Connect Application - Outbound Email

Customers currently using the Connect Application are advised to complete their onboarding setup as soon as possible, as the Connect Application is scheduled to be discontinued on the 31st of January, 2024.

This article contains information on setting up outbound email for Mimecast, including domain validation and SPF record updates.

Routing your organization's mail starts with the outbound email for your validated internal domains. This allows us to build a list of trusted senders by monitoring who you send emails to over several days.

Before setting up your outbound email, the following prerequisite steps should be completed:

  1. Validating Your Domains (compulsory).
  2. Setting Up Your Inbound Email (recommended).

    Depending on your Exchange type, see either the On-Premise / Hybrid "Preparing for Inbound Email" page or the Connect Application: Preparing for Inbound Email page for further information.

Applies To

  1. New clients connecting with Mimecast using the Connect Application. If you're not using the Connect Application, see the Connect Process: Setting Up Your Inbound Email page.
  2. Administrators with account permissions to configure a mail flow connector in the relevant Exchange type.

Walkthrough

To set up your outbound email:

  1. Log on to the Connect Application.
  2. Click on the Platform | Set Up Your Outbound Email menu item.
  3. Click on the Start button.
  4. Confirm Your Outbound IP Addresses (applies to On Premise/Hybrid Exchange only).
  5. Update the SPF Records for your domain. This is an external task.
  6. Validate your SPF Record in the Connect Application. This is a recommended optional step.
  7. Create an Outbound Email Flow Connector to route your outbound mail through us. Follow the instructions below according to your Exchange type. This is an external task.

Confirming Your Outbound IP Addresses

For an On-Premise/Hybrid Exchange, you must confirm your outbound IP addresses. This ensures we only deliver legitimate emails from your organization:

  1. Check that the Outbound IP Ranges displayed in the application are correct.
  2. Click on the Confirm button to continue.

If the outbound IP addresses are incorrect, click the Notify Us link in the information box. This displays the "Contact Support" dialog, where you can let our implementation team know of any changes.

 

Updating Your SPF Records

To specify Mimecast as the authorized outbound mail service:

  1. Update the SPF records for your domains with the information displayed in the Connect application:
      [Screenshot: Connect Application, Setting Up Your Outbound Email, showing the SPF record]

Only use the SPF record displayed in the application for your domains, as there are regional differences (i.e., "eu" for Europe in the above example). If you're not responsible for this task, click the Share link to send an email containing the required details to someone who is.

  2. Log on to your Domain Registrar.
  3. Update/replace each domain's SPF Record to specify us as the authorized outbound service.
  4. Remove all previous SPF records if all emails for your domains will be routed via us.
  5. Other outbound sources for your domain may require a combined SPF record. Ensure you include the Mimecast "xx_netblocks.mimecast.com" entry before creating a mail flow connector. To determine what "xx" is, refer to step 1 above.

See the "Implementing SPF for Outbound Email Delivery" section in the Configuring DNS Authentication (Inbound / Outbound) Definitions page and the Implementing SPF for Outbound Email Delivery page for additional information.

Testing your SPF Records

To test your SPF record:

  1. Navigate to Platform | Set Up Your Outbound Email in the Connect Application.
  2. Select your domain from the Record to Validate drop-down menu.
  3. Click on the Validate button. One of the following messages will display:
      • A green tick confirms the SPF record is valid.
      • A red exclamation confirms the SPF record is invalid.
  4. Click on the More or Less links to view further information about the SPF record and toggle the display.

    This step performs a TXT record lookup and validates the SPF record entry. You can have multiple mechanisms (IP/Host), but Mimecast must be listed first.
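
The checks described in this section (a single SPF record per domain, with the Mimecast entry present and listed first), as an added example that is not Mimecast's validation code. It goes slightly further by also flagging "+all". The function names and the TXT strings are constructed, and "xx_netblocks.mimecast.com" is the page's placeholder for the regional value displayed in the Connect Application.

```python
# Added example (not Mimecast's validator): offline checks on SPF TXT strings.
# EXPECTED_INCLUDE is a placeholder; use the value shown in the Connect Application.
EXPECTED_INCLUDE = "xx_netblocks.mimecast.com"

# Constructed TXT record sets for a hypothetical domain.
SAMPLES = {
    "mimecast only": ["v=spf1 include:xx_netblocks.mimecast.com ~all"],
    "combined, Mimecast first": [
        "site-verification=constructed-token",
        "v=spf1 include:xx_netblocks.mimecast.com ip4:203.0.113.10 ~all",
    ],
    "combined, wrong order": [
        "v=spf1 ip4:203.0.113.10 include:xx_netblocks.mimecast.com ~all"
    ],
    "old record left behind": [
        "v=spf1 ip4:203.0.113.10 -all",
        "v=spf1 include:xx_netblocks.mimecast.com ~all",
    ],
}

def split_qualifier(term):
    """Split a mechanism into (qualifier, body); '+' is the default qualifier."""
    return (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)

def check_spf(txt_records, expected_include=EXPECTED_INCLUDE):
    """Return a list of problems; an empty list means every check passed."""
    spf = [r for r in txt_records if (r.split() or [""])[0].lower() == "v=spf1"]
    if not spf:
        return ["no SPF record among the TXT strings"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records found; publish exactly one per domain"]
    # Terms containing '=' are modifiers (redirect=, exp=), not mechanisms.
    terms = [t.lower() for t in spf[0].split()[1:] if "=" not in t]
    mechanisms = [split_qualifier(t) for t in terms]
    bodies = [body for _, body in mechanisms]
    wanted = "include:" + expected_include.lower()
    problems = []
    if wanted not in bodies:
        problems.append(f"missing {wanted}")
    elif bodies[0] != wanted:
        problems.append(f"{wanted} is present but not listed first")
    if ("+", "all") in mechanisms:
        problems.append("'+all' authorizes every sender")
    return problems

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(f"{name}: {check_spf(records) or 'OK'}")
```

To check a live domain, pass the strings returned by a TXT lookup for that domain to check_spf along with the include value displayed in the application.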

Creating an Outbound Email Flow Connector

To create an Outbound Email Flow Connector, follow the instructions below according to your Exchange type. Once these external tasks are configured, click the Confirm button in the Connect Application to verify the connector. If validation is successful, a summary page displays your outbound email flow.

Microsoft 365 / Hosted Exchange

  1. Log on to the Microsoft 365 Exchange Management Portal.
  2. Create a mail flow connector. Read the Connect Application: Creating an Outbound Email Flow Connector page for further details.
  3. Ensure all outbound emails are routed via the Mimecast Outbound Smart Hosts listed in Connect.

On-Premise / Hybrid Exchange

  1. Log on to your Exchange Management Console.
  2. Create a Mail Flow Connector. Read the Connect Application: Creating an Outbound Email Flow Connector page for further details.
  3. Ensure all outbound emails are routed via the Mimecast Outbound Smart Hosts listed in the application.

Google Workspace Environments

This section describes configuring outbound routing in Google Workspace when using Mimecast as your outbound gateway for mail flow. It covers:

  1. Internal Mail Routing
  2. Add Google Workspace IP Ranges as Authorized Outbounds
  3. Add Google Workspace Hosts for Outbound Mimecast Gateways
  4. Create the Google Workspace Routing Rule to send Outbound mail to Mimecast

Internal Mail Routing

Internal emails for Google Workspace are routed out of Google and then resolved by MX record to be delivered back to Google. However, once the MX records for the domain are transferred to point to Mimecast, internal emails will be received in the Mimecast account and then delivered to Google - breaking some DNS authentication checks and triggering Anti-Spoofing in Mimecast.

To avoid this, create and enforce a route using the steps below. This routing must be in place before configuring journaling or changing over the MX records.

To enforce internal mail delivery direct to Google and avoid these issues, you will have to create a route and then enforce it as detailed below:

Creating the Route

  1. Log in to your Google Admin console
  2. Navigate to Apps | Google Workspace
  3. Click on Gmail
  4. Click on Hosts
  5. Click on Add route
  6. Complete the Add mail route pop-up:
      • Name: Enter a name of "Google Workspace Internal Mail" or a similar name that will identify the purpose of the route to your organization.
      • Click on the dropdown and select Multiple Hosts.
      • Add the routes below:

          Route      Hostname                 Port  Load
          Primary    aspmx.l.google.com       25    100
          Secondary  alt1.aspmx.l.google.com  25    50
          Secondary  alt2.aspmx.l.google.com  25    50

  7. Options: Select whether to use TLS.
  8. Click Save.
  9. On the main Hosts section, click Save.

Enforcing the Route

  1. Navigate to Apps | Google Workspace | Gmail.
  2. Scroll down and click on Routing.
  3. Click Add Route. Complete the options below:
      • Routing: Enter a description of "Google Workspace Internal Mail," or enter a name that is easily identified later.
      • Email Messages To Affect: Internal - Sending
      • For the above type of messages, do the following:
          • Leave the drop-down as Modify Message.
          • Under the Route option:
              • Select Change Route.
              • Select Also reroute spam.
              • Use the dropdown to select the "Google Workspace Internal Mail" route created above.
          • Scroll down and click Show Options.
              • Under Account types to affect, select Users and Groups.
              • Under the Envelope filter, select Only affect specific envelope senders.
                  • Use the dropdown to select Pattern Match.
                  • In the Regexp text box, enter yourdomain.com (where yourdomain.com is the domain you’d like to enforce internal delivery for).
      • Also Deliver To:
          • Select Add more recipients.
          • Click on the Add button.
          • Use the drop-down to select Advanced.
          • Under the Route section, select Change Route.
          • Use the drop-down and select your Journal to Mimecast Route.
          • Under the Envelope Recipient section, select Change envelope recipient.
          • Select Replace recipient and enter your journal email address into the text box.
          • Specify whether or not you wish to use TLS.
          • Click Save.
          • Click Save at the bottom of the browser.
  4. Click Save.

To test internal mail routing, email another internal recipient on the same domain. Confirm successful delivery in the Mimecast Administration Console under Message Centre | Accepted Messages.

Adding Google Workspace in Authorized Outbounds

Ensure that the Google Workspace IP Ranges are added as authorized outbounds on your Mimecast account by following these steps.

Authorized outbound IPs can only be added by Mimecast support. An Administrator cannot add authorized outbound IPs on any Mimecast account. If you request authorized outbounds to be added, this request must be raised through a support case.

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Email Delivery | Authorized Outbounds menu item. A list of all configured IP addresses is displayed.
  3. If you send an email from a shared hosting provider (i.e., Google Workspace), a message will show at the top of the Authorized Outbounds page: 'Your account is configured to process traffic from Microsoft G Suite.' If you use another 3rd party hosting service, these IPs will not be listed on your account. You must contact Mimecast Support to ensure your account is provisioned appropriately for this traffic.

This section assumes you already have your primary email domain registered in your Mimecast account as an internal domain. If you still need to register the email domain through which you intend to route mail outbound through Mimecast, see the Configuring Internal Domain / Subdomains page for more information.

Google Workspace Hosts for Outbound Mimecast Gateways

  1. Log on to the Google Workspace Administration Console.
  2. Navigate to the Apps | Google Workspace | Gmail menu item.
  3. Select Hosts.
  4. Click Add Route.
  5. Complete the following fields:
      • Name: Specify an appropriate name (e.g., Mimecast Outbound Gateway).
      • Specify Email Server: Select the Multiple Hosts option and enter the hostnames for your region:
          • au-smtp-outbound-1.mimecast.com
          • au-smtp-outbound-2.mimecast.com

        Use the Outbound routing gateways relative to your region where your Mimecast account is hosted. For example, if you have a Mimecast account in the UK, you would use your UK Outbound gateway of “eu-smtp-outbound-1.mimecast.com” & “eu-smtp-outbound-2.mimecast.com”. For further information, see the Mimecast Gateway page.

          • Set the Ports at 25
          • Each Host set should be set to 50%
      • TLS: Specify whether or not you wish to use TLS.
  6. Click on the Save button.

Google Workspace Routing Rules for Outbound Mail to Mimecast

This final step should only be completed when prepared to begin routing mail outbound through Mimecast, as it will change how mail is sent outbound as soon as you save the routing policy. It is best practice to schedule this during a maintenance window or when mail flow is not in its normal peak or production hours.


To configure the Gmail Routing rules:

  1. Log on to the Google Workspace Administration Console.
  2. Navigate to the Apps | Google Workspace | Gmail menu item.
  3. Select the Routing Section.
  4. On the Routing Policy, click on Configure.
  5. Enter a name or description for your routing setting (e.g., Outbound Routing to Mimecast).
  6. Tick the Outbound option in the Messages to affect section.
  7. Click on Show Options, then Tick the Only affect specific envelope senders option in the Envelope Filter section.
      • Use the drop-down to select Pattern Match.
      • In the Regexp field, enter “@yourdomain.com”.
  8. Under "2. For the above types of messages, do the following" section, tick the Change Route option in the Route section.
  9. Select the Route Name (Mimecast Outbound Gateway) from the drop-down menu.
  10. Click on the Save button.

Once this routing rule is saved, it becomes active: outbound mail is sent to our outbound gateway and routed outbound through Mimecast. You can verify this by sending test messages outbound to external domains and confirming that they appear in message tracking.
