Attachment Protect - Bypass Policy Configuration

Updated September 01, 2025 06:27

This article contains information on configuring Attachment Protect Bypass policies to exclude specific senders or recipients from Attachment Protect, including setup steps, policy options, and customization for targeted exemptions.

An Attachment Protect Bypass policy allows you to exclude specific senders or recipients from an Attachment Protect policy. For example, when an Attachment Protect policy is enabled for messages sent from "Everyone" to "Internal Addresses," you want a specific team to be exempt.

It takes up to ten minutes for the bypass policy to be applied.

For detailed information on how to configure, optimize, integrate, and troubleshoot, see the Knowledge Hub.

Configuring Attachment Protect Bypass Policies

To configure an Attachment Protect Bypass policy:

Log in to the Mimecast Administration Console.
Navigate to Policies | Gateway Policies.
Click on Attachment Protection Bypass.
Either select the following:
- Policy to be changed.
- New Policy button to create a policy.
Complete the Options section as required:

Field / Option	Description
Policy Narrative	Describe the policy to allow you to identify it easily in the future.
Select Option	Select one of the following options from the drop-down: Take No Action - Disables the bypass policy. Disable Attachment Protection - Enables the bypass policy.

Complete the Emails From and Emails To sections as required:

Field / Option	Description
Addresses Based On	Specify the email address characteristics on which the policy is based. This option is only available in the "Emails From" section. The options are: The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match based on the message's envelope or true address (i.e., the address used during SMTP transmission). The Message From Address (Message Header From): This policy applies based on the masked address used in the message's header. Both: Applies the policy based on the Mail Envelope From or the Message Header From, whichever matches. When both match, the specified value of the Message Header From will be used.
Applies From / To	Specify the Sender characteristics on which the policy is based. For multiple policies, apply them from the most specific to the least specific. The options are: Everyone: Includes all email users (i.e., internal and external). This option is only available in the "Emails From" section. Internal Address: Includes only internal organization addresses. External Address: Includes only external organization addresses. This option is only available in the "Emails From" section. Email Domain: This enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field. Address Groups: This enables you to specify a directory or local group. If this option is selected, click the Lookup button to select a group from the Profile Group field. Once a group has been selected, click the Show Location field to display the group's path. Address Attributes: This enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop-down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts. Individual Email Address: This enables you to specify an SMTP address. The email address is entered in the Specifically field.

Field / Option

Description

Addresses Based On

Specify the email address characteristics on which the policy is based. This option is only available in the "Emails From" section. The options are:

The Return Address (Mail Envelope From): This default setting applies the policy to the SMTP address match based on the message's envelope or true address (i.e., the address used during SMTP transmission).
The Message From Address (Message Header From): This policy applies based on the masked address used in the message's header.
Both: Applies the policy based on the Mail Envelope From or the Message Header From, whichever matches. When both match, the specified value of the Message Header From will be used.

Applies From / To

Specify the Sender characteristics on which the policy is based. For multiple policies, apply them from the most specific to the least specific. The options are:

Everyone: Includes all email users (i.e., internal and external). This option is only available in the "Emails From" section.
Internal Address: Includes only internal organization addresses.
External Address: Includes only external organization addresses. This option is only available in the "Emails From" section.
Email Domain: This enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
Address Groups: This enables you to specify a directory or local group. If this option is selected, click the Lookup button to select a group from the Profile Group field. Once a group has been selected, click the Show Location field to display the group's path.
Address Attributes: This enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop-down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
Individual Email Address: This enables you to specify an SMTP address. The email address is entered in the Specifically field.

Complete the Validity section as required:

Field / Option	Description
Enable / Disable	Use this to enable (default) or disable a policy. If a date range has been specified, the policy will automatically be disabled when the end of the configured date range is reached.
Date Range	Use this field to specify a start and/or end date for the policy. If the Eternal option is selected, no date is required.
Policy Override	This overrides the default order in which policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override.
Set Policy as Perpetual	If the policy's date range has no end date, this field displays "Always On," meaning the policy never expires.
Bi-Directional	If selected, the policy is applied when the policy's recipient is the sender and the sender is the recipient.
Source IP Ranges (n.n.n.n/x)	Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls within or matches the range(s) configured. IP ranges should be entered in CIDR notation.

Click on the Save and Exit button.

Related to

Comments

2 comments

Louis Reedijk
November 18, 2025 16:19

Unfortunately we have some cases where we need to exclude any and all attachments, Mimecast does not offer you to exclude zip files with content that would blow up their scanner :( take stp files or dwg files, they can be compressed down to 10 mb, but uncompress them, and they can grow above the 150mb that is allowed.
I know there are work-arrounds like large file attachment download, but those get deleted over time.
We would really like to have a system, that would allow us to granularly exclude only a few file type from being scanned all together. This how ever is not possible, it's all or nothing :(

0
Admin - VM
November 20, 2025 08:10

Thank you for the comment! In order to get you the best solution possible, would you please post it into our Community? Not only will it be addressed by Cybersecurity peers, but also by the Mimecast team as well. Once you receive a solution, it can be bookmarked for easy retrieval.
If your issue is more urgent and/or you wish to open a new Support case, please do so here.

0

Please sign in to leave a comment.