Set Up a Proofpoint Server for Email Encryption
Set up a route to your Proofpoint server to encrypt emails inspected by Enterprise Data Loss Prevention (E-DLP) when using Email DLP.
Where Can I Use This?
  • Data Security
What Do I Need?
  • One of the following licenses that include the Enterprise DLP license
    Review the Supported Platforms for details on the required license for each enforcement point.
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
  • Email DLP license
Set up routing to your Proofpoint server to encrypt emails inspected by Enterprise Data Loss Prevention (E-DLP) that match your encryption Email DLP policy rule.
  1. Prepare your Proofpoint server to encrypt emails inspected by Enterprise DLP.
    1. Enable DKIM signing for your Proofpoint server.
      When enabling DKIM signing, you must also select Enabled for the domain.
      Additionally, keep a record of your DKIM public key. This is required when updating your domain host records.
    2. Contact your email domain provider to update your SPF record.
      • Add your Proofpoint IP address to your SPF record.
        This is required to forward emails to Proofpoint for encryption. Skip this step if you have already updated your SPF record with your Proofpoint IP address.
      • Add the DKIM public key to your domain host records.
  2. Log in to the Google Admin Console.
  3. In the Dashboard, select Apps > Google Workspace > Gmail > Hosts and Add Route.
  4. Configure your Proofpoint server.
    1. Enter a descriptive Name for the Proofpoint server route.
    2. In Specify email server, verify Single host is selected.
      Only a single host Proofpoint server is supported.
    3. Enter the hostname and port for the Proofpoint server.
    4. For the Options, verify the following settings are enabled.
      • Require mail to be transmitted via a secure (TLS) connection
      • Require CA signed certificate
      • Validate certificate hostname
    5. Test TLS connection to verify that your Proofpoint server can successfully connect to Enterprise DLP.
    6. Save.
  5. Back in the Hosts page, verify that the Proofpoint server route is displayed.
  6. Set Up the Email DLP Host.
    This is required to forward emails to Enterprise DLP for inspection and verdict rendering to prevent exfiltration of sensitive data. Skip this step if you already configured routing to Enterprise DLP.
  7. Create Gmail Transport Rules.
    After you successfully set up the Email DLP host on Gmail, you must create the Gmail transport rules to instruct Gmail to forward emails to Enterprise DLP and establish the actions Gmail takes based on verdicts rendered by Enterprise DLP.
    This is required to forward emails to Enterprise DLP for inspection and verdict rendering to prevent exfiltration of sensitive data. Skip this step if you already configured routing to Enterprise DLP.
    A transport rule isn't required for emails that match your Email DLP policy where the action is set to Monitor. In this case, Enterprise DLP adds x-panw-action - monitor to the email header, a DLP incident is created, and the email continues to its intended recipient.
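
Step 1 asks you to add the Proofpoint IP address to your SPF record and publish the DKIM public key you recorded. The following is an added example, not part of the original procedure or of any Palo Alto Networks or Proofpoint tooling, that checks both records offline once you have copied their TXT values. The IP address, SPF strings and key are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (documentation address range, placeholder key).
PROOFPOINT_IP = "198.51.100.25"
SPF_BEFORE = "v=spf1 include:_spf.google.com ~all"
SPF_AFTER = "v=spf1 ip4:198.51.100.25 include:_spf.google.com ~all"
RECORDED_KEY = "Q09OU1RSVUNURUQtRVhBTVBMRS1LRVk="
DKIM_TXT = "v=DKIM1; k=rsa; p=" + RECORDED_KEY

def spf_covers_ip(spf_record, ip):
    """True if a literal ip4:/ip6: mechanism gives `ip` a pass (include:/a/mx are skipped)."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, value = mech.lower().partition(":")
        if name == "all":
            return qualifier == "+"          # catch-all ends evaluation
        if name not in ("ip4", "ip6") or not value:
            continue                         # needs DNS or is a modifier: not evaluated
        net = ipaddress.ip_network(value, strict=False)
        if addr.version == net.version and addr in net:
            return qualifier == "+"          # first match wins; only "+" is a pass
    return False

def dkim_public_key(txt_record):
    """Return the p= value of a DKIM TXT record; raise if it is missing or empty."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unexpected DKIM record version")
    if not tags.get("p"):
        raise ValueError("no public key in record (an empty p= means revoked)")
    return tags["p"]

def check_records(spf_record, dkim_txt, proofpoint_ip, recorded_key):
    """Compare the published records against the values noted during step 1."""
    return {
        "spf_authorizes_proofpoint": spf_covers_ip(spf_record, proofpoint_ip),
        "dkim_key_matches": dkim_public_key(dkim_txt) == "".join(recorded_key.split()),
    }

if __name__ == "__main__":
    print(check_records(SPF_AFTER, DKIM_TXT, PROOFPOINT_IP, RECORDED_KEY))
```

A False result for the SPF check can also mean the address is authorized only through an include: or other DNS-dependent mechanism, which this offline check does not follow.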