What Is Mimecast and How Does It Protect Your Email?
Mimecast is a cloud-based email security platform that sits between the internet and your mail server, filtering inbound and outbound messages for threats, enforcing policies, and providing archiving and continuity services. It is widely deployed in enterprise environments where email is both a primary communication channel and a primary attack vector.
How Mimecast Works
Mimecast functions as a Secure Email Gateway (SEG). When deployed, your domain's MX records point to Mimecast's servers instead of directly to your mail server (Exchange, Microsoft 365, Google Workspace, or otherwise). This means all inbound email flows through Mimecast before reaching your users.
The typical mail flow:
- External sender transmits an email to [email protected].
- DNS resolves the MX records to Mimecast's infrastructure.
- Mimecast inspects the message: scans attachments, checks URLs, validates sender authentication, applies policies.
- If the message passes all checks, Mimecast forwards it to your actual mail server.
- If the message is malicious or policy-violating, Mimecast quarantines or rejects it.
Outbound email can also be routed through Mimecast for DLP (Data Loss Prevention) scanning and policy enforcement.
Core Capabilities
Threat Protection
Mimecast's primary value proposition is stopping email-borne threats before they reach the inbox:
- Anti-malware and anti-spam: Multi-engine scanning of message content and attachments.
- URL protection: Rewrites URLs in emails to route clicks through Mimecast's inspection proxy. At click time, Mimecast scans the destination for malicious content -- even if the site was safe when the email was delivered but weaponized later.
- Attachment sandboxing: Suspicious attachments are detonated in a sandbox environment to detect zero-day malware that signature-based scanners miss.
- Impersonation protection: Detects Business Email Compromise (BEC) attempts by analyzing sender display names, header anomalies, and domain similarity against known contacts.
- Internal email protection: Scans email sent between users within the organization to prevent lateral threat movement from compromised accounts.
Email Continuity
If your primary mail server goes down (Exchange outage, Microsoft 365 service disruption), Mimecast provides a failover mailbox. Users can continue to send and receive email through Mimecast's webmail interface or Outlook plugin until the primary server recovers. This is particularly valuable for organizations where email downtime has direct revenue impact.
Archiving and Compliance
Mimecast can archive every inbound, outbound, and internal email in a tamper-proof cloud archive. Features include:
- Retention policies configurable to meet regulatory requirements (HIPAA, GDPR, SEC 17a-4).
- E-discovery search across the full archive.
- Litigation hold capabilities.
- Users can access their own archive to recover deleted messages without IT involvement.
Data Loss Prevention
Outbound messages are scanned for sensitive content (credit card numbers, social security numbers, confidential documents) based on configurable DLP policies. Matches can trigger blocking, quarantining, encryption, or alerts.
DNS and Authentication Impact
Deploying Mimecast changes your domain's email infrastructure in ways that affect authentication records.
MX Records
Your MX records must point to Mimecast's regional servers instead of your mail provider. For example:
@ MX 10 us-smtp-inbound-1.mimecast.com.
@ MX 10 us-smtp-inbound-2.mimecast.com.
The specific hostnames depend on your Mimecast region and configuration.
SPF
Your SPF record must include Mimecast's sending infrastructure so that outbound email routed through Mimecast passes SPF checks:
@ TXT "v=spf1 include:_netblocks.mimecast.com include:spf.protection.outlook.com ~all"
Note that both Mimecast and your underlying mail provider need to be included. Validate your SPF record with the InboxTooling SPF Check to ensure it parses correctly and stays within the 10 DNS lookup limit.
DKIM
Mimecast can sign outbound messages with your domain's DKIM key. You generate a key pair within the Mimecast admin console and publish the public key in your DNS as a TXT record under the appropriate selector. This ensures messages routed through Mimecast carry a valid DKIM signature aligned with your domain.
Verify your DKIM records are published correctly with the InboxTooling DKIM Verify.
DMARC
With Mimecast handling both inbound and outbound mail flow, DMARC alignment becomes critical. DMARC passes only when SPF or DKIM aligns with the From: domain, so both your mail provider and Mimecast must send with aligned SPF or DKIM under your policy:
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
Mimecast provides DMARC reporting and analysis tools within its platform. You can also validate your DMARC record independently using the InboxTooling DMARC Analyzer.
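The SPF lookup limit and the DMARC and MX checks described in this section, as an added example that is not part of the original article or of Mimecast's or InboxTooling's own tooling. It runs offline against constructed DNS data for a hypothetical example.com: the SPF includes mirror the record above, the IP ranges are RFC 5737 documentation addresses, and the nested include under spf.protection.outlook.com is an assumption made to exercise recursive counting.

```python
import re

# Constructed stand-in for live DNS answers (not real Mimecast or Microsoft data).
TXT = {
    "example.com": "v=spf1 include:_netblocks.mimecast.com "
                   "include:spf.protection.outlook.com ~all",
    "_netblocks.mimecast.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/25 "
                                  "include:spfd.protection.outlook.com -all",
    "spfd.protection.outlook.com": "v=spf1 ip4:203.0.113.128/25 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
MX = ["us-smtp-inbound-1.mimecast.com.", "us-smtp-inbound-2.mimecast.com."]


def spf_lookups(domain, txt=TXT, depth=0):
    """Count DNS-query-causing SPF terms (include, a, mx, ptr, exists, redirect),
    following include/redirect chains recursively; RFC 7208 caps this at 10."""
    if depth > 10:
        raise ValueError("include chain too deep")
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
        if name.startswith("include:") or name.startswith("redirect="):
            target = name[8:] if name.startswith("include:") else name[9:]
            total += 1 + spf_lookups(target, txt, depth + 1)
        elif re.match(r"^(a|mx|ptr|exists)([:/]|$)", name):
            total += 1
    return total


def check_spf(domain, txt=TXT,
              required=("_netblocks.mimecast.com", "spf.protection.outlook.com")):
    """Both the gateway and the underlying provider must be included, within the limit."""
    terms = txt[domain].split()
    missing = [r for r in required if f"include:{r}" not in terms]
    lookups = spf_lookups(domain, txt)
    return {"lookups": lookups, "within_limit": lookups <= 10, "missing": missing}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if part.strip())


def mx_routed_through_gateway(hosts, suffix=".mimecast.com"):
    """True only if every MX host lands on the gateway, i.e. no bypass path."""
    return all(h.rstrip(".").endswith(suffix) for h in hosts)
```

With the constructed data the SPF chain costs 3 of the 10 permitted lookups; adding further includes for marketing or ticketing senders is where real deployments overrun the limit.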
When Mimecast Makes Sense
Mimecast is an enterprise product with enterprise pricing. It is most relevant for organizations that:
- Have hundreds or thousands of mailboxes to protect.
- Face elevated phishing and BEC risk (financial services, healthcare, legal).
- Need regulatory-compliant email archiving.
- Require email continuity SLAs beyond what their mail provider offers.
- Want centralized policy control over email security across multiple domains or business units.
Smaller organizations may find that the built-in security features of Google Workspace or Microsoft 365 Defender, combined with proper SPF, DKIM, and DMARC configuration, provide sufficient protection.
Verifying Your Configuration
Whether you use Mimecast or not, proper email authentication is the foundation of email security. Use InboxTooling's free tools to verify your setup:
- SPF Check -- ensure all legitimate sending sources are authorized.
- DKIM Verify -- confirm DKIM public keys are published for all signing selectors.
- DMARC Analyzer -- validate your DMARC policy and reporting configuration.
Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.