Requirements


  • This feature is only available on the following packages:
    • Professional
    • Professional+
  • The O365 account setting up archiving must have global administrator rights
  • You must also create a dedicated journaling email address on your domain for undeliverable reports to be sent to (i.e. undeliverable@yourdomain.com)
    • This email address will not have its messages archived


Enable Archiving in Proofpoint


Log into the Proofpoint portal that matches your tenant's region.



Navigate to Account Management > Features, then verify that the "enable email archive" box is checked. If this isn't currently enabled, then check this box and click Save at the bottom of the page.



Once this feature is enabled, a new Archiving option will appear in the top-left corner of the Proofpoint portal.



Configure O365 Connection in Archive


Click the new Archive option to the left, then hover over the bar with icons on the left side of the new page. From here, navigate to Data Management > Connections:



In the top right corner of the Connections page, click on Add Connection:



Under Description, enter a name such as O365. Set the connection type to SMTP (O365).


Fill in the "Undeliverable Journal Address" field with a dedicated email address that the archive can use for error reporting.

  • This address will not have any of their email archived, so do not fill in an active user's email address into this field.
  • The undeliverable address will also be needed for configuring the journal rule later.



Once this information is filled in, click Next. Copy down the SMTP address that Proofpoint provides here, as it will be needed later. (This address will end with "us.earchive.cloud" if you are a US customer or "eu.earchive.cloud" if you are an EU customer.)


 

Click Done at the bottom of the page when finished. This SMTP address can be viewed again later if needed by editing the connection.


Create Archive Outbound Connector in O365


Log into the Exchange Admin Center, then navigate to Mail Flow > Connectors > + Add a Connector


From here, build a connector with the following structure:

  • Select “from O365 to partner organization”
  • Set a name such as "Proofpoint Archive Connector"
  • Tick the "Turn it on" checkbox
  • Under “when do you want to use this connector,” select “only when email addresses are sent to these domains”
    • US customers: add *.earchive.cloud and *.earchive.cloud.us.earchive.cloud
    • EU customers: add *.earchive.cloud and *.earchive.cloud.eu.earchive.cloud
  • Under “how do you want to route email messages,” select “Use the MX record associated with the partner’s domain"
  • Under "security restrictions," leave the default value of “Always use TLS” and “issued by a trusted certificate authority”
  • Under "validation email," enter the following email address depending on your region:
    • US customers: verification@us.earchive.cloud
    • EU customers: verification@eu.earchive.cloud
  • When prompted to validate the connection, click Validate and wait for the validation operation to finish
    • Sometimes the verification step may fail, but this has no impact on how the connector will run. Even if the verification fails, you can continue with the rest of the setup.
  • When finished, click Save


Create Journal Rule / Set Undeliverable Reports


The configuration of journal rules in O365 has been moved out of the classic Exchange Admin Center and into Microsoft Purview, which can be found here: (https://compliance.microsoft.com/)


On the left side of this page, navigate to Data Lifecycle Management > Exchange (Legacy). Then, click Settings in the top-right corner.



Under "undeliverable reports," click Replace. Fill in this section with the exact same undeliverable journal address you specified when creating the archive connection in Proofpoint.



Click Save once you've finished. If this doesn't match the journal address listed in Proofpoint, the archiving will not work. 



Return to the Exchange (legacy) page. Navigate to the Journal Rules section, then click New Rule.



Fill in the following fields:

  • Under "Send journal reports to," enter the SMTP address of the journaling mailbox provided by Proofpoint that you copied down earlier (longstringoflettersandnumbers@us.earchive.cloud or longstringoflettersandnumbers@eu.earchive.cloud)
  • Fill in a name such as "Proofpoint Archive" under "Journal rule name"
  • Under "Journal messages sent or received from," select Everyone
  • Under "Type of message to journal," select All Messages
  • Click Next, then click Submit


Set Archive Permissions


Log back into Proofpoint as an organization admin (logging in with the same domain that this Proofpoint tenant is using). Using a channel admin account that a partner might use to view the settings of their customers will not work for this.


Click the Archive Tab, then in the Archive UI, click Users on the left.



Search for whichever user(s) should be able to search through the archive. Click on the three dots next to their email address on the right, then click "Manage Permissions."



To allow this user to search the archive, enable the option for Discovery User.

  • The "administrator" option will give this user permission to edit settings such as retention policies, connections, etc.
  • You may grant a Discovery User permission to search the archive for either everyone's mail or only specific mailboxes


When finished, click Save. Any account set as a Discovery User should now be able to search though and interact with the data in the Proofpoint email archives.