TLS Outbound
This article describes TLS from Proofpoint's perspective as the sender.
Most customers will want to use TLS for outbound mail, to ensure secure mail transport.
- By default, the Proofpoint Essentials outbound relay will use opportunistic TLS for initial sending.
- If the recipient server is not accepting our TLS session, we will fall back to standard transport and deliver anyway.
If an outbound filter is created, the condition should be based on the recipient domain (not the Proofpoint customer). The action should be Nothing, and the secondary action can be either of the following options:
Enforce Completely Secure SMTP Delivery
- The sender must have a valid certificate in place.
- The domain name used to send must exactly match the domain on the certificate, unless it is a wildcard certificate.
- If there is no certificate, we will not deliver the email.
Enforce Only TLS on SMTP Delivery
- No certificate is required. The downstream server simply needs to accept the traffic over TLS.
- If the downstream server does not accept TLS, we will not deliver the email.
Example of how TLS on SMTP Delivery looks in Proofpoint setup
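
The three behaviours described above (default opportunistic TLS and the two enforce options) can be compared side by side with a small model. This is an added example, not Proofpoint code. The policy constants, the `Session` class and the sample sessions are constructed for illustration, and the wildcard rule (one left-most label only) is the usual certificate convention, assumed here rather than stated on this page.

```python
from dataclasses import dataclass, field

OPPORTUNISTIC = "opportunistic"             # default behaviour
TLS_ONLY = "enforce-only-tls"               # Enforce Only TLS on SMTP Delivery
FULLY_SECURE = "enforce-completely-secure"  # Enforce Completely Secure SMTP Delivery

@dataclass
class Session:
    """Observed properties of one SMTP session (hypothetical model)."""
    accepts_tls: bool
    cert_valid: bool = False                        # chain trusted, not expired
    cert_names: list = field(default_factory=list)  # names on the certificate

def name_matches(domain, cert_name):
    """Exact match, or a wildcard covering exactly one left-most label."""
    domain, cert_name = domain.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, rest = domain.partition(".")
        return bool(head) and rest == cert_name[2:]
    return domain == cert_name

def delivery_outcome(policy, domain, s):
    """Return 'tls', 'plaintext' or 'not delivered' for one delivery attempt."""
    if policy == OPPORTUNISTIC:
        return "tls" if s.accepts_tls else "plaintext"  # falls back, delivers anyway
    if not s.accepts_tls:
        return "not delivered"       # both enforce options refuse plaintext
    if policy == TLS_ONLY:
        return "tls"                 # no certificate required
    if policy == FULLY_SECURE:
        ok = s.cert_valid and any(name_matches(domain, n) for n in s.cert_names)
        return "tls" if ok else "not delivered"
    raise ValueError(f"unknown policy: {policy}")

# Constructed sample sessions, not real servers.
SAMPLES = {
    "no-tls": Session(False),
    "self-signed": Session(True, cert_valid=False, cert_names=["mail.example.com"]),
    "wildcard": Session(True, cert_valid=True, cert_names=["*.example.com"]),
    "mismatch": Session(True, cert_valid=True, cert_names=["mail.example.net"]),
}

def matrix(domain="mail.example.com"):
    """Outcome for every (policy, sample) pair."""
    return {(p, k): delivery_outcome(p, domain, s)
            for p in (OPPORTUNISTIC, TLS_ONLY, FULLY_SECURE)
            for k, s in SAMPLES.items()}

if __name__ == "__main__":
    for (p, k), out in matrix().items():
        print(f"{p:28} {k:12} {out}")
```

The matrix makes the operational trade-off visible: only the default policy ever sends in plaintext, and only the completely secure option rejects a session whose certificate is invalid or does not match the domain.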