rspamd → Proofpoint Essentials
rspamd ↔ Proofpoint Essentials: integration to migration path.
Mail flow is load-bearing — break the gateway and every inbox stops at once. So rspamd deploys alongside Proofpoint Essentials first, scoring a shadow copy until its verdicts agree, then takes over the inbound path one phase at a time. No flag day, no forced re-credentialing, and every phase rolls back in minutes.
The honest exception: TAP URL Defense, attachment sandboxing, CLEAR-style retraction and WORM archive are SaaS-only. Where your contract includes them, we retain Proofpoint narrowly rather than pretend rspamd replaces them.
The idea
Score in the shadow first. Cut over last.
The integration topology that makes this zero-outage is split-MX into a chained edge: Proofpoint stays the authoritative gateway while rspamd first scores a journaled copy of every message, then — once its verdicts match Smart Search per message — moves to the front as the public MX, ARC-sealing and re-injecting to Proofpoint over enforced TLS. Proofpoint keeps owning disposition while rspamd proves itself on real traffic. Only after that do reject thresholds switch on and Proofpoint narrows to second-opinion — each layer independent, each reversible.
The phases
Six steps. Each one reversible.
Baseline & inventory
We document every domain's MX, SPF, DKIM selectors and DMARC posture, export your Essentials policy (Safe/Blocked org and per-user lists via the PPS API), and capture a 90-day Smart Search verdict baseline. Read-only — Proofpoint stays the authoritative gateway.
rspamd HA, shadow-tap
rspamd stands up in HA (≥2 proxy workers, shared Redis, ClamAV) and scores a journaled copy of your mail. No production mail flows through it. We join its verdicts to Smart Search by Message-ID to prove agreement before anything trusts it.
Outbound DLP through rspamd
Outbound mail routes through rspamd before Proofpoint's outbound relay, applying DLP (PAN/PHI/SSN regexes, attachment blocklist, ClamAV) and signing DKIM with your existing selector. Inbound is untouched; Proofpoint can sign in parallel.
Chained inbound (decision-bake)
MX points at rspamd. It scores, ARC-seals and re-injects to Proofpoint over enforced TLS; Proofpoint still owns final disposition. rspamd runs add-header-only — no rejects yet. This is the only stance where both engines see every message.
rspamd authoritative; Proofpoint second-opinion
rspamd's reject and soft-reject thresholds switch on, ramped over two weeks: the highest-confidence signal combinations first, widening outward from there. Proofpoint receives everything rspamd doesn't reject and acts as second opinion plus quarantine UI. We stand up rspamd-side quarantine UX before this phase.
Partial retirement of Essentials
Mail flows MX → rspamd → mailbox host directly. Proofpoint is cancelled, or retained narrowly for archive, CLEAR-equivalent or continuity. We never retire archive without ≥30 days of overlap, and quarantine UX is fully rspamd-side first.
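The Message-ID join from the shadow-tap phase, written out as an added example (not code from this page, rspamd or Proofpoint): it collapses both engines' verdicts onto one coarse scale, joins them by normalised Message-ID, and reports the agreement figures a cut-over gate would read. The rspamd row shape (loosely modelled on /history), the Smart Search column names and the disposition strings are assumptions, and all sample data is constructed.

```python
"""Shadow-tap gate check: join rspamd verdicts to a Proofpoint Smart Search export
by Message-ID. Added example; row shape and column names are assumptions."""
import csv
import io
from collections import Counter

RSPAMD_CLASS = {"no action": "deliver", "greylist": "deliver",
                "add header": "quarantine", "rewrite subject": "quarantine",
                "soft reject": "block", "reject": "block"}
PROOFPOINT_CLASS = {"Delivered": "deliver", "Quarantined": "quarantine", "Rejected": "block"}

def norm_msgid(msgid):
    """The two exports differ only in angle brackets and case; normalise both."""
    return msgid.strip().strip("<>").lower()

def join_verdicts(rspamd_rows, smart_search_csv):
    """Return {msgid: (rspamd_class, proofpoint_class)} for messages both engines saw."""
    proofpoint = {norm_msgid(r["message_id"]): PROOFPOINT_CLASS[r["disposition"]]
                  for r in csv.DictReader(io.StringIO(smart_search_csv))}
    return {norm_msgid(r["message-id"]): (RSPAMD_CLASS[r["action"]],
                                          proofpoint[norm_msgid(r["message-id"])])
            for r in rspamd_rows if norm_msgid(r["message-id"]) in proofpoint}

def gate_report(joined, min_agreement=0.99):
    """Agreement rate plus the one disagreement that must be zero before rejects
    switch on: rspamd blocking mail that Proofpoint delivered (a would-be false positive)."""
    pairs = Counter(joined.values())
    agree = sum(n for (a, b), n in pairs.items() if a == b)
    rate = agree / len(joined) if joined else 0.0
    lost = pairs[("block", "deliver")]
    return {"joined": len(joined), "agreement": round(rate, 4),
            "block_vs_deliver": lost, "gate_open": rate >= min_agreement and lost == 0}

# Constructed rspamd history-style rows; e5 never appears in Proofpoint's export.
RSPAMD_SAMPLE = [
    {"message-id": "<a1@example.net>", "action": "no action"},
    {"message-id": "<b2@example.net>", "action": "add header"},
    {"message-id": "<C3@example.net>", "action": "reject"},
    {"message-id": "<d4@example.net>", "action": "reject"},
    {"message-id": "<e5@example.net>", "action": "greylist"},
]
# Constructed Smart Search CSV export; the column names are assumptions.
SMART_SEARCH_SAMPLE = """message_id,disposition
<a1@example.net>,Delivered
<b2@example.net>,Quarantined
<c3@example.net>,Rejected
<d4@example.net>,Delivered
"""
if __name__ == "__main__":
    print(gate_report(join_verdicts(RSPAMD_SAMPLE, SMART_SEARCH_SAMPLE)))
```

On the constructed sample the gate stays closed: d4 is the case a soak must surface, rspamd rejecting a message Proofpoint delivered.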
Feature parity
Where rspamd matches Essentials — and where it can't.
| Capability | rspamd | Proofpoint Essentials | Parity |
|---|---|---|---|
| Spam scoring | bayes + neural + symbols (X-Spamd-Result:) | Essentials spam engine (inter-tenant telemetry) + Smart Search | At parity |
| SPF / DKIM verify | spf, dkim modules | Essentials gateway SPF/DKIM | At parity |
| DKIM signing | dkim_signing (per-domain selector, KMS key custody) | Essentials outbound signing (Proofpoint or uploaded selector) | At parity |
| DMARC enforce | dmarc + force_actions per domain; dmarc_reporting sends rua | Essentials honours DMARC at the gateway | At parity |
| ARC sealing | arc module seals each hop, configurable authserv-id | Essentials ARC (support varies by release) | Partial |
| URL defence (click-time/sandbox) | phishing/surbl SMTP-time reputation only | TAP URL Defense | SaaS only |
| Attachment sandboxing | none native (ClamAV+YARA+CAPE is heavy ops, not equivalent) | TAP Attachment Defense | SaaS only |
| Impersonation / BEC detection | reputation + replyto_mismatch + multimap + display-name spoof vs directory | Vendor BEC ML (inter-tenant telemetry) | Partial |
| Closed-loop retraction | none (custom mailbox-API runbook required) | CLEAR-equivalent | SaaS only |
| Awareness training / phish sim | none (GoPhish is sim-only, no content) | PSAT-equivalent content library | SaaS only |
| Archive (WORM / SEC 17a-4) | none | Essentials Archive (archive of record) | SaaS only |
| Hosted continuity | warm-standby rspamd cluster (build-it) | Essentials Emergency Inbox | SaaS only |
| Quarantine | force_actions + minimal built-in UI (release portal = build/buy) | Proofpoint digest + release UI | Partial |
| MTA integration | Postfix milter (:11332), relay to pphosted hostpool | Essentials hostpool MTA / Outbound Relay | At parity |
| Reporting / SIEM API | /scan, /checkv2, /symbols, /history HTTP; ClickHouse history | PPS API (narrower than enterprise) + Smart Search export | At parity |
| Cost model | self-hosted compute + Redis + ClamAV + ops | per-mailbox seat licensing | Partial |
What we're honest about
The caveats most vendors leave out.
URL Defense and attachment sandboxing don't migrate
TAP URL Defense's click-time re-evaluation and Attachment Defense's detonation sandbox are SaaS-only — rspamd has reputation lookups at SMTP time, not click-time re-eval or live detonation. If your Essentials SKU includes them, dropping them is a real control loss; OSS replacements like urlscan.io or a self-hosted isolated browser are not equivalent at SaaS throughput. We name the gap rather than pretend it away.
Closed-loop retraction (CLEAR) has no OSS parity
One-click user phish reporting that triages the report and retracts the message from recipient mailboxes is not OSS-native. The honest replacements are M365/GWS built-in report-phish plus a custom mailbox-API retraction runbook, or a paid product like PhishER or Cofense — none is a like-for-like CLEAR clone.
WORM archive (SEC 17a-4) and BEC ML are gaps
rspamd has no archive of record — for SEC 17a-4 or FINRA 4511 workloads you keep Essentials Archive or migrate to a SEC-attested peer before Phase 5, never without 30-day overlap. Proofpoint's BEC ML also trains on inter-tenant telemetry; rspamd's neural is in-tenant only, so expect a higher false-negative rate on novel BEC until it's tuned.
Self-hosting means you own uptime and the SOC
Once Proofpoint is gone there's no vendor SOC backstop and no managed continuity — if rspamd is down, inbound mail queues on the sending MTAs until they retry. We run it HA across nodes with shared persistent Redis and a tested break-glass path to flip MX back within the TTL window, but Phase 5 only proceeds with confirmed 24×7 IR coverage.
Why this beats a flag day
Reversible at every phase; soaked before anything is cancelled.
Every phase carries an under-15-minute rollback — disable a journaling rule, flip MX back behind a 300s TTL, or drop reject thresholds to add-header only — so no single change can take mail down. And no phase advances on a hunch: each gate requires a soak of at least 30 days of agreeing verdicts and clean aggregates before the next step, and the Proofpoint contract is only cancelled after that soak proves rspamd holds the inbound path on its own.
See whether your mail stack migrates cleanly.
A 30-minute call with a senior email engineer. We map your domains, DKIM selectors and Essentials policies, find which features must stay on Proofpoint (URL Defense, archive, CLEAR), and tell you honestly what the path looks like — before you commit.
Map my migration →