Proofpoint SPF record setup for Essentials outbound mail
Set up a Proofpoint SPF record for Proofpoint Essentials outbound mail, choose the correct regional include, merge it into one SPF record, and verify DMARC.
Proofpoint SPF setup depends on which Proofpoint product and region handles your outbound mail.
For Proofpoint Essentials, Proofpoint’s connection details list regional SPF values such as:
v=spf1 include:_spf-us.ppe-hosted.com ~all
v=spf1 include:_spf-eu.ppe-hosted.com ~all
Use the region assigned to your Proofpoint Essentials environment. Do not add both unless Proofpoint support or your tenant configuration says both regions send for your domain.
Before you start
Confirm that Proofpoint is actually sending outbound mail for your domain. Many organizations use Proofpoint only for inbound filtering. SPF should authorize services that send mail, not every service that scans inbound mail.
You also need to know your Proofpoint region. Proofpoint Essentials environments use different hosted domains and smart hosts for US and EU tenants.
Run your domain through the DMARCTrust domain checker before editing DNS so you can see the current SPF record and lookup count.
Step 1: find your current SPF record
In DNS, look for the TXT record at the root domain that starts with v=spf1.
If one exists, edit it. If none exists, create one.
Never publish a separate Proofpoint SPF TXT record beside an existing Google, Microsoft, or Salesforce SPF record. SPF allows one record per domain.
Step 2: add the Proofpoint include
For a US Proofpoint Essentials tenant, your SPF record may look like:
v=spf1 include:_spf-us.ppe-hosted.com ~all
For an EU Proofpoint Essentials tenant:
v=spf1 include:_spf-eu.ppe-hosted.com ~all
If Microsoft 365 sends outbound mail through Proofpoint, your combined record might be:
v=spf1 include:spf.protection.outlook.com include:_spf-us.ppe-hosted.com ~all
If Google Workspace also sends directly:
v=spf1 include:_spf.google.com include:_spf-us.ppe-hosted.com ~all
Replace the region include with the one Proofpoint documents for your tenant.
Step 3: keep the lookup count under 10
Proofpoint, Google, Microsoft, Salesforce, Zendesk, HubSpot, and other senders all add DNS lookups.
SPF fails at more than 10 DNS lookups. Before adding Proofpoint, remove old vendors you no longer use. If the record is already close to the limit, use DMARC reports to identify which senders still matter.
Step 4: verify real outbound mail
After DNS propagates, send a message that actually routes through Proofpoint.
Check:
- SPF passes for the envelope sender domain.
- There is exactly one SPF record.
- DMARC passes through aligned SPF or aligned DKIM.
- Proofpoint appears correctly in DMARC aggregate reports.
Use DMARCTrust for the DNS check and your DMARCTrust dashboard for real report data.
Common mistakes
Adding Proofpoint when it is inbound-only. If Proofpoint does not send outbound mail for your domain, it does not belong in SPF.
Using the wrong region. US and EU Proofpoint Essentials tenants use different includes.
Creating a duplicate SPF record. Merge Proofpoint into the existing SPF record.
Assuming SPF solves DMARC. SPF must align with the visible From domain. If routing changes the return-path domain, DKIM may be the better DMARC path.
What about DKIM?
Proofpoint Essentials can be part of outbound DKIM signing, but the DNS record is not a universal public value. Your tenant or Proofpoint support must provide the DKIM selector and DNS value.
Use the companion guide: Proofpoint DKIM setup.
FAQ
What is the Proofpoint SPF record?
For Proofpoint Essentials, the regional includes commonly documented by Proofpoint are _spf-us.ppe-hosted.com for US and _spf-eu.ppe-hosted.com for EU.
Should I add Proofpoint to SPF if it only filters inbound mail?
No. SPF authorizes outbound senders. Inbound filtering alone does not require SPF authorization.
Can I have Microsoft 365 and Proofpoint in one SPF record?
Yes. Merge both includes into one SPF TXT record and verify the lookup count.
