Mimecast is an international company specializing in cloud-based email management.

This article covers the SPF and DKIM authentication processes for Mimecast and how to manage this configuration in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.

In order to setup DKIM for Mimecast, you will have to Setup an Outbound Signing Definition and Setup an Outbound Policy to apply DKIM to your outbound emails.


Setup an Outbound Signing Definition

1. Once logged in, click the Administration dropdown, select Gateway and click Policies.

a screenshot of a computer

2. Click the Definitions dropdown and select DNS Authentication - Outbound.

a screenshot of a computer

3. Click “New DNS Authentication – Outbound Signing” to create a new DKIM policy.

a screenshot of a browser window

4. Fill in a description and select Sign outbound mail with DKIM. A domain needs to be selected and so click Lookup next to Domain.

a screenshot of a browser

5. Select your domain by clicking Select in front of your chosen domain.

a screenshot of a computer

6. Select either 1024 bits or 2048 bits as your DKIM Key Length. We recommend choosing 2048 bits for more secure encryption.

Do not change the Selector. Click Generate.

a screenshot of a browser

7. Your new DKIM key has been generated successfully.

a screenshot of a computer

8. The newly created DKIM key will need to be published in Valimail Enforce.

Add a Mimecast DKIM key in Enforce

1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.

    a. Scroll down and add the two DKIM keys in your configuration, by clicking on Add a DKIM key

    b. Enter the selector name, the DKIM TXT value (the actual value is the entire string after the p= tag), associate the key with Mimecast and then click Add.

a screenshot of a computer

a white background with black dots

You can find more detailed information on how to add a DKIM key in Valimail Enforce here.

Setup an Outbound policy

1. Once done with your outbound signing definition, next you need to create your outbound policy.

    Under Policies select DNS Authentication – Outbound.

a screenshot of a computer

2. Add a new Policy for Outbound Signing and use the following values:

a screenshot of a computer

3. Go back into Mimecast and click Check DNS to verify that the Mimecast DKIM key was properly published in Valimail Enforce.

a screenshot of a browser

4. After the validation of the DKIM key was done successfully in Mimecast, you can now send DKIM authenticated email for your domain using Mimecast.

Configuring SPF authentication for your Mimecast emails

Once you establish that Mimecast is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.

1. Please go to your domain's Configuration page in Enforce.

2. Click on the + sign from the Enabled Senders section:

a screenshot of a email

3. Choose Mimecast from the list of configurable senders and then click Enable:

a screenshot of a computer

We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

Enable SPF alignment in Mimecast for your domain

You may notice that Mimecast emails are not authenticated via SPF, even after you have added Mimecast to your domain's configuration. This is likely caused by Mimecast not sending SPF aligned-mail and can be corrected by making sure SPF alignment is turn on in Mimecast for your domain.

You can find more information on how to set up SPF and SPF alignment for Mimecast here.

As always, if you have any questions, please don't hesitate to submit a ticket.