Symantec Data Loss Prevention Cloud Service for Email Implementation Guide gives instructions on how to set up Cloud Service for Email with an Enforce Server administration console and either on-premises Microsoft Exchange, or Microsoft Office 365 Exchange Online, or Google G Suite Gmail.
Important: Adding Symantec IPs to SPF records to ensure email delivery for Office 365 reflecting mode
You must add IPs used by DLP Cloud Service for Email to SPF records to ensure email delivery for Office 365 reflecting mode. In reflecting mode, the email from Symantec Data Loss Prevention Cloud Service for Email reflecting back to Office 365 may fail SPF checks because you have not included the IPs used by Cloud Service for Email in your sending domain SPF record. Recipient MTAs may be configured to reject emails with SPF failures in the message headers.
To avoid email delivery failures, include one of the following regional domains in your sending domain SPF records, depending on the region you chose when you initially implemented DLP Cloud Service for Email.
For US-based deployments, include the following domain in your sending domain SPF record: spf-us.mail.dlp.protect.symantec.com
For EU-based deployments, include the following domain in your sending domain SPF record: spf-eu.mail.dlp.protect.symantec.com
The latest version of this guide, dated 22 July 2019, applies to using Cloud Service for Email with Symantec Data Loss Prevention version 15.x. It includes
Information about the new Cloud Management Portal (CMP) that replaces the provisioning form.
Notification that as of September 2019, the lowest supported of version of Symantec Data Loss Prevention for use with cloud service will be 15.x.
Minor edits to match the instructions to the current Exchange admin center UI.