Proofpoint TSA separation is the work of standing up a Newco tenant, rebuilding email protection and the targeted attack defenses, deciding the disposition of the archive, and cutting Newco's mail flow through Newco's own filtering before the seller's tenant still scans or holds Newco mail. The work sits inside the broader carve-out advisory program and is sequenced with the email domain migration, because mail routing is a Day One dependency for every user.
Proofpoint separation starts with an inventory of the seller tenant. The buyer needs the subscription scope across email protection, Targeted Attack Protection, Threat Response, email data loss prevention and encryption, the archive if the seller runs Proofpoint archiving, the routing configuration that places Proofpoint in the mail flow, and the policy set for spam, malware, URL defense, and impersonation.
The archive is the decision that shapes the whole separation. Where the seller uses Proofpoint archiving, it holds years of historical email that may include Newco records under legal hold and regulatory retention. The buyer decides whether Newco's historical mail is exported and migrated to a Newco archive, retained by the seller under defined access, or split. This drives effort, cost, and timeline more than the filtering cutover does.
The clean end state is a dedicated Newco tenant with its own email protection, its own policy, and a defined disposition of the historical archive. A shared seller tenant keeps Newco mail under seller scanning and seller visibility, which is unacceptable beyond a short bridge. The filtering sits in the mail flow, so the routing change is a coordinated cutover rather than a quiet background move.
Target strategy ties Proofpoint to the email domain migration. Because Proofpoint filters mail for the domain, the tenant and routing cutover are sequenced with the domain and the underlying mailbox platform so the mail flow lands cleanly. The archive disposition runs in parallel on its own track because of its volume and legal sensitivity.
Proofpoint is sold per user across module bundles, with archiving priced on retained volume and retention period. The seller agreement does not transfer in a carve-out. Newco signs a direct subscription sized to its real user count and the modules it needs, rather than inheriting a bundle and an archive scope built for the combined organization.
A carve-out reads to the vendor as a buyer with a Day One deadline, which is real leverage on the sell side. The buyer offsets that by opening the commercial conversation early and by separating the Day One routing need from the archive migration, which can run on a longer track. Where Newco is reconsidering its email security architecture, a credible alternative strengthens the position, though Day One mail flow usually argues for continuity first.
Where the seller provides email security and archive access through a TSA window, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA states how Newco users and archive access are metered. The archive deserves explicit treatment because the seller may hold Newco's historical mail, and the TSA must define export rights, format, and the access window.
Where a partner is engaged for the archive export and migration, the contract is fixed fee for defined deliverables with disciplined change control. The subscription and archive audit runs through the broader TSA license consolidation work so Newco right sizes its email spend at exit.
The protection policy is rebuilt rather than copied wholesale. Spam and malware classification, URL Defense rewriting, attachment defense, impersonation and business email compromise protection, data loss prevention, and the safe and block sender lists are reconstructed in the Newco tenant to match Newco's risk posture. The seller policy is a useful reference, but it carries seller specific senders and exceptions that Newco reviews rather than inherits.
Routing is the heart of the cutover. Proofpoint sits in the mail path through the inbound and outbound connectors and the published mail exchange records. Newco's inbound routing is pointed at the Newco tenant, the outbound connectors from the mailbox platform are repointed, and the mail exchange records for the domain are updated so mail flows through Newco's filtering. This is coordinated tightly with the domain and mailbox migration so the flow is never broken.
URL Defense and attachment defense deserve attention because they rewrite links and sandbox attachments, and a cutover that leaves some mail rewritten by the seller's service creates confusion and dead links. The buyer confirms that after cutover, rewriting and sandboxing run through Newco's tenant and that previously rewritten links remain resolvable during the transition.
Safe and block lists and impersonation protection are validated against Newco's real sender estate so that legitimate mail is not quarantined when the flow moves to the Newco tenant. The discipline mirrors the broader email domain migration sequence so the protection and the routing land together.
Threat Response and the automated remediation workflows are rebuilt for Newco so that, going forward, Newco's security operations triage and remediate threats in Newco's tenant rather than the seller's. The abuse mailbox and the automated pull of malicious mail are reconfigured to act on Newco mailboxes through Newco identity.
Where the seller uses Proofpoint archiving, the archive workstream is where the separation succeeds or stalls. Newco's historical mail is identified, exported in a defensible format, and ingested into the Newco archive, with chain of custody preserved for anything under legal hold. Journaling is repointed so that, going forward, Newco's mail is captured into the Newco archive at the same time the routing cuts over, so there is no gap in capture for compliance.
Identity integration binds the tenant to Newco's directory. Proofpoint authenticates administrators and provisions users against the identity provider, and directory synchronization is pointed at Newco's directory so that user accounts, groups, and policy assignment resolve against Newco identity. User provisioning and single sign on are gated on the identity boundary being live.
Retention and legal hold settings are reconstructed in the Newco tenant so Newco's compliance obligations carry forward. The buyer confirms that no Newco hold lapses during the migration and that the retention clock on Newco records is preserved rather than reset.
Cutover moves the mail flow and the journal to the Newco tenant. The runbook covers the inbound routing change, the outbound connector repoint, the mail exchange record update, the journal redirection, and the validation gate, sequenced with the domain and mailbox migration so mail is never lost in transit. The cutover is timed to a low volume window where the business allows it.
Validation confirms continuity. Inbound mail is tested through Newco filtering, outbound mail is confirmed to route through Newco, URL Defense and attachment defense are confirmed to act through the Newco tenant, journaling is confirmed to capture into the Newco archive, and impersonation protection is tested. Because mail flow is a Day One dependency, the routing is validated on a pilot group before the broad cutover.
Stabilization runs thirty to sixty days. Misrouted mail, quarantined legitimate senders, and policy false positives are triaged within agreed service-level commitments. The archive migration continues on its track and is reconciled so the count and the date range of migrated records match the source.
Decommissioning is explicit. Once Newco operates on its own tenant with its mail flowing and its archive migrated, the seller removes Newco users and routing from its tenant, stops journaling Newco mail, and confirms that Newco mail no longer flows through or is held by the seller's Proofpoint account, subject to any agreed retention window.
Proofpoint separation cost is driven by user count, the modules Newco subscribes to, and above all the archive volume and migration effort where archiving is in scope. The discipline is to right size users and modules and to scope the archive migration precisely to Newco's records rather than moving the whole shared archive. An archive scope built for the combined organization is both a migration cost and a recurring storage cost the separation should correct.
The common failure mode is treating the archive as an afterthought. The filtering cutover is a defined event, but the archive holds years of records under legal hold and retention, and a migration scoped late or executed without chain of custody puts Newco's compliance position at risk. Buyers that start the archive disposition early, in parallel with the routing work, avoid a stalled exit.
The second failure mode is breaking the mail flow or the URL rewriting at cutover. Because Proofpoint sits in the mail path and rewrites links, a routing change made out of step with the domain and mailbox migration drops mail or leaves dead rewritten links. The fix is to sequence the routing, the journal, and the mail exchange records as one coordinated cutover. A PMO maintains the dependency map across Proofpoint, the domain, the mailbox platform, and identity, escalating blocks inside forty eight hours.
A clean Proofpoint separation produces a Newco that owns its own tenant, its own mail flow and protection, and its own archive of record, with its compliance obligations intact. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
Yes. The clean end state is a dedicated Newco tenant with its own email protection, policy, and a defined disposition of any historical archive. A shared seller tenant keeps Newco mail under seller scanning and seller visibility, which is unacceptable beyond a short bridge.
URL Defense rewrites inbound links, so a cutover is sequenced to keep previously rewritten links resolvable during the transition while new mail is rewritten through the Newco tenant. The buyer confirms rewriting and attachment sandboxing run through Newco after cutover rather than the seller's service.
Proofpoint filters mail for the domain through the connectors and the mail exchange records, so the routing cutover has to be sequenced with the domain and mailbox migration. A routing change made out of step with the domain drops mail, so the two are coordinated as one event.
The Newco tenant and routing cutover can be ready in weeks once the domain plan is set, but where archiving is in scope the export, migration, and reconciliation usually extend the full separation to two to five months depending on archive volume and legal hold scope.
Tenant split, gateway and routing cutover, archive ownership, and the journal redirection.
Read the article →The domain and mailbox split that the email security cutover is sequenced against.
Read the article →Endpoint security tenant split, sensor migration, and the Day One detection boundary.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Exit the seller's security stack first. Every week of shared security is a week of shared blast radius on a business they no longer own.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →