Can only one domain in a tenant be on CloudFilter?
It depends.
If the Mailprotector Inbound Connector for Microsoft 365 or the Inbound Mail Route for Google Workspace is enabled, or other email delivery platforms are configured to restrict traffic to deliver only from Mailprotector inbound transports (right), then all domains must be added to CloudFilter for mail to send and receive successfully. Because transport rules cannot be applied to inbound connectors or mail routes, inbound messages will only deliver properly when every domain is included in CloudFilter. This may incur additional costs if each domain is separate in the Mailprotector Console and additional domains are not configured as aliases of the primary domain.
If the Mailprotector Inbound Connector or Mail Route is not enabled, domains can be excluded from the CloudFilter setup. However, doing so introduces a security risk since inbound mail will not be restricted to the Mailprotector inbound transport IP addresses.