.
  • If you send an attachment in 1:1 communication, Proofpoint will scan it for potential threats. Make sure all attachments are free from viruses and malware.
  • What is the size of your email, including attachments? Proofpoint has a default size limit of 150MB. However, administrators may set a lower size limit based on their company's policy.
    • You should get an SMTP error message indicating your email size exceeded the limit.
    • Content encoding can add to the message size. If you think the file attachment is small enough, and you continue to exceed the limit, it may be because of content encoding.
    • If you continually exceed the message size, use a file sharing service such as Dropbox.
  • Ensure you are not asking for personally identifiable information from the recipient such as a bank account number, credit card number, social security number, insurance number, or driver's license number. 
    • If you need the recipient to update their account information, ask them to login to their account at your website by opening a separate browser window. Existing customers know how to find you.
    • Including a link to your website for this type of email is not recommended because a popular phishing tactic is asking someone to click on a link to update their information and then sending them to a fake website.

Related articles

Turn your data into revenue

Whether you’re looking to optimize the performance of your email marketing, data management or sales functions, Validity is your trusted partner to ensure you’re reaching who you need to.

Company
Products
Solutions
Resources
Contact