Set Up a Proofpoint Server for Email Encryption

Set up a route to your Proofpoint server to encrypt emails inspected by Enterprise Data Loss Prevention (E-DLP) when using Email DLP.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
  • Data Security
What Do I Need?
  • One of the following licenses that include the Enterprise DLP license
    Review the Supported Platforms for details on the required license for each enforcement point.
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
  • Email DLP license
If you use Proofpoint as your email security gateway and your Email DLP policy action includes Encrypt, set up routing to your Proofpoint server to encrypt emails that match your encryption policy rule.
Skip this task if you don't use Proofpoint as your email security gateway for Gmail encryption.
  1. Prepare your Proofpoint server to encrypt emails inspected by Enterprise DLP.
    1. Enable DKIM signing for your Proofpoint server.
      When enabling DKIM signing, you must also select Enabled for the domain.
      Additionally, keep a record of your DKIM public key. This is required when updating your domain host records.
    2. Contact your email domain provider to update your SPF record.
      • Add your Proofpoint IP address to your SPF record.
        This is required to forward emails to Proofpoint for encryption. Skip this step if you have already updated your SPF record with your Proofpoint IP address.
      • Add the DKIM public key to your domain host records.
  2. Log in to the Google Admin Console.
  3. In the Dashboard, select Apps > Google Workspace > Gmail > Hosts and Add Route.
  4. Configure your Proofpoint server.
    1. Enter a descriptive Name for the Proofpoint server route.
    2. In Specify email server, verify Single host is selected.
      Only a single host Proofpoint server is supported.
    3. Enter the hostname and port for the Proofpoint server.
    4. For the Options, verify the following settings are enabled.
      • Require mail to be transmitted via a secure (TLS) connection
      • Require CA signed certificate
      • Validate certificate hostname
    5. Test TLS connection to verify that your Proofpoint server can successfully connect to Enterprise DLP.
    6. Save.
  5. Back in the Hosts page, verify that the Proofpoint server route is displayed.
  6. Set Up the Email DLP Host.
    You must set up the Email DLP Host to configure the routing from Gmail. Skip this step if you already configured routing to Enterprise DLP.
  7. Create Gmail Transport Rules.
    After you set up the Email DLP host on Gmail, create Gmail transport rules to instruct Gmail to forward emails to Enterprise DLP and to specify the actions Gmail takes based on verdicts rendered by Enterprise DLP.
    If your Email DLP policy action is set to Monitor, only the Email Transport rule is required. You don't need to create Quarantine, Block, or Encrypt transport rules.
    In this case, Enterprise DLP adds x-panw-action - monitor to the email header, creates a DLP incident, and sends the email to its intended recipient.
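A pre-flight check for the SPF and DKIM changes in step 1, as an added example that is not part of the Palo Alto Networks or Proofpoint documentation: it verifies that an SPF TXT record authorizes the Proofpoint IP address through a literal ip4:/ip6: mechanism and that the published DKIM TXT record carries the public key you recorded. The records, IP address, key and function names are constructed for illustration; the script does no DNS lookups, so include:, a and mx mechanisms are not resolved.

```python
import ipaddress

# Constructed sample values (documentation IP range, placeholder key).
PROOFPOINT_IP = "203.0.113.25"
SAMPLE_SPF = "v=spf1 ip4:203.0.113.25 include:_spf.google.com ~all"
SAMPLE_KEY = "QUJDREVGR0hJSktMTU5PUA=="
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=QUJDREVGR0hJ SktMTU5PUA=="


def spf_authorizes(spf_record, ip):
    """Return True if a literal ip4:/ip6: mechanism passes `ip`.

    include:, a and mx need DNS lookups and are skipped (offline check).
    """
    addr = ipaddress.ip_address(ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() == "all":
            return False  # reached the catch-all without an IP match
        if name.lower() in ("ip4", "ip6") and value:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # malformed mechanism: ignore in this check
            if addr.version == net.version and addr in net:
                return qualifier == "+"  # only a Pass qualifier authorizes
    return False


def dkim_key_matches(txt_record, expected_key_b64):
    """Return True if the record's p= tag equals the recorded public key."""
    tags = {}
    for part in txt_record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # DNS TXT strings may be split, so drop embedded whitespace.
            tags[name.strip()] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1":
        return False
    published = tags.get("p", "")
    # An empty p= means the key has been revoked.
    return bool(published) and published == "".join(expected_key_b64.split())


if __name__ == "__main__":
    print("SPF authorizes Proofpoint IP:", spf_authorizes(SAMPLE_SPF, PROOFPOINT_IP))
    print("DKIM key matches record:", dkim_key_matches(SAMPLE_DKIM, SAMPLE_KEY))
```

Feed it the TXT records returned by your DNS provider for the sending domain and the DKIM selector before you test the route in Gmail.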