By White Arrow Technology
It’s one of the most unsettling things that can happen to a sending domain. Your email has been flowing fine for months. Then, seemingly overnight, messages to a couple of your recipients start bouncing or landing in quarantine. The common thread: those recipients run Proofpoint as their email gateway.
The natural reaction is “but we didn’t change anything.” And that’s usually true. You didn’t. Yet the mail is failing, and the failures are real. Here’s what’s actually going on, how to prove it from your own data, and how to stop it happening again.
First, the reassuring part: this is almost never Proofpoint being difficult
When a Proofpoint-protected recipient suddenly starts rejecting your mail, it is rarely a new rule invented to annoy you. It is Proofpoint doing exactly what the standard tells it to do: checking whether your message passes DMARC, and honouring the policy it finds.
DMARC passes when at least one of two things is true. Either the message passes SPF and the SPF domain aligns with the domain in your visible From address, or it passes DKIM and the DKIM signing domain aligns with that From domain. If both of those fail, DMARC fails, and the receiver applies whatever policy your domain publishes: none, quarantine, or reject.
So if Proofpoint just started rejecting you, one of three things changed, even if it wasn’t obvious:
- Your own DMARC policy moved to quarantine or reject.
- Your SPF or DKIM alignment quietly broke.
- The recipient tightened how strictly it enforces DMARC.
The failures are the symptom. Alignment is almost always the disease.
Why “we changed nothing” is usually wrong in a way that isn’t your fault
The frustrating truth about email authentication is that things break without anyone touching your DNS. A few real world causes we see constantly:
A third-party sender fell out of alignment. You send some of your mail through a marketing platform, a CRM, an invoicing tool, or a helpdesk. That vendor changed its sending infrastructure, rotated a DKIM key, or altered its return-path. Your DNS looks identical, but the mail those tools send on your behalf no longer aligns, and it fails DMARC the moment it hits an enforcing receiver like Proofpoint.
An SPF record silently exceeded the 10 lookup limit. SPF permits a maximum of ten DNS lookups. Add one more vendor to an already crowded record and the whole thing can return a permerror, which fails SPF entirely. Nobody edited your record with bad intent. It simply tipped over a hard limit.
A DKIM selector or key stopped validating. A key rotation that wasn’t published correctly, a selector that got removed, or a signature that breaks in transit will drop DKIM. If SPF alignment was already marginal, DKIM was the only thing holding DMARC together, and now it’s gone.
The recipient moved from monitoring to enforcement. Plenty of organisations run their inbound Proofpoint in a posture that starts honouring sender DMARC policies more strictly over time. Your mail that “always worked” was quietly failing DMARC for months; the recipient just wasn’t acting on it yet. The day they flip to enforcement, your borderline mail becomes rejected mail.
In every one of these, your side technically didn’t change. The alignment did.
How to prove exactly what’s happening, using data you may already have
You don’t have to guess. This is precisely what DMARC aggregate reports are for.
If your domain publishes a DMARC record with an rua reporting address, receivers, including the Proofpoint-protected ones, send you daily XML reports showing every source sending as your domain, whether SPF aligned, whether DKIM aligned, and what policy was applied. Read against a failure like this, those reports tell you in minutes:
- Which sending source is failing. The reports group by sending IP and by result, so a broken vendor stands out immediately.
- Whether it’s SPF, DKIM, or both. You’ll see pass or fail for each, per source, so you know exactly which leg gave way.
- Whether alignment, not authentication, is the problem. A source can pass SPF outright yet still fail DMARC because the SPF domain doesn’t align with your From domain. The reports make that distinction visible, which raw bounce messages never will.
The catch: those XML reports are close to unreadable by hand, and a busy domain generates a lot of them. This is where a proper DMARC monitoring service earns its place, turning the raw feed into a clear picture of who is sending as you and where authentication is breaking.
How to fix it, in order
Once the reports have named the failing source, the fix is usually straightforward:
- If a vendor fell out of alignment, add or correct its SPF include and enable aligned DKIM signing for that service. Most reputable platforms document exactly what to publish.
- If SPF is over the lookup limit, flatten or consolidate the record, remove vendors you no longer use, and lean on DKIM as the more robust of the two mechanisms.
- If DKIM broke, republish the correct public key for the active selector and confirm signatures validate on a live message.
- If your own policy tightened faster than your setup was ready for, this is the classic lesson: never publish reject before your reports show every legitimate source passing. Move deliberately from none, to quarantine, to reject, and let the data tell you when it’s safe.
Then keep watching. Alignment isn’t a set-and-forget state. Every new tool your business adopts is a new sender that has to be brought into alignment before it starts failing at the next Proofpoint gateway you send to.
The real lesson: enforcement without monitoring is a trap
The organisations that get blindsided by “Proofpoint suddenly started rejecting us” almost always share one trait. They published a DMARC policy at some point, felt protected, and stopped looking at the reports. Enforcement without monitoring means you find out about a broken sender when your recipients do, through failed mail, instead of days earlier through your own data.
That’s the entire point of running DMARC as a managed, monitored service rather than a one-off DNS entry. The reports are already being generated for you. The only question is whether anyone is reading them before a problem reaches your customers.
We watch this so you don’t have to
At White Arrow Technology, DMARC monitoring is exactly what we do. We turn the raw aggregate reports from every receiver, Proofpoint included, into a plain-English view of who is sending as your domain, which sources are aligned, and what needs fixing before it turns into rejected mail. When a vendor drifts out of alignment, you hear it from us, not from an angry client whose email bounced.
If mail to Proofpoint-protected recipients has started failing, or you simply want to know whether your DMARC setup is genuinely protecting you or quietly waiting to break, let’s take a look at your reports together.
👉 Get a free DMARC health check or email [email protected]
In email authentication, “we didn’t change anything” is rarely the reassurance it sounds like. The alignment changes even when your DNS doesn’t. The reports are already telling the story. The only question is whether you’re reading them.
No responses yet