However, anytime a customer uses Proofpoint they block our emails. I have asked for whitelisting but no reply from them for months. We have SPF, DKIM, DMARC records set. This domain is 2 years old. We run our own email infrastructure – probably the only sin we committed so far.
It seems that these companies - Proofpoint, Microsoft, Google - make arbitrary and undisclosed rules for email delivery. Why can't the FTC go after these companies and fine them? Microsoft is one of the worst offenders. Unless you are a customer of Microsoft and use one of their systems, you will face delivery problems.
Either way, does anyone know what we can do to get past the Proofpoint block?
Proofpoint:
* Does very aggressive "bot click" checks when they suspect your email is spam. They'll hit every link in every email, trying to check if the destination page is legit. They'll be rotating IPs and user agents for every hit and probably using the AWS IP range - if your web server blocks this behaviour, then that might be the reason why they penalize your emails.
* They will block you based on the behaviour of other mailers that share the same sending IP. If you're not sending from a stable IP that's exclusively yours, then that could be the problem. Think about what other systems live/send email from that IP.
If you send me an email directly from your system (not forwarding an email) then I could take a quick look.
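An added example, not part of the thread: one way to check your own web server's access log for the pattern described in the comment above (a short burst of hits on one message's links from several IPs and user agents) and to see whether any of those requests were denied. The `/m/<message-id>/<link>` URL layout, the thresholds and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (documentation IP ranges).
# Assumption: links placed in outgoing mail look like /m/<message-id>/<link-number>.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:09:00:01 +0000] "GET /m/a1/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [12/Mar/2024:09:00:02 +0000] "GET /m/a1/2 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.99 - - [12/Mar/2024:09:00:04 +0000] "GET /m/a1/3 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.5 - - [12/Mar/2024:11:30:00 +0000] "GET /m/b2/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone)"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /m/(?P<msg>\w+)/(?P<link>\d+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def scanner_bursts(log_text, min_sources=3, window_s=60, blocked=(403, 429)):
    """Return messages whose links were hit by >= min_sources distinct IPs and
    user agents within window_s seconds, with the links that were denied."""
    per_msg = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a request for an emailed link
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_msg[m["msg"]].append((ts, m["ip"], m["ua"], m["link"], int(m["status"])))

    findings = {}
    for msg, hits in per_msg.items():
        hits.sort()
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        ips = {h[1] for h in hits}
        agents = {h[2] for h in hits}
        # Simple heuristic: all hits for the message fit in one short window
        # and come from several different sources.
        if len(ips) >= min_sources and len(agents) >= min_sources and span <= window_s:
            findings[msg] = {
                "sources": len(ips),
                "links": len({h[3] for h in hits}),
                "denied_links": sorted(h[3] for h in hits if h[4] in blocked),
            }
    return findings

if __name__ == "__main__":
    for msg, info in scanner_bursts(SAMPLE_LOG).items():
        print(msg, info)
```

A non-empty `denied_links` list for a flagged message means the server (or a WAF or rate limiter in front of it) refused part of the link-checking burst.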
In our case, the domain was registered 15 years ago and email is only sent using Google Workspace. SPF, DKIM, DMARC (strict) all set up as they should be. The customers using Proofpoint who suddenly stopped getting our emails had previously had no issues for 10+ years. In some cases (not all), those customers couldn't email us either - emails both directions got silently dropped, so even the employees of some customers didn't know their emails were not going through until we got angry calls asking why we weren't responding to them anymore.
Ultimately, I discovered the trigger was a compromised WordPress plugin quietly injecting SEO spam... running on wpengine. That WordPress site was fully owned/managed by our marketing team and in no way connected to our corporate infrastructure, other than by a CNAME of the same domain email is sent from. I had the marketing team revert to a backup that wasn't compromised, update all the plugins, and used Quttera's scanner (which found it initially) to confirm the issue was gone, and within a few weeks it appeared we were no longer blocked. I say appeared because long before that point we had contacted all customers who had MX records indicating Proofpoint was used, requesting manual whitelisting.
As much as I'd love to ban WordPress use at the company, we had to settle for using an internal-only WP instance and a plugin that generates a static site export to eliminate any chances of this happening again.
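An added example, not part of the thread: a small inventory check for the situation described in the comment above, listing every hostname under the mail-sending domain that ends up, directly or through a CNAME chain, on a host outside that domain. The zone text and all names in it are constructed, and the parser assumes one record per line with an explicit owner name and a `$ORIGIN` line.

```python
# Constructed zone export; example.com stands in for the mail-sending domain.
ZONE = """\
$ORIGIN example.com.
@        3600 IN MX    10 mx.example.com.
mail     3600 IN A     192.0.2.10
www      3600 IN CNAME mktg-site.hosting.example.   ; externally hosted CMS
blog     3600 IN CNAME www
intranet 3600 IN CNAME mail
status   3600 IN CNAME pages.example.net.
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lower-case absolute name."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def external_cnames(zone_text):
    """Map each hostname in the zone to the out-of-zone host it finally points at."""
    origin, cnames = None, {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
        elif "CNAME" in fields[1:-1]:           # owner [ttl] [class] CNAME target
            cnames[fqdn(fields[0], origin)] = fqdn(fields[-1], origin)

    external = {}
    for owner, target in cnames.items():
        seen = {owner}
        # Follow CNAME chains that stay inside the zone (loop-safe).
        while target in cnames and target not in seen:
            seen.add(target)
            target = cnames[target]
        if target != origin and not target.endswith("." + origin):
            external[owner] = target
    return external

if __name__ == "__main__":
    for host, target in external_cnames(ZONE).items():
        print(f"{host} -> {target}")
```

Each hostname reported is content served under the sending domain's name by infrastructure someone else runs, so it belongs in the same patching and monitoring scope as the mail setup.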
after jumping into DKIM, SPF and all that, I can get delivered from our server to Gmail.. but not to the company Outlook boxes.. tried to get [third party corporate IT] to whitelist the IP or domain - they can't find receive attempts in logs..
back and forth, showing screenshots with timestamps, paying stupid money per hour to [NotNaming].. get told that well their msoft thing depends on AWS as a middle man and it is hardcore about spam stuff and if that's the problem it will take a ton of 3 team digging?
Giving up - now trying to find a way to have the server send an email to gmail and then forwarding to company's office365 - maybe, I dunno yet.
I don't think that secret rules are the main problem. Two groups of rules are public: don't send spam/phishing/malware and follow all relevant RFCs (SMTP/MIME/SPF/DKIM/DMARC). The list of small things which affect mail delivery is long, so I recommend using tools like https://www.mail-tester.com/ which can highlight problems in your mail setup (a couple of checks are unnecessarily strict though, and some are relevant only to newsletters/mailing lists and not relevant for individual messages sent by humans, but most items in their list you need to follow).
Everything else is usually secret on purpose - so it would be harder for spammers to evade spam filters.
A much bigger problem is that any spam filter can mark a non-spam message as spam (False Positive) or a spam message as ham (False Negative), and there is an inherent trade-off between FP and FN rates. It's easy to reduce one of them while letting the other increase. If I were building an anti-spam system, I would target near-zero FP and then try to reduce FN to the extent possible without increasing FP. But it looks like the leadership of mail companies (like PP, O365 etc.) targets low FN and cares much less about FP. Don't know why - maybe their customers demand low FN and don't understand that by asking for low FN they are getting high FP.
Having said that, it is likely that your problem can be solved in 15 minutes (e.g. by removing your domain from a blocklist in which it can end up because of a system error - see above about FPs) if you can get a PP employee to check their logs. But that's the main problem - these companies don't invest nearly enough in processing feedback from non-customers; we are lucky if they hire a couple of (underpaid) contractors to process all the non-customer feedback they are getting. So it looks like the only way to solve the problem is to find some PP employee via friends of friends or find a PP customer who can file a support ticket.
I think the process took 2 weeks.
EDIT: I wish there was a more professional/straightforward way
Have you tried contacting the customer and asking them to have their IT team allowlist you?
Had similar issues with Yahoo/AOL.
For protecting their customers from bad actors, seems like an odd thing for them to go after.
If it is blocked by your clients’ infrastructure, it is not passing the test.
Unless this is a hill you want your business to die upon, finding another email service might be a better option. Changing your business practices is probably within your control. Changing another business’s business practices probably is not.
Good luck.