item 42023803

garbagepoint76 | 1 year ago

I encountered the same issue earlier this year; it's one of the most maddening things I've had to deal with in nearly 2 decades of sysadmin work.

In our case, the domain was registered 15 years ago and email is only sent using Google Workspace. SPF, DKIM, DMARC (strict) all set up as they should be. The customers using Proofpoint who suddenly stopped getting our emails had previously had no issues for 10+ years. In some cases (not all), those customers couldn't email us either - emails in both directions got silently dropped, so even the employees of some customers didn't know their emails were not going through until we got angry calls asking why we weren't responding to them anymore.

Ultimately, I discovered the trigger was a compromised WordPress plugin quietly injecting SEO spam... running on wpengine. That WordPress site was fully owned/managed by our marketing team and in no way connected to our corporate infrastructure, other than by a CNAME of the same domain email is sent from. I had the marketing team revert to a backup that wasn't compromised and update all the plugins, and I used Quttera's scanner (which found it initially) to confirm the issue was gone; within a few weeks it appeared we were no longer blocked. I say appeared because long before that point we had contacted all customers who had MX records indicating Proofpoint was used, requesting manual whitelisting.

As much as I'd love to ban WordPress use at the company, we had to settle for using an internal-only WP instance and a plugin that generates a static site export to eliminate any chances of this happening again.
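The commenter mentions identifying which customers were behind Proofpoint by looking at their MX records before asking for manual whitelisting. The script below is an added example (not the commenter's code) of how a defender can do that triage over a list of domains: it resolves MX hosts and flags domains whose exchangers match assumed provider hostname suffixes. The `pphosted.com` / `ppe-hosted.com` suffixes and the sample domains are assumptions and constructed data, not values from the comment; the resolver is injectable so the check runs offline against the embedded sample and can be pointed at live DNS (via the optional dnspython package) when needed.

```python
"""Flag customer domains whose MX records point at a given mail-filtering
provider, so those customers can be asked for a manual allow-list entry.

Added example; not the HN commenter's code. Assumptions:
  * PROOFPOINT_MX_SUFFIXES are assumed hostname markers for Proofpoint-hosted
    MX exchangers; adjust the tuple for other providers.
  * lookup_mx_dns uses dnspython (optional); lookup_mx_sample serves the
    constructed SAMPLE_MX data so the example runs with no network access.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Assumed suffix markers for Proofpoint-hosted MX records.
PROOFPOINT_MX_SUFFIXES: Tuple[str, ...] = ("pphosted.com", "ppe-hosted.com")

# Constructed sample MX answers standing in for live DNS responses.
SAMPLE_MX: Dict[str, List[str]] = {
    "customer-a.example": ["mxa-00123456.gslb.pphosted.com.",
                           "mxb-00123456.gslb.pphosted.com."],
    "customer-b.example": ["aspmx.l.google.com.", "alt1.aspmx.l.google.com."],
    "customer-c.example": ["MX1-US1.PPE-HOSTED.COM."],
    "customer-d.example": [],  # no MX published at all
}


def lookup_mx_sample(domain: str) -> List[str]:
    """Offline resolver: returns the constructed sample MX hostnames."""
    return SAMPLE_MX.get(domain, [])


def lookup_mx_dns(domain: str) -> List[str]:
    """Live resolver using dnspython (import deferred so the rest works without it)."""
    import dns.resolver  # type: ignore
    try:
        answers = dns.resolver.resolve(domain, "MX")
    except Exception:
        # NXDOMAIN, NoAnswer, timeouts: treat as "no MX" rather than crashing a batch run
        return []
    return [str(rdata.exchange) for rdata in answers]


def mx_host_matches(host: str, suffixes: Tuple[str, ...] = PROOFPOINT_MX_SUFFIXES) -> bool:
    """True if the MX hostname is the suffix itself or a subdomain of it.

    The "." + suffix check prevents lookalikes such as evilpphosted.com
    from matching pphosted.com.
    """
    h = host.rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def find_domains_using_provider(
    domains: Iterable[str],
    resolver: Callable[[str], List[str]] = lookup_mx_sample,
    suffixes: Tuple[str, ...] = PROOFPOINT_MX_SUFFIXES,
) -> Dict[str, List[str]]:
    """Map each domain that routes mail through the provider to its matching MX hosts."""
    hits: Dict[str, List[str]] = {}
    for domain in domains:
        matching = [h.rstrip(".").lower() for h in resolver(domain)
                    if mx_host_matches(h, suffixes)]
        if matching:
            hits[domain] = matching
    return hits


if __name__ == "__main__":
    # Offline demonstration over the constructed sample; swap in lookup_mx_dns
    # and a real customer domain list for live use.
    for domain, hosts in find_domains_using_provider(SAMPLE_MX).items():
        print(f"{domain}: {', '.join(hosts)}")
```

For a real contact list, feed `find_domains_using_provider(domains, resolver=lookup_mx_dns)` and keep the output as the set of customers to contact about a manual allow-list entry; the suffix-based match is deliberately conservative, so domains fronted by a provider under an unlisted hostname will simply not be flagged.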
