The correct answer is A. To transfer email messages from one mail server to another during delivery . Proofpoint’s SMTP relay reference explains that SMTP is the protocol used for outbound email transmission and for forwarding messages between different mail servers, especially when sending to external domains. That is the clearest match to the role being tested in this question. SMTP is fundamentally a sending and transfer protocol , not a storage protocol.

While SMTP is also involved when a client submits outgoing mail to a mail server, the best and most primary role in overall email delivery is server-to-server message transfer. The alternative answers are therefore incorrect: SMTP does not store attachments, does not inherently provide automatic message encryption on its own, and is not best defined here as a mailbox-management protocol between end users and servers. Storage and retrieval functions are handled by other protocols and applications, such as IMAP or POP for inbox access, while TLS can add transport encryption to SMTP sessions when configured. In the Threat Protection Administrator course under Mail Flow, SMTP is treated as the delivery protocol that moves email onward through the message path. Therefore, the correct answer is to transfer email messages from one mail server to another during delivery .

The correct answer is B. Add the partner’s domain to the TLS Domains list with a setting of “Always.” Proofpoint’s TLS guidance explains that opportunistic TLS is the default behavior for SMTP unless stricter policy is configured for specific destinations. To require secure transport to a specific partner domain, the administrator must explicitly enforce TLS for that domain rather than merely allowing it when available. Proofpoint describes TLS as a mechanism to encrypt messages in transit between sending and receiving mail servers, and that requirement becomes mandatory only when policy is configured to insist on TLS for the target domain.

Option A is incorrect because “If Available” still allows mail to be delivered without TLS if the remote server does not negotiate it, which does not satisfy the requirement to ensure secure delivery. Option C changes general protocol posture but does not by itself force TLS for one specific partner domain. Option D is also not the normal administrative control used for outbound partner enforcement in Proofpoint’s course context. In the Threat Protection Administrator course, secure partner delivery is handled through domain-specific TLS enforcement settings, and the tested answer is to require TLS by setting the domain entry to Always . That ensures the Proofpoint system attempts secure SMTP and does not simply fall back to unencrypted transport for that external partner.

The correct answer is D. When delivering mail to example.com the protection server tries to connect to the Destination MTAs starting at the top one and working down the list .

The exhibit shows that the inbound mail route for example.com is configured with three destination hosts:

m1.example.com

m2.example.com

m3.example.com

It also shows that the Delivery Type is set to Ordered . In Proofpoint route configuration, Ordered means the system uses the listed destinations in sequence, following the order in which they appear in the route. That means the first connection attempt is made to the top entry , then if needed it proceeds downward through the remaining hosts.

Why the other choices are incorrect:

A is incorrect because ordered delivery does not start from the bottom of the list.

B is incorrect because multiple destination hostnames can be listed in an ordered route; they do not have to be IP addresses only.

C is incorrect because there is no requirement shown here for a minimum of five MTAs for ordered delivery.

This is a Mail Flow question focused on route behavior. The main concept being tested is how Proofpoint uses the destination list when Ordered delivery is selected. The configured order matters, and the Protection Server follows that order from top to bottom .

So the complete interpretation of the exhibit is that the Protection Server attempts delivery starting with m1.example.com , then m2.example.com , then m3.example.com , which makes Answer D the verified course-aligned choice.

Directory harvest attacks try to discover valid recipient addresses by sending large numbers of SMTP recipient attempts and observing which addresses are accepted or rejected. In Proofpoint’s layered connection-level defenses, Recipient Verification and SMTP Rate Control are the two features that work together most directly against this problem. Recipient Verification checks whether the addressed mailbox is valid, while SMTP Rate Control helps detect and automatically block or throttle abusive SMTP connection behavior. Proofpoint’s published spam detection material describes connection-level analysis that includes recipient verification and Dynamic Reputation, and then states that based on this analysis, SMTP rate control is used to automatically block or throttle malicious connections, providing strong protection against directory harvest and denial-of-service attacks. That pairing is exactly what makes these two options the correct answer. Outbound Throttle is aimed at controlling excessive outbound mail from accounts, not inbound recipient enumeration. Dictionaries are content and pattern controls, not recipient-existence validation controls. Bounce Management deals with BATV-style handling of backscatter, which is a different problem space. The Threat Protection Administrator course topic list also places SMTP Rate Control and Recipient Verification together under the same operational area, reinforcing that they are complementary controls for this class of attack. For a directory harvest scenario, these are the right two protections to deploy together.

The correct answer is C. The email was rejected due to its excessive size .

From the filter-log exhibit, the key indicator is the rejection entry that shows a Message Size Violation response. That tells you the Protection Server accepted enough of the SMTP transaction to evaluate the message, but then rejected it because it exceeded the configured size threshold. In other words, this is not a transport drop, not a normal successful delivery, and not a timeout caused by lengthy processing. The decisive clue is the size-related rejection text in the log.

This kind of event belongs to the Mail Flow topic because it reflects SMTP-time handling and message acceptance controls. Proofpoint applies a series of processing steps as mail is received, including connection checks, MIME inspection, attachment evaluation, and policy enforcement. When the message exceeds the allowed size, the server returns a rejection tied to that violation instead of continuing with normal acceptance and delivery.

Why the other choices are incorrect:

A is wrong because the log does not indicate that the sender disconnected before the transaction could complete.

B is wrong because the message was not delivered successfully; it was explicitly rejected.

D is wrong because the evidence points to a size violation, not a processing-time threshold breach.

So the complete interpretation of the exhibit is that the inbound message was rejected because it was too large , which makes Answer C the verified course-aligned choice.

The correct answers are B. SMTP verification , C. LDAP verification , and D. User Repository verification . In the Threat Protection Administrator course, Recipient Verification is presented as a feature used to validate whether recipient mailboxes exist before accepting mail for them. The public course guide excerpt confirms that Proofpoint supports using an imported user repository in place of repeatedly querying LDAP, which directly supports User Repository verification as one of the built-in methods. It also places Recipient Verification alongside LDAP-based identity workflows, which supports LDAP verification as a default verification method.

SMTP verification is the remaining standard mailbox-existence check in this feature set and fits Proofpoint’s connection-level validation approach. By contrast, Email the recipient is not a real-time verification method used for SMTP-time recipient validation, CSV file verification is not presented as one of the default Recipient Verification methods in the Proofpoint course materials, and DNS verification checks domain routing information rather than whether a mailbox for a specific recipient exists. In administrator practice, these three methods cover live directory validation, local imported identity validation, and SMTP recipient validation against the destination system. Therefore, the correct three default methods are SMTP verification, LDAP verification, and User Repository verification .

The correct answers are Destination / Error Message for the routed mail , Email domain to be routed , and Mailer type that is utilized for the route . In Proofpoint route configuration, the essential elements of a mail route are the domain or host the route applies to, the mailer method used for handling the route, and the destination host or error behavior associated with that route. Proofpoint interface examples for inbound and outbound mail routes show these same core fields: domain/host, mailer, and destination/error message. These are the pieces that define how mail should be routed operationally.

The other options are not required route-definition elements. DKIM records and general email authentication data are important for overall mail security, but they are not the required fields used to create the outbound route itself. Similarly, a domain administrator email address is not a routing parameter. The route configuration needs to know what mail the rule applies to, how it should be sent, and where it should go. That maps directly to the three correct choices in this question. In the Proofpoint Threat Protection Administrator course, Mail Flow focuses on route construction and message delivery logic, and those route objects are built from exactly these operational fields rather than policy-side authentication details. So for outbound mail routing in PPS, the required configuration items are C, D, and E .

The correct answer is C. The inbound_protected and default policy will be applied to the message in that order .

From the exhibit, the message is inbound and matches two policy routes:

legal

default_inbound

The inbound_protected virus policy is configured with Allow: legal , so that policy applies to this message first. The default virus policy is configured with Allow: default_inbound , so it also applies to the same message. Since the message matches both routes, both policies are applied in policy order, with the more specific matching inbound policy applying before the default policy.

Why the other choices are incorrect:

A is incorrect because the message is inbound, not outbound, so the outbound policy is not the first applicable policy here.

B is incorrect because the exhibit logic indicates the specific matched inbound policy applies before the default policy, not the reverse.

D is incorrect because the exhibit shows the message belongs to both legal and default_inbound , so the default policy is not ignored.

This is a Virus Protection policy-order question. The important concept is that Proofpoint can apply multiple matching virus policies based on route membership, and in this scenario the message is processed by inbound_protected first , followed by default .

So the complete interpretation of the exhibit is that the inbound_protected and default policies are both applied, in that order , which makes Answer C the verified course-aligned choice.

The correct answer is A. To automate the containment and remediation of email threats . Proofpoint’s Threat Response product description says that it removes manual labor and guesswork from incident response and helps organizations resolve threats faster and more efficiently. It provides actionable context and enables teams to quarantine and contain threats automatically or with minimal manual action. That aligns directly with automation of containment and remediation.

This is distinct from basic pre-delivery spam filtering or universal message encryption. CTR is not intended to manually inspect every email before delivery, and it is not just another spam engine. Instead, it is a response platform used after or alongside detection to orchestrate investigation, quarantine, and follow-up remediation actions for dangerous messages and associated affected users. In the Threat Protection Administrator course, Threat Response is positioned as the operational bridge between detection and action: once a threat is identified, CTR helps administrators and analysts contain it efficiently, especially at scale. That is why the product’s primary function is best summarized as automating the containment and remediation of email threats . Therefore, the verified answer is A

The correct answer is C. A setting that defines email routing policies . In Proofpoint administration, SMTP-related profiles are used as configuration objects that shape how mail is handled in transport, including route behavior and SMTP service characteristics. The course question’s correct answer aligns with the operational role of SMTP profiles in governing routing and transport behavior, not quarantine personalization or encryption-key generation. Proofpoint’s general SMTP and relay documentation frames SMTP configuration around how messages are relayed, routed, and delivered between systems, which supports this answer. ( proofpoint.com )

The incorrect options do not fit the function of an SMTP Profile. A block list of email addresses would be part of filtering or policy controls, not SMTP profile definition. A Proofpoint-generated encryption key belongs to cryptographic or secure message workflows, not to SMTP profile configuration. A user-defined quarantine setting is part of end-user or administrative quarantine handling and is unrelated to transport profile architecture. In the Threat Protection Administrator course, Mail Flow focuses heavily on routing, relay behavior, and delivery path control, and this question sits squarely in that domain. So when the course asks what an SMTP Profile is in Proofpoint, the best verified answer is that it is a setting that defines email routing policies . ( proofpoint.com )