Onboarding - Mail Flow Configuration

Overview

Mimecast’s Mail Flow Configuration process is designed to support a wide range of email environments—including Microsoft 365, Google Workspace, on-premises, and hybrid infrastructures—by providing flexible and secure delivery routing for both inbound and outbound email. 

The configuration wizard guides administrators through setting up delivery routes tailored to their specific environment, ensuring that emails are correctly routed to the appropriate mail servers using validated hostnames or IP addresses and standard SMTP ports. Critical steps include updating DNS records such as MX and SPF to authorize Mimecast as a trusted sender and receiver, configuring connectors or send connectors for outbound mail, and establishing policies for forwarding addresses and anti-spoofing bypasses to accommodate third-party services and external relays. 

The process also emphasizes the importance of validating all changes, such as SPF and MX records, to ensure reliable mail delivery and robust protection against spoofing and unauthorized email activity. By centralizing these configurations, Mimecast enables organizations to maintain consistent, secure, and compliant email flow across diverse and potentially complex environments, while also providing the flexibility to manage multiple domains and hybrid scenarios through the administration console.

For successful onboarding, it is important to ensure that pop-up blockers are disabled prior to starting the onboarding journey.

Delivery Routing

Mimecast supports hybrid environments, allowing us to deliver emails for one or multiple domains to the following mail environments:

  • Microsoft 365

  • Google Workspace

  • On-Premises

  • Hybrid

Microsoft 365

Mimecast delivery routes are configured to direct all inbound messages to a designated hostname, which aligns with the MX record for your Microsoft 365 account. To ensure successful message delivery from Mimecast to your Microsoft 365 service, it is essential to identify your hostname. Please follow these steps to obtain your Hostname in Microsoft 365:

  1. Log in to the Microsoft 365 Admin Center.

  2. Navigate to Settings | Domains.

  3. Select the Domain you wish to configure for inbound delivery.

  4. Take note of the MX value; this will be used as your hostname during delivery route validation.

To configure a delivery route in the Mail Flow Configuration Wizard, follow these steps:

  • Enter the Hostname or IP Address of your environment in the Mail Flow Configuration Wizard.

  • Specify a Port Number; typically, this is port 25 (SMTP), unless specific requirements dictate otherwise.

  • Click Check.

  • If the delivery route is invalid, verify that you have entered the correct information and that any firewalls are configured to allow traffic from Mimecast.

  • If the delivery route is valid, click Next.

Google Workspace

  1. Enter the Hostname or IP of your environment as "ASPMX.L.GOOGLE.COM".

    Refer to these Google Workspace MX record values.

  2. Specify a Port number. Usually, this is port 25 (SMTP) unless there are other specific requirements.

  3. Click Check.

  4. If the delivery route is invalid, verify that you have entered the correct information and that any firewalls are configured to allow traffic from Mimecast.

  5. If the delivery route is valid, click Next.

On-Premises

  1. Enter the Hostname or IP of your environment. This IP address/hostname must be accessible from the internet for it to be used as a delivery route.

  2. Specify a Port Number. Typically, this is port 25 (SMTP) unless there are other specific requirements.

  3. Click Check Routing.

  4. If the Delivery Route is invalid, ensure you have entered the correct information and that any firewalls are configured to allow traffic from Mimecast.

  5. If the delivery route is valid, click Next.

Hybrid

Selecting Hybrid indicates that the organization utilizes a combination of On-Premises and hosted infrastructure. The Mail Flow Configuration Wizard allows for the configuration of only one delivery route. To set up the delivery route in the Wizard, follow the steps outlined above based on your chosen infrastructure.

You can configure multiple delivery routes within the Mimecast Administrator Console. This feature is beneficial for distributing email flow across single or multiple destination email servers. Configure a Delivery Routing Definition and Policy to specify the details of the destination email servers.

SPF Record

To ensure that Mimecast can send emails from your domain, it is essential to update your SPF record. This action confirms Mimecast as an authorized sender for emails originating from your domain. We highly recommend this configuration if you currently do not have an SPF record in place.

You can utilize the provided Record value to either update or replace your existing SPF record. Please note that this update is performed outside of the onboarding Wizard. The specific steps to complete this process may vary depending on your DNS provider, but the following guidelines serve as a general reference:

  1. Begin by logging into your Domain Registrar.

  2. Next, update or replace the existing SPF record.

  3. If all emails for your domain will be routed through Mimecast, remove any previous SPF records.

  4. If you have other outbound sources for your domain, you will need to create a combined SPF record. In this case, we recommend placing Mimecast as the first entry in the SPF record.

  5. After making the updates, return to the Mimecast Administration Console and navigate to Account | Onboarding | Mail Flow Configuration Wizard.

  6. Proceed to the SPF Record step and click on Verify SPF Record.

  7. A green checkmark will confirm that the SPF record is valid. If an error occurs, click Previous to return to the previous screen.

  8. If all details are accurate, click Next.

  9. If you are onboarding multiple domains, use the drop-down menu to select your other domains and repeat the steps above to verify the SPF Record for each domain.
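
The checks behind steps 2 to 4, as an added example that is not Mimecast's code: it reviews a domain's TXT records offline for a leftover second SPF record, the position of the Mimecast entry, and the top-level DNS-lookup count. The include value `include:spf.mimecast.example` and the sample records are placeholders constructed for illustration; substitute the Record value the wizard displays.

```python
# Added example: offline review of the SPF TXT records published for one domain.
# MIMECAST_INCLUDE is a placeholder; use the Record value shown in the wizard.
MIMECAST_INCLUDE = "include:spf.mimecast.example"
# Terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
PREFIX_TERMS = ("include:", "exists:", "redirect=")
NAMED_TERMS = ("a", "mx", "ptr")


def costs_lookup(term):
    term = term.lstrip("+-~?").lower()
    if term.startswith(PREFIX_TERMS):
        return True
    return any(term == n or term.startswith((n + ":", n + "/")) for n in NAMED_TERMS)


def check_spf(txt_records, mimecast_include=MIMECAST_INCLUDE):
    """Return a list of findings; an empty list means no issue was found."""
    wanted = mimecast_include.lower()
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    findings = []
    if len(spf) > 1:
        # An old record left beside the new one is a permerror (RFC 7208, 4.5).
        findings.append("multiple SPF records: receivers return permerror")
    for record in spf:
        terms = [t.lower() for t in record.split()[1:]]
        if wanted not in terms:
            findings.append("Mimecast include missing: " + record)
        elif terms[0] != wanted:
            findings.append("Mimecast include is not the first entry: " + record)
        # Top-level terms only; lookups inside nested includes add to the total.
        lookups = sum(costs_lookup(t) for t in terms)
        if lookups > 10:
            findings.append(f"{lookups} lookup terms, limit is 10: " + record)
        last = terms[-1] if terms else ""
        if last in ("all", "+all"):
            findings.append("'+all' authorizes every sender: " + record)
        elif last.lstrip("-~?") != "all" and not any(t.startswith("redirect=") for t in terms):
            findings.append("no terminating 'all' mechanism: " + record)
    return findings


# Constructed sample records (hostnames and addresses are documentation values).
OLD_AND_NEW = ["v=spf1 include:spf.mimecast.example ~all", "v=spf1 ip4:192.0.2.10 -all"]
COMBINED = ["v=spf1 include:spf.mimecast.example ip4:192.0.2.10 include:mailer.example ~all"]
WRONG_ORDER = ["v=spf1 ip4:192.0.2.10 include:spf.mimecast.example ~all"]
TOO_MANY = ["v=spf1 include:spf.mimecast.example "
            + " ".join(f"include:s{i}.example" for i in range(10)) + " -all"]
```

Feed `check_spf` the TXT strings returned by your resolver for each onboarded domain before clicking Verify SPF Record.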

Outbound Mail Routing

If you have validated all your domains with Mimecast, you can utilize a wildcard (*) to route all outbound mail through your Mimecast account. However, if you have only validated some domains, you must ensure that only outbound mail from those validated domains is routed via your Mimecast account. Please note that this functionality is exclusively available on Microsoft 365.

You will see one of the following, depending on the Mail Infrastructure option you chose.

Microsoft 365

The Microsoft 365 Account Hostnames are displayed. Use them in a connector within your Microsoft account by following these steps:

  1. Log on to the Microsoft 365 Administration Console.

  2. Navigate to Mail Flow | Connectors.

  3. Click Add a Connector.

  4. Set the Connection From option to Office 365.

  5. Set the Connection To option to Partner Organization.

  6. Enter a Name and Description for the connector.

  7. Leave the Turn it on option enabled.

  8. Click Next.

  9. Select Only when email messages are sent to these domains if you have validated all domains.

    If you have only validated some of your domains, you must create a Transport Rule and select Only when I have a transport rule set up that redirects messages to this connector option.

  10. Enter a wildcard (*) and click the button.

  11. Click Next.

  12. Select Route email through these Smart Hosts.

  13. Individually enter both of the provided Smart Hosts and click the button. 

  14. Click Next.

  15. Select the following options: 

    • Always use Transport Layer Security (TLS) to secure the Connection.

    • Issued by a trusted certificate authority (CA).

  16. Click Next.

  17. Enter an email inside your domain and click the button.

  18. Click Validate.

  19. Click Next.

  20. Review the connector summary.

  21. Click Create connector.

  22. Navigate back to the Email Security Setup Wizard and click Next.

Google Workspace

The Standard Account Hostnames are displayed. Use them in a connector within your Google Workspace account by following these steps:

  1. First, log on to the Google Workspace Administration Console.

  2. Navigate to Apps | Google Workspace | Gmail | Hosts.

  3. Click Add Route.

  4. Complete the following fields:

    Field / Option          Description

    Name                    Specify an appropriate name (e.g., Mimecast Outbound Gateway).

    Specify Email Server    Use the dropdown to select the Multiple Hosts option and enter the hostnames for your region:

    TLS                     Specify whether you wish to use TLS.

  5. Click Save.

  6. Navigate back to the Email Security Setup Wizard and click Next.

    If you have only validated some domains, you must configure your routing to affect an address list containing the domains you have validated.

You can configure your routing by using the following steps:

  1. Navigate to Apps | Google Workspace | Gmail | Routing.

  2. Click Configure / Add Another Rule next to the Routing section. 

  3. Enter a name for the route.

  4. Configure the Route as below: 

    Field / Option              Description

    Email messages to affect    Select Outbound.

    For the above types of messages, do the following:

      • Use the dropdown to select Modify Message.

      • Select the Route | Change Route.

      • Use the route dropdown to select the hostname route previously created.

  5. Scroll down and select Show Options.

    Field / Option              Description

    Envelope filter             Select Only affect specific envelope senders:

      • Use the dropdown to select Pattern Match.

      • In the Regexp field, enter "@yourdomain.com".

  6. Click Save.

  7. Navigate back to the Email Security Setup Wizard application and click Next.

On-Premises

You can set up On-Premises outbound routing by using the following steps:

  1. In the Outbound IP Addresses text box, enter the IP addresses for your organization. These IP addresses must be:

    • Unique and owned by your organization.

    • Used for email.

    • Entered on a separate line.

    • Written in CIDR notation (n.n.n.n/x).

  2. Click Add Addresses.

  3. Click Next.

Routing your outbound mail to Mimecast in Exchange is accomplished by creating a send connector. Again, this must be completed outside of the Mimecast Mail Flow Configuration Wizard.

Use the hostnames provided in the Mail Flow Configuration Wizard to create a send connector.
For more information on how to configure SMTP connectors, see Setting up an SMTP Connector - Exchange.

Once complete, navigate back to the Mail Flow Configuration Wizard and click Next.

Hybrid

You can set up Hybrid outbound routing by using the following steps:

  1. In the Outbound IP Addresses text box, enter the IP addresses for your organization. These IP addresses must be:

    • Unique and owned by your organization.

    • Used for email.

    • Entered on a separate line.

    • Written in CIDR notation (n.n.n.n/x).

  2. Click Add Addresses.

  3. Click Next.

Complete the outbound routing for Microsoft 365 or Google Workspace and On-Premises Exchange as detailed above. 

Once complete, navigate back to the Mail Flow Configuration Wizard and click Next.

Forwarding Addresses

To ensure the successful delivery of emails forwarded outside your company through a 'relay' (for instance, an email sent to user@yourdomain.com that forwards to user@freemail.com), it is essential to add these addresses as Forwarding Addresses. This includes external members of distribution lists.

You can configure your Mail Forwarding Addresses by following these steps:

  1. Enter up to 50 addresses in the Forwarding Addresses text box.

    You can add additional addresses in the Mimecast Administration Console after completing the onboarding process.

  2. Once configured, click Next.

Anti-Spoofing Bypass

Anti-spoofing is designed to block emails from external services that attempt to send messages on your behalf. If you utilize third-party services for email communication, establishing a bypass is essential to ensure these emails are delivered to internal end-users. You can add up to 50 IP addresses during this process. Should you need to include more IP addresses for a bypass, this can be accomplished through the Mimecast Administration Console once your account is set up.

If you prefer to skip this step for now, simply click Skip. After completing the onboarding process, you will also have the ability to create Anti-Spoofing Bypass policies in the Mimecast Administration Console.

To set up an anti-spoofing bypass, please follow these steps:

  1. Please enter the required IP Addresses. Ensure that:

    • Each address is listed on a separate line.

    • They are formatted in CIDR notation (n.n.n.n/x).

  2. If an error occurs, select Previous to return to the previous screen.

  3. Once all details are verified as correct, click Next.
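
An added example (not part of the Mimecast product or its documentation) that pre-checks an address list before it is pasted into the Outbound IP Addresses or Anti-Spoofing Bypass box: one entry per line, strict CIDR, no private ranges, no overlaps, and at most 50 entries. The /24 review threshold, the non-routable list and the sample input are assumptions made for illustration.

```python
import ipaddress

MAX_ENTRIES = 50   # limit the page gives for the anti-spoofing bypass step
MIN_PREFIX = 24    # assumption: flag anything broader than /24 for manual review
# Ranges that are never a valid internet-facing mail source.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def review_cidr_list(text):
    """Check one-entry-per-line CIDR input; return (accepted networks, findings)."""
    accepted, findings = [], []
    for entry in (ln.strip() for ln in text.splitlines()):
        if not entry:
            continue
        if "/" not in entry:
            findings.append(f"{entry}: no /x prefix length")
            continue
        try:
            # strict=True rejects host bits, e.g. 203.0.113.5/24
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            findings.append(f"{entry}: {exc}")
            continue
        if any(net.overlaps(r) for r in NON_ROUTABLE):
            findings.append(f"{entry}: private or non-routable range")
        elif any(net.overlaps(a) for a in accepted):
            findings.append(f"{entry}: overlaps an earlier entry")
        else:
            if net.prefixlen < MIN_PREFIX:
                findings.append(f"{entry}: broader than /{MIN_PREFIX}, confirm ownership")
            accepted.append(net)
    if len(accepted) > MAX_ENTRIES:
        findings.append(f"{len(accepted)} entries exceed the limit of {MAX_ENTRIES}")
    return accepted, findings


# Constructed sample input using documentation and benchmarking ranges
# (RFC 5737, RFC 2544) plus one RFC 1918 range.
SAMPLE = """192.0.2.10/32
198.51.100.0/24
198.51.100.7
203.0.113.5/24
10.1.2.0/24
198.51.100.128/25
198.18.0.0/15
"""
```

Every finding is worth resolving before submission, because each bypass range exempts all senders inside it from the anti-spoofing check.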

MX Records

To ensure that your organization's inbound email is routed through Mimecast, it is crucial to update your MX records. This step designates Mimecast as the mail server responsible for receiving emails on your behalf.

Utilize the provided Pref and Hostname specific to your region to update your MX record. This update must be performed outside of the Mail Flow Configuration Wizard. The following steps serve as a general guide, as the process may vary depending on your DNS provider:

  1. Log in to your DNS provider account.

  2. Navigate to the MX Record Management page. You may need to enable advanced settings to access this page, typically found under:

    • DNS Management

    • Mail Server Configuration

    • Name Server Management

  3. Input the Pref and Hostnames displayed in the application into your MX records.

  4. Save and Validate the changes.

  5. After successfully verifying in your DNS provider account, return to the Mimecast Administration Console - Account | Onboarding | Mail Flow Configuration Wizard.

  6. Click Verify MX Record.

  7. If you are onboarding multiple domains, use the drop-down menu to select your other domains and repeat the above process to verify the MX record for each domain.

Please note that depending on your TTL, it may take up to 72 hours for DNS changes to take effect.

  8. If verification fails, ensure that you have applied the correct MX records to the validated domain.

  9. Once fully verified, click Next.

Summary

Please take a moment to review the summary outlining the steps and information pertaining to the Mail Flow Configuration Wizard. This summary provides essential insights regarding the configured steps. If you find that all the information presented is accurate and satisfactory, you may proceed by clicking on Continue Onboarding.
