
OutThink is a cybersecurity human risk management platform that sends simulated phishing emails during tests. To ensure these test emails reach users, follow Proofpoint’s best practices for whitelisting a third-party vendor. In practice, this means creating a dedicated policy route for OutThink’s sending IP addresses (and domain) and adding custom allow rules. For example, Proofpoint’s security-awareness platform uses known IPs which it explicitly safelists; similarly, you should safelist OutThink’s mail server IPs in your email filters.
Whitelist OutThink Email Servers
The following IP Addresses must be whitelisted to bypass spam filtering within your organization. OutThink will send phishing simulation emails from these servers.
147.253.222.115
199.15.227.83
Create a Policy Route for OutThink Tests
- Navigate to System > System > Policy Routes in the Proofpoint UI. Click Add New to create a policy route (for example, name it Phishing_Spam_Test or Phishing_OutThink_Test).
- Add a condition such as Sender IP Address matching OutThink’s known sending IPs (enter the specific IP addresses given above). This route will mark all messages from OutThink’s IPs as simulation tests.
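Because every later step keys its bypass on this route, the route condition should cover the two published IPs and nothing else. The following is an added example, not part of the original article or of Proofpoint's or OutThink's tooling: it audits a list of Sender IP entries for scope. It assumes the entries have been copied out of the route condition as plain strings; the function name and the sample entries are hypothetical.

```python
import ipaddress

# Sending IPs published on this page for OutThink simulations.
OUTTHINK_IPS = {ipaddress.ip_address("147.253.222.115"),
                ipaddress.ip_address("199.15.227.83")}

def audit_route_entries(entries):
    """Classify each Sender IP entry of the policy route condition.

    Returns a dict with:
      exact   - entries that are exactly one published IP
      broad   - (entry, extra_address_count) for networks wider than needed
      unknown - entries that cover no published IP
      invalid - entries that do not parse as an address or network
      missing - published IPs not covered by any entry
    """
    report = {"exact": [], "broad": [], "unknown": [], "invalid": [], "missing": []}
    covered = set()
    for raw in entries:
        text = raw.strip()
        try:
            # strict=False accepts a host address written with a prefix length
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            report["invalid"].append(raw)
            continue
        hits = {ip for ip in OUTTHINK_IPS if ip in net}
        covered |= hits
        if not hits:
            report["unknown"].append(text)
        elif net.num_addresses == 1:
            report["exact"].append(text)
        else:
            # Every address beyond the published ones also gets the bypass.
            report["broad"].append((text, net.num_addresses - len(hits)))
    report["missing"] = sorted(str(ip) for ip in OUTTHINK_IPS - covered)
    return report

# Constructed sample entries (hypothetical, for illustration only).
SAMPLE_ENTRIES = ["147.253.222.115", "199.15.227.0/24",
                  "203.0.113.10", "199.15.227.83/33"]

if __name__ == "__main__":
    for key, value in audit_route_entries(SAMPLE_ENTRIES).items():
        print(f"{key:8} {value}")
```

Anything reported under broad or unknown widens the set of senders that skip spam, reputation, TAP and anti-spoofing checks, so those entries are the ones to review first.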
Add Custom Spam-Safelisting Rules
- Go to Email Protection > Spam Detection > Custom Rules, and click Add Rule. Create a rule called Spam_OutThink_Safelist (or similar). Add the condition Policy Route = Phishing_OutThink_Test, and set the action to Classify as Not Spam.
- Add another rule named Phish_OutThink_Safelist. For this rule set Policy Route = Phishing_Spam_OutThink and Set Classifier Score → Phish = 0 (to ensure the phishing classifier does not catch these test emails). These custom rules tell Proofpoint to treat OutThink’s simulation emails as legitimate mail.
Disable Reputation Filtering
- Navigate to Email Protection > Spam Detection > Reputation Service > Settings. In the Disable For Any Of list, add the Phishing_OutThink_Test route. This exempts OutThink’s simulation emails from IP/domain reputation checks that might otherwise quarantine them.
- (Alternative) If you already use a policy route like pdrsafe for safelisting (common in some Proofpoint setups), simply add OutThink’s IPs to that route instead, since pdrsafe is typically already on the disable list.
Exclude OutThink from Targeted Attack Protection
- If using TAP URL Defense, under Email Protection tab > Targeted Attack Protection > URL Defense > URL Rewrite > under Exceptions add OutThink’s IPs (given above) to the list.
- If using TAP Attachment Defense, go to Email Protection tab > Targeted Attack Protection > Attachment Defense, check Disable processing for selected policy routes… and pick the policy route Phishing_OutThink_Test (configured above). This change exempts attachments containing phishing test URLs from TAP Attachment Defense.
Disable Traffic Statistics and Bypass Anti-Spoofing
- Go to System > Settings > System. Uncheck Traffic Statistics for the Phishing_OutThink_Test route and add this route to Disable processing for selected policy routes. This prevents Proofpoint from pre-scanning simulation hyperlinks or skewing your traffic reports.
- (Optional) Under Send Feedback from Agent Directly, you can similarly create a route for OutThink’s IPs so that simulation emails are excluded from user feedback metrics.
- If Proofpoint’s anti-spoof rules or DMARC settings might flag the test emails, add OutThink’s IPs as an exception. For example, move the Phishing_OutThink_Test route into the Disable Processing list for the pp_antispoof rule, and in Email Authentication > DMARC configure it to bypass for that route.
Create a Policy Route to Bypass Traffic Statistics (Optional)
Under System > System > Settings > System, find the section called Send Feedback from Agent Directly.
Create a policy route with the OutThink IPs (given above) and add it to the Disable processing for selected policy routes list in this section. This will remove traffic using that policy route from the traffic stats feedback.
Email Firewall Rules Bypass (Optional)
You may also need to use the policy route to bypass specific Email Firewall Rules. Commonly, the pp_antispoof rule will need to have this policy route moved to the Disable processing list.
It is also often necessary to have this policy route bypass the Email Authentication checks. If DMARC is enabled, this is done in Email Authentication > DMARC > General.
For more information on such a bypass, please see the following article: [Email Protection (PPS/PoD)] Bypassing SPF/DKIM/DMARC for certain domains.