SMTP Proxy Tidbits (SPF and Proofpoint Tweak)

  • 26 January 2022
  • 2 replies

Badge +1


If you are deploying Netskope SMTP Proxy few notes of interest. (Various screenshots of interest attached).


1. If your upstream has SPF check ensure to add following record to your DNS server  so that the SPF check does not fail


2. To allow Netskope IP's refer to the following list


2.a If you are using Proofpoint as the upstream MTA there is a tweak to allow these IP's.

Proofpoint does not accept CIDR ranges. Also adding in CIDR notation e.g. /24 did not help in my case.

Use the following format (first 3 octets only) (screenshot attached)





NOTE: for complete list of IP's subscribe to this article. There is a table for SMTP Proxy "

Netskope Email DLP (SMTP) List for Allowlisting

The following list of IP ranges represents where SMTP traffic may egress from Netskope's NewEdge Security Cloud, and should be used for permitting traffic with upstream email providers. Netskope's recommendation is that customers' add all IP ranges when configuring allowlisting with email providers. If a tenant is assigned to a specific region (other than the global region), then only the relevant range(s) in the table below require allowlisting.



Global (default)

All DCs below

All prefixes below

All ranges below

North America

San Jose, CA, USA (SV5) - -

North America

San Jose, CA, USA (SJC1) -


Frankfurt, Germany (FR4) - -


Amsterdam, Netherlands (AM2) -


Melbourne, Australia (MEL2) -



2 replies

Badge +19

This is great information if you are looking to deploy Netskope SMTP Proxy, thank you @TMRT for sharing! Keep those Tidbits coming!



Badge +7

Hi @TMRT I am in the process of configuring netskope and proofpoint for smtp header - appreciate if you could send me any sample configuration or artciles that will help me set up - Thanks!