Customers currently using the Connect Application are advised to complete their onboarding setup as soon as possible, as the Connect Application is scheduled to be discontinued on the 31st of January, 2024.
This article contains information on configuring Mimecast for outbound email routing in various environments, including Microsoft 365, On-Premises, Hosted Exchange, and Google Workspace, detailing setup steps and considerations for successful integration.
Once your Mimecast account has been created, your Technical Point of Contact (TPOC) should log onto the account to confirm they can access it. If this is successful, your email server can route outbound emails through Mimecast. This requires that:
- Your public IP addresses are added to Mimecast's authorized outbounds. The Connect Team will configure these based on the information received in the Connect Process: Request For Information (RFI).
- Your firewall is configured to allow access to the Mimecast Data Center IP Ranges on SMTP port 25. See the Mimecast Data Centers and URLs page for more information. This step may not apply to Hosted Exchange (HEX) and Microsoft 365 implementations. See the relevant section below for further details.
- Your email server or cloud service is configured to deliver emails to Mimecast. See the relevant section below for the configuration steps.
If you currently use SPF records for your domains, ensure you include a comprehensive list of Mimecast outbound IP addresses in your DNS SPF record. For more information, see the "Implementing SPF for Outbound Email Delivery" section of the Configuring DNS Authentication (Inbound / Outbound) Definitions and Configuring DNS Authentication (Inbound / Outbound) Policies pages.
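A pre-cutover check of a domain's SPF record can catch the usual mistakes before outbound mail is rerouted. The following is an added example, not Mimecast's own tooling: it assumes the gateway's outbound ranges are published through an SPF `include` target, and `spf.gateway.example` is a placeholder to be replaced with the value given in the Mimecast SPF documentation referenced above.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

GATEWAY = "spf.gateway.example"  # placeholder, NOT a real Mimecast hostname

def audit_spf(txt_records, gateway_include=GATEWAY):
    """Return a list of findings for the TXT records published at a domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple v=spf1 records: receivers return permerror"]

    lookups, includes, all_qualifier, has_redirect = 0, [], None, False
    for term in spf[0].lower().split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, value = re.match(r"([a-z0-9]*)[:=]?(.*)", term.lstrip("+-~?")).groups()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(value.rstrip("."))
        elif name == "redirect":
            has_redirect = True
        elif name == "all":
            all_qualifier = qualifier

    findings = []
    if gateway_include.lower() not in includes:
        findings.append(f"gateway include missing: add include:{gateway_include}")
    # Only this record's own terms are counted; nested includes add more.
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: exceeds the 10-lookup limit")
    if all_qualifier == "+":
        findings.append("+all authorizes every sender")
    elif all_qualifier is None and not has_redirect:
        findings.append("no terminal 'all' mechanism")
    return findings

# Constructed sample records (documentation IP ranges, placeholder include).
SAMPLES = {
    "correct": ["v=spf1 include:spf.gateway.example ip4:203.0.113.10 -all"],
    "gateway missing": ["v=spf1 mx ip4:203.0.113.10 -all"],
    "duplicate records": ["v=spf1 include:spf.gateway.example -all", "v=spf1 mx -all"],
    "open": ["v=spf1 include:spf.gateway.example +all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label}: {audit_spf(records) or 'ok'}")
```

Feed it every TXT string returned for the domain apex, not only the SPF one, so that a second `v=spf1` record is detected.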
Microsoft 365 Environments
For detailed instructions, see Microsoft 365: Configuring Outbound Delivery Routing.
On-Premises Environments
Routing your outbound mail to Mimecast in Exchange is accomplished by creating a send connector. We provide two unique smart hosts per region to ensure 100% availability. We will email these to your Technical Point of Contact as part of the Connect Process. The Mimecast Gateway also provides this information. Both hostnames should be used to ensure round-robin traffic and provide failover.
For more information on how to configure SMTP connectors, view the relevant article below:
If you utilize non-static public IP addresses, refer to the Configuring SMTP Authentication on Exchange page.
You can monitor your live outbound traffic being logged by clicking the Administration | Message Center | Accepted Messages menu item in the Administration Console. This displays all emails being processed by Mimecast.
Hosted Exchange (HEX) Environments
To set up your outbound email, forward our outbound routing instructions to your HEX provider to make the required changes. Ensure they consider the following when setting up your outbound email:
- In a multi-tenanted HEX environment, there are normally several customers on one server sending email outbound via a single Exchange send connector. If one of the customers on the HEX platform implements Mimecast, their outbound email must be separated from the other clients on that HEX platform. All outbound emails should then be sent to Mimecast for delivery instead of being sent to the internet using the standard Exchange send connector. This is called Sender Address Based Routing, which is not a standard Exchange function. To implement Sender Address Based Routing, either a third-party tool or additional hardware is required to send outbound emails directly to Mimecast.
Google Workspace Environments
This section describes configuring outbound routing in Google Workspace when using Mimecast as your outbound gateway for mail flow. It covers:
- Internal Mail Routing
- Add Google Workspace IP Ranges as Authorized Outbounds
- Add Google Workspace Hosts for Outbound Mimecast Gateways
- Create the Google Workspace Routing Rule to send Outbound mail to Mimecast
Internal Mail Routing
Internal mail in Google Workspace is routed out of Google and then resolved by MX record to be delivered back to Google. However, once the MX records for the domain are changed to point to Mimecast, internal mail will be received in the Mimecast account and then delivered to Google, which breaks a number of DNS authentication checks and also triggers Anti-Spoofing in Mimecast.
To avoid this, enforce internal mail delivery direct to Google by creating a route and then enforcing it as detailed below. This routing must be in place before configuring journaling or changing over the MX records.
- Log in to your Google Admin console.
- Navigate to Apps | Google Workspace.
- Click on Gmail.
- Click on Hosts.
- Click on Add route.
- Complete the Add mail route pop-up:
- Name: Enter a name of "Google Workspace Internal Mail", or a similar name that will identify the purpose of the route to your organization.
- Click on the dropdown and select Multiple hosts.
- Add the routes as below:
| Route | Hostname | Port | Load |
|---|---|---|---|
| Primary | smtp.google.com | 25 | 100 |
| Secondary | smtp.google.com | 25 | 50 |
| Secondary | smtp.google.com | 25 | 50 |
- Options: Select whether to use TLS.
- Click Save.
- On the main Hosts section, click Save.
To enforce the route:
- Navigate to Apps | Google Workspace | Gmail.
- Scroll down and click on Routing.
- Click Add Route. Complete the options as below:
| Field / Option | Description |
|---|---|
| Routing | Enter a description of "Google Workspace Internal Mail", or enter a name that is easily identified later |
| Email messages to affect | Internal - Sending |
| For the above type of messages, do the following | |
| Also deliver to | Internal routing is not required for journaling only. If the customer is configuring an internal route for journaling purposes, they do not need to add additional recipients. |
- Click Save.
To test internal mail routing, send an email to another internal recipient on the same domain. Confirm successful delivery in the Mimecast Administration Console under Message Center | Accepted Messages.
Add Google Workspace IP Ranges as Authorized Outbounds
Ensure that the Google Workspace IP Ranges are added as authorized outbounds on your Mimecast account.
Authorized outbound IPs can only be added by Mimecast support. An Administrator cannot add authorized outbound IPs on any Mimecast account. If you request authorized outbounds to be added, this request must be raised through a support case.
To view your authorized outbounds:
- Log in to the Mimecast Administration Console.
- Navigate to Email Delivery | Authorized Outbounds. A list of all configured IP addresses is displayed.
- If you send email from a shared hosting provider (e.g., Google Workspace), a message will show at the top of the Authorized Outbounds page as follows: 'Your account is configured to process traffic from Microsoft G Suite.' If you use another third-party hosting service, these IPs will not be listed on your account. You'll need to contact Mimecast Support to ensure your account is provisioned appropriately for this traffic.
This section assumes you already have your primary email domain registered in your Mimecast account as an internal domain. If you have not already registered the email domain through which you intend to route mail outbound through Mimecast, see the Configuring Internal Domain / Subdomains page for more information.
Add Google Workspace Hosts for Outbound Mimecast Gateways
To add Google Workspace hosts for Outbound Mimecast Gateways:
- Log in to the Google Workspace Administration Console.
- Navigate to Apps | Google Workspace | Gmail.
- Select Hosts.
- Click Add Route.
- Complete the following fields:
| Field / Option | Description |
|---|---|
| Name | Specify an appropriate name (e.g. Mimecast Outbound Gateway). |
| Specify Email Server | Use the dropdown to select the Multiple Hosts option and enter the hostnames for your region. Replace 'xx' within the hostname with your region code. For a full list of regional hostnames, see the Mimecast Gateway page. |
| TLS | Specify whether or not you wish to use TLS. |
- Click Save.
Create the Google Workspace Routing Rule to send Outbound mail to Mimecast
This final step should only be completed when you are prepared to begin routing mail outbound through Mimecast, as it changes how mail is sent outbound as soon as you save the routing policy. It is best practice to schedule this during a maintenance window, when mail flow is not at its normal peak and outside production hours.
To configure the Gmail Routing rules:
- Navigate to Apps | Google Workspace | Gmail | Routing.
- Click Configure | Add Another Rule next to the Routing section.
- Enter a name for the route.
- Configure the Route as below:
| Field / Option | Description |
|---|---|
| Email messages to affect | Select Outbound. |
| For the above types of messages, do the following. | |
- Scroll down and select Show Options.
| Field / Option | Description |
|---|---|
| Envelope filter | Select Only affect specific envelope senders: |
- Click Save.
Once this routing rule is saved, it becomes active and outbound mail is sent to our outbound gateway and routed through Mimecast. You can verify this by sending test messages to external domains and confirming that they appear in message tracking.