Release Notes for Release 8.22.

This document describes what is new in the Proofpoint Protection Server 8.22.X feature Release. The
information applies to both on-premise and PoD deployments unless stated otherwise.

Contents

Release 8.22.0 .............................................................................................................................................. 1

Unauthorized Relay Abuse Protection ..................................................................................................... 2

Upgrade Customers ......................................................................................................................... 2
New Installations .............................................................................................................................. 2
Added Message Headers Condition to Policy Routes ............................................................................. 2
Database Upgrade Progress ................................................................................................................... 2
SAML 2.0 Import Profiles and Certificates ............................................................................................... 3
SSLv3 – Deprecated ................................................................................................................................ 3
Support for TLS 1.3 .................................................................................................................................. 3
New Default TLS Minimum Protocol Version for New Installations ......................................................... 3
RSA Import Profile – Deprecated ............................................................................................................ 3
Change to Email Warning Tags ............................................................................................................... 3
Secure Reader Session Expiration .......................................................................................................... 4
New Secure Reader Options ................................................................................................................... 4
New Email Firewall Conditions ................................................................................................................ 4
Folder Limit .............................................................................................................................................. 5
Summary Digest ...................................................................................................................................... 5
Change to the Spam Detection Module ................................................................................................... 5
Upgrade Requirements for On-premise Deployments ............................................................................ 5
SSH Key Warning after Upgrading from Release 8.20.6 ................................................................. 5
Removing and Inserting Email Warning Tags ................................................................................. 5
Rollback Notes ................................................................................................................................. 6
Bugs Fixed in Release 8.22.0 .................................................................................................................. 6
Known Limitations .................................................................................................................................. 13
Re-ordering Rules .......................................................................................................................... 13

Release 8.22.0
The following sections describe new features, changes, and enhancements included in release 8.22.0.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 1 of 14
Unauthorized Relay Abuse Protection
Release 8.22.0 includes improvements to the Microsoft O365 Allow Relay option to protect your
deployment from unauthorized relay abuse. Administrators can enable Allow Relay for only the tenant
domains listed for Inbound Mail (System > Inbound Mail) and any additional tenant domains that are
trusted and allowed – these must be added to a list by the administrator on the System > Outbound Mail
> Allow Relay page. These tenant domains can be found in Settings > Domains in the Microsoft 365
admin center.

For testing and auditing purposes, messages that are not allowed from domains initially have a Delivery
Method of Continue to be delivered to the email infrastructure and a copy is sent to a new Quarantine
folder M365 Unauthorized Relay. Once administrators are satisfied that the configuration is working as
expected, they can change the Delivery Method for unauthorized messages to Reject and disable the
Quarantine copy.

Messages that land in the M365 Unauthorized Relay Quarantine folder are excluded from Digests for the
user community.

Proofpoint leverages the x-originatororg header that Microsoft applies to every message when it
leaves its tenant to identify these messages for the M365 Allow Relay feature.

Upgrade Customers

Nothing will change for customers upgrading from a previous release who have enabled Allow Relay for
Any M365 tenant – Email Firewall rules they already have in place for unauthorized domains will not be
touched, and the Delivery Method for those messages will remain in place. After an upgrade,
administrators can decide if they want to configure Allow Relay for Microsoft Office 365 to reject
messages from unauthorized M365 domains using the new parameters on the System > Outbound Mail
> Allow Relay page.

New Installations

New customers will have the default setting Allow Relay for Only M365 tenant domains listed in Inbound
Mail and the additional domains below enabled by default, and the Delivery Method will be set to
Continue by default, with a copy of unauthorized messages sent to the M365 Unauthorized Relay
Quarantine folder. Administrators can test the feature and then change the Delivery Method to Reject and
disable the Quarantine copy for unauthorized messages when satisfied with the results.

Added Message Headers Condition to Policy Routes

The Message Headers condition has been added to the list of conditions for Policy Routes.

Database Upgrade Progress

This improvement applies only to on-premise deployments. Administrators will now see progress status
during a database upgrade. On the System > Servers page, administrators will see an Upgrade In
Progress message and can check the progress by selecting the Click here link next to Status.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 2 of 14
SAML 2.0 Import Profiles and Certificates
This change applies to the SAML 2.0 Import/Auth Profile. Customers must generate a unique certificate
or supply their own certificate for request signing. They can no longer use the default Proofpoint
certificate for request signing. If you are currently using a Proofpoint certificate, upon upgrade you will see
a warning dialog to generate a new certificate. The SAML 2.0 Import/Auth Profile dialog box displays a
new link, Manage Certificates that takes you to the System > Certificates > Certificates page.

SSLv3 – Deprecated
For the TLS Minimum Protocol Version (System > SMTP Encryption > Settings), SSLv3 is deprecated
for security reasons.

Customers currently using SSLv3 as the minimum protocol for SMTP Encryption will automatically be
updated to use TLS 1.0 as the minimum upon upgrading to release 8.22.0.

Support for TLS 1.3

TLS 1.3 will now be offered for both inbound and outbound SMTP connections. The ability to require TLS
1.3 as a minimum protocol or customize the ciphers will be added in a future version.

New Default TLS Minimum Protocol Version for New Installations

New installations will default to TLS 1.2. Customers can lower this to TLS 1.1 or TLS 1.0, however
Proofpoint does not recommend doing so. Existing installations will maintain their current configured
minimum value, unless set to SSLv3, which has been deprecated (see above).

RSA Import Profile – Deprecated

For security reasons, Proofpoint no longer supports the RSA Import/Auth Profile. Customers currently
using this profile will not be able to upgrade to release 8.22.0. Please configure a different Import/Auth
Profile for your organization.

Change to Email Warning Tags

When PPS inserts an email warning tag, it also inserts a block of hidden text before the tag which
duplicates the first few lines of the original message body text. This hidden text is invisible in the normal
message view and is intended to be shown in the email client’s preview of the message body, so users
do not see the warning text in the preview. On outbound, PPS can remove the warning tag, but prior to
release 8.22.0, the hidden text would remain.

Now in release 8.22.0, this hidden text will also be removed when the tag is removed.

This feature is off by default. If an outbound message contains a DLP violation in the first few lines of the
original message (the hidden text), it could trigger a DLP rule and be quarantined.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 3 of 14
Proofpoint on Demand customers need to open a support ticket to enable this change to Email Warning
Tags (remove the hidden text).

On-premise administrators who want to enable the feature can do so by changing these filter.cfg
keys to “t” .

com.proofpoint.filter.module.banner.construct.preheader.removal=t
com.proofpoint.filter.module.banner.destruct.preheader.removal=t

Secure Reader Session Expiration

Due to resource constraints, the Secure Reader Session Expiration parameter is now limited to a
maximum of 2 hours. Upon upgrade, any Session Expiration greater than 2 hours will be set to 2 hours.

New Secure Reader Options

This fix applies to Secure Reader. In some customer environments, third-party security solutions might
click the links in encrypted email or password reset email that Secure Reader uses during new user
registration and password resets using email. This can cause user confusion or invalidate the links,
making it impossible for the user to proceed with the reset password action they requested. New
configuration options are now available to replace the link that gets sent via email with a validation code
that the user must enter in Secure Reader to complete the process. This new configuration option is
disabled by default.

PoD customers must submit a helpdesk ticket to enable the new configuration option.

On-premise administrators who control the filter.cfg file must enable the following two keys:

com.proofpoint.encrypt.securereader.pwdreset.verificationcode.enable=t
(if password reset via Email is enabled for Secure Reader ) *

com.proofpoint.encrypt.securereader.registration.verificationcode.manual=t

*User Management > Password Policies > Encryption_Users > Password Reset tab.

New Email Firewall Conditions

TLS Connection - Administrators can now create rules to trigger for a TLS Connection – with the values
Connection used TLS or Connection did not use TLS. This condition is useful, for example, to make use
of the TLS connection status: encrypted or not encrypted. A use case is that now administrators can add
an annotation to messages that trigger an Email Firewall rule that contains this condition, letting the
recipient know if the message was encrypted or sent in clear text.

Variable – Added support for the Variable condition to the Email Firewall module. This condition is
generally used for custom rules and integrations and previously needed to be set up by Professional
Services. It is now exposed in the UI, allowing for administrators to make changes to rules referencing
this condition themselves.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 4 of 14
Folder Limit
Administrators are limited to 400 folders (total) for the Quarantine and Data Loss Protection Incidents. If
you try to create a folder that will exceed this limit, you will see an error message.

Summary Digest
Summary Digests are not compatible with the Proofpoint Cloud Quarantine Service. There are no plans at
present to re-introduce this functionality, but if it is important to you, please submit a Request for
Enhancement in the Proofpoint feedback portal. Proofpoint will consider similar feedback, if any, from our
broader customer base to determine if this request should be considered in the future. If users are
interested in viewing all messages in their quarantine, they can do so by logging in to the End User
Portal.

Change to the Spam Detection Module

As a result of major improvements to spam classification and implementation of Proofpoint’s detection
stack, the Delay Suspected Spam rule and Suspected Spam Quarantine folder have been deprecated
and will be removed from the Config Master management interface (Admin GUI) in a future release.
Please refer to this Proofpoint Communities article for more information.

Upgrade Requirements for On-premise Deployments

Your deployment must be running PPS release 8.20.[0-6] or later before upgrading to release 8.22.0.

Release 8.22.0 requires a minimum of 8 GB of RAM for each system in your deployment. Updates to
release 8.22.0 will fail if there is insufficient RAM on the Config Master and each agent in the cluster.

Proofpoint recommends a minimum 80 GB hard drive for release 8.22.0.

SSH Key Warning after Upgrading from Release 8.20.6

Release 8.22.X adds support for SSH keys using the ED25519 algorithm. Some SSH clients may refuse
to connect and authenticate due to the change in host key algorithms. There are three ways to resolve
this issue:

1. Configure the SSH client to only use the host key algorithm it already has, or
2. Manually add the ED25519 key to the SSH client’s known_hosts file, or
3. Delete the existing entry from the client’s known_hosts file and use the default Trust On First
Use option to obtain the new keys.

Removing and Inserting Email Warning Tags

If upgrading from a version prior to 8.18.6, administrators must upgrade all outbound clusters that
remove Email Warning Tags before upgrading inbound clusters that insert Email Warning Tags.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 5 of 14
Rollback Notes

Release 8.22.0 does not support rolling back to a previous release.

Bugs Fixed in Release 8.22.0

The bug fixes apply to both on-premise and PoD deployments, unless stated otherwise.

Reference Description

Previously, messages that were quarantined by Smart Send were not being
PPS-43204 consistently DKIM-signed when released from the Quarantine. This issue is
resolved.

In rare cases valid S/MIME signed messages would fail validation. This issue
PPS-44342
is resolved.

This fix applies to Appliance > SMTP Settings. Improvements so that

PPS-60297 duplicate entries are not allowed for the Virtual Domains and Rewrite Header
entries (virtusertable and genericstable).
This fix applies to regular expressions in a rule. Previously, the input validator
PPS-60298 would lowercase an uppercase letter in a regex, producing unexpected results.
This issue is resolved.
Some URLs rewritten by the URL Rewrite feature containing a backslash
character would not redirect properly when clicked. And some URLs
PPS-64686
constructed with a backslash character would not be rewritten. These issues
are resolved.
This issue applies to on-premise deployments. Previously, the Setup
Configuration Wizard had a Test Connection button for Proxy Settings. This
PPS-70119 button has been deprecated since you cannot test the connection from the
Wizard. However, the Test Connection button is available on the System >
Settings > Proxy page once the system is installed and activated.
Including certain HTML tags in the Reply to sender based on detected
PPS-70727 language Delivery Option was causing errors when saving the rule. This
limitation is fixed.
Previously, an HTML character reference next to a non-anchor URL could
prevent the URL from being found and rewritten - for example,
www.example.com . Also, HTML character references inside a URL
PPS-73392
could prevent the URL from being found and rewritten - for example,
wMw.example.com or https://example.com. This issue is
resolved.

The Quarantine REST API will now display Data Loss Protection (DLP)
PPS-75813
violations and details as expected.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 6 of 14
Reference Description

Previously, if you exported TLS Domains on the System > SMTP Encryption
> TLS Domains page, made edits to the CSV file, and imported the file, your
PPS-75815
changes were not preserved unless you also added a new domain to the
exported file. This issue is fixed and now works as expected.
Improvements to the user import process to better handle situations in which
the user database becomes unavailable during the import. When this
PPS-75987
happened, it could result in users being removed from the database. This
issue is resolved.
This issue applies to Message Defense for Targeted Attack Protection.
Previously, in the rare circumstance that Proofpoint experienced a
PPS-76158 communication failure in the TAP infrastructure during scanning, attachments
were being continuously re-submitted for scanning, possibly resulting in “loops
exceeded limit” error. This issue is fixed.

Attempting to add users to groups that contained certain combinations of

PPS-77450
characters in their names could result in an error. This issue is resolved.

Improvements have been made to reduce the likelihood of TLS connections

PPS-77582
failing to complete in certain circumstances.

Previously, after patch 4502 was installed, the System > Licenses and
Updates > General page in the Admin GUI would display garbled characters.
PPS-78960
This was purely a display issue and had no impact on the successful
installation of the patch. This issue is resolved.

Security improvements have been made to prevent cross-site request forgery

PPS-79003
attacks.

This fix applies to Email Warning Tags on the Tag Customization page.
Previously, if an administrator deleted the text in the Body text box and saved
PPS-79360
their changes, the text box would disappear until the administrator selected
Reset to Defaults. This issue is resolved.
Previously, new certificates added to the System > Certificates >
PPS-79557 Certificates page on the Config Master were not consistently being
propagated to new agents added to a cluster. This issue is resolved.
This issue applies to PPS Virtual Appliances. If your virtual appliance has a
PPS-80282 dual interface, the upgrade will fail with an appropriate message if your
deployment is configured with interfaces no longer supported by VMware.
This issue applies to PoD deployments. Administrators were receiving an error
PPS-80897 message if they tried to make changes to remote syslog configuration on the
Logs and Reports > Log Settings page. This issue is resolved.
In Smart Search, when you search for messages that triggered insertion of an
PPS-81423 Email Warning tag, Smart Search will only return messages that actually had a
tag inserted into a message or removed from the message.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 7 of 14
Reference Description

A nested multipart message could be modified by PPS, breaking S/MIME or

PPS-83663
other signature validation. This has been fixed.

The Extract Text from Images radio button on the System > Settings >
PPS-84219
System page will now appear as disabled by default upon an upgrade.

Querying the Quarantine API will now default to the Quarantine folder if no
PPS-84278
folder name is specified.

Querying the Quarantine API using the wildcard * in sender or recipient (from
PPS-84293
or rcpt) in the search criteria will now return the expected results.

This issue applies to Email Protection > Spam Detection > Settings >
Impostor Display Names. If you add a record to the Impostor Display
PPS-84365 Names page, and do not include an email address for the Display Name in the
dialog box, inbound messages address to that display name will be flagged as
Impostor.
This issue was found when the Send a copy of unmodified email to
address option is enabled for URL Rewrite Policies, and your organization
has purchased Proofpoint Archiving. If your deployment has also enabled
PPS-84373
Email Warning Tags, if the message contained more than one recipient, the
send a copy option would archive multiple copies of a tagged message. This
issue is resolved.
This fix applies to the Information Protection > DLP Incidents > Incidents
page. When viewing the Email DLP details, the matches in the left panel did
PPS-84391
not always highlight the proper matches for the content on the right panel. This
issue is fixed.
This issue would happen if a deployment contained a large number of
Quarantine folders. When the administrator clicked the magnifying glass in the
PPS-84440 Final Action column of a Smart Search query result to navigate to the
message details in the Quarantine, an error message was displayed instead of
the expected Quarantine details. This issue is resolved.
This issue applies to the Alerts feature for message injection rate for
PPS-84563 Quarantine and DLP Incidents folders. Previously, the alert did not accurately
trigger according to the threshold settings. This issue is resolved.
In rare circumstances, adding or removing a domain on System > Inbound
PPS-84616 Mail could cause all domain references to appear as “ARRAY”. This issue has
been resolved.
Previously, in some cases a rule in Information Protection > Regulatory
Compliance with Type selected as Match Condition Per MIME Part making
PPS-84672
use of the MIME Type condition would fail to trigger as expected. This issue is
fixed.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 8 of 14
Reference Description

Performance improvements to making changes to the SMTP Settings and

PPS-84750 Inbound Mail mailertables for particularly large deployments that include
many agent systems.
In rare cases, a password-protected file would incorrectly be deemed corrupt
PPS-84786 by the filtering engines and cause certain rules not to trigger as expected for
the message.
This issue applies to deployments that use a local PPS Quarantine. Calls
PPS-84799 made to the Quarantine API to delete messages were not consistently
behaving as expected. This issue is resolved.
This issue applies to the email Digest. Previously, if a user clicked the Subject
for a message in the email Digest and then released the same message using
PPS-84845
the End User Web Application, the user would get an error message. This
issue is fixed.

PPS-84911 Improvements to firewall settings connectivity diagnostics information.

This fix applies to the Regulatory Compliance Module and Smart Identifiers.
When rules triggered for attachments that had multipart/alternative parts that
PPS-84977 were containers and not simple text or HTML, incorrect counts for the number
of occurrences of the Smart Identifier (for example, a Social Security Number)
were reported. This issue is resolved.
This issue applies only to PoD deployments. Previously, changes to Remote
PPS-85043 Log Options on the Logs and Reports > Log Settings page were not being
propagated to all agents in the cluster as expected. This issue is resolved.
The daemon for the McAfee Anti-Virus engine would occasionally exit
PPS-85087 incorrectly, causing delays in message processing until it was manually re-
started. This issue is resolved.
This fix applies to the System > SMTP Encryption > Settings feature. If you
change the cypher strength for TLS Domains and enable TLS Fallback, the
PPS-85092
new cipher strength would not be propagated to the tlsfallback SMTP Profile.
This issue is resolved.
Users may have received a “Bad Request" error when trying to read an
PPS-85237 encrypted message that contained an attachment in Secure Reader. This
issue has been resolved.

PPS-85242 Release 8.22.0 addresses CVE-2024-3676.

This fix applies to editing rules in the Targeted Attack Protection > Message
PPS-85329 Defense module. In certain cases, the “discard” action would be removed after
saving the edited rule. This issue has been resolved.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 9 of 14
Reference Description

In some cases, messages that were re-injected for filtering could have their
PPS-85471 route direction improperly calculated, potentially affecting delivery depending
on configuration. This issue is resolved.
Improvements have been made to reduce memory usage and improve system
PPS-85475 stability when saving changes to a large virtuser table or making very
frequent smaller configuration changes.
Duplicate domain entries in System > SMTP Encryption > TLS Domains
PPS-85532 could prevent the TLS configuration applying as expected. This issue is
resolved.
This issue applies to the End User Services > Filters > Users page. When
Include Users with Messages in the Quarantine was enabled, and a Digest
PPS-85553
was sent to a user who was not included in the User Repository, the user
could not release his or her message. This issue is resolved.

Logging improvements when a message has been held for scanning by

PPS-85641
Message Defense.

Improvements to the upgrade process to prevent a rare condition that could

PPS-85661
result in Spam and Virus definitions not updating after the upgrade.

URL Rewrite would fail to rewrite URLs in messages that resembled PGP
PPS-85741
messages by the appearance of a PGP header string. This issue is resolved.

In Outlook for Windows, the message preview would show

PPS-85758 “ZjQcmQRYFpfptBannerStart" or a part of that for some messages with a
warning tag inserted. This issue is resolved.

An issue with the McAfee virus detection module failing to process

PPS-85887
attachments after a virus definition update is fixed.

This fix applies to deployments that include Unified Alert Manager for
Proofpoint Cloud Services. Previously, if a message was split for several
PPS-85891 recipients and triggered a DLP violation that included both encryption and
quarantine actions, the DLP event was not available in the Unified Alert
Manager for the message. This issue is resolved.
This fix applies to the delivery option Change Message Headers. Using certain
PPS-85970 template variables as the value would produce an error message and the rule
could not be saved. This issue is fixed.
In some situations, Proofpoint-generated non-delivery reports would include
PPS-85988 an additional To: header which could result in them not being accepted for
delivery by some mailbox providers. This issue is resolved.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 10 of 14
Reference Description

This issue was found when a deployment had multiple Sub-Orgs with an
administrator for each one. In some cases, an administrator from one Sub-Org
PPS-86036
was able to search for users belonging to another Sub-Org. This issue is
resolved.
This fix applies to the Information Protection > DLP Incidents > Incidents
page. Previously, if there were Comments for the Status of the message, and
PPS-86049
you exported the incident details to a CSV file, the Comments would not be
included in the export. This issue is fixed.
In rare cases, deployments using IPv6 for sendmail would not correctly use
127.0.0.1 when TLS Fallback to Proofpoint Encryption was enabled. The
PPS-86096
tlsfallback SMTP profile would use ::1 instead of 127.0.0.1. This issue is
resolved.
Two DLP folder access control issues have been fixed:
1. The administrator was unable to view the content of the messages in the all
folders view (DLP Incidents > Incidents > all folders from the drop-down list.)
The messages appeared in the list but clicking them did not return message
PPS-86399
content.
2. With certain access control permissions, if the role had access to anything
less than all of the Quarantine folders, then the Add and Delete folder options
were missing from the DLP Incidents > Folders view.

An issue where quarantined messages were delayed from appearing in the

PPS-86412
End User Web portal has been resolved.

This issue applies to customers who migrated to Cloud Quarantine Services.

PPS-86543 Messages that trigger encryption prior to being sent to the quarantine will
automatically be encrypted upon release.
An issue with URL Rewrite and Email Warning Tags could cause certain
messages in the ISO-2022-JP character set encoding with non-standard
PPS-86550
character extensions to appear with corrupted text in some email clients. This
issue is resolved.

Improvements in memory usage by the software update process to address

PPS-86634
performance issues.

This fix applies to the Proofpoint Cloud Quarantine Service. Previously, a

PPS-86664 change to a Quarantine folder could be mistakenly attributed to the wrong
user. This issue is fixed.
If a user in the repository had No set for the Use From/Sender Header For
Safelist parameter for the Filtering attribute, the sender of the message
PPS-86666
would not be added to the user’s Safe Senders list when using the Release
and Allow Sender command from the email Digest . This issue is resolved.

Legitimate messages that were re-injected could cause the M365 Relay Abuse
PPS-86755
protection rules to incorrectly trigger. This issue has been resolved.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 11 of 14
Reference Description

sendmail has been updated to use LDAPv3 by default. In the event that an
PPS-86959 older protocol is needed, Proofpoint Support can assist in modifying the LDAP
configuration.
This issue was observed when the Filter email (Opt In/Out) parameter was
set to No for an internal recipient. If a message was addressed to an external
PPS-86963 recipient and also to the internal recipient (in that order), the message was
delivered to the external recipient but not the internal recipient. This issue is
resolved.
Performance improvements to the process for generating and viewing reports
PPS-86991 from the Logs and Reports > Report Viewer page, particularly for the Spam -
Quarantined reports.
Previously, if an encrypted message contained an image, and the recipient
PPS-87070 replied to the message using Secure Reader, the image could disappear. This
issue is fixed.

During Email Warning tag insertion, some messages would trigger a complex
PPS-87121
regular subexpression alert. This issue is fixed.

An issue where a rule in the Email Firewall Module was failing to detect and
PPS-87177
trigger on a password-protected .rar file has been resolved.

Several improvements to the Secure Reader password create and reset user
PPS-87266
experience.

This issue applies to customers that have been migrated to Cloud Quarantine
Service. Previously, if a message to a recipient with an email address that
started with the special characters * or + landed in a quarantine folder, an error
PPS-87267
message would display when navigating to the folder in the classic PPS Admin
UI (navigating to the folder in the Cloud Admin Portal was not impacted). This
issue is fixed.
This fix applies to Smart Send. Previously, it was possible for the same
message to have more than one command applied to it - for example, “block”
and also later “release”. This issue is resolved, and once a command is
PPS-87274
applied to a message no further actions can be applied to it, and the user is
notified that the message is no longer available. Quarantine message details
reflect the true status for the message.
Email warning tag removal on outbound does not work when a reply or
forward is composed in Outlook on the web or New Outlook for Windows and
PPS-87289 the user edits the quoted copy of the original message. A fix is now available.
The fix must be enabled manually. Contact Support for more information and
reference PPS-87289.

Some messages with multiple recipients would fail DKIM verification when the
PPS-87338
recipients matched different Policy Routes. This issue is fixed.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 12 of 14
Reference Description

Policy Routes that contained certain combinations of multiple Message

PPS-87428 Header conditions could cause messages to not be processed by filtering
modules. This issue has been resolved.
This issue was observed when a rule was created with the Delivery Method of
Re-route, and an SMTP profile was selected. Messages to recipients who had
PPS-87437
mixed-case characters in their addresses were duplicated by the PPS filtering
engines. This issue is resolved.
This fix applies to on-premise deployments. Previously, if agents in the cluster
used unresolvable TLDs (such as .local or .localdomain) in their hostnames, it
PPS-87486
would prevent you from making edits to the Appliance > Host Firewall page
in the management interface (Admin GUI). This issue is resolved.

Performance improvements to Secure Reader. Quicker response times when

PPS-87588
users decrypt and read their secure messages.

This issue applies to the Regulatory Compliance Module. For certain

messages, when administrators viewed details for the message on the DLP
PPS-87636 Incidents > Incidents page, they would occasionally see a “no information
available” message. This process has been improved upon so that it happens
less frequently.
Improvements to the Logs and Reports module, so that duplicate events are
PPS-87737 not processed by the Config Master when a dedicated Log Node is part of the
cluster.

PPS-87688 Correction/update to the New Hampshire Driver’s License Smart Identifier.

MaxQueueAge was not being honored by the MTA. This issue has been
PPS-88302
resolved.

This fix applies to Information Protection > DLP Incidents > Settings >
Templates. Previously, when making changes to a template, there could be a
PPS-88502
delay prior to the updated template being used by triggered DLP rules. This
issue is fixed.

Known Limitations
Re-ordering Rules

To change the order in which rules are applied in a module, use the arrow keys to move a rule up or
down in the order. The scroll bar to the left of the Enabled column (drag-and-drop) will be fixed in a future
release.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 13 of 14
Reference Description

For security reasons, the management interface (Admin GUI) is not supported
on older browser versions. To view a list of currently-supported browsers,
PPS-81195
please refer to the Proofpoint Community article Proofpoint Protection Server
Version Support Matrix – Release 8.X.
This limitation applies to the Information Protection > DLP Incidents >
PPS-85658 Incidents page. When viewing the Email DLP details, DLP violations in a zip
archive inside another zip archive cannot be highlighted.

Proprietary and Confidential © 2025 – Proofpoint, Inc. March 2025 Rev A - Page 14 of 14