schedule 2-min read

DMARC and Mimecast: Best Practices for Authentication

Mimecast best practices for DMARC, SPF, and DKIM. Configure outbound signing, inbound enforcement, and avoid the common alignment failures.

01

Introduction

Mimecast is a secure email gateway widely used in enterprise. Like other SEGs, it integrates with DMARC but requires specific configuration to avoid alignment failures. This article covers the best practices.

02

Why this topic matters

Mimecast deployments without proper DMARC configuration produce SPF or DKIM alignment failures for outbound mail. Properly configured, Mimecast is fully DMARC-compatible.

03

The Mimecast SPF setup

Outbound mail through Mimecast requires Mimecast's IPs in SPF:

text v=spf1 include:_netblocks.mimecast.com include:_spf.google.com -all

(Replace Google with your primary platform.)

Mimecast publishes the include domain; check current docs.

04

The Mimecast DKIM setup

Configure Mimecast to sign with your domain:

  1. Generate DKIM key in Mimecast admin.
  2. Publish public key at the selector Mimecast provides.
  3. Enable signing for outbound flows.
  4. Verify alignment with your From domain.

Default Mimecast signing uses gateway domains; configure custom.

05

Inbound DMARC enforcement

Mimecast can enforce inbound DMARC:

  • Honor sender DMARC policy by default.
  • Configure exceptions carefully via allow-lists.
  • Quarantine vs. reject as tenant-configured.
06

Step-by-step approach

  1. Add Mimecast SPF includes to outbound SPF.
  2. Configure DKIM signing with your domain.
  3. Verify outbound alignment in DMARC reports.
  4. Configure inbound DMARC enforcement.
  5. Document the configuration.
07

Best practices

  • Watch SPF lookup budget when adding Mimecast.
  • Test DKIM signing with a sample message.
  • Audit allow-lists quarterly.
  • Pair with Mimecast support for complex setups.
  • Monitor aggregate reports for Mimecast-routed mail.
08

For Mimecast deployments, run a DMARC alignment check on outbound flows. Failures point to specific configuration items above.

09

FAQ

Does Mimecast support custom DKIM?

Yes — configure in admin console.

What about Mimecast policy bypass rules?

Available; use carefully. Each bypass weakens DMARC enforcement.

Does Mimecast support BIMI?

Inbound — yes, renders BIMI logos for compliant senders.

What's the SPF lookup cost for Mimecast?

Typically 2-3 lookups. Plan budget accordingly.

How does Mimecast handle DKIM key rotation?

Standard rotation flow; publish new selector, switch active.

10

Final thoughts

Mimecast and DMARC work cleanly with proper setup. SPF includes, custom DKIM, inbound enforcement configured deliberately — that's the formula.

Audit periodically; document changes; trust the data in your reports.

Ready to Implement?

Get authenticated mail moving in minutes — start free, book a guided demo, or talk to the team about your stack.

Start free arrow_forward event Book demo mail Contact us