Ask HN: Proofpoint is blocking our emails. Any recourse?

23 points by internet1776 7 days ago

We have a valid email domain that is battletested and used for sending out notifications, invoices, upgrade notices to customers. Our emails go through all systems and ESPs such as Google, Outlook, Proton etc.

However, anytime a customer uses Proofpoint they block our emails. I have asked for whitelisting but no reply from them for months. We have SPF, DKIM, DMARC records set. This domain is 2 years old. We run our own email infrastructure – probably the only sin we have committed so far.

It seems that these companies - Proofpoint, Microsoft, Google - make arbitrary and undisclosed rules for email delivery. Why can't FTC go after these companies and fine them. Microsoft is one of the worst offenders. Unless you are a customer of Microsoft and use one of their systems, you will face delivery problems.

Either way, does anyone know what we can do to get past the Proofpoint block?

jfil 7 days ago

Email is probably the least concentrated and gate-kept space on the Internet. You'll be waiting for a very long time until these issues are on regulators' radar.

Proofpoint:

* Does very aggressive "bot click" checks when they suspect your email is spam. They'll hit every link in every email, trying to check if the destination page is legit. They'll be rotating IPs and user agents for every hit and probably using the AWS IP range - if your web server blocks this behaviour, then that might be the reason why they penalize your emails.
* They will block you based on the behaviour of other mailers that share the same sending IP. If you're not sending from a stable IP that's exclusively yours, then that could be the problem. Think about what other systems live/send email from that IP.

If you send me an email directly from your system (not forwarding an email) then I could take a quick look.
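Added example (not part of jfil's comment or any poster's code): one way to check your own web access logs for the link-scanning pattern described above, and to see whether your server refused those requests. The `m=` per-message link token, the combined log format, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "GET /invoice?m=a1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 - - [12/Mar/2024:10:00:06 +0000] "GET /unsubscribe?m=a1 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.20 - - [12/Mar/2024:10:00:08 +0000] "GET /upgrade?m=a1 HTTP/1.1" 429 0 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.44 - - [12/Mar/2024:14:31:00 +0000] "GET /invoice?m=b2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone)"
"""

# Assumed layout: client IP, timestamp, request line, status, size, referer, user agent.
LINE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
TOKEN = re.compile(r"[?&]m=([\w-]+)")  # hypothetical per-message link token


def scanner_bursts(log_text, window=60, min_sources=3):
    """Return {message_id: stats} for messages whose links were fetched by at
    least min_sources distinct IPs and user agents within `window` seconds of
    the first hit, including how many of those requests the server refused."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        tok = TOKEN.search(m.group(3)) if m else None
        if not tok:
            continue  # unparseable line or a link without a message token
        ip, ts, _path, status, ua = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[tok.group(1)].append((when, ip, ua, int(status)))
    report = {}
    for msg, rows in hits.items():
        rows.sort()  # oldest hit first
        burst = [r for r in rows if (r[0] - rows[0][0]).total_seconds() <= window]
        ips, uas = {r[1] for r in burst}, {r[2] for r in burst}
        if len(ips) >= min_sources and len(uas) >= min_sources:
            report[msg] = {"ips": len(ips), "user_agents": len(uas),
                           "refused": sum(r[3] in (403, 429) for r in burst)}
    return report


if __name__ == "__main__":
    for msg, stats in scanner_bursts(SAMPLE_LOG).items():
        print(msg, stats)
```

A non-zero `refused` count for a burst means a WAF or rate limiter answered part of the scan with 403/429, which is the situation the comment warns about.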

garbagepoint76 7 days ago

I encountered the same issue earlier this year, it's one of the most maddening things I've had to deal with in nearly 2 decades of sysadmin work.

In our case, the domain was registered 15 years ago and email is only sent using Google Workspace. SPF, DKIM, DMARC (strict) all set up as they should be. The customers using Proofpoint who suddenly stopped getting our emails had previously had no issues for 10+ years. In some cases (not all), those customers couldn't email us either - emails both directions got silently dropped, so even the employees of some customers didn't know their emails were not going through until we got angry calls asking why we weren't responding to them anymore.

Ultimately, I discovered the trigger was a compromised WordPress plugin quietly injecting SEO spam... running on wpengine. That WordPress site was fully owned/managed by our marketing team and in no way connected to our corporate infrastructure, other than by a CNAME of the same domain email is sent from. I had the marketing team revert to a backup that wasn't compromised, update all the plugins, and used Quttera's scanner (which found it initially) to confirm the issue was gone, and within a few weeks it appeared we were no longer blocked. I say appeared because long before that point we had contacted all customers who had MX records indicating Proofpoint was used, requesting manual whitelisting.

As much as I'd love to ban WordPress use at the company, we had to settle for using an internal-only WP instance and a plugin that generates a static site export to eliminate any chances of this happening again.

stevenicr 7 days ago

I've run into similar recently with delivering to our own company's email boxes from our own server - company uses office365 / msoft business(?)

after jumping into dkim spf and all that, I can get delivered from our server to gmail.. but not to the company outlook boxes.. tried to get [third party corporate IT] to whitelist the ip or domain - they can't find receive attempts in logs..

back and forth, showing screenshots with timestamps, paying stupid money per hour to [NotNaming].. get told that well their msoft thing depends on AWS as a middle man and it is hardcore about spam stuff and if that's the problem it will take a ton of 3 team digging?

Giving up - now trying to find a way to have the server send an email to gmail and then forwarding to company's office365 - maybe, I dunno yet.

  • fragmede 7 days ago

    If corp IT isn't seeing the connection attempt then something is blackholing the traffic. If the IP it's being sent from was caught sending spam anytime in the past (like even decades ago) it might be on a list. Check via https://mxtoolbox.com/

    There's also https://sender.office.com/ for o365.

    The other question is how far is it getting before getting blackholed. If you're lucky, "mtr -P 587 -T smtp.office365.com" from the company email server might tell you who down the path is actually dropping the packets.

    If there's budget for it, you can run a VPS in Azure and send it through that, connecting to 587 which is authenticated (25 is blocked), or use Sendgrid/similar that partners with Microsoft.

  • internet1776 7 days ago

    Regulators need to do their job well instead of turning a blind eye. Email is critical infra. for communication. These top players can't have monopolies on all communication.

citrin_ru 6 days ago

> It seems that these companies - Proofpoint, Microsoft, Google - make arbitrary and undisclosed rules for email delivery

I don't think that secret rules are the main problem. Two groups of rules are public: don't send spam/phishing/malware and follow all relevant RFCs (SMTP/MIME/SPF/DKIM/DMARC). The list of small things which affect mail delivery is long so I recommend using tools like https://www.mail-tester.com/ which can highlight problems in your mail setup (a couple of checks are unnecessarily strict though and some are relevant only to newsletters/maillists and not relevant for individual messages sent by humans but most items in their list you need to follow).

Everything else is usually secret on purpose - so it would be harder for spammers to evade spam filters.

A much bigger problem is that any spam filter can mark a non-spam message as spam (False Positive) or spam message as ham (False Negative) and there is an inherent trade-off between FP and FN rates. It's easy to reduce one of them while letting the other increase. If I would build an anti-spam system I would target near zero FP and then will try to reduce FN to the extent it is possible not increasing FP. But looks like leadership of mail companies (like PP, O365 etc.) targets low FN and cares much less about FP. Don't know why - maybe their customers demand low FN and don't understand that asking for low FN they are getting high FP.

Having said that it is likely that your problem can be solved in 15 minutes (e.g. by removing your domain from a blocklist in which it can end up because of a system error - see above about FPs) if you can get a PP employee to check their logs. But that's the main problem - these companies don't invest nearly enough in processing feedback from non-customers, we are lucky if they hire a couple of (underpaid) contractors to process all non-customer feedback they are getting. So looks like the only way to solve the problem is to find some PP employee via friends of friends or find a PP customer who can file a support ticket.

tre_md_x 7 days ago

I wasn't able to get a response from Proofpoint directly but by complaining to iCloud support I was able to get forwarded to an individual at Proofpoint and he got me set up. Proofpoint does not care about you if you are not a customer. So you have to harass Proofpoint's customers and if they care about getting your emails they will help you out.

I think the process took 2 weeks.

EDIT: I wish there was a more professional/straightforward way

zblevins 7 days ago

This happened to me last year. I had to email the CEO and threaten legal action. Let me know if you need any help I’d be happy to.

  • internet1776 7 days ago

    I would love to chat. Do you have a preferred mechanism for reaching out? Let me know your email or twitter or LinkedIn or anything else that you prefer.

    • zblevins 6 days ago

      zachary.a.blevins@gmail.com

Meph504 5 days ago

> Why can't FTC go after these companies and fine them.

For protecting their customers from bad actors, seems like an odd thing for them to go after.

zdware 7 days ago

I worked at a company that used Proofpoint. Often had to reach out to get emails out of quarantine, etc.

Have you tried contacting the customer and asking them to have their IT team allowlist you?

Had similar issues with Yahoo/AOL.

  • internet1776 7 days ago

    Customer service do not entertain us because we are not an active Proofpoint customer. The only way to get in touch with us is a dynamic URL generated by them for our IP address. We filled it out immediately about two months ago but they did not respond. It seems like a black hole.

grustar 7 days ago

Try looking up if the IP is compromised or if you have any plug-in or software generating spam.

QuadmasterXLII 7 days ago

What is an upgrade notice?

  • internet1776 7 days ago

    We have certain plans that offer no-charge for customers for first 30 days with CC data on file maintained by Stripe. We send notice to them that their credit card is about to be charged a monthly subscription fee. They have the option to terminate the service if they wish.

brudgers 7 days ago

> We have a valid email domain that is battletested

If it is blocked by your clients’ infrastructure, it is not passing the test.

Unless this is a hill you want your business to die upon, finding another email service might be a better option. Changing your business practices is probably within your control. Changing another business’s business practices probably is not.

Good luck.

  • internet1776 7 days ago

    Thanks for the comment. I totally understand email is not something one should build themselves. But, the greater question is why do "selected" players get to define rules instead of keeping internet free?

    Our emails go through all providers and land in inbox except when they are fronted by Proofpoint.

    • Spooky23 4 days ago

      Because there is an army of people abusing the commons, users are forced to adopt increasingly aggressive techniques to protect themselves.

    • brudgers 7 days ago

      Proofpoint delivers more value to some of your customers’ inboxes than you do. There is no larger question.

      • grustar 7 days ago

        That’s your opinion. I am with OP on this one. Why does Proofpoint get to silently drop the email instead of letting it go to spam folder? If you have a vested interest in Proofpoint you should disclose it or keep sucking for big guys.

        • brudgers 5 days ago

          I have no vested interest in anything related to this thread. Just a vested interest in horse sense.

          I read the OP’s description of what they send to customers’ inboxes and it is exactly the sort of email I mark as spam. In a corporate environment, it is exactly what I would expect a paid spam filter to filter.

        • nineteen999 6 days ago

          FWIW I agree with you 100%, but unfortunately that ship sailed long ago with the horse and barn doors bolted to it, when everyone migrated to Gmail + O365.

    • paulcole 5 days ago

      > But, the greater question is why do "selected" players get to define rules instead of keeping internet free?

      Yeah it’s crazy. Large established entities rarely if ever get preferential treatment or make the rules outside of the internet.

      If I were you, I’d expend a ton of time and energy trying to win this battle.