Before email can be directed properly, DNS needs to be configured to route email to Proofpoint. To ensure proper entry of the required records, you may need to contact your DNS hosting provider to make the necessary changes.
Policies for the timing of changes need to be understood by the agency administrator. Those policies can be internal to the company and/or external with a DNS hosting provider. Appropriate permission and access need to be provided to the administrator in order to submit the necessary DNS changes.
This document covers public DNS entries. If an agency also has a DNS zone for its email domains on its internal name servers, the DNS records will need to be changed there as well. Where appropriate, this document notes differences between public and internal DNS changes.
Where possible, we recommend two phases of DNS changes associated with your migration. In the first phase, you will gather information and prepare your existing environment for migration with non-intrusive changes to your DNS. In the second phase, you will finalize the configuration of your DNS.
If there are any questions or concerns at any time during the execution of this document, please submit your inquiry to the distribution group created as part of the migration project.
These steps should be completed no later than four days prior to the scheduled cutover.
The TTL (Time To Live) values for the MX records, A records for webmail and autodiscover, SRV record for autodiscover (where applicable), and TXT records for SPF should be reduced to the minimum values allowed by the DNS host or 300 seconds (whichever is greater). This reduction allows for faster propagation of the DNS changes during the final cutover tasks.
If you have any devices connecting directly to your email system via A records (e.g. an SMTP-capable scanner directly pointing to mail-relay.example-agency.com), please document those at this time and provide the list to the distribution group created as part of the migration project. These devices will need to be reconfigured during the final DNS changes.
For Outlook AutoDiscover, make sure you have identified all related A, CNAME, and SRV records to be removed or modified at the time of final DNS changes.
Please ensure your own autodiscover service is configured correctly before migration. Mobile devices may require manual configuration during this period.
When your email migration is complete, you will need to make the final modifications to your DNS entries. Please follow the relevant DNS guide to implement these changes.
If the TTL values of the MX records for each domain were decreased to their minimum value during preparation, now is the time to submit the change that returns them to the standard defined by the DNS service provider or the agency. This reduces the load on the DNS servers at your provider and is consistent with best practices established within the industry. CDS recommends a value of 3,600 seconds (one hour).
At this time, all of your previous MX records should be removed. Extraneous MX records can cause a sender’s email systems to deliver email to an incorrect location or, in a worst case, allow spammers a “back door” into your system that bypasses the anti-spam and anti-virus capabilities provided by Proofpoint.
If you are using HOSTS files in your environment to resolve domain names to IP addresses on individual client systems, you will need to remove all email-related entries from the file. For instance, Exchange Server hostnames, autodiscover, and webmail will all need to be removed.
Using the list generated in the initial phase of DNS changes, you should now work with your engineering resource to update the configuration of all of these devices to point to the CDS high-availability SMTP relay appliances.
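The two DNS checks described above (TTLs lowered before cutover, no leftover MX records after it) can be run against saved `dig +noall +answer` output. This is an added example, not part of the original guide; the records are constructed and `filter.example.net` is a placeholder for the MX targets given in your DNS guide.

```python
import re

# Constructed sample of `dig +noall +answer` output for a hypothetical agency.
# filter.example.net is a placeholder for the MX targets named in your DNS guide.
SAMPLE_ANSWERS = """\
example-agency.com.              300   IN MX  10 mx1.filter.example.net.
example-agency.com.              300   IN MX  20 mx2.filter.example.net.
example-agency.com.              3600  IN MX  30 mail.example-agency.com.
webmail.example-agency.com.      86400 IN A   192.0.2.10
autodiscover.example-agency.com. 300   IN A   192.0.2.11
_autodiscover._tcp.example-agency.com. 300 IN SRV 0 0 443 autodiscover.example-agency.com.
example-agency.com.              300   IN TXT "v=spf1 mx -all"
example-agency.com.              7200  IN TXT "site-verification=constructed"
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_answers(text):
    """Return (name, ttl, rtype, rdata) tuples from dig answer lines."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records

def in_scope(rtype, rdata):
    """Record types the preparation step lowers; TXT counts only when it is SPF."""
    if rtype == "TXT":
        return rdata.strip('"').lower().startswith("v=spf1")
    return rtype in {"MX", "A", "SRV"}

def ttl_too_high(records, host_minimum=0):
    """Preparation check: target TTL is the greater of the host minimum and 300 s."""
    target = max(host_minimum, 300)
    return [(n, t, ty) for n, t, ty, d in records if in_scope(ty, d) and t > target]

def extraneous_mx(records, allowed_zone):
    """Final check: MX targets that do not sit under the filtering service's zone."""
    suffix = "." + allowed_zone.lower().strip(".") + "."
    targets = [(n, d.split()[-1].lower().rstrip(".") + ".") for n, _t, ty, d in records if ty == "MX"]
    return [(n, t) for n, t in targets if not t.endswith(suffix)]

if __name__ == "__main__":
    recs = parse_answers(SAMPLE_ANSWERS)
    for name, ttl, rtype in ttl_too_high(recs):
        print(f"TTL not yet lowered: {name} {rtype} {ttl}")
    for name, target in extraneous_mx(recs, "filter.example.net"):
        print(f"Extraneous MX on {name}: {target}")
```

Run the check against both public and internal name servers where an internal zone exists, since a leftover MX record in either place can route mail around the filtering service.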