Secure Email Gateway:

Warrior – Level 1
Student Guide
 TABLE OF CONTENTS

SETUP AND ADMINISTRATION 5

HOW MIMECAST WORKS 5

LOGGING IN 5
LESSON 1: THE DASHBOARD 6
LESSON 2: ACCOUNT SETTINGS 10
LESSON 3: AUDIT LOGS 13
LESSON 4: ROLES 15
LESSON 5: CONNECTIVITY 19
LESSON 6: USER AND GROUP MANAGEMENT 24
LESSON 7: ATTRIBUTES 34
LESSON 8: APPLICATION SETTINGS 35
LESSON 9: REPORTING 38
LESSON 10: SERVICE MONITOR 43
LESSON 11: MESSAGE CENTER 51

EMAIL CONTINUITY FUNDAMENTALS 60

LESSON 1: CONTINUITY OVERVIEW 60

LESSON 2: CONTINUITY EVENTS 60
LESSON 3: CONTINUITY EVENT MONITOR 64
LESSON 4: SMS CONTINUITY SERVICES 68
RESOURCES 70

SECURITY POLICIES FUNDAMENTALS 71

MIMECAST EMAIL INSPECTION FUNNEL 71

LESSON 1: POLICY BASICS 71
LESSON 2: GATEWAY SECURITY POLICIES 74
LESSON 3: DATA LEAK PREVENTION POLICIES 90
LESSON 4: ATTACHMENT POLICIES 98
LESSON 5: END USER NOTIFICATIONS OVERVIEW 100

TARGETED THREAT PROTECTION FUNDAMENTALS 104

TARGETED THREAT PROTECTION OVERVIEW 104

LESSON 1: IMPERSONATION PROTECT 104
LESSON 2: URL PROTECT 107
LESSON 3: ATTACHMENT PROTECT 112

©2022 Mimecast. All Rights Reserved |2

Prerequisites
• N/A

Course Objectives
Following the course, you should be able to:
Setup and Administration
• Navigate and understand the functionality the Administration Console
• Explain the relevancy of the Mimecast Services status page.
• Explain the Account Settings menu item and its subsections
• Create and manage Mimecast administrators
• Understand Connectivity
• Manage your users and groups
• Explain what Attributes and how they are used
• Control user access to End User Applications and the limits within
• Schedule delivery and read the reports Mimecast provides.
• Explain the service monitor features and create alert notifications.
• Locate and act on emails within Mimecast in the Message Center
Continuity
• Create and Cloning Continuity Events
• Understand what happens during and after an event
• Know what you need to create a Continuity Monitor
• Understand how to manage a Continuity Event
• Respond to a continuity monitor alert
• Build an SMS response to continuity events
Security Policies
• Understand the Mimecast Email Inspection funnel
• Explain how policies work
• Identify the policies that are set up by default
• Understand basic spam and virus protection concepts
• Explain what each of the policies do and where to find them
Targeted Threat Protection
• Identify Targeted Threat Protection policies that are set up by default
• Optimize a new or existing Targeted Threat Protection policy to suit your organization’s
needs
• Understand how Browser Isolation (BI) service works and how to enable BI for email
• Understand user awareness and how to configure

©2022 Mimecast. All Rights Reserved |3

How this Guide Works
This guide has been designed to follow the structure of the instructor-led training session. Here you
will find the use cases, walkthroughs and scenarios discussed during the session, as well as useful
configuration and troubleshooting tips. In addition, where we can provide you will find some
frequently asked questions.

Scenario
These will highlight real-life use cases that will be covered with students in class.
Those targets without a green background are for students to have as added take-
aways from the session.

Troubleshooting / Knowledge Tips

These are intended to provide important points or facts that you should be aware of,
as well as helpful troubleshooting tip.

Discussion
There may be times in the course where the instructor asks participants to take part
in a discussion about a particular topic (e.g., to discuss something where there may be
more than one solution to a problem).

Warning or Alert
This is meant to provide you with a warning about something.

Disclaimer: During an instructor-led class, an instructor will demonstrate configuring certain policies,
profiles, etc., in the Administration Console. This is being done in an environment that is safe for
demonstration purposes.
If you wish to follow along in your own environment, we advise as follows:
1. Follow along with the configuration steps and cancel instead of saving.
2. In an instance where you follow along configuring a policy, we advise you to set the “To” and
“From” address fields to reference pilot profile groups that have been configured
beforehand. Navigate to Directories | Profile Groups in the Administration Console and add
the email addresses you want in the pilot groups. This will ensure you are testing policies on
a small subset of your user population and not your whole organization.
Please Note: Instructors will use Prefixes for some profile groups, definitions and policies. This is for
training purposes only. As an administrator, you would choose the naming conventions that work for
you in your environment.

©2022 Mimecast. All Rights Reserved |4

Setup and Administration
Welcome to Mimecast Services. This session will introduce you to the basic functionalities of using
the Mimecast Administration Console. As someone with administration permissions, you will be
given control over some or all parts of your organization’s Mimecast account. With certain
permissions, you can manage users, create policies, review logs, track user activity, troubleshoot
email delivery, and much more.

How Mimecast Works

Mimecast’s focus is Security, Archiving and Continuity. When it comes to Security, we are essentially
the middle person between you and your clients and your clients and you. What this means is that
your email will go through the Mimecast cloud for inspection when you are sending mail to external
parties ensuring your employees are not sending sensitive information out. And when clients are
sending emails to you, those emails are inspected for malicious links, attachments and more.
Mimecast uses policies to do this which will be discussed in our Security Policies course.
In addition, Mimecast archives email data and metadata based on your defined retention period.
This data is captured through several input mechanisms including gateway-level capture, journal
feeds, LAN and cloud information syncs and bulk ingestion of historical data. All major mail
platforms are supported, including Exchange, Office 365 and Google Workspace.
The archive allows employees to search from anywhere, and on most devices. It is always accessible,
even when primary mail systems are down. Administrators and legal staff can run comprehensive e-
discovery searches, manage cases and data exports. Data can also be recovered from the archive to
the primary mail system if needed.
These are just some of the things Mimecast can do for you.

Logging In
You can login using the Login button on mimecast.com. The options are Access my email - My Apps
- Partner Portal. To open the Administration Console, you will click the My Apps option. Here you
will also see the other applications you have purchased from Mimecast (e.g., Awareness Training,
Case Review, DMARC Analyzer)

Your login credentials will either be a Mimecast cloud account controlled by Mimecast or your
domain directory account password controlled by your organization’s directory.

©2022 Mimecast. All Rights Reserved |5

Lesson 1: The Dashboard
The first time you log on to the administration console you will be greeted with a Virtual Tour
popup. This can be revisited at any time. The dashboard provides multiple status updates and
notifications. Graphs will show your email traffic during certain time periods.

Navigation

The top bar will be the main means of navigating the Administration Console.
Selecting Administration will reveal the menu of items you have permissions to see. Depending on
your role you may be limited to what you have access to.
The Mimecaster Central Search Bar allows you to search Mimecaster Central, our knowledge base
of page breakdowns and best practices.

The icons to the right will allow you to:

History - A list of the last 10 dialogs you opened (Clear History to delete)
Favorites - You can mark up to ten dialogs as favorites, using the stars next to each sub-menu
item in the Administration drop-down (use the X next to each to remove).
Mimecast Apps - List of all the applications you have purchased from Mimecast as well as
things automatically given to you (e.g., Mimecaster Central, Threat Dashboard)
What’s New, Guides, Product Overview, Events and Feature Requests

User Account Profile

Your Mimecast user account profile details are displayed on the
right-hand side of the Administration Console header. It displays
your:
• Mimecast account name
• Mimecast logon
• Role
• Avatar
Clicking anywhere on your account profile details displays a popup
dialog with access to:
• Account and support details (see below).
• Preferences (early access toggle)
• Contact Support
• Ask a Question
• Share an Idea (This has been moved to the bull horn “Feature Requests”)
• Send Technical Information (This option has been deprecated with change in support
systems and instead information should be shared through Mimecaster Central)
• Log Out

©2022 Mimecast. All Rights Reserved |6

Note: The Account and Support details menu item displays your "Mimecast ID". This is a numeric
code that you will need when raising telephone support cases with us.

Mimecast Status Page

Mimecast provides a status page of all services in all serviced regions at: status.mimecast.com
You can also access it from the Administrative Console Dashboard in the upper right corner of the
Notification Feed.

This page is separate from Mimecast infrastructure to provide an accurate and independent status.
Use this page when troubleshooting any Mimecast related problems to keep yourself informed

Status
A general status indicator at the top provides immediate overview of Mimecast’s services. Selecting
any of the regions provides the breakdown of the services Mimecast provides.

History
Here you can view any previous incidents as well as the timeline of actions Mimecast has taken to
investigate and resolve the situation.

Notification Feed
The Notification Feed displays notifications sent by Mimecast to you about your account. The
notifications are displayed in a list with the latest at the top. You can filter the notification feed by
either Product which displays only notifications about things like new releases or by Service which
will display only notifications about your Mimecast service.
In situations where we want to draw your
attention to a notification, for example a service
outage, this will be the only filter type available.
Service notifications will have a color-coded title
and icon that have the following statuses.

©2022 Mimecast. All Rights Reserved |7

Email Queues
The Email Queues are a graphical display of the volume of your incoming and outgoing messages
over the last 48 hours. You can hover over a graph’s data point to display the number of the emails
per category at a given point in time. The See More link in the upper right will allow you to navigate
directly to the Delivery Queue which you can also navigate to under Administration | Monitoring |
Delivery. The Delivery Queue displays all inbound and outbound messages waiting to be delivered
and therefore, is often empty as long is there nothing wrong with inbound and outbound mail flow.

Directory Connectors, Journal Connectors and Exchange

Service
The Directory Connectors, Journal Connectors, and Exchange Services sections show you your
Service status indicators.
• Green = good service
• Amber = partial disruption or errors/warnings
• Red = the service has been disrupted
Each section has a “See more” link to bring you directly to the relevant area in the Administration
Console.
• Directory Connectors: Directory Connectors are added to allow Mimecast to Synchronize
with an organization’s Active Directory so that the users can be managed on the Mimecast
platform and assigned to certain policies and applications.
There are different types of directory connectors, depending upon the infrastructure you
have - Active Directory (LDAP) - Domino Directory (LDAP) - Office 365 / Windows Azure
Active Directory - Google Directory
• Journal Connectors – Journal Connectors are created to capture internal email between
users. In this way, internal email communications are added to your organization's Mimecast
Archive.
• Exchange Service– This replicates your Outlook folders into your archive, so you have
consistency in your views. This is for customers with an On-Premises environment who use
the Mimecast Synchronization Engine.

Activity over 24 Hours

The Activity over 24 hours section displays the total number of messages in each of the categories
displayed over the previous 24 hours.

Use the path next to each item to navigate to the areas identified below and act.
• Attachments Blocked - Monitoring | Attachments
• Rejected Messages - Message Center | Rejected and Deferred Messages
• Bounced Messages - Message Center | Bounced Messages
• Policy Edits - Gateway | Policies
• Held Messages - Message Center | Held Messages
• Attachments Linked - Monitoring | Attachments

©2022 Mimecast. All Rights Reserved |8

Total Email Traffic
The Total Email Traffic section displays an hourly breakdown of your total internal, inbound, and
outbound email traffic over the previous seven days. You can hover over a graph's data point to
display the number of the emails per category at a given point in time.

Note: You can zoom in on the graph’s data to display the hourly breakdown by dragging over the
date range and releasing the mouse.

Rejections
Displays the top five rejection types for your account, in no specific order, over a 24-hour period.
You can hover over a graph's data point to display the date, time, and the number of rejections at a
given point in time.

Account Summary
This summary provides you with information about your account.
• Your account name
• Mimecast ID
• Your account code
• Your security passphrase (if one has been configured with us)
• Your support code. This must be quoted when calling Mimecast Support to log a call.
• Your account's maximum retention period for messages

Accessing Other Dashboards

To access the main dashboard if you have closed it, you will click the Mimecast logo in the upper left
corner of the Administration Console. However, to access other administrative dashboards:

1. Click the icon in the top left-hand corner of the Administration Dashboard.
2. Select either the:
• Attachment Protect menu item to display the Targeted Threat Protection - Attachment
Protect dashboard.
• URL Protect menu item to display the Targeted Threat Protection - URL Protect
dashboard.
• Large File Send menu item to display the Large File Send dashboard.
Note: You will only see the dashboards for the services you have purchased.

©2022 Mimecast. All Rights Reserved |9

Lesson 2: Account Settings
Your account's settings contain information about your account (e.g., your archive retention period,
the number of licensed users, the Mimecast Service you have purchased). There are also some
configurable settings. Some of these can only be amended by Mimecast Support and are typically
configured when your account is initially created.
To access Account Settings, navigate to Administration | Account | Account Settings.
The menu groups are as follows:
• Account Settings: License and retention details regarding your Mimecast account. The menu
is displayed by default.
• Directory Options: Options to link or clear alias addresses.
• User Access and Permissions: Configure global access for users and timeout for Ad-
ministration Console sessions.
• System Notification Options: Specifies certain notification addresses.
• Account Contact: Account contact details.
• Cloud Password Complexity and Expiration: Controls password complexity, expiration and
account lockout for Mimecast Cloud passwords.
• Enhanced Logging: For use with APIs

Account Settings
The Account Settings sub-group provides license and retention details regarding your Mimecast
account. Much of what you see here cannot be edited even as a super administrator.

Account Settings
Account Name The name for your Mimecast account. This is usually your organization's
name.
Mimecast ID The ID of your Mimecast account. This is to be used for interactions with
Mimecast Service Delivery.
Account Code A unique identifier for your Mimecast account to log a support ticket.
Database Code A reference for the database instances of your Mimecast account.
Account Status Enabled by default. This is only disabled if your account has been
terminated.
DNS Authorization Used to verify permissions for sending through the Mimecast SPF IP
Code Addresses. Added during account implementation.
Maximum Retention Added during account implementation, this specifies the maximum
(Days) number of days messages will be retained in the archive. This setting
cannot be increased by administrators, but it can be reduced for retention
of specific messages.
Maximum Retention Specifies that the Maximum Retention (Days) value has been approved by
Validated a user with Super Administrator, Full Administrator, or Partner
Administrator permissions. Occasionally requested to verify account
retention setting is still accurate.
Number of Users The number of users licensed within this Mimecast account.
Pause Inbound If your email system is temporarily unable to accept messages, enabling
Deliveries this option will globally halt Mimecast from sending emails to that email
environment.

©2022 Mimecast. All Rights Reserved |10

 Warning Message Mimecast will send a warning notification to users in your organisation
After (Attempts) notifying them that Mimecast has an issue delivering mail to them. By
default, these notifications are delivered to senders after 60 minutes or
six retry attempts, whichever comes first.
Bounce Message Mimecast will send a bounce notification to users in your organisation
After (Attempts) notifying them that Mimecast has an issue delivering mail to them.
By default, these soft bounce notifications are delivered to senders after
96 hours (four days) or 30 retry attempts, whichever comes first.
Ingestion Partner Certified Ingestion Partner to perform end-to-end migrations using
Mimecast Simply Migrate client via the Ingestion API.
Ingestion Size Limit Specify the maximum amount of data the account can ingest in Terabytes
(TB), e.g., 10 for 10 TB, 0.1 for 100 GB, 0.01 for 10 GB.
API Export (Case Enables ‘API Exports’ section in Case Review. Which will allow to
Review) download export data through Simply Migrate.
Awareness Training The value displayed here reflects the total number of Modules allowed
Modules within the Awareness Training platform. This value is automatically set
when an Administration Console is created during the implementation
phase and/or is updated automatically upon the Mimecast subscription
renewal date. This is a read-only field that can only be set by Mimecast
Support.
Awareness Training The value displayed here reflects the total number of Custom Modules
Custom Modules allowed within the Awareness Training platform This value is
automatically set when an Administration Console is created during the
implementation phase and/or is updated automatically upon the
Mimecast subscription renewal date. This is a read-only field that can only
be set by Mimecast Support.

Directory Options
This grouping deals with either linking or not, the Aliases within your environment.
Automatically Link Uses the mailbox information from Active Directory to link alias addresses
Aliases to primary mailbox addresses in Mimecast. This allows users to login using
their primary address, and access emails for the aliases.
Clear All Aliases Removes the alias links to the primary addresses in Mimecast Directory.

User Access and Permissions

There are various settings here to control user access and permissions for your Mimecast account.
Administration If an administrator is inactive for the selected time the session will expire
Console Timeout and they will have to log back in.
Send BCC to Mail When sending mail using Mimecast for Outlook or Mimecast Personal
Server Portal during a Continuity Event, or the Mobile application, the platform
automatically adds the sender’s email address in the BCC field. This
ensures that a copy of the message is routed back to your infrastructure
by default.
SMTP Submission SMTP Submission Override allows all Internal users to use the Mimecast
Override Platform as an alternative outgoing mail server using SMTP
Authentication. This option should only be used with care and therefore
only Mimecast Service Delivery can enable/disable it for you.

©2022 Mimecast. All Rights Reserved |11

 Display Sender If you use Directory Synchronization, Mimecast can retrieve images
Avatar to External associated with the user's email address. With this option enabled, these
Users images can be displayed as user avatars in Mimecast solutions (e.g.
Secure Messaging).
Admin IP Ranges You can restrict those who can log on to the Administration Console to
(CIDR n.n.n.n/x specific IP addresses and / or ranges.
Content When set to "Content" an administrator with content permissions will by
Administrators default be presented with the content of the items they open after which
Default View they can toggle to the metadata. When set to "Metadata" an
administrator with content permissions will by default be presented with
the metadata of the items they open after which they can toggle to the
content.
Targeted Threat A user’s device cannot be authenticated perpetually. Set a period after
Protection which a user's device must be reauthenticated, if there has been no user
Authentication interaction with Targeted Threat Protection.
Authentication Enter the number of days that need to pass before a user will have to re-
Duration (Days) authenticate.

System Notification
Systems notifications control who gets notified by SMS, the postmaster address, and who is alerted
for specific events such as archive searches or when export blocks are finished.
SMS Attribute Specifies the Active Directory or Mimecast attribute that identifies the
mobile phone number of users. When sending an SMS to a user, we use
the number associated with this attribute.
Notification Specifies the email address from which all user notifications are sent. A
Postmaster Address postmaster address is created by default in the internal domains and is
selected by default. The address cannot be deleted but a different email
address can be used by clicking the "Lookup" button.
Privileged Access This email address will be notified when an archive search is performed
Notifications by an administrator.
Enforce Archive When selected, Administrators will be required to provide a reason when
Search Reason searching for emails under Administration | Archive | Archive Search or
Administration | Message Center | Message Tracking. The reason
provided will be reflected within Administration | Archive | Search Logs
under the “Reason” column as well as within the Privileged Access
Notifications email that is sent to the email address listed within the
“Privileged Access Notifications” field under Administration | Account |
Account Settings | System Notification Options.
Send Notification This option enables automatic email notifications when exports are
When Export Block is requested.
Complete

Account Contact
The contact information here provides Mimecast the point of contact to alert regarding Mimecast
services. Keep this information up to date as frequently as possible.

©2022 Mimecast. All Rights Reserved |12

 Contact Name This is the contact that Mimecast Support uses to contact customers
regarding your Mimecast Account. When updating these fields, please do
so by contacting Support via phone or by opening a Support ticket via
Mimecaster Central.
Telephone Number for the Contact.
Emergency SMS The contact’s mobile phone number.
Number
CC Email Addresses Alternate email addresses. Multiple email addresses can be added
separated by a comma. Ensures that notifications can be communicated
to a wider group.

Password Complexity and Expiration

As a Mimecast customer you can login to the Administration Console either by a Domain Password
or a Cloud password. The settings in this section only effect cloud passwords. Active Directory
accounts and passwords are not controlled by this.
Mimecast provides options for administrators to enforce user account password complexity and
expiration settings. This feature enhances Mimecast cloud account security by reducing the risk of a
security breach through end users setting weak passwords and brute force attacks. These settings
include defining the password length and complexity (e.g., enforcing numeric, non-alphanumeric
characters and uppercase letters), the expiration period, and the account lockout policy. More info
here.
Minimum Password 8
Length
Include at least one Select the complexity, must have at least 3 of the items selected that
lowercase alpha make up complexity.
character (a-z)
Include at least one Select the complexity, must have at least 3 of the items selected that
lowercase numeric make up complexity.
character
Password Expiry The account lockout setting cannot be disabled. Administrator can
configure custom settings, or the Mimecast default system settings will be
applied (e.g., after five consecutive unsuccessful log on attempts, the
account is locked for 15 minutes.)

More detail can be found here.

Enhanced Logging
If you are using a SIEM or any other data analytics platform, you can enable additional logging of
email transactions on your account. These logs are available using the SIEM Logs API.
For more information, see the Mimecast Documentation site and SIEM Logs API here.
These additional settings do not impact the current Reporting features available in the
Administration Console and are only available using an API integration.

©2022 Mimecast. All Rights Reserved |13

Lesson 3: Audit Logs
Audit Logs are system related logs that help administrators monitor changes
and events in their Mimecast platform. They act as a security measure and a
troubleshooting tool. The logs monitor the activity of both admins and users,
whether they were performed manually or automatically. Some events
captured are:
• Account changes
• User account changes
• Policies and definition altering
• Directory syncs
• Journal failures
• Folders created, updated
• Login attempts, failures

Working with the Audit Logs

To access Account Settings, navigate to Administration | Account | Audit Logs.
Filter and Search
You can filter on the types of logs you wish to see using the filter in the top right, as well as search
using the tools available in the top left to enter specific criteria and choose a date range.

Common Examples
Some common examples of logs are as follows:
Event Description Information Provided
Logon A user attempted to log on to • User’s login
Authentication the Administration Console, but • Date and time
Failed their authentication failed • IP address
• Application used to access Mimecast
New Policy A policy was created • Administrator
• Date and time
• Policy type
• Full policy details

On the Audit Logs page, select a log to display its information. The log displays details about each
event.
• User: Email address of who triggered the event
• Category: Category of the event that generated the log file (e.g., Policy Logs, Account Logs)

©2022 Mimecast. All Rights Reserved |14

 • Type: Displays the type of event (e.g., New Policy, Completed Directory Sync)
• Details: Displays brief details about the event or changes made. The details displayed
depends on the type of event.
• Date / Time

Exporting
When exporting, you can select which columns of the log you want
included. Click the Export button in the top left corner to see the panel
shown here.

©2022 Mimecast. All Rights Reserved |15

Lesson 4: Roles
The Mimecast administrator roles are a collection of permissions that control access to
Administration Console functionality and certain Mimecast Applications (e.g., Awareness Training,
Case Review, DMARC Analyzer, Brand Exploit Protect, CyberGraph, etc.). Each role determines the
depth of access and can be used to control the tasks performed.

Default Roles
Protected Roles have a padlock next to them (see items 1-5 below).
1. Super Administrator: Can manage application roles and has full privileges to all account
options, including the content view of all email, delegate mailbox access, and the
assignment of protected permissions (for example, the assignment of content view).
2. Full Administrator: Can manage application roles and has high-level administrator
privileges, including the content view of all messages, delegate mailbox access, message
exports, and the creation and approval of retention adjustments.
3. Partner Administrator: Can manage application roles and has full privileges for Partner
Administrators, including delegate mailbox access, but excludes protected permissions.
4. Discovery Officer: Cannot manage roles but has access to common eDiscovery features
such as archive search with content view, messages exports, and the creation or
approval of retention adjustments.
5. Reviewer: Cannot manage roles but has access to the Case Review application as a
reviewer, where discovery cases can be reviewed for relevance and privilege.
6. Gateway Administrator: Has read access to common gateway functionality (e.g., policy
management, message tracking, service connections, and user settings) and rights to
create other administrator accounts without protected permissions.
7. Basic Administrator: A primary administrator account with rights to create other Basic
Administrator accounts, but with no access to protected permissions. You can do basic
things such as create policies, but you cannot read email for example.
8. Help Desk Administrator: Has access to common help desk tasks (e.g., message tracking,
read-only access to policy management, service connections, and user settings).
Read Administrator Role Permissions for a detailed list of permissions.

Security Permissions
Your account comes with a list of default roles. Each role has a security permission assigned. The
security permissions are as follows:
• Cannot Manage Roles: Access to the Roles tab is disabled.
• Manage Application Roles: The Application Role also allows Administrators the ability to
control the Administration Console menu items that other administrators can access. The
exception is if the application areas are marked as protected with the "Protected Roles"
permission.
• Manage Protected Roles: A Protected Role is one that allows an Administrator to control
the Administration Console menu items that other administrators can access, including
functionality with protected content (e.g., viewing email content, archiving email content,
exporting messages, managing retention and smart tag assignment). Protected roles have a
padlock icon located to the left of the "View Role" button.

©2022 Mimecast. All Rights Reserved |16

The default roles, their respective security permissions, and the types of permissions they have are
listed in the table below.
Default Role Security Permission

Super Administrator Manage Application & Protected Roles

Partner Administrator Manage Application Roles

Full Administrator Manage Application Roles

Discovery Officer Cannot Manage Roles

Reviewer Cannot Manage Roles
Basic Administrator Manage Application Roles
Help Desk Cannot Manage Roles
Gateway Administrator Manage Application Roles
Synchronization Engine Administrator Cannot Manage Roles

Synchronization Engine Administrator

This is a unique role in that it cannot be used to login/manage Mimecast Administration
console rather it’s only used for MSE Site binding purpose.

Role Editor
Administrator roles are managed using the Role Editor. This allows administrators to:
• Control the users assigned to roles
• Create custom roles in addition to the default roles provided
To access the Role Editor, the administrator must have the correct Security Permissions. Without
these permissions, the Roles tab is not displayed in the Administration Console.
To display the Role Editor:
1. Navigate to Administration | Account | Roles
Within the Role Editor, you will see the following.
• Default Roles: Default roles are listed and indicated by a View Role button next to them.
These can only be viewed and not edited.
• View Role and Edit Role Buttons: In the list of roles you will notice, some have a View Role
button and others have an Edit Role button. Those with the ability to edit are Custom Roles
(names and description displayed in italics. These are a copy of an existing role. The roles
with the View Role button are roles that you cannot edit.
• Right-Click options: Right-clicking on a role will allow you to do things such as Add Users to a
Role, Manage Users for a Role, Copy a Role, and Remove a Role for those Administrators
with the proper permissions.
• Padlock: Roles with a Padlock have access to the Role Editor and have Protected
Permissions, meaning they can modify access to protected application areas (e.g., archive
email content, exporting messages, managing message retention).
• Custom Roles: Custom roles can be changed / deleted and are displayed in italics.
• Members Column: This column shows the number of members added to a particular role.

©2022 Mimecast. All Rights Reserved |17

 • Description Column: This column provides detail on what each Administrator has
permissions to do.

Default Roles can

only be viewed

Right-click a role to
display a pop-up
menu

Roles with the padlock Number of users

icon have access to assigned to a Description of the
the Roles Editor and particular role level of permissions
also have protected for a particular role
permissions
Custom Roles can be
changed / deleted
and are displayed in
italics

View a Role
To view what permissions a particular role has in detail:
1. Click View Role next to any of the roles
2. Once opened, you will see Properties and Security
Permissions sections.
3. Under Security Permissions you will see what
type of security permissions that role has.
4. Under the Application Permissions area you will
see all the menus in the Administration Console
that role has access to and what type of access
[e.g., Read, Edit, etc.]

Elevate Basic Administrator Role

The first Administrative Role assigned is Basic Administrator during your implementation. Since you
may want more permissions within the console, you will need to upgrade to a Super Administrator
or another protected role. To do this, you must contact Mimecast Support.

Mimecast Support Case

If a user requires a Super Administrator, Full Administrator, or Discovery Officer role, the following
steps must be followed:
1. Create a Mimecast Support Case. This request must:
• Be written on your company letterhead.
• Be signed & dated by a director or higher in your organization.

©2022 Mimecast. All Rights Reserved |18

 Note: The signatory and assigned person cannot be the one and the same person. If a
director is the designated superuser, another director of the company needs to sign
accordingly.
• Specify their name and position.
• Clearly state the email address that needs to be added / removed, and / or the password
to be reset.
Note: Click here and under the Managing Administrators section, you’ll see a clink to
download a template that can be used for this purpose.
2. Once the request has been received, we perform a series of checks to confirm the request.
3. When successfully confirm, a change request is issued to the Mimecast Security Team.
4. Once the new email address has been assigned to the role and / or the password has been
reset, a Mimecast Support representative will contact the Director to verify this request.

Custom Roles
You can only create a role with the permission level up to or lesser than the logged in administrator.
Depending on administrative permissions, you can only create an administrator with the same or
lesser permissions.
When creating a role, we suggest copying a role instead of creating new. The best practice is to
assign permissions less than what the user needs and then add permissions. Another
recommendation is to keep part of the name of the original role as part of the description.

Create Custom Roles

To create a custom role:
1. Inside the Role Editor right-click on an existing
role close to the permissions of the role you
wish to create and choose Copy Role.
2. A role is created and placed at the end of the list
and italicized. Click the Edit Role button next to
it.
3. Complete the Properties section with a name
and description
Note: When creating a custom role, be sure to be very specific with the name and description
so that you and any other administrators know what the custom role entails when assigning it
to others.
4. Select the desired Security Permission
5. Select / Deselect Application Permissions for the role
[Read, Edit, Protected Areas]
6. Save and Exit
Note: Use the Edit Role button next to the copy you just made and add / remove permissions.

©2022 Mimecast. All Rights Reserved |19

Custom Role Actions
Action Steps
Changing Click Edit Role, make changes, Save and Exit
Copying Right-click on a role and choose Copy Role
Adding Users Right-click on a role and Add Selected Users
Removing Users Right-click and select Manage Users for Role, right-click on the user and
choose Remove User from Role
Deleting a Role Remove all users from the role then right-click and choose Remove Role

Partner (External) Administrator Roles

At the top of the Roles Editor, you will see a button labeled Manage External Administrators.

• As a Customer, this is the area where you will see any 3rd party administrators that have
access to your Administration Console.
• As a Managed Service Provider (MSP), this is the area where you will see who you have at
your partner organization set up to manage that customer’s account.

MSPs should be encouraged as a part of best practice to link their External Address to
any Customer they are supporting, ensuring they have both access to the
Administration Console and can Raise Support tickets for that account.

Customer Use

• As a customer, if you are logged on as a Super or Full Administrator, you can see the
Manage External Administrator button.
• When you click the button, you can see a list of the 3rd party administrators that have access
to your Administration Console.

©2022 Mimecast. All Rights Reserved |20

Partner Use
Managed Service Providers (MSPs) are added to this area by the original MSP that Mimecast
connected to this customer account. Mimecast does this so that MSPs can have SSO access to
customers through the Partner Portal. Mimecast will have given them special credentials for
accessing the customer account through the Partner Portal (e.g.,
msp_clientname@clientdomain.com)

If you are an MSP, you should know that when you log into the Partner Portal, there is a place where
you can see all the customers whose Administration Console you have access to. It is here where you
will click an Administration Console button next to their company name and be logged in with SSO.

Adding External Administrators

After logging into the customer Administration Console, MSPs will navigate to Administration |
Account | Roles if they wish to add any other partners from their organization to manage their
customer account. Note: They can also do this through the Portal.

1. To do this in the Administration Console, click the Manage External Administrators button
2. Click the Add External Admin button
3. Enter the External Admin Email Address of the partner you want to manage this account
and use the Select Role drop-down menu to assign them the Partner Administrator role
4. Click Save and Exit.

Things to be aware of:

• If you click on the Partner Admin Role at the home page of the Role Editor, you
will see the external admin you added is located here and listed as a member.
• If you click on any of the users listed as an External Administrator, you will notice
an External Admin Account Code. This is auto generated when you create a new
External Admin and Save.
• If adding multiple email addresses, you will add them one by one here or they
can be added via the MSP Portal. See article below.

More information on delegating access here. See also the Managed Service Providers (MSPs) Portal.

©2022 Mimecast. All Rights Reserved |21

Lesson 5: Connectivity
Connectivity is all about how your organization is connecting to Mimecast. Your basic connections
should be set up during your implementation process (e.g., Authorized Outbound IPs, Directory
Connectors, Server Connectors etc.).

Pre-requisites (External Tasks)

Depending on your environment, you will need to take certain steps outside of the Administration
Console before connecting to Mimecast. For example, if you have Microsoft 365 you will have to
create an Azure Active Directory Application and Directory Connector. If you have On-Premises it is
recommended you have an SSL certificate installed, as well your firewall configured. Refer to the
Directory Synchronization article for further detail.

Directory Connectors
Before users can authenticate against any Mimecast applications, they need a user account. There
are several methods you can use to get your users into the platform: Active Directory Sync,
Mimecast Synchronization Engine (MSE), Domino, Google and manually adding via spreadsheet –
just to name a few.
This tells us where we are connecting and gives us the authority to read your directory. It creates a
record of your user accounts that we can reference in many ways in the Mimecast Suite of services.
It is also important to note that it is a live lookup. We do not cache passwords. It is in the cloud and
can be configured to work with whatever environment you have whether it be Microsoft 365, LDAP,
Google, or Domino.
To access your Directory Connectors, you can either click the See more link next to Directory
Connectors on the home page of the Dashboard or you can access as follows:
1. Navigate to Administration | Services | Directory Synchronization
2. To create a new connector, click New Directory Connector, fill in the details and click Test
Connection before saving.
3. To edit existing, click on an existing connector to view the details
There are different types of connectors, depending on the environment you have. If you have been
through implementation, you will have one listed here. The different types are as follows:
• Active Directory (LDAP)
• Domino Directory (LDAP)
• Office 365 / Windows Azure Active Directory
• Google Directory

Synchronization with your Directory

Upon creating the connector, Directory Synchronization occurs, and user accounts are created.
Directory Synchronization allows you to securely automate the management of Mimecast users and
groups using your company directory, whether that be hosted on-premises or in the cloud.
Once the service is activated, synchronization between Mimecast and your directory will happen
automatically at 8am, 1pm, and 11pm daily. You can also synchronize your directory manually
when you need to which will be described later.

Synchronization Issues
There are certain instances where the synchronization process fails resulting in potential end user
logons failing and permission issues.
©2022 Mimecast. All Rights Reserved |22
The first place you would see an indication of an issue would be the
dashboard. Here you would see either an amber color which is an
indicator of Partial disruption or red which indicates there is a
Service disruption.
The first place you will begin to troubleshoot a directory connection issue is the point of entry,
where Mimecast connects, to obtain your directory information. Read Troubleshooting LDAP
Directory Synchronization for further detail.

Manually Synchronize your Directory

A common reason for manually synchronizing your directory data is when you have just added new
users to your environment, and you wish to sync them with Mimecast before the next
synchronization to ensure appropriate security and policies are applied. To do this:
1. Navigate to Administration | Services | Directory Synchronization
2. Click the Sync Directory Data button.
3. You can ensure your connection is operable by the green icon in the far right.

Outbound Traffic
Once your Mimecast account has been created, your Technical Point of Contact (TPOC) should log
onto the account to confirm they can access it. If this is successful, your email server can be
configured to route outbound emails through Mimecast.
This requires that your:
• Public IP addresses are added to Mimecast's authorized outbounds. The Connect Team or
Mimecast Support will configure these. If utilizing a Cloud service (e.g., Office 365, GSuite),
the Connect Team or Support can add these.
• Firewall is configured to allow access to Mimecast Data Center IP Ranges for SMTP port 25.
See the Mimecast Data Centers and URLs page for more information. You will need to be
logged into Mimecaster Central to access this page.
Note: This step may not be applicable on Hosted Exchange (HEX) and Microsoft 365
implementations.
• Email server or cloud service is configured to deliver emails to Mimecast
See Connect Process: Setting up Your Outbound Email for further detail.

Authorized Outbounds
The goal is to configure your environment to ensure Mimecast is accepting email on behalf of your
company only over the IP ranges that your Technical Point of Contact tells us are authorized for your
company. If you are on-premises, you need to have a connection created. This is called an
Authorized Outbound.
We add at least one IP address to your authorized outbounds, based on the information you
provided when your Mimecast account was created. These IP addresses are the only ones that

©2022 Mimecast. All Rights Reserved |23

Mimecast will accept outbound email from. You can have multiple authorized outbounds, but
networks cannot be added.
To check your Authorized Outbounds:
1. Navigate to Administration | Gateway | Authorized Outbounds
Note: The information here cannot be changed without the assistance of Mimecast.
On-Premises
If you have on-premises you would see the name of the connection, the IP address range and Mask.
Microsoft 365 or Google Display
If you send email from a shared hosting provider (e.g., Microsoft 365 or Google Workspace) a
message will show at the top of the Authorized Outbounds page as follows: 'Your account is
configured to process traffic from Office 365’.
Other 3rd Party Hosting Service
If you are using another 3rd party hosting service, these IPs will not be listed on your account. You'll
need to contact Mimecast Support to ensure your account is provisioned appropriately for this
traffic.
If using Microsoft 365 and you do not see messages shortly after they are sent in
Message Center, this could indicate a configuration problem on your Microsoft
365 send connector. Double check your configuration using the Microsoft 365
Message Trace Tool in the Mail Flow | Message Trace menu of the Exchange
Admin Center to help identify the issue.

Journaling
The external email communications (inbound or outbound) for a business are automatically Archived
based on an organization’s compliance and global retention values, however some organizations
wish for internal email communication to also be retained. This can be achieved using a Journal
connector.

How Does Journaling Work?

Journal messages older than 30 days will not be processed and archived automatically. If you require
older messages to be part of your archive, contact your customer success manager for ingestion.
Journaling requires configuration in the customer environment and in the Mimecast platform. When
Journaling is enabled, it allows the internal mail server to send a copy of all emails to a journal
mailbox which is stored in a single Archive.
Once Journaling is configured, all emails will periodically be delivered/retrieved using either SMTP or
POP3 (or POP3S). These emails will then be archived in the customer's Mimecast account so that
ultimately a full archive of all internal and external emails is available.
See Journaling for more detail.

Inbound Email
Having previously set up your outbound email, messages should be successfully being routing
outbound. You are now ready to set up inbound email to be routed through Mimecast.
External messages destined for your organization must be directed to Mimecast, not left directed to
your email server or hosted email service. Once the messages reach Mimecast, they are processed

©2022 Mimecast. All Rights Reserved |24

by Recipient Validation and other Mimecast security systems. Only once we are satisfied it is safe to
do so, is the message delivered to your organization's infrastructure or hosted service.
The first step you need to take to set up your inbound mail is to create a delivery route. This will
ensure you are connecting properly.
Our delivery routes are configured to deliver all inbound messages to a specified hostname. Take the
steps below to set up Delivery Routing.

Delivery Routing - Microsoft 365, On-Premises or Hosted Exchange

Configure Delivery Routing Definition
1. Navigate to Administration | Gateway | Policies | Definitions | Delivery Routes
2. Click on New Route Definition button
3. Description: Enter a description to help you identify this delivery route
4. Hostname: Enter a public host name or IP address for the email server.
5. Port: Specify a Port Number (e.g., Port 25)
6. Pause: This will pause Inbound Mail Delivery for this delivery route
Start Date: This is only used if you are pausing inbound delivery
Expiry Date: This is only used if you are pausing inbound delivery
7. Alternate Routes (this is an automatic failover route if the primary route is unavailable)
Note: If are creating On-Premises routes we recommend you have multiple created and an
alternate route specified.
8. Optional SMTP Authentication Settings (select this option and configure if this is something
you need to enable)
9. Save and Exit
10. Click the Go Back button

A default delivery policy tied to a default definition will have been set during
implementation. For more information, read the Configuring Delivery Routing
Definitions and Policies article.

Test Delivery Routing Connectivity

Once you have everything configured, you will test your connection either with Strict TLS or Relaxed.
• Strict TLS means you have a Trusted CA SSL signed certificate installed on your internet
facing server that is accepting this connection from Mimecast.
• Relaxed TLS means you have a self-signed certificate created on your certificate server in
Windows.
Inbound SMTP Delivery Test
To perform an inbound SMTP delivery test:
1. Navigate to Administration | Gateway | Policies | Definitions | Delivery Routes
2. Click on the Delivery Route to be tested.
Either click on:
• Test Connection - Strict TLS
• Test Connection - Relaxed TLS
The task will run through a series of tests and generate a summary of results.
©2022 Mimecast. All Rights Reserved |25
 If the test is successful, you will take certain steps in your environment. Examples are
re-directing your MX Record and locking down your firewall or your server or hosted
email service to permit those inbound SMTP traffic connections coming from
Mimecast into your organization. Refer to the Knowledgebase for further instruction.

See the Testing Delivery Routing Connectivity article for full details.

Managing Connectors
This section covers how to configure a connector from Mimecast to your Cloud Service Provider.
These connections are required by certain Mimecast services, including:
• Threat Remediation
• Continuity
• Exchange Sync & Recover
Note: For information on how to do this with Exchange Web Services (EWS) for on-premises
Exchange refer to the article at the end of this section.

Configuring a connector to a cloud service provider

Mimecast connectors use OAuth 2.0 for authentication, providing greater security and allowing
administrators to apply the cybersecurity Principle of Least Privilege (PoLP) to their service accounts.
A separate connector is required for each Mimecast product, replacing the previous practice of
sharing a single connector across all Mimecast services. Each connector takes approximately five
minutes to create.
You will need:
• The appropriate permissions to connect to your third-party provider
• An Administration Console role that provides access to the Administration | Services |
Connectors page
To configure a cloud connector:
1. Navigate to Administration | Services | Connectors
2. Click the Cloud Connectors tab
3. Click Create New Connector
4. Select the Mimecast product (e.g., Continuity) you want to connect to a third-party provider
5. Click Next
6. Select the third-party provider (e.g., Microsoft 0365) from the list
7. Click Next
8. Click Log In to begin the OAuth 2.0 authorization process with the third-party provider
9. Review and grant the requested permissions
10. Once the permissions have been successfully granted, click Next
11. Enter a connector Name and an optional Description and click Next
12. Review the connector summary and click Create Connector
Refer to the Managing Connectors article for more detail.

©2022 Mimecast. All Rights Reserved |26

Lesson 6: User and Group Management
Mimecast users are identified by their email address. Their addresses need to be added to your
organization’s Mimecast service before they can send, receive, and archive email with Mimecast.
Email addresses are then organized in groups.

Internal Directories
An internal domain is a domain that your organization has registered with Mimecast to send,
receive, and / or archive email for. This section details the domains you have under your Mimecast
account and are owned by your organization. You should have at least one domain already
populated here from your implementation process.

Add a New Domain or Sub-Domain

To add a domain, you must have already registered a domain name and have the sign-in credentials
needed for your domain registrar.
You will also need to validate that you own each of the domains you wish to connect, starting with
your primary domain. Once this has been validated, you can validate any others.
At least one internal domain was added when your Mimecast account was set up. You can add other
internal domains you own or add a subdomain (e.g., for journaling) if needed. Subdomains do not
require any additional verification.
To add a domain:
Navigate to Administration | Directories | Internal
Directories
1. Register a New Domain
1
• Click Register New Domain 2
• Type in the domain in the Domain Name field
• Click Get Verification Code
• Copy the Verification Code to your clipboard
(to be entered into one of the records below)
2. Add a DNS Record
• Select either Configure TXT or Configure
CNAME (depending on which you are creating)
• Log onto your DNS Domain registrar’s website or portal
• Create either a DNS TXT Record or CNAME record (details on the information to enter in
those records can be found here)
• Return to step 2 of the Register New Domain wizard and click on Validate
3. Validated Domains
• Select the Automatically Create Anti-Spoofing Policy for this Domain option

Note: This isn’t compulsory but is recommended to prevent spoofing messages from the
domain.

• Click Finish.

For further instruction on Adding a Domain through the Administration Console, read Configuring
Internal Domain / Subdomains. Read Connect Application: Validating Your Domains for detailed
instructions on how to do this with the Connect Application.

©2022 Mimecast. All Rights Reserved |27

Internal Domains
To access the domains, you have registered with us:
1. Navigate to Administration | Directories | Internal Directories
The domains that you have registered whether through the implementation process or manually
after implementation are listed.

Working With Domains

Actions
Export Data The export data button will allow you to export in CSV or XLS.
Register a A domain registration wizard guides you through verifying the domain's
New Domain ownership and requires you to enter the domain, add a DNS record, validating the
domain.
Add Once an internal domain has been validated, you can add one or more
Subdomain subdomains.
Advanced Allows an export of your domains and their addresses
Address
Export
View • Internal Domains: Allows you to see only your Internal Domains.
• External Domains: Allows you to see only your External Domains.
• Local Domains: Allows you to see only your Local Domains.
• Pending Domains: Allows you to see only your Pending Domains.
• All Domains: Allows you to see All Domains.
• Registered Applications: Allows you to see only your Registered Applications.
• Address Purge List: This will show a list of addresses that you have set to
purge.
• Delegate Mailbox Access: This will show you a list of who has delegate
Mailbox Access

Recipient Validation
Recipient Validation is the process of checking the recipients(s) of an inbound email to one of your
Internal Domains from an external sender.
For us to accept your inbound email, recipient validation must be configured. To do this, we must
have a complete list of all internal users.

©2022 Mimecast. All Rights Reserved |28

This will have been set during your implementation when the domains you are authoritative for
were registered. This is something that can be changed. If you need to add domains in the future,
you will need to consider the type of validation method you wish apply.
To view what type of validity check is set for either an existing domain or sub-domain, right-click and
choose Edit Domain.
1. Navigate to Administration | Directories
| Internal Directories
2. Right click the Domain
3. Click Edit Domain
4. Under Domain Options view the Inbound
Checks drop-down
5. Choose Accept Recipients for known
recipients only
6. Save and Exit

Note: Click here for more information on directory

synchronization and click here for more
information on Recipient Validation.

How do Directories get populated?

Email Addresses / Aliases
If you click on a domain, you will see a list of the email addresses associated with that domain.
The color indicators in the Alias column show if an email address is an alias for another address. If
the "Alias" column shows a green indicator, the address is an alias. This means it inherits its
permissions from the primary address. If you click on one of these it will show you the primary and
the alias address.

Address Types
When viewing the email addresses associated with one of your internal domains, you will notice to
the left of each email address is an icon indicating how the user was created in the directory. See
explanations for each below.

©2022 Mimecast. All Rights Reserved |29

 Address Types
Manually Imported These are address created by a spreadsheet import.

These are addresses that are synchronized SMTP objects from

Extracted from Directory the domain controller. You will have added these from a
Mimecast Directory Synchronization.
These are addresses that have been added manually using
Manually Created
the New Address button at the top of Internal Directories.
These are addresses that form part of a synchronized
Distribution List distribution list (DL) or security group with SMTP addresses
from the domain controller.
These are addresses that can be created because:
• A new Mimecast user sends an outbound message, and
their sending address has not been synchronized with the
customer’s directory.
Created by message in • A synchronized address has been deleted from the
transit customer’s directory. This changes the address type from
"Extracted From Directory" to “Created by message in
transit’ to help administrators identify that users are
being synchronized with the customer’s directory.
• An internal domain's recipient validation is set to "Accept
all Inbounds for this Domain".
Working with Email Addresses
Actions
At the top of the list of email addresses are buttons with actions you can take that provide additional
functionality:

Actions
New Address Allows you to create an email address.
Purge Selected Addresses Deletes the selected email addresses including linked aliases. This
can be performed by any administrator who has the ability to read
and edit Internal Directories. A warning will be displayed to
confirm the removal of the address and all list entries. Addresses
will not be purged while emails are still being processed for the
address (e.g., if related emails are held). Administrators can
prevent the purge from taking place by removing the address from
the purge list under View | Address Purge list in your domain view
with a right-click Remove Item. This has to be done before
housekeeping runs (which generally occurs overnight).
Import Delegate Mailboxes Allows you to import delegated mailboxes. Note: This button is
only available when logged on as an Administrator with protected
permissions.
Export Data Export a list of email addresses to a .XLS, or CSV file.
View Filters the list of email addresses displayed by:

©2022 Mimecast. All Rights Reserved |30

 • Show Message Generated – this shows email addresses
that came in via message in transit
• Show Directory Generated – this shows email addresses
that came in via directory synchronization
• Show All

Email Address Properties

To view individual email properties:
1. Navigate to Administration | Directories |
Internal Directories
2. Click the appropriate Domain
3. Right-click the desired user and choose Edit
Address
4. Take note of the various fields in the
following table.
5. Make your changes and choose Save and
Exit when finished.

Email Address Properties

Email Address Unique identifier for a user and their associated email
archive. The address cannot be modified once it has been
created.
Global Name The full name (display name) of the email address user.
This is normally displayed in the recipient's FROM field in
their mail client.
Internal Address Shows whether the email address is internal or external.
Administration Console Role Displays the administrator role the user is assigned to or
"None" if the user account does not belong to a role. Click
on the Role Edit button to change the user's role.
Address Alias For A primary email address can have any number of alias
addresses
Password / Confirm Password Creates a cloud password for the email address. This
password can only be authenticated in Mimecast, and
does not affect the network password in the organization's
infrastructure
Force Change at Logon This option forces the cloud password to expire. This is
helpful if setting similar cloud passwords for end users,
that they are required to change when they first log in.
Password Never Expires Prevents the expiration of the user account’s cloud
password. This is useful for administrator or system
accounts.
Maximum Reset Attempts Made Should a user request their cloud password to be reset, a
password reset code is sent to them. If they fail to enter
this code successfully ten times, the password reset
functionality is locked for their account. This option shows
as selected in this scenario. Click on the Reset Count
button to unlock the password reset functionality on their
account.

©2022 Mimecast. All Rights Reserved |31

 Account Locked Indicates if the user account is locked and users will not be
able to log in to Mimecast. Click on the Unlock Account
button to unlock an account.
Account Disabled If selected, users are prevented from logging in to
Mimecast applications using cloud passwords. This does
not affect email delivery to the address.
Archive Start Date Ensures that Mimecast end-user applications will only
display items to the end user from the selected date
onwards. This can specifically be used when a new end
user starts but has the same email address as a previous
employee.
Allow STMP Email Submission Allows users to submit emails directly to Mimecast. This is
generally useful for remote users and applies to TCP/IP
port 25 and 587.
Allow POP Access This option permits a user to retrieve email from a
Mimecast mailbox directly, as opposed to retrieving emails
from a mail server.
Force Registration This option allows reregistering a device with TOTP
functionality by removing the previous TOTP code and
creating a new one to be added upon the next successful
web authentication by the user.
Effective Group Application Settings This option permits a user to retrieve email from a
Mimecast mailbox directly, as opposed to retrieving emails
from a mail server.
Delegate Mailbox Permissions
There are a few reasons why you would need to set up Delegate Mailbox permissions:
Example 1: If a user needs to look at another user’s archive, manage their on-hold messages or their
permitted senders list.
Example 2: Another example would be if a user gets married and their email address changes when
their name changes. Once a delegate mailbox has been configured, the end user would be able to
search for all the messages associated with their new and old account.
How to Add a Delegate Mailbox
Within the email address properties there is an Add Delegate Mailboxes option at the top. This can
be used to give delegate rights to a mailbox.
In the example of an Executive Assistant needing to review their manager’s held messages. Steps are
as follows:
1. Open the email address properties of the Executive Assistant
2. Click Add Delegate Mailboxes button at the top
3. Click Add Delegate Mailbox
4. Click Lookup to find the Manager
5. Select the email address from this list
6. Save and Exit
To see delegates, navigate to the domain listing and choose View | Delegate Mailbox Access. The
person who is the delegate is listed on the left and the mailbox they have access to is on the right.
Refer to the End User Applications: Configuring Delegate Mailbox Access article for more detail.
More detail on Managing User Email Addresses can also be found here.

©2022 Mimecast. All Rights Reserved |32

External Directories
A domain is considered external if it is not one of your Mimecast registered Internal Domains. These
are automatically added to your service as email is sent or received by an internal user.
To list your external domains:
1. Navigate to Administration | Directories | External Directories
2. Select the relevant external domains
3. Select a user to see options for purging the address, creating new or exporting

If your subscription includes Secure Messaging and an external sender needs to reset
their Secure Messaging Portal password, you will come here.

For more information on Directories, read Mimecast Domain Types.

Groups
Groups are internal Mimecast folders containing email addresses and/or email domains. It is
important to use good naming conventions and be organized in the way that your structure your
groups to ensure proper policy application.
There are two types of Groups: Profile and Directory.
• Profile Groups – These groups are local to Mimecast and are manually created and
maintained within the Administration Console by your Administrators.
• Default Groups – Please be aware that some groups are created by default during your
initial implementation and will be attached to “out-of-the-box” policies and services,
also created during your implementation. For example, Administrator Alerts, Blocked
Senders and Permitted Senders are some of the default groups you’ll find under your
Profile groups.
• Directory Groups – These groups are visible in
Mimecast after syncing with your organization’s
directory environment (e.g., Active Directory,
Azure, etc.) These groups are read-only and can
only be added, removed, renamed or have their
contents altered by first making those changes in
your directory service and then running a directory
synchronization (Administration | Services |
Directory Synchronization.) To view the Directory
groups that have been synchronized with
Mimecast, navigate to Administration | Directories | Directory Groups, while also being
aware of any folder with a + sign next to it, which will allow you to delve deeper into the
synchronized directory structure.

Groups are used primarily to be referenced in policies or end user applications to control mail flow
for specific user groups. This has the following benefits:
• Mail routing can be specified for users in different regional locations with different mail
servers.
• Used in Permitted Senders / Blocked Sender policies
©2022 Mimecast. All Rights Reserved |33
 • Any address changes are automatically applied to policies.
• Collecting email addresses (e.g., click actions in Stationery Layouts).
Read the Out of the Box Settings for Mimecast Email Security for detail on our out of the box policies
that you would configure to apply to these groups.

Creating a Group
All groups are displayed in a hierarchy, linked to a root group. This allows changes made to one
group, to also apply to all other sub-groups in that group.
Note: You cannot create a group inside the Root folder. A sub-folder must be created inside it to
enable a group to be created.
1. Navigate to Administration | Directories | Profile Groups
2. Either:
• Select the Folder into which the group is to be created.
• Create a Sub-Folder as follows:
a) Click on the + Icon in the bottom right-hand corner of the folder where you want the
group created. A folder called "New Folder" is created in the group's hierarchy in a
collapsed state.
b) Rename the group:
o Expand the Group's Hierarchy
o Click on the "New Folder" Group
o Type the Group Name in the Edit Group field at the top of the hierarchy
o Press the Enter key
3. See the "Adding Group Entities" section below for details of how to add email addresses or
domains to the group.
Adding Group Entities
You can add email addresses or domain names to a group using one of the following methods:
• Add Email Addresses
• Add Email Domains
• Group List Imports (email addresses only)

Wildcard characters are not supported for groups. See the Using Wildcards in Policies
page for full details.

To add one or more email addresses or domains to a group:

1. Select the required Group in the hierarchy
2. Hover over Build
3. Click one of the following menu items:
• Add Email Addresses to add email addresses
• Add Email Domains to add domains
• Group List Imports to use an import file to add multiple email addresses
4. If using the Add Email Addresses or Add Email Domains option:
• Each email address must be entered in standard address format (e.g.,
user@company.com).
• Each domain must be entered in standard domain format omitting the @ symbol (e.g.,
domain.com).

©2022 Mimecast. All Rights Reserved |34

 •Add each Email Address / Domain on a separate line.
•Enter a Note up to 100 characters. If entering multiple email addresses or domains, this
note is associated with all of them.
5. Save and Exit

After the group is made you will see a number next to the folder in the hierarchy. This
is an indicator of how many entries are in that group.

For more information on Group List Imports, click here.

Delete a Group’s Entries

Clear Selected Links will delete the selected entries or right-clicking on entries allows you delete
(unlink) individual entries. Once the group folder is empty, select the red X to delete the folder.

WARNING: Prior to deleting a group’s entities, you should consider using the Export
Data option, as unlinking cannot be undone, and the export would be the only record
of the entities in this group.

Deleting a Group
When deleting a group, the following must be considered:
• A default group located in the Root folder cannot be deleted.
• Only empty groups or sub-groups can be deleted. If a group contains an empty sub-group,
this must be deleted before the other group or sub-group can be deleted.
• Only groups or sub-groups not used in any policy can be deleted.
• The number displayed in brackets to the right of a folder shows how many email addresses
or domain names are in the group.
To delete a group:
1. Navigate to Administration | Directories | Profile Groups
2. Select the Group to be deleted
3. Click on the Red Cross Icon to the left of the folder

Moving a Group
You can either move the group or all its entries, as well as copy any entry into another group of your
choosing. In any group or subgroup, you can add domains or email addresses.
Note: A default profile group located in the Root folder cannot be moved.
To move a group to a new location in the hierarchy:
1. Navigate to Administration | Directories | Profile Groups
2. Select the Group to be moved in the hierarchy.
3. Click on the Move Group button.
4. Select the Group in the hierarchy into which the group being moved is to be placed. The
group is moved to the chosen location.

©2022 Mimecast. All Rights Reserved |35

Moving Group Entities
To move email addresses or domains to another group:
1. Navigate to Administration | Directories | Profile Groups
2. Click on the Group in the hierarchy
3. Select the Entries to be moved using the check boxes
4. Click on the Move Selected Links button
5. Select the Group in the hierarchy that you would like to move the entries to. The group
name is displayed in bold signifying that the entries have been moved.
Copying Group Entities
To copy an entity to one or more group:
1. Navigate to Administration | Directories | Profile Groups
2. Click on the Group in the hierarchy to display the entities
3. Right-click on the Entity to be copied.
4. Select the Group Allocations menu item.
5. Click on the Group that you would like to add the entity to. The group name is bolded
signifying that the entity has been added.
6. Repeat Step 5-7 for other groups.

Exporting Group Data

Exporting a group will collect the addresses and details of the group into a .xls or .cvs format file for
download.
You can export group address entries into a spreadsheet. It is currently not possible to export
domains. You can select the data that is exported and choose how the exported file is delivered.
To export a group's data:
1. Navigate to Administration | Directories | Profile Groups
2. Click on the Group in the hierarchy
3. Click the Export button
4. Select the Columns that will be added to the spreadsheet [Address, Domain, Details, Int.]
5. Select the file format you wish the exported file to be in [.CSV or .XLS]
6. Select how you want the exported file to be delivered [Send Email, Download]

©2022 Mimecast. All Rights Reserved |36

Lesson 7: Attributes
Directory attributes correlate to named fields within your directory which are linked to user
accounts. (e.g., names, titles, email addresses, and telephone numbers). When they are created,
they are applied to internal email domain users.
They can be used in many ways, for example populating a business card component in a stationery
layout by allowing administrators to select which attributes are assigned to the email signature.

Active Directory Synced Attributes

There are several attributes that can be synced with Mimecast from your Active Directory. For a
complete list, review the Managing Directory Attributes Knowledge Base article. Below are just a few
examples.
• Name
• Title
• Department
• Telephone Number

Create a Directory Attribute

1. Navigate to Administration | Directory | Attributes
2. Click Add Attribute
3. Enter a Name [e.g., For a manual attribute, enter a name that best describes the attribute
you are creating. For LDAP directory linked attributes, enter the defined attribute name in
the directory. For this example, enter Department.
4. Group: This is the group the Attribute belongs to. Keep this General Attribute unless you are
creating a Manual Attribute not linked to your Active Directory.
5. Type: This defines both the type and appearance of the attribute field.
Choose Directory Linked. This creates a directory linked attribute which synchronizes the
data from your directory to Mimecast.
6. Order. This determines the order. If no order is entered, the attributes are listed in
alphabetic order. No order for this example.
7. Options: This determines the values displayed in the Simple Selection and Complex Selection
fields under type. We did not choose this type above, so skip this field.
8. Click Save when finished.
For more information, read the Managing Directory Attributes article.

©2022 Mimecast. All Rights Reserved |37

Lesson 8: Application Settings
Application Settings allows you to control End User Application behavior and the levels of access
your end users have to Mimecast Services.

Components of an Application Setting

The three different components of an application setting are as follows:
• Authentication Profile
• Application Settings Definition
• Group

Authentication Profile Application Settings Authentication

Because all users must authenticate their logons when they Profile
use our applications, we must create an Authentication
Profile. This needs to be done before creating an
application settings definition.
An Authentication Profile, which is referenced within an
Application Setting, allows you to define the methods users
in your organization can use to authenticate with our
applications (e.g., Cloud Authentication).

Application Settings Definition

An Application Settings Definition allows you to give Application Settings
access to Mimecast applications for all internal users.
Applying the authentication profile to the application
settings definition will apply it to the group you select in
the definition.

Group
Each definition is specific to a group of users, including
any sub-groups. This requires a group to be created that
can consist of individual users or entire domains.

Propagation
It may take up to 15 minutes for application settings definition to propagate. For example, if you
made a change relating to Mimecast for Outlook, it will take about 15 minutes to apply. Users will
have to exit Outlook and go back in to see the change.

Default Authentication Profile and By default, all Administrators are

assigned the
Application Settings Definition Account_Administrators_Authentication
Every Mimecast account contains a default authentication _Profile, which is the default profile,
profile, referenced by a default application setting. featuring 2-step authentication enforced
and cannot be disabled for security
The default definition is applied to all end users when a user purposes. This does not impact non-
connects to us and is not part of a group referenced by a specific admin users.
application setting. The defaults can be used to apply the same
settings to all users in your organization.

©2022 Mimecast. All Rights Reserved |38

 The default definition cannot be changed, but administrators can create new
definitions to accommodate customized application settings.

Customizing Application Settings

If you need to provide different levels of access to applications and / or specific application features,
you can configure different application settings. It is also possible to reference the same
authentication profile in different application settings.

Customizing Authentication Profiles

Authentication profiles can be customized and determine whether the users will have access to
resetting their password, domain authentication mechanisms, SAML authentication for Mimecast
Apps, and Permitted IP ranges.
Configuring an Authentication Profile
1. Navigate to Administration | Services | Applications
2. Click Authentication Profiles | New Authentication Profile Specify the authentication provider we
3. Complete the dialog according to your needs: will use to verify a user’s credentials
• Description: Provide a good description [e.g., Microsoft 365]
If you don’t use
2-Step • Allow Cloud Authentication: Always allow
Authentication, • Password Reset Options 2-Step Authentication is highly
you can use
• Domain Authentication Mechanisms recommended
Authentication
TTL • 2-Step Authentication
• Authentication TTL
• Enforce SAML Authentication for Administration Console
Administrators / • Enforce SAML Authentication for Mimecast Personal
Users must log Portal
on using an Mimecast for Outlook will use the currently
Identity Provider • Enforce SAML for End User Applications logged in users’ credentials to authenticate
that offers 2- • Allow Integrated Windows Authentication (Mimecast the connection
Factor Auth or for Outlook Only)
SSO
• Enable JSON Web Token Authentication (Mimecast
Essentials for Outlook only)
• Permitted Application Login IP Ranges Enabling JSON Web Token Authentication
• Permitted Gateway IP Ranges within the Authentication Profile allows us
to verify your identity using a one-time
4. Save and Exit verification and accept the token as an
authorization for future requests
Refer to Configuring an Authentication Profile article for further
detail on the settings above.
Creating a Custom Group
After creating the Authentication Profile to decide how your users will authenticate, you need to
make sure you have a group created that consists of the individual users or an entire domain that
you wish to have access to Mimecast applications.
1. Navigate to Administration | Directories | Profile Groups
2. Click the + at the Root and name the New Folder the name of the Group you wish to create
(e.g., Finance Group)
3. Add the email addresses (or domain) of the desired users

©2022 Mimecast. All Rights Reserved |39

Note: Our suggestion is to use a pilot group when first testing this. After, you would roll this out to
one of your Active Directory Groups.

Customizing Application Settings Definitions

When creating an Application Settings definition, you can alter an existing definition or create a new
one. We will clone an existing definition for this example. This definition will reference the custom
group and authentication profiles you just created.
Start by focusing on the settings in the Common Application Settings section of the definitions page,
then continue to Outlook, Web, Mobile, Mac OS X, and LFS Settings.
1. Navigate to Administration | Services | Applications
2. Right-click on an existing Application Settings Definition and choose Clone Configuration
3. Configure the definition's settings as required:
Note: Cloning is useful if you need to provide a user group with access that is very similar
to, but not the same as, an existing definition.

Application Settings Groupings

The application settings are separated into groups, displayed in a collapsible / expandable menu. As
you click on one of the groups, it expands and collapses the others. The groups are:
• Common Application Settings: Settings that apply across all Mimecast application
settings (General, Archive, Gateway, Continuity, Turbo)
o Note: Under the Archive Settings grouping, enabling Full View allows viewing of
total history of archive folders, even if message deleted. Live View allows viewing of
current archive folders.
• Outlook: A group of settings that apply to Mimecast for Outlook
• Web: A group of settings that apply to the Mimecast Personal Portal
• Mobile: A group of settings that apply to the various Mimecast Mobile operating systems
(e.g., Blackberry, iOS, Android and Windows Phone)
• Mac OS X: A group of settings that apply to the Mac operating system
• LFS: A group of settings that apply to Mimecast’s Large File Send
4. Save and Exit
It can take up to 15 minutes for changes to a definition to propagate between all the
Mimecast applications. When an application (e.g., Mimecast for Outlook) is opened
for the first time, all functionality is disabled. You are required to authenticate with
Mimecast to retrieve the user's settings and capabilities and enable the appropriate
options.

Details for every option can be found under Configuring Application Settings.
For information about which Application Settings a particular user is assigned, administrators can
review what is assigned in the Effective Group Application Settings field of the Application Settings
section of the user profile

©2022 Mimecast. All Rights Reserved |40

Registered Applications
For troubleshooting purposes, the Registered Applications view displays filterable information
related to active users and applications.
1. Navigate to Administration | Services | Applications and select the Registered Applications
button.
See the Registered Applications View Knowledge Base article for additional information.

©2022 Mimecast. All Rights Reserved |41

Lesson 9: Reporting
Mimecast Reporting provides Administrators with a view of what is happening in their email
environment. This includes detailed statistics on:
• How many messages are being sent or rejected
• The data volumes being transmitted
• These reports can assist with infrastructure planning through data load analysis, show spam,
virus trends, and supply usage reports on a per user basis
• Administrators can also schedule reports to be emailed out or download the reports from
the Administration Console. These reports can then be analyzed, and any necessary changes
made.

Access Reporting
To access the reporting functionality, navigate to Administration | Reporting:
The following menu items are displayed:
• Account Assessment: A report created for your account by Mimecast at the end of each
reporting period. The report is available for one week from Monday to Sunday, and over
each calendar month. See the Account Assessment Report Overview page for more details.
• PDF Reports: Schedule weekly or monthly reports to be emailed to specific recipients or
made available for download. See the Reporting: PDF Reports page for more details.
• CSV Data: Download and view the daily CSV data for certain account logs, including
rejections. See the Reporting: CSV Data page for more details.
• Overview: Provides graphs that show email volumes, bandwidth, and statistics for your
account. This includes outbound, inbound, and internal emails, and rejected email traffic.
See the Reporting Overview page for more details.

Account Assessment Report

The Account Assessment Report is created for your account by Mimecast at the end of each
reporting period. The report is available for one week from Monday to Sunday, and over each
calendar month. It provides a full report of every facet of your Mimecast services.

Download the Report

To download the Account Assessment Report:
1. Navigate to Administration | Reporting | Account Assessment
2. Click Download Account Assessment PDF Reports
3. Download the required report (e.g., weekly or monthly)
The report includes data on the following if you use the service:
• Secure Email Gateway
• Large File Send
• Secure Messaging
• Attachment Protect
• URL Protect
• Impersonation Protect
• User Activity
• Web Security

©2022 Mimecast. All Rights Reserved |42

For more information, review the Accessing the Mimecast Account Assessment article in our
knowledgebase. You will find articles at the bottom that pertain to all the items above.
Scheduling a Report
If you wish certain individuals to have
weekly or monthly reports delivered to
their mailbox, follow the steps below.
1. Navigate to Administration |
Reporting | Account Assessment
2. Select the Weekly Report or
Monthly Report heading
3. Expand the Email Schedule
Section: Choose Send Report.
When you select Send Report,
the ‘Report Recipients’ section
displays (send up to 5 recipients).
4. Use the Lookup buttons to look up the recipients you wish to receive the weekly report
5. Click Save.

PDF Reports
The PDF Reports function allows you to schedule reports to be run on either a weekly or monthly
schedule and save the output to a PDF file. You can also download reports directly.
Administrators with read only access to the Reporting module will not have access to edit Reporting
Schedules.
You can select:
• Whether the report should be emailed or saved locally on Mimecast.
• Whether you want a PDF of a standard report or a custom report of your choice of data
• Which graphs should be saved / sent
• How often these graphs should be run (weekly or monthly).
• The email addresses where the PDFs should be sent (up to 5 individuals)

Administrators with read only access to the Reporting module will not have access to
edit Reporting Schedules.

Scheduling the PDF Reports

1. Navigate to Administration | Reporting | PDF Reports
2. Select Weekly Report or Monthly Report
3. Select Report Type:

Standard: If Standard is chosen the graphs selected under the

Select Graphs area will be greyed out and those items checked
by default will be in your report.

Custom: If you select Custom Selection of Graphs, the Select

Graphs area is open for changing what you will see in the
exported report.

©2022 Mimecast. All Rights Reserved |43

 4. Expand the Email Schedule Sections:
Options here are Do Not Send Report
and Send Report. When you select Send
Report, the ‘Report Recipients’ section
displays (send up to 5 recipients).
5. Use the Lookup buttons to look up the
recipients you wish to get the weekly
report
6. Click Save.

The PDF and Overview reports are focused on email traffic data, while the Account
Assessment provides a full report of every facet of your Mimecast services.

Download PDF Reports

If you wish to download a report, click the Download PDF
Reports button at the top.
Choose View PDF Reports and select either Show Weekly or
Show Monthly at the top, depending on what you are looking for and then click the Download PDF
button next to the desired report.

CSV Data
The CSV reports consist of daily rejection data. Administrators can download the report data in a
comma separated (.CSV) format. This has many uses, including sharing it with colleagues who do not
have access to the Mimecast Administration Console.
For data that is not retained on Mimecast eternally (e.g., Rejection Viewer logs) Administrators can
access this data, even after it is no longer visible in the Administration Console.
More information on this here.

Accessing and Downloading CSV Data

To access the CSV Data:
1. Navigate to Administration |Reporting | CSV Data
Note: Information regarding the report start/end dates, generation date, and report interval
is displayed. By default, a month's worth of reports is available for download, however, you
can click on the calendar control to amend this.
2. Click Download CSV next to the date range desired
3. Specify a Location for the download [change the name of the file as desired]
4. Click Save

©2022 Mimecast. All Rights Reserved |44

For more information, read the Reporting: CSV Data article.

Overview Reports
These reports provide a graphical representation of email volumes and flows. These default reports
give Administrators a quick view of their environment, showing different aspects of their email data
volumes and bandwidth usage. Administrators can also determine which users in the company are
sending large volumes of emails and analyze what is causing inbound emails to be rejected.
To access, navigate to Administration | Reporting | Overview:
Reporting Overview shows groups of graphs as follows:
• Summary Graphs - display the volumes of email split into Outbound, Inbound, and Internal
messages, as well as Rejected volumes
• Outbound Email - displays email communication from internal users to external users and
domains
• Inbound Email - displays email communication from external users to internal users and
domains
• Internal Email - displays email communication between internal users
• Custom Reports - displays any Custom Report Definitions that have been configured

View the Reporting Definitions page for a detailed breakdown of what each of the
different graph data types represent. Reporting data is available for a year, although
scheduled reports can be stored in PDF for a longer period.

Custom Report Definitions

Although Mimecast provides a default set of graphs and reports, Administrators may also be
interested in viewing the company's email usage with different filters. Custom Report Definitions
allow Administrators to specify the following:
• Report type
• Report filters such as domain, email address or groups
• How the data is displayed
• Number of results returned
Reports can also be downloaded for review in CSV format or emailed out in PDF format. Custom
Report Definitions allow control over the report filters and how the data is displayed. By creating
customized reports, Administrators can view data relevant to the email environment quickly and
easily.
Similar to other groups of graphs, Administrators are also able to schedule custom reports to be
emailed out or downloaded.

Using Custom Report Definitions

To create a custom report:
1. Navigate to Administration | Reporting | Overview
2. Select Custom Report Definitions
3. Select New Custom Report
4. Enter a Report Title and Description

©2022 Mimecast. All Rights Reserved |45

 5. Select a Report Type (Email Volume, Email Bandwidth, Rejection, Email Statistics)
6. Group Totals By: Select how you want the data grouped (domain, email address, date,
rejection type for rejection reports only)
7. Limit results To (top 10, top 20, top 30 (default), top 40, top 50, show all)
8. Filter Results on (domains, profile / AD groups, email addresses, none)
9. Domain Name (select an internal domain, group, or email address – dependent on filter
selected above)
10. Save and Exit

View Custom Reports

To view the Custom Reports, find them listed in the menu group called Custom Reports on the
Reporting Overview page.
Click on the report and the updated results will be displayed in the right-hand pane. The results are
displayed in a table format and can be downloaded by clicking on the Download as csv button.

Delete a Custom Report

To delete a custom report, click on the Custom Report Definitions button in the upper left corner of
the Overview page shown in image above, select the report definition you wish to delete and click
the Remove Definition button.

©2022 Mimecast. All Rights Reserved |46

Lesson 10: Service Monitor
As an administrator, it is important for you to be able to monitor the Mimecast services for which
you are responsible. Doing so allows you to proactively solve problems with your service as they
arise (e.g., breached queue thresholds, synchronization service failures).
The Service Monitor takes a snapshot of your services every 15 minutes, allowing you to monitor the
status of your:
• Outbound, Inbound and Journaled (Inbound) email delivery
• Journaling and Active Directory Services
Additionally, the monitor allows you to:
• Configure alerts sent to subscribers by email and / or SMS when a problem exists.
• Manage the list of subscribers set to receive early notification of potential issues.
• List recent alerts up to 90 days in the past.

Access and Navigation

You can access the service monitor two ways:
1. My Apps
2. Administration Console
Via My Apps:
• Use this link and log in using the same credentials you
use to log into the Administration Console.
Via Administration Console:
• Login into the Administration Console, navigate to the
Application Switcher and choose Service Monitor

Functionality
The Service Monitor displays information in one of the
following tabs:
• Dashboard: The dashboard displays a graphical representation of your outbound delivery,
inbound delivery, and journaling queues. Access to the status of your Journaling and Active
Directory (AD) services is also available.
• Alerts: Enables you to set the thresholds for each alert type.
• Subscribers: Enables you to set up users to receive alert messages for Mimecast services.
• Notifications: Displays a list of any recent alerts issued to subscribers.

Dashboard
Queue and Service Meters
The meters on the dashboard display the number of messages in each respective queue (outbound,
inbound, journal) as well as the recommended threshold for the queue at the max level of the
meter.

©2022 Mimecast. All Rights Reserved |47

Current Level – Inbound and Outbound
For the Outbound Queue, the Current Level displays the number of messages on the Mimecast
platform that we are currently trying to deliver outbound.
For the Inbound Queue, the Current Level is the number of messages in the delivery queue on retry
to be delivered to your environment.

Recommended Thresholds – Inbound and Outbound

The Recommended Thresholds displays the value set in the Configure Alerts page which will be
discussed in another section. This is an auto generated threshold based on the recent history of your
account. It is intended as a starting point, based on the account's profile.

Queue History Data

Selecting the History links under the meters will expand the information on the queues and services.
History links will show you the previous queue numbers, which is helpful for viewing trends and
forecasting your email traffic.

1. Click the History link underneath

the queue's meter display to
access a queue's history data.
The data is displayed in a graphical format
in the following time frames:
• 15 Minutes
• Hourly
• Daily
The queue history graphical information
and data displays.
• Graph: Displays a visual of the average message count versus the alert threshold, in selected
time intervals. The "15 Minute" interval tab displays by default.
• Data Columns: Displays the:
o Date and time when the data was collected.
o Number of messages in the queue at the time the data was collected.
o Threshold for the queue as configured in the Configure Alerts page.

©2022 Mimecast. All Rights Reserved |48

 • Show / Entries: Click the drop-down arrow and select to display 10, 25, 50, or 100 entries
per page.
• Search: Use the Search field to show certain data and updates the queue’s graphical display.
• Time Zone: Select a time zone to apply to the data from the drop-down menu.
• Next / Previous: Use these buttons to switch between the pages displayed.

Service Status Meters

The service status indicators display the status of the Active Directory and Journal synchronization
services connected to your account. The meter allows you to quickly monitor the connection of your
services by displaying the following:
• The total number of service connections
• The current number of active services
• The current number of inactive services

View Service Detail

1. Click the View Services
link click on the tab of
the desired service. For
example:
• AD Services tab
• Journal Services tab

The service detail display differs depending on the service type. The status of each service can be
viewed as follows:

• Indicates that the service is connected and running OK.

• Indicates there is an issue with the service. See the "Last Error" message for further
information.

Service History
From the Services page, you can access a view of all the configured service's history. This allows you
to analyze the service to determine if there are any ongoing issues. The history is displayed in a
graphical format in the following time frames:
• 15 minutes with history up to 2 days
• Hourly with history up to 7 days
• Daily with history up to 60 days

©2022 Mimecast. All Rights Reserved |49

 1. Click the History link in the top right corner of the service to get to the history of that
service. The service's graphical information and data displays as outlined below:

• Graph: Displays an interactive graph of the average number of "OK" service connections
versus the average number of "Error" connections, in selected time intervals. The "15
Minute" tab displays by default. Optionally click on the "Hourly" or "Daily" tab to update the
graph's data on display.

Note: Hover your mouse over the graph to display the number of "OK" or "Error" service statuses
during the selected interval.
• Date / Time: Displays the date and time when the data was collected.
• Status: Displays an icon of the service's status when the data was collected. This can be
either:
• The service's status was OK at the time of the data entry.
• The service's status has an error at the time of entry, and an alert has been sent to
subscribers (if configured).
• Show / Entries: Click on the drop-down arrow and select to display 10, 25, 50, or 100 entries
per page. This will also update the graph.
• Time Zone: Select a specific time zone to apply to the data from the drop-down menu.
• Next / Previous: Use the buttons to switch between the pages displayed. This will also
update the queues graphical display.

©2022 Mimecast. All Rights Reserved |50

Alerts
Alerts can be set up to send notifications to designated users when problems occur in email queues
or services that they are responsible for.
After clicking Alerts in the upper right corner, you
have the following information presented to you for
configuration:

Queues
1. Escalation Level – Specifies the number of sequential alerts that must be sent to subscribers
before the escalation point is reached. Once reached, subscribers configured to receive
escalation notifications receive notifications in addition to regular subscribers. This is
defaulted to 5.
2. Alert Level – How many problems (service disruptions/items in queue) have to occur before
an alert is sent. Once the number of items in a queue goes beyond this threshold an alert is
generated. A minimum value of 50 should be specified. If a value less than 50 is specified, it
is ignored and a value of 50 is used instead.
3. Recommended Threshold - This is an auto generated threshold based on the recent history
of your account. It is intended as a starting point, based on the account's profile.
4. Acknowledge the alerts – Once this option is checked, no further notifications for this alert
are sent until another threshold is reached. Once the queue is no longer in alert this flag is
re-set.

5. Click Save Queues

Journal Services

1. Escalation Level - How many alerts are reached before escalation notifications are sent out.
This is defaulted to 5.

©2022 Mimecast. All Rights Reserved |51

 2. Acknowledge - Once this option is checked, no further notifications for this alert are sent
until another threshold is reached. Once the queue is no longer in alert this flag is re-set.
3. Enabled – enable or disable this
4. Click Save Journal Services
AD Services Tab

1. Escalation Level - How many alerts are reached before escalation notifications are sent out.
This is defaulted to 5.
2. Acknowledge - Once this option is checked, no further notifications for this alert are sent
until another threshold is reached. Once the queue is no longer in alert this flag is re-set.
3. Enabled – enable or disable this
4. Click Save AD Services

Refer to the Service Monitor: Managing Alert Notifications article for more detail.

Subscribers
The Subscribers page will allow you to set up who will
receive notifications on alerts and escalations via
email or SMS. These users are typically administrators responsible for the efficient running of the
Mimecast account and internal email systems.
Click Subscribers in the upper right corner to get to the Subscribers page.
The Subscribers page will allow you to set up who will receive notifications on alerts and escalations.
1. Enter in a user’s credentials
Note: The password is a local password which should be used to login to Service Monitor if
your Directory server is unavailable. The password will only be accepted when used with the
configured email address.

©2022 Mimecast. All Rights Reserved |52

 2. Select the alerts you want the user to receive.
Note: “Only After Escalation” in each of the queues sends the user a notification once the
escalation threshold has been reached for the specified queue or service. This determines
who is primary and who is secondary on call. Not checking it means you are the primary and
want to receive all alerts and checking it means you want to be the secondary person
notified – meaning you want to be notified only after escalation.

Alert notifications can be sent out as emails, SMS messages, or both. The distribution schedule for
delivery of email and SMS alerts differs.
Note: All specific service details regarding the IP address and email address, are automatically
populated based on your journal / directory connection configuration in the Administration Console.
• Email alerts are sent to subscribers every 15 minutes when a queue / service reaches its
threshold
• One SMS message per alert type is sent to each subscriber when a queue / service reaches
its threshold. When the alert reaches the escalation point, all subscribers to that alert type
get one further SMS message.
Note: It is highly recommended to create two or more subscribers.

Notifications
Notifications are a record of all alerts sent out up to the past 90 days.
1. Click Notifications in the upper right corner to
get to the Notifications page.
You can display alert notifications for up to three months in the past in the Service Monitor. These
can be used to determine:
• What triggered an alert
• Who the alert was sent to
• The date and time the alert was sent
You can filter the alert notifications by selecting / deselecting:

©2022 Mimecast. All Rights Reserved |53

 • Queues and / or services
• All subscribers, or a specific subscriber
• A time frame of 7, 14, 30, 60, or 90 days
2. Click the Update button when finished with setting the filter.

©2022 Mimecast. All Rights Reserved |54

Lesson 11: Message Center
The Message Center is collection of monitoring tools for all your email traffic, from accepted emails
to full rejected emails. Using these tools, you can search for emails and diagnose traffic issues if
emails are being held, bounced, delayed, deferred, or rejected.

Message Center Status Queues

Navigate to Administration | Message Center to find the following message status queues:
• Message Tracking
• Accepted Messages
• Held Messages
• Rejected and Deferred messages
• Bounced Messages
• Message Delivery
• Processing

Queue Retention Periods

Queue Retention Period
Message Tracking 30 days
Accepted Messages 2-6 hours
Message Delivery Up to a maximum of 30 attempts (four days). After 6 attempts (one
hour) a delivery warning notification is issued. After 30 attempts the
message is bounced and a delivery failure notification is issued.
Bounced Messages 30 days
Held Messages 14 days (30 days for customers provisioned before October 2014).
Note: If a message is bounced or rejected from the Held queue and is
within the maximum retention, it is still present in the archive and
available for eDiscovery searches but won't be accessible to the original
recipient.
Rejected and Deferred 7 days

For more information on Queue Retention Periods, read this article.

Message Tracking
Message tracking allows you to search across all email queues to find specific messages that may
have been delayed in delivery (inbound or outbound) or that were never delivered.
You can search by any of the following:
• Data or Message ID
• Partial email address or domain name (minimum of 3 characters)
Note: Wildcards are not supported and may return unpredictable results
Using Search by Data allows you to search using content that could be in the To and From fields, the
subject, or IP address.

©2022 Mimecast. All Rights Reserved |55

Search by Data
1. Enter a From Address: This can be an email address or domain
2. Enter a To Address: This can be email address or domain
3. Enter Date Range: Drop-down will give you between 24 hours and 30 days
Note: After 30 days, you need to search the archive
4. Show More will allow you to do a search via subject or IP address to help you narrow down
the search

Search by ID
This allows you to search for a Message ID so you find the specific message in case the same sender
has sent 100 messages for example. The Message ID is a unique ID for that message and can be
found in the header.

Viewing Message Details

The Message Center allows administrators to access the metadata and transmission information of
recently sent and received messages via the Message Details panel. This is useful for analyzing
message information in depth to troubleshoot delivery issues.
The Message Details panel allows administrators to:
• Access metadata and SMTP transmission information
• Compare sender and recipient message views side by side
• Report messages as spam, malware, or phishing
• Forward or Print
• Release held messages upon investigation
• Permit or block message delivery for the recipient (only in the Held Queue)
• Show Message Content if you have an Administrator role with these permissions and the
message is in a queue that has this capability

The actions you are able to perform have to do with the Queue that the message is
sitting in.

More information on your possible actions here.

Accepted Messages
The Accepted messages queue is where you would go to troubleshoot mail flow after configuration.
These messages can be found by navigating to Administration | Message Center | Accepted
Messages.
Administrators come here to review recently sent and received messages that are awaiting indexing.
Once indexing is complete, messages are moved to the Mimecast Archive.
Before being archived, administrators can access the metadata and SMTP transmission information,
which is useful for troubleshooting message delivery.
Click here for more information on Accepted Messages.

©2022 Mimecast. All Rights Reserved |56

Held Messages
Messages are held when policies are triggered: such as content examination, spam scanning,
attachment management, and attachment protection. Messages are held for 14 days until moving
to the archive, unless it has been released, permitted, or blocked.
These messages can be found by navigating to Administration | Message Center | Held Messages.
On the page, you will see three tabs: Overview, Held Queue, and Release Logs.

Overview Tab
The Overview tab provides an overview of all held messages split into the following sections:
• Held Reason: Lists all held reasons and the number of messages held for each one.
Note: Use the Search box to filter the list by entering a held reason.
• Top Ten Held Reasons: Lists the top ten reasons why a message is held.
• Messages Held by Group: Displays a graphical pie chart of the held messages.

Held Queue Tab

The Held Queue displays a list of held messages, and allows you to release, reject, or report
messages to the Mimecast Security Team for investigation. You can also export results.

Message Details
Click on a message to see the message details panel. These details will help you in investigating why
a message was held.
• Details: Displays the message's transmission details
(e.g., held reason, the sending server's IP address, DKIM
signature, and sender / recipient details).
• Message: Displays details of the message's body.
• Analysis: This is where you will see spam scanning
details, processing details such as graymail, managed
senders, permitted senders, SPF result, DKIM, DMARC
and RBL.
• Header: Displays details of the message's header.
• Transmission Data: Displays details of the message's
envelope and transmission components.
• Policies: Displays the policies that were considered to
be applied to the message.
Note: Policies here will only be applied if it matches the
definition, so if it warrants greylisting, for example, that policy will be applied.

©2022 Mimecast. All Rights Reserved |57

Release Logs Tab
In this tab, this groups all held messages by their held reason. When organized in this fashion, you
can gauge whether a specific policy may be causing a series of held messages.
Displays a list of the messages that have been released, rejected, or reported to the Mimecast
Security Team for investigation.

Rejected and Deferred Messages

If a message is rejected by Mimecast, its data cannot be retrieved. Mimecast will log the rejection
reason and send a rejection code to the sender’s email server, which should send a non-delivery
report to the sender.
If a message is deferred by Mimecast, the data can be read and an administrator or the intended
recipient, depending on permissions provided, can release or reject the message.
These messages can be found by navigating to Administration | Message Center | Rejected and
Deferred Messages. On the page, you will see two tabs: Rejected and Deferred. Here you can search
using standard parameters.

Common Rejection Reasons

Common rejection reasons are Anti-Spoofing Lockout or Anti-Spoofing Header Lockout, both which
can be resolved by configuring Anti-Spoofing policies to exclude the sender’s address. Other
common rejection reasons include IP and Spam Signature Detected, which can be resolved by
setting up a permitted sender policy. IP Found in RBL (Real Time Block List) is also a common
rejection that is resolved by adding the sender to a Permitted Senders list.

Common Deferred Reason

The most common reason for a deferred message would be Greylisting and should be resolved if the
sending server retries the connection. Greylisting occurs when Mimecast does not recognize the
triplet which consists of the envelope from address, the to: address and the source IP address. We
will discuss greylisting in more detail in another course.

Bounced Messages
You can view messages that have been accepted by the Mimecast Gateway but could not be
delivered to their recipients. These messages are displayed in the Bounced Messages viewer.
Messages are bounced for a number of reasons. When a bounce occurs, we send a Non-Delivery
Report (NDR) to the message's originator informing them that the delivery failed.

Bounced messages (both inbound and outbound) are still available in the archive, as
the message was originally accepted by Mimecast before being bounced.

These messages can be found by navigating to Administration | Message Center | Bounced

Messages.
The Bounced Messages page will display the message data, route, bounce info and bounce type.
The bounce type will either be a soft bounce or a hard bounce.

©2022 Mimecast. All Rights Reserved |58

 • Soft Bounce – Message could not be delivered within Mimecast’s retry schedule (30
attempts over 4 days)
• Hard Bounce – Receiving email server rejected the connection.
Messages added to the end user’s block list will also be logged in Bounced Messages. Bounce
reasons and further actions can be found here.

Message Details
To troubleshoot failed delivery, you can view information about the message through the details
panel. Here you will see the Bounce Properties and much more.

Message Delivery
The Message Delivery page shows you the delivery and bulk queues of messages that passed the
processing queue. The Bulk Queue tab includes messages that are subject to the bulk sender's
policy. These messages can be found by navigating to Administration | Message Center | Message
Delivery.
We attempt to deliver messages to the recipient for up to four days (96 hours) or 30 retry attempts
by default, with the Delivery Queue displaying all inbound and outbound messages waiting to be
delivered. The time between the retry attempts increase incrementally. The longer the message is in
the queue, the longer the interval between retries.
The delivery queue is used to troubleshoot or investigate delayed email delivery. You can also:
• Force an immediate retry
• Reject the message for delivery
• Perform an early (hard) bounce

Processing Queue
Before Mimecast can deliver emails, certain checks are performed, and the applicable policies need
to be applied. While these activities are being performed, emails are temporarily queued in the
Processing Queue. Once completed, emails are moved into the Delivery Queue awaiting delivery.
Typically, an Administrator will not need to monitor the Processing Queue. Emails should only be
displayed in the queue for a short time as they are processed immediately on receipt, and then
moved to the Delivery Queue. Sometimes, if larger mailshots are being sent out, emails can be
queued in the Processing Queue due to the increased processing required.
Note: Mimecast will not process more than 10 identical emails coming from the same sender
going outbound to different recipients at one time, as this would resemble a mailshot, and the
priority of these emails is automatically lowered.
These messages can be found by navigating to Administration | Message Center | Processing
Queue.
With the messages listed, you can take action on one or more message to:
• Retry delivery
• Reject delivery
• Bounce delivery

©2022 Mimecast. All Rights Reserved |59

Email Continuity Fundamentals
Lesson 1: Continuity Overview
Downtime is a reality all organizations must face, whether email is on-premises or in a cloud service
such as Office 365. Mimecast Continuity lets you keep email flowing no matter what type of outage
occurs, whether that be service disruption, natural disaster, or planned maintenance/migration. And
equally as important, it ensures that email and content controls are continuously applied throughout
the outage, so operations not only keep running but keep running safely.
Mimecast Continuity allows your users to have continuous email access, even when your
organization’s mail system is experiencing an outage. During a service outage, Mimecast Continuity
enables the administrator to control email continuity, even during normal business hours, or to plan
for 24X7 access to email during off-hours if required.
Email is available to your end users by way of Mimecast for Outlook, Mimecast Personal Portal,
Mimecast Mobile and Mimecast for the Mac.
Not only will inbound and outbound email communication be available during Continuity, but your
Mimecast Security Policies will still be in force, and you and your users will still have access to their
Archived messages during the Mimecast Continuity event.

What you will Need

For continuity to work, you will have:
• Purchased Continuity as part of your service
• Created a Continuity Connector (if you plan to use the Continuity Monitor). See the
Managing Connectors page for full details.
• Enabled “Use Cached Exchange Mode” in Outlook Exchange Account Settings

Events and Monitors

Event
• Scheduled in advance
• Built ahead of connection issues
• Proactive
Monitor
• Oversees connections
• Alerts administrators of a disruption
• Reactive

©2022 Mimecast. All Rights Reserved |60

Lesson 2: Continuity Events
Continuity events allow you to control the start and end time of an event. Once scheduled, it
communicates with the registered continuity devices or applications in the associated group, and if
configured, forces them into Continuity mode. This results in all outbound and inbound emails being
sent directly via your Mimecast service.
If you use Mimecast for Outlook, be sure to check the following box under Application Settings:
• Enable Administrator Failover: Ensures that Administrator Continuity Events apply to Mimecast
for Outlook and Mimecast for BlackBerry.

Enabling Continuity
There are three ways to enable continuity:
• A planned event: wherein an administrator plans for continuity to start and end at specific
times and is seen as a proactive approach.
• An unplanned event: wherein a continuity monitor detects a mail flow error and alerts an
administrator to start a continuity event.
• An end user continuity event: wherein if end users are given permissions, may start their
own personal continuity event that only affects them.
Note: If you do not wish for a user to be able to enable Continuity Mode manually, navigate to
Administration | Application Settings | Continuity Settings and uncheck Allow User to Failover
Manually.

Create a Continuity Event

You can create a continuity event by clicking on New Continuity Event or by cloning an existing
continuity event. Once created, all continuity events are listed including details about the affected
group, event status, active dates / times, time zone, and whether it is set for Outlook or Mobile
devices.
To create a continuity event:

Continuity Event Properties

1. Navigate to Administration | Services | Continuity
2. Click New Continuity Event
3. Enter a Description
Notes: Enter notes here to describe why you are setting this up.
4. Affected Group: Click Lookup to select a group to which a continuity event applies. The
members of the group must be set up in a group tied to an Application Setting with
Continuity enabled.
5. Enable Outlook Continuity: Select this option to apply the continuity event to Mimecast for
Outlook.
NOTE: Mimecast for Outlook can only enter continuity mode if Microsoft Outlook has the
“Use Cached Exchange Mode” option enabled in
Exchange Account Settings. If Microsoft Outlook is
in non-cached or “online” mode, Mimecast
continuity is not available, and users should access
Mimecast Personal Portal during unplanned
outages.
Allow Cloud Password Reset: Choose By Email, By SMS, or By Email and SMS.

©2022 Mimecast. All Rights Reserved |61

 Note 1: Any of these options (other than None) will allow end users to reset their cloud
password during a continuity event, by clicking the "Reset Cloud Password" link in the
Mimecast Personal Portal log in dialog.
Note 2: An Administrator must have enabled ‘Allow Cloud Authentication’ when they
configured an Authentication Profile under Services | Applications for this to work.
6. Expand Distribution Lists During Continuity Event: Select this option to allow users to
view/respond to messages sent to distribution lists that they are a member of during a
continuity event. These messages will be available via the online inbox of all Mimecast
applications. This includes the user’s local Inbox when Mimecast for Outlook is working in
Continuity Mode. It also applies when viewing the online inbox of a delegate’s mailbox.
NOTE: Active Directory synchronization must be enabled for group membership to be
available. Group membership is based on the last successful synchronization.
7. Pause Inbound Delivery for the Duration of This Event: This option will hold inbound emails in
the Mimecast delivery queue during the continuity event. These messages are still available to
users through all Mimecast user applications during the continuity event. When you remove the
pause the delivery queue will start sending the emails that were held.
Note: Choosing Pause Inbound Delivery will help prevent a delayed delivery notification from
being sent to external senders if delivery has been unsuccessful for more than an hour.

Event Duration
8. Time Zone: Select the appropriate time zone from the drop-
down list that the continuity event start/end time should be
based upon.
9. Event Start: Specify the start date/time for the continuity
event. This must be within five (5) days of the planned
continuity event start. Mimecast provides a 5-day rolling
mailbox.
Note: Setting the event to start on a date/time prior to the outage ensures that the
Mimecast for Outlook and Mimecast Mobile apps will download the affected messages,
allowing end user access to them.
10. Event End: Specify the end date/time for the continuity event. Click the Eternal button to
set the continuity event to Never End, if you are not sure when the outage requiring the
continuity event will end. When you want to end the event, click the End Now button.
Alternatively, set the Event End time to a date/time well in the future. Once the outage is
over, set the Event End to a date/time in the past to complete the event.
Note: If you see a field appear that allows you to click a button to check for an Overlapping
Continuity Event, use it to check.

Application User Notifications

Send in-app continuity notifications to affected Mimecast for Outlook and Mimecast Services for
Blackberry users.
11. Event Start Message: Language you will use in notification to users upon commencing the
event (up to 250 characters). This will appear as a pop-up within the application.
12. Event End Message: Language you will use in notification to users upon ending the event
(up to 250 characters). This will appear as a pop-up within the application.

©2022 Mimecast. All Rights Reserved |62

SMS User Notifications
Send SMS continuity notifications to a group of users.
Note: Members of the user group must opt in to receive SMS notifications. For more
information, consult the Mimecast Knowledge Base.
13. SMS Group: Click the Lookup button to select a group to which the SMS notifications will be
sent to. This can be a group from your Active Directory, or a Mimecast user groups. Select a
group that you know has the cell phone number defined.
14. Phone Number Attribute: The directory attribute used to define your users’ cell numbers.
15. Event Start SMS: Enter message here for the text you will send users about the start of the
event (120-character limit).
16. Event End SMS: Enter message here for the text you will send users about the start of the
event (120-character limit)
17. Save and Exit

Clone a Continuity Event

Cloning an event allows you to copy an existing event, saving you time in filling out the details. You
can change the group and the event schedule time and dates. This will make it easier to create
multiple events faster, that impact different groups in your organization, without having to recreate
all of the event settings.
To clone an event:
1. Navigate to Administration |Services | Continuity
2. Click Show All Events
3. Right-click the Continuity Event to be cloned
4. Click on the Clone Event button
5. Change description, group if desired and any of the other fields / options as required
6. Save and Exit

During an Event
Outlook Continuity mode takes about 10 minutes to invoke. The API will switch to listening directly
to the Mimecast system for the new email pushes. If the user sends an email, it is sent out through
Mimecast and not your Exchange server and a copy of the message is populated into the Sent Items
folder in your Mimecast mailbox and your local Outlook client Sent Items.
Mimecast for Outlook can only enter continuity mode if Microsoft Outlook has the
"Use Cached Exchange Mode" option enabled in your Account Settings. If Microsoft
Outlook is in non-cached mode, continuity functionality is not available from Outlook.

When Event is Complete

To understand what happens when a Continuity Event is complete be aware of the following:
• By default, messages sent while in continuity will be BCC’d to the sender. This is to ensure
there will be a copy of those messages in Exchange (and not just Mimecast).
• Every message that the user sent or responded to during the event will be in their inbox.
They can then move the duplicated messages to their sent items.
• It will take approximately 10 minutes for the event to end

©2022 Mimecast. All Rights Reserved |63

 The BCC occurs due to a setting under Administration | Account Settings called “Send
BCC to Mail Server”.

©2022 Mimecast. All Rights Reserved |64

Lesson 3: Continuity Event Monitor
Continuity Event Monitor uses a detection algorithm to configure thresholds to detect email delivery
latency or failures in a timely manner. If the threshold conditions are met, an alert is issued. The
alert contains a link (valid for 24 hours) that provides access to a continuity portal that can be used
to start, extend, or stop continuity events. The portal can also be used to suspend these
notifications for a set time frame.
For more detailed information on the Continuity Detection and Alert Process, click here.

What you will need:

To use Continuity Event Management, your organization must have access to:
• A Mimecast account enabled with Continuity Event Management.
• In order to notify administrators of a potential issue you will need either:
o A valid SMS numbers
o A group of external email addresses to notify administrators of a potential issue.
• A configured Connector (e.g., Microsoft 365)
• Impersonation rights to your organization's mailboxes for the outbound test email message
to be sent.
o If you're using Exchange On-Premises, see the Configuring Application
Impersonation guide for your version of Exchange. You'll need to provide the
credentials of the mailbox you want to grant this permission to.
Click here for configuration requirements specific to your environment.

Latency and Failure Thresholds

Before configuring the Continuity Monitor, you need to understand what Latency and Failure
Thresholds are. What each of these does is explained below.
• Latency Threshold - Specify the maximum number of seconds allowed to receive an
outbound message, before a failure occurs. A value of 30 to 300 can be entered, but a value
of "50" is a good starting point.
• Failure threshold: Sets the failure count required to trigger an alert. Each monitoring cycle is
two minutes, with the counter incremented once per cycle. A value of 1 to 20 can be
entered, but a value between "3" and "6" is a good starting point.

Configuring Continuity Monitor

In creating a Continuity Monitor, you are setting up mail server monitoring that will notify
administrators of potential continuity issues. If you set up the thresholds for inbound check and
outbound check and we detect there might be a continuity event occurring and we notify you, you
can decide if you want to trigger the continuity event. The notification will give you information on
the detected threshold problem and would ask you if you want to enable continuity or not.
To access and create a Continuity Monitor:
1. Navigate to Administration | Services | Continuity | New Continuity Monitor
Mail Server Monitoring
2. Description: Enter an easily identifiable description
3. Notes: Enter notes here to describe why you are setting this up.
©2022 Mimecast. All Rights Reserved |65
 4. Time Zone: Select the time zone for your account.
5. Enable Inbound Check: Inbound checks will monitor if a specified delivery route fails. If one
or more delivery errors occurs in a monitoring cycle, the failure counter increases by one. If
there aren’t any errors, the failure counter decreases by one.
o Delivery Route: Select the inbound delivery route you will have configured upon
your implementation under Administration | Gateway | Policies (e.g., 365 Route)
o Preview Route: This will allow you to look at the configuration
6. Enable Outbound Check - An Outbound check will send a test message to Mimecast. If the
message is not received, the failure counter increases by one. If the message is received, the
failure counter decreases by one.
o Latency Threshold - Specify the maximum number of seconds allowed to receive an
outbound message, before a failure occurs. A value of 30 to 300 can be entered, but a
value of "50" is a good starting point.
o Connector - Sets the connector used for the mailbox delivery test. To configure a
connector, navigate to Administration | Services | Connectors.
o Test Email Address - Click on the Lookup button to select the email address to be used
to send the test message. We recommend that this should be on the same server as the
affected users and is not an active user. An alias email address cannot be used.
7. Failure Counter Threshold – Sets the failure count required to trigger an alert. Each
monitoring cycle is two minutes, with the counter incremented once per cycle. A value of 1
to 20 can be entered, but a value between "3" and "6" is a good starting point.
8. Send Administrator Notifications: Click Lookup and choose Administrator Alerts (most
accounts should have this or you can choose another group). Select Notify by email or
Notify by SMS or both.
Continuity Event
Set the event properties. When notified of a potential issue, administrators can start and
manage the event in the Continuity Portal.
9. Affected Group: Sets the user group the event applies to. This can be a Directory group or a
local Mimecast Profile group (all users or maybe you are making by region)
10. Enable Outlook Continuity: Forces Outlook into continuity. Overrides user settings to force
all Mimecast for Outlook users into continuity mode.
11. Allow Cloud Password Reset: Allows users to reset their passwords via the ‘Reset Cloud
Password’ option. They'll receive a reset code by email or SMS, depending on what they
choose from this drop-down menu.
12. Expand Distribution Lists During Continuity Event: Ensure that all users in Continuity can
view and respond to emails sent to distribution lists that they are a member of.
13. Pause Inbound Delivery for the Duration of This Event: Select this option to hold inbound
emails in the Mimecast delivery queue. These messages are still available to users through
all Mimecast user applications during the continuity event.

Application User Notifications

Send in-app continuity notifications to affected Mimecast for Outlook and Mimecast Services for
Blackberry users.
14. Event Start Message: Language you will use in notification to users upon commencing the
event (up to 250 characters). This will appear as a pop-up within the application.
15. Event End Message: Language you will use in notification to users upon ending the event
(up to 250 characters). This will appear as a pop-up within the application.

©2022 Mimecast. All Rights Reserved |66

SMS User Notifications
Send SMS continuity notifications to a group of users.
Note: Members of the user group must opt in to receive SMS notifications. For more
information, consult the Mimecast Knowledge Base.
16. SMS Group: Click the Lookup button to select a group to which the SMS notifications will be
sent to. This can be a group from your Active Directory, or a Mimecast user groups. Select a
group that you know has the cell phone number defined.
17. Phone Number Attribute: The attribute used to define your users’ cell phone numbers. You
can change the attribute on the SMS dashboard.
18. Event Start SMS: Enter message here for the text you will send users about the start of the
event (120-character limit)
19. Event End SMS: Enter message here for the text you will send users about the start of the
event (120-character limit)
20. Save and Exit
See the Continuity Event Management: Configuring a Continuity Monitor page for full details.

Outbound Traffic
After creating the monitor, if you navigate to Administration | Message Center | Accepted
Messages and filter on Outbound you will be able to identify the outbound messages coming from
the monitor as they are addressed from “<custom-string>@mimecastmonitor.com”. Here you will
notice the timing between them is two minutes apart.
At the start of each two-minute window, Mimecast checks to see if the last sent message was
received, and if so, within the acceptable latency time specified.

Managing a Continuity Event

If an alert is triggered, you'll receive a notification Email
or SMS (depending on how you set this up). This informs
you of the event details (e.g., the affected server), and
allows you to manage the event via an alert link to the
Continuity Portal.
The alert link (valid for 24 hours) provides access to a
Continuity Portal, which can be used to start, extend, or
stop continuity events.
Alerts are issued every hour for as long as the algorithm detects a
potential issue, and one or more threshold conditions have been met.
The Continuity Portal can also be used to suspend these notifications for
a set time frame.
More information on the options in the continuity portal instance can be
found here.

©2022 Mimecast. All Rights Reserved |67

Continuity Portal
To access the Continuity Portal:
• Open the Email or SMS message
• Click Manage Event in the Email or use the link provided in the SMS message)
In the Continuity Portal open in your browser, you can:
• Activate continuity mode: Click on
one of the buttons to start a
continuity mode for the desired
duration
• Extend the continuity mode: Click
on one of the buttons to extend a
continuity mode for the desired
duration.
• Stop receiving notifications for the
event: Click on one of the buttons
to stop receiving notifications for
the desired duration.
• Stop the continuity mode: Click on
the "Stop" button to end a
continuity mode.

In an SMS message, you can do all the things you can do in the browser:

©2022 Mimecast. All Rights Reserved |68

Lesson 4: SMS Continuity Services
Depending on your Mimecast subscription, you may have access to Mimecast SMS Continuity
Services. This extends some Mimecast capabilities for use with the Short Message Service (SMS) text
features available to mobile phones.

SMS Dashboard
The SMS (Short Message Service) Services Dashboard
displays a graphical summary of recent SMS activity
on your account. It allows administrators to monitor
SMS activity, view SMS information, and setup /
change SMS configuration.
To access navigate to:
1. Navigate to Administration | Services | SMS
Dashboard (or use hamburger menu on main
Administration Console dashboard)
2. The dashboard is split into the following
sections:
• SMS Messages per Day: Displays the number
of successful and failed SMS messages sent per day over the last 14 days. Hover over the bar
graph to display more information.
• Phone Numbers Settings: Displays the current attribute used for sending SMS messages.
Click on the Change Attribute button to use a different attribute.
• Last 10 Active Messages (Last 14 days): Displays a summary of the last 10 active messages
by user primary email address, mobile (cell) number registered, the SMS message type, the
last update time for the message, and the current status. Click the View All link to display the
full list of messages sent over the last 14 days.

SMS Attribute
To enable SMS messages sent out during a continuity event, you will need to ensure that you have a
mobile number attribute referenced under Administration | Account | Account Settings | System
Notification Options | SMS Attribute. You can also use the Change Attribute button on the SMS
Dashboard to navigate here. This specifies the Mimecast attribute that identifies the mobile phone
number of users. When sending an SMS to a user, we use the number associated with this attribute.

Active Directory Synchronized Mobile Attribute

If you have your Active Directory synchronized with us, navigate to Administration | Directory |
Attributes and look for a directory linked attribute that identifies your cell phone numbers. The
Attribute in Mimecast should have been created during the synchronization of your Active Directory.
If one is not there you can create one. View the Managing Attributes page for more information.

Local Groups
If you do not have your Active Directory synchronized and you are using local groups, you will need
to do a bulk import of profiles of users. Include a column with the title of “mobile” and list the
numbers associated with the persons you are importing. Use this article to help you with this.
Then, on the attributes page, create a new attribute with the following settings:
• Name (Prompt): mobile (the name is case sensitive to the column head in the import)

©2022 Mimecast. All Rights Reserved |69

• Group: General Attributes
• Type: Small Text Capture (50 pixels)
• Order: 0
• Options: [Leave blank]
• Show In Tables: false

Number Verification
You can verify the cell phone numbers entered for a
group of users to ensure they meet the format
required [+<country code><mobile number>] so you
can send them SMS messages.
1. Navigate to Administration | Services | SMS
Dashboard
2. Click on the Number Verification toolbar
button.
3. Specify the group of users to be checked in the
Select Group field
4. Click Verify Group. The summary results of the verification check are displayed at the
bottom of the dialog.
Note: At the bottom, you will have an option to download a report or verify another group.

SMS Status
You can display all SMS messages sent to users for the last 30 days in the SMS Status view. This has
the advantage of allowing you to filter the records by type and date range.
To access the SMS Status view:
1. Navigate to Administration | Services | SMS Dashboard
2. Click on the SMS Status toolbar
The SMS types seen in this list would be as follows:
• Password Reset
• Continuity Event
• Two-Step Authentication
• Unsubscribe (administrators can unsubscribe)
• Continuity Event Monitor Alert
Statuses:
• Queued
• Sent Awaiting Verification Sent Verified
• Unsubscribed Failed

Resources
For updated information regarding managing Mimecast Continuity, refer to the following links:
Continuity Guides
Continuity Best Practice

©2022 Mimecast. All Rights Reserved |70

Security Policies Fundamentals
Mimecast Email Inspection Funnel
The graphic below represents the Mimecast Email Security Inspection funnel. The Secure Email
Gateway applies a dynamic, multi-layered approach to the analysis of inbound, outbound, and
internal emails. From higher level inspections such as DNS authentication, including
SPF/DKIM/DMARC, to spam and virus protection.

Lesson 1: Policy Basics

Mimecast Gateway Policies are the set of rules applied to inbound or outbound messages that affect
the flow of email traffic. The most important policies you will need are very likely already built
during your implementation depending on the Mimecast products purchased.
When creating policies, learn more from the Gateway Policy Types article in our Knowledgebase.
To be more specific:
• Definitions define what needs to happen.
• Policies define when definitions are applied based on sender, receiver, time, and other
parameters.
Some policies work on their own without a definition (for example, Greylisting and
Anti spoofing) whereas others require a link to a definition.

Gateway Policy Editor

The policy editor can be found under Administration | Gateway | Policies and is used to manage
the policies and definitions in the Administration Console.
Take note, there is a Definitions drop-down menu in the upper left and there are Definition buttons
to the right of the policies that require a definition. Both options will direct you to the definition for
a particular policy type.

©2022 Mimecast. All Rights Reserved |71

In the Policy Editor, you will see a Policy Name Column with the name of the policy and a
Description Column that provides detail. In addition, there are columns labeled Policies and
Definitions. These have numbers that represent the number of policies and definitions for each.
They also have a Tell Me More button in the far right which will take you to the relevant
Knowledgebase articles.

Policy Specificity
Mimecast applies policies to messages based on
specificity. The more specific a policy is, the higher the
priority.
For example, a policy specifying a single individual email
address is very specific and is favored above a policy
applied to everyone (which is the least specific of all). See
the table below and the article here to understand the
different levels of specificity.
Each policy performs an action that is applied to messages
as they are processed by the Mimecast Gateway. In many
cases, more than one policy of the same type (e.g., Blocked Senders) is considered for the same
message, but only the most specific policy of that type is applied.
Specificity Level Description
Everyone This is the least specific of all from / to options and includes all email
addresses.
Internal Addresses All addresses internal to your account, typically found under
Directories > Internal Directories.
External Addresses All addresses external to your account, typically found under
Directories > External Directories.
Email Domain Enables you to specify one or more domain names to which the
policy is applied.
Freemail Domains Only available under the "Email From" section of Impersonation
Protection policies. Includes sender domains that are present on a
Mimecast list of freemail domains.
Address Groups Enables you to specify a predefined Directory or Profile Group which
could hold domain names or individual addresses.
Header Display Name Only available under the "Email From" section of Impersonation
Protection policies when the "Addresses Based On" option has been
set to "The Message From Address" or "Both". This enables you to
specify a Header Display Name.
Address Attributes Enables you to specify a predefined attribute and can only be used
when attributes have been configured.
Individual Email Address This is the most specific of all from / to options and relates to a
single email address.
Using Policy Specificity

©2022 Mimecast. All Rights Reserved |72

Mimecast uses a multi-threading process where policies are applied simultaneously but only the
policy that matches is applied.
There are some exceptions to this rule:
• Content Examination
• Content Examination Bypass
• Impersonation Protection
• Impersonation Protection Bypass
• Smart Tag Assignment
These policy types are cumulative. When multiple cumulative policies match the From and To of a
message, all those cumulative policies are applied to the message and the appropriate action(s)
taken.

Equal Specificity
For policies (except cumulative policies), where there is equal specificity between two (or more)
policies of the same policy type, the following logic is applied to decide which policy needs to be
applied:
Recipient Trumps Sender: When there is equal specificity, the "Emails To" value receives a slightly
higher score. This means the Mimecast Gateway considers the recipient more specific than the
sender.
Conditions: Where there is equal specificity, and the "recipient trumps sender" logic does not
resolve this, a policy that has a matching "Source IP Range" or matching "Hostname" validity
condition is considered to be more specific.
Most Recently Created: Where there is equal specificity and the "recipient trumps sender" and
"conditions" logic do not resolve this, the most recently created policy is favored.
Use this article to see some specificity examples based on Messages From / Emails To Details as well
as working with groups.

Policy Details
When creating or editing a policy, there will be three sections:
1. Options: Here you enter a name for the policy and select
either the Action to take or the definition you are
applying to the policy.
2. Emails From and To: Here you need to specify the
conditions an email has to have to activate the policy. This
includes the Emails “From” and “To” addresses.
3. Validity: Choose to enable / disable a policy, determine
the time the policy will be active, along with IP ranges if
applicable.

Set policy as perpetual: Always On if you do not wish to

provide a date range for the policy to be valid.

Date Range: If you wish for your policy to be valid for a specific date range.
Policy Override: If the Policy Override option is enabled, the policy will be considered before
those that do not have it enabled. When multiple policies have it enabled, those policies will

©2022 Mimecast. All Rights Reserved |73

 follow the specificity rules to determine which should apply to your email. If none of those
policies apply, only then will your remaining non-override, policies be considered using the
specificity rules.
Bi-Directional: Applies the policy in the reverse mail flow so the policy is applied in both
directions.
Source IP Ranges: If a Policy is configured with both a specific FROM variable and source IP
address, only emails which match both of these properties will trigger the Policy. Alternatively, if
you would like to specify only the source IP address, select the FROM variable as Everyone, and
enter the desired IP address/range in the Source IP Range field.
To navigate to a policy, go to Administration | Gateway | Policies and click on a policy to open it.

©2022 Mimecast. All Rights Reserved |74

Lesson 2: Gateway Security Policies
There are features that are activated by default on all new Mimecast accounts that provide out of
the box protection. They are a starting point for your Mimecast journey, and can be left as they are
or amended to build a configuration that suits your needs.
Refer to this article entitled Out of the Box Settings for Mimecast Email Security. Many of these will
be discussed in this course. Those that are not will be covered in our level 2 courseware.

Configurable Block / Permits

In the top three layers of the Email Inspection funnel, we apply different methods of checking who is
sending the email. These checks are controlled by the following policies:
1. Blocked Senders
2. Permitted Senders
3. Auto-Allow
4. Anti-Spoofing
In the next section, we will take you into the Administration Console and discuss what these policies
are used for and the actions they perform.
Spoofing
Spoofing is the forgery of email headers, so messages appear to come from someone other than the
actual source. This tactic is used in phishing and spam campaigns, as recipients are more likely to
open a message that looks legitimate.

Envelope From and Header From

Sometimes spoofed emails don’t emanate from an attacker. Sometimes this traffic is from
legitimate services such as Survey Monkey or Mail Chimp. These services spoof (pretend to be
internal) but they don’t do this in the “envelope from” of an address. They will usually do this from
the “header from” address, however either one of these can be spoofed. The difference between
the Envelope From and Header From is this:
• Envelope From – This is the actual address that is stored behind the scenes
• Header From – This is the email address that is displayed when you open an email in
Outlook for example.
Anti-Spoofing Overview
An Anti-Spoofing policy is used to avoid spoofing. Having one configured will ensure external
messages appearing to come from an internal domain are blocked. The policy is configured to apply
anti-spoofing to email from your domain to your domain.
Things to be aware of:
• When an email is blocked/rejected by Mimecast, its content is not kept, so cannot be
released, or recovered by Mimecast, so it’s important that this policy is configured correctly.
• If you find that you don’t have a default policy blocking mail from your internal domain to
internal addresses, you will need to create one.
• Anti-spoofing can be applied automatically when a customer is registering a domain or sub-
domain in your Mimecast account.
• If you have a third-party vendor such as MailChimp, Constant Contact or Salesforce that
send email appearing to be from you, you will need to create an Anti-Spoofing exception
policy (outlined below) or an Anti-Spoofing SPF Based Bypass.

©2022 Mimecast. All Rights Reserved |75

Usage Considerations
• Anti-Spoofing policies override addresses or domains permitted by users. For example,
messages from a domain added to a user's permitted senders list AND an Anti-Spoofing
policy are rejected.
• This is a “policy only” configuration.
Anti-Spoofing Default Policy
1. Navigate to Administration | Gateway | Policies
2. Click on the Anti-Spoofing policy in the Policy Editor
3. Open the Default Anti-Spoofing policy
Options
4. Policy Narrative: Default Anti-Spoofing
5. Select Option: Apply Anti-Spoofing (Exclude Mimecast IPs)
This will apply anti-spoofing except if an email is sent from one of Mimecast’s public IPs.
Emails From
6. Address Based On: Both
7. Applies From: Email Domain
8. Specifically: Enter the applicable internal domain you wish to block spoofs from.
Emails To
9. Applies To: Internal Addresses
10. Specifically: Applies to all Internal Recipients
Validity
11. Enable / Disable: Enable
12. Set policy as perpetual: Always On
13. Date Range: All Time
14. Policy Override: Disabled
15. Bi Directional: Disabled
16. Source IP Ranges: No entries
17. Hostname(s): No entries

Policy Validity
Validity parameters control the application of a Policy to an email. An Active Policy
is applied to emails, and an Expired Policy is ignored by Mimecast. Validity can be
controlled manually, and Policies can also be automatically set to expire on a
certain date. By default policies are set to apply Eternally.
Note: Policy Validity also allows certain options to be applied to policies. For
example, bi-directional policy application, policy override, and adding Source IP
addresses.
For information on Policy Validity, click here.

Note: Messages rejected by the Anti-Spoofing policy can be seen in Message Center | Rejected and
Deferred Messages.

Anti-Spoofing Exception Policy

There may be instances where you want legitimate spoofed emails to come in to Mimecast (e.g.
using a 3rd party system to generate an email that you are sending inbound to your colleagues). This
would require an Anti-Spoofing expectation policy. The policy should be scoped as followed:

©2022 Mimecast. All Rights Reserved |76

 1. Click on the Anti-Spoofing policy in the Policy Editor
2. Open the Anti-Spoofing IP-Based Exception-Constant Contact policy
Options
3. Policy Narrative: Anti-Spoofing IP-Based Exception-Constant Contact
4. Select Option: Take no action
Emails From
5. Address Based On: Both
6. Applies From: Everyone
7. Specifically: Applies to all Recipients
Emails To
8. Applies To: Everyone
9. Specifically: Applies to all Recipients
Validity
18. Enable / Disable: Enable
19. Set policy as perpetual: Always On
20. Date Range: All Time
21. Policy Override: Enable
22. Bi Directional: Disabled
23. Source IP Ranges: IP addresses of Constant Contact
24. Hostname(s): No entries
Note: Whenever a policy is scoped to be less specific (e.g., Everyone to Everyone), and you wish for
it to be considered before more specific policies, you must check the Policy Override button as
outlined in the configuration above.
To access the policy, navigate to Administration | Gateway | Policies. To configure, see this article.

Blocked Senders
A Blocked Senders policy restricts messages to or from specific email addresses or domains. It can
apply to inbound or outbound messages, although is typically used to block inbound messages.

Default Blocked Senders Policy List

The following default Block Sender policies are created during your Mimecast account creation, and
cannot be changed by administrators:
• An inbound Blocked Senders policy that references an empty group. You can populate this
group by adding email addresses / domains manually, or by importing a spreadsheet file. See
the Importing Users via a Spreadsheet page for full details.
• An exception policy with the option set to External to a Relay Group and Take no action.
This allows addresses / domains known to your company and can be relayed via your mail
server. For example, a staff member that has left your organization, but their email address
is being forwarded on to a different email address.
• An External-to-External Block Sender policy that prevents senders using your mail server
as an open relay. For example, we only accept messages from addresses belonging to your
internal domains. Additional External to External Blocked Sender policy cannot be created.

Usage Considerations
Consider the following before creating a policy:
• Messages from blocked senders are rejected and logged in the Rejections Viewer. See the
Message Center: Rejected and Deferred Messages page for further details.

©2022 Mimecast. All Rights Reserved |77

 • Blocked Senders policies override any configured Permitted Senders policies.
• Blocked Senders policies override addresses allowed by individual users.
Blocked Senders Profile Group
There is a Blocked Senders profile group that is created by default on all accounts. Here, you will see
which addresses / domains are being blocked. Administrators can populate this group with
additional email addresses or domains.
By maintaining the addresses in the Blocked Senders profile group, any address changes are
automatically applied to the Blocked Senders policy.
1. Navigate to Administration | Directories | Profile Groups
2. Select the Blocked Senders folder
3. Take note of email addresses and domains listed here
4. Use the Build drop-down to Add Email Addresses or Domains
5. Save and Exit
Blocked Senders Default Policy
1. Navigate to Administration | Gateway | Policies
2. Click on the Blocked Senders policy in the Policy Editor
3. Open the Default Blocked Sender policy
Options
4. Policy Narrative: Default Blocked Sender
5. Blocked Sender Policy: Block Sender
Emails From
6. Address Based On: Both
7. Applies From: Address Groups
8. Specifically: Blocked Senders
Emails To
9. Applies To: Everyone
10. Specifically: Applies to all Recipients
Validity
11. Enable / Disable: Enable
12. Set policy as perpetual: Always On
13. Date Range: All Time
14. Policy Override: Disabled
15. Bi-Directional: Disabled
16. Source IP Ranges: No entries
17. Hostname(s): No entries
To access the policy, navigate to Administration | Gateway | Policies. To configure, see this article.

Permitted Senders
Permitted Senders policies ensure successful delivery of inbound messages from trusted sources.
Messages from permitted senders bypass our Spam Scanning, Greylisting and IP Reputation checks,
avoiding the possibility of being rejected or placed in the hold queue. This is useful in situations
where the sender's mail server is listed in an RBL, or for messages flagged by our content checks.
Note: A permitted sender messages are still subject to system wide message compliance and virus
checks. Adding an address to the permitted senders list, just removes the message from additional
spam checks.

©2022 Mimecast. All Rights Reserved |78

Usage Considerations
Consider the following before creating a policy:
• It isn't necessary to create a policy for all trusted senders, only if a sender is having difficulty
sending messages to your end users.
• End users have a personal permitted sender list. These are managed by them using The
Digest Email, or when logged onto the Mimecast Personal Portal or Mimecast for Outlook.
• Referencing a user group enables you to minimize the number of Permitted Sender policies
you need. The only time a specific policy is required is if the domain entry contains a
wildcard. This requires a separate policy to permit by IP (everyone to everyone).
• Blocked Senders Policies always supersede over Permitted Senders policies. This means that
messages from a domain or email address that are added to both a Blocked AND Permitted
Senders policy are rejected. These policies don't override default virus checks.
• An entry on a user's blocked senders list in Managed Senders, whether it has been added by
an administrator or a user, is always superseded by a Permitted Senders policy if it relates to
(P1) envelope addresses. Read more on this here.

Permitted Senders Profile Group

There is a Permitted Senders profile group that is created by default on all accounts. Here, you will
see which addresses / domains are being permitted. Administrators can populate this group with
additional email addresses or domains.
By maintaining the addresses in the Permitted Senders profile group, any address changes are
automatically applied to the Permitted Senders policy.
1. Navigate to Administration | Directories | Profile Groups
2. Select the Permitted Senders folder
3. Take note of email addresses and domains listed here
4. Use the Build drop-down to Add Email Addresses or Domains
5. Save and Exit
Permitted Senders Default Policy
1. Navigate to Administration | Gateway | Policies
2. Click on the Permitted Senders policy in the Policy Editor
3. Open the Default Permitted Sender policy
Options
4. Policy Narrative: Default Permitted Sender
5. Permitted Sender Policy: Permit sender
Emails From
6. Address Based On: Both
7. Permitted Sender Policy: Permitted Sender
8. Applies From: Address Groups
9. Specifically: Permitted Senders
Emails To
10. Applies To: Everyone
11. Specifically: Applies to all Recipients
Validity
12. Enable / Disable: Enable
13. Set policy as perpetual: Always On
14. Date Range: Eternal
©2022 Mimecast. All Rights Reserved |79
 15. Policy Override: Disabled
16. Bi Directional: Disabled
17. Source IP Ranges: No entries
18. Hostname(s): No entries
To access the policy, navigate to Administration | Gateway | Policies. To configure, see this article.

Auto-Allow and Auto-Allow Creation

An Auto Allow is a user-level permit that is generated by your users’ outbound messages. When an
email is sent to an external recipient, it will result in that external address being added as an “auto-
allow” within the Managed Senders area which then allows inbound emails from those external
address to bypass Spam Scanning, Greylisting and IP RBL checks that are performed by those types
of policies.
While Auto Allow policies tell Mimecast how we should honor an Auto Allow entry, an Auto Allow
Creation policy will give you control over which of your users will generate Auto-Allow entries from
their outbound emails and which will not.
These messages are still subjected to DNS authentication. Failing SPF, DKIM and
DMARC checks can cause Mimecast to ignore this list entirely.

Usage Considerations
• An Auto Allow entry is automatically deleted if no emails are sent to the address for 120 days.
• Auto Allow database entries are maintained in an End User's Managed Senders List.
• Auto Allow database entries are not generated when:
o Auto-responses are sent (including Out of Office messages).
o Suspected spam related messages are released, and the recipient subsequently replies to
the sender.
Auto Allow Default Policy
1. Navigate to Administration | Gateway | Policies | Auto Allow
2. Click on the Auto Allow policy in the Policy Editor
3. Open the Auto Allow policy
Options
4. Policy Narrative: Default Auto Allow
5. Auto Allow Policy: Apply Auto Allow
Emails From
6. Address Based On: The Return Address
7. Applies From: Everyone
8. Specifically: Applies to all Recipients
Emails To
9. Applies To: Everyone
10. Specifically: Applies to all Recipients
Validity
11. Enable / Disable: Enable
12. Set policy as perpetual: Always On
13. Date Range: Eternal
14. Policy Override: Disabled
15. Bi Directional: Disabled
16. Source IP Ranges: No entries
17. Hostname(s): No entries

©2022 Mimecast. All Rights Reserved |80

If you needed to make an exception to exclude certain addresses you can create an Auto Allow
Creation policy with the Select Option set to “Do Not Generate AAL Entries”. You would do this, for
example, if you had a marketing group mailbox sending out mass mailings and you did not want
those external email addresses to be logged as Auto Allow entries.

Auto Allow Creation Policy

1. Navigate to Administration | Gateway | Policies | Auto Allow Creation
Options
2. Open the AAL Creation policy
3. Policy Narrative: AAL Creation policy
4. Select Option: Do Not Generate AAL Entries
Emails From
5. Address Based On: Both
Applies From: Everyone
6. Specifically: Applies to All Senders
Emails To
7. Applies To: Everyone
8. Specifically: Applies to All Recipients
Validity
9. Enable / Disable: Enable
10. Set policy as perpetual: Always On
11. Date Range: Eternal
12. Policy Override: Disabled
13. Bi Directional: Disabled
14. Source IP Ranges: No entries
15. Hostname(s): No entries

To view Auto Allow Entries, navigate to Administration | Gateway | Managed

Senders and use the View menu to filter on these.

To access the policy, navigate to Administration | Gateway | Policies. To configure, see this article.

Managed Senders
Managed Senders are the email addresses that end users have blocked, permitted, or have been
added to their auto-allow list. Users can block or permit from either the Personal Portal, Mimecast
for Outlook or a Digest Email.
An administrator can view, add, modify, or delete these entries. In fact, you may need to edit these
entries to troubleshoot some email delivery flow issues, or to prevent users from accepting email
from dubious sources.

Usage Considerations
• Administrators can manage a user's personal managed senders. Corrections may be
necessary when a user has incorrectly created an entry by:
o Using a digest set to block / permit an external email address.
o Using Mimecast Personal Portal or Mimecast for Outlook to block / permit addresses and
/ or domain names.
o Sending a message to an external recipient, which adds the external address to their auto
allow list.

©2022 Mimecast. All Rights Reserved |81

 • Blocked Senders Policies always supersede Permitted Senders policies. This means that
messages from a domain or email address that are added to both a Blocked AND Permitted
Senders policy are rejected. These policies do not override default virus checks.
• An entry on a user's blocked senders list in Managed Senders, whether it has been added by
an administrator or a user, is always superseded by a Permitted Senders policy.
• Permitted / blocked addresses only apply to the user's primary SMTP address. If you update
the user's primary SMTP address, the personal managed senders list no longer applies, and
the address must be re-added.

Managed Senders Page

To view the managed senders of a particular individual:
1. Navigate to Administration | Gateway | Managed Senders
2. Once here you can do any one of the following:
• Search for an entry by entering the email address / name of the internal user
• Block / Permit addresses / domains
• Delete addresses / domains
• Add / Import Managed Senders
• Add Postini Approved and Blocked Senders
• View Blocked Senders, Permitted Senders, Auto Allow Entries, Trusted Senders
• Export Data

The View menu can be used to filter by blocked, permitted, trusted senders and auto allow entries.
Each entry displays the sender / recipient address, along with the policy type. For more detail see
Managing an End User’s Managed Senders List.

DNS Authentication
What is DNS Authentication?
DNS Authentication combines three industry-standard email authentication technologies (DMARC,
DKIM and SPF) that allow domain owners to control who sends on behalf of their domains. It also
validates the authenticity of inbound messages.
• SPF (Sender Policy Framework) is an open standard for email authentication. It ensures that
any messages sent using a domain come from permitted sources. It does this by checking
the domain from the inbound message's "From Address", to see if the originating IP address
is listed in the domain's DNS record. If the IP address is not listed, a failed result is returned.
• DKIM (Domain Keys Identified Mail) adds a cryptographic hash or signature as a new
header to outbound messages. This ensures outbound messages haven't been altered after
leaving the sending organization's mail server, by matching the hash or signature to the DNS
records. DKIM requires a public DKIM key to be published in a TXT record in the DNS record
for the sender's domain by the domain owner.

©2022 Mimecast. All Rights Reserved |82

 • DMARC (Domain Based Message Authentication, Reporting & Conformance) is an email
validation system designed to detect and prevent email spoofing, that builds protection on
top of the SPF and DKIM mechanisms. It ensures messages are correctly authenticated using
the SPF and DKIM email authentication standards.

DNS Authentication Checks – Inbound and Outbound

DNS Authentication definitions are required for both inbound and outbound checks, prior to
configuring DNS Authentication policies. Consider the following before getting started:
• Inbound Emails: DNS Authentication is helpful in preventing unwanted and potentially
harmful messages from reaching users. When enabled, checks are performed against all
messages regardless of any auto allow or permitted sender entries being present. This
ensures any messages from the sender to these internal users are not bypassed for spam
checks. The following actions can apply, depending on the result of the inbound checks:
• Reject
• Ignore Managed / Permitted Sender entries
• Take no action
• Outbound Emails: If DKIM signing is required for outbound mail, your organization's DNS
record must be populated with the appropriate public key as part of a DNS Authentication
Outbound Signing definition. The private key of the same keypair must be populated in a
DNS Authentication policy, along with the domain and selector of that record. Once this
policy is applied to outbound mail, messages that meet the policy criteria are DKIM signed.
• Action Severity: If your definition settings conflict with each other, the most restrictive
action wins.

SPF Inbound Check Actions

Different actions can apply, depending on the result of the inbound checks:
• Take no action: No specific action is applied to the inbound message.
• Reject: The inbound message is rejected.
• Ignore Managed/Permitted Sender entries: Reputation, greylisting, and spam checks are
performed on the inbound message.

Inbound DNS Authentication Checks

Inbound DNS Authentication checks allow Mimecast to validate the sending systems using pre-
configured DNS entries. We've configured settings across all three DNS services (SPF, DKIM, and
DMARC). These take no action if there are no records found.
By default, we are looking for SPF, which means we are only verifying sending IP addresses in
relation to the sending domain based on their DNS SPF record. You can check DKIM or DMARC as
well.
DNS Authentication definitions/policies control the types of email authentication checks performed
when we send or receive a message.
Note: Mail Transfer Agents (MTAs) can verify SPF or DKIM for inbound mail, if the sender publishes
DNS entries for them in their domain records.

©2022 Mimecast. All Rights Reserved |83

SPF Settings
SPF
Description Recommended Setting Notes
SPF None Ignore Managed/Permitted The domain owner has not chosen to
Sender Entries implement SPF, meaning that senders using
this domain do not need to authenticate to
(Note: DNS Checks are still send on its behalf. Therefore, it is
performed) recommended to perform spam /
reputation-based checks to minimize the
level of unwanted mail.
SPF Neutral Ignore Managed/Permitted Neutral SPF results are for when the domain
Sender Entries owner has not specified whether a sender
using this domain are permitted to send on
their behalf. With this in mind, messages
returning this SPF result should be spam
scanned to minimize the level of unwanted
mail being received.
SPF Soft Fail Ignore Managed/Permitted The Soft Fail result is generally considered to
Sender Entries be a temporary setting, whilst SPF is being
configured. It does not cause any
restrictions to be applied. All that is added is
a header value containing the check result.
However, once all the sending IP Addresses
are added to the relevant SPF DNS record,
the SPF failure action should be changed to
Hard Fail. Therefore, inbound messages with
this result should have spam / reputation-
based checks applied rather than rejected.
SPF Hard Fail Reject Any inbound messages that result in an SPF
Hard Fail should be rejected. In these cases,
the sender is not sending the message from
an authorized IP address.
SPF PermError Ignore Managed/Permitted PermErrors are similar to TempErrors. They
Sender Entries can be caused by incorrectly formatted SPF
records being present and require DNS
administrator intervention to correct.
Messages with this status should be
accepted after having Spam / Reputation
based checks applied.
SPF TempError Ignore Managed/Permitted TempErrors are normally caused by
Sender Entries transitory DNS issues that cause SPF record
lookups to fail. Due to the temporary nature
of this problem, messages should be
accepted after having spam / reputation-
based checks applied.

The default definition is set to Ignore Managed/Permitted Sender entries which means Reputation,
greylisting, and spam checks are performed on the inbound message.

©2022 Mimecast. All Rights Reserved |84

Default DNS Authentication Inbound Definition
1. Navigate to Administration | Gateway | Policies | DNS Authentication – Inbound
2. Click on the Default DNS Authentication Definition
3. Description: Default DNS Authentication Definition
4. Verify SPF for inbound mail: Enabled
5. SPF None: Ignore Managed/Permitted Sender Entries
6. SPF Neutral: Ignore Managed/Permitted Sender Entries
7. SPF Soft Fail: Ignore Managed/Permitted Sender Entries
8. SPF Hard Fail: Reject
9. SPF PermError: Ignore Managed/Permitted Sender Entries
10. SPF TempError: Ignore Managed/Permitted Sender Entries

Note: In this course, we will not cover the DKIM or DMARC settings. Please refer to the article below
for further detail.

Default DNS Authentication Inbound Policy

1) Navigate to Administration | Gateway | Policies | DNS Authentication Inbound
2) Policy Narrative: Default Inbound DNS Authentication Policy
3) Select Option: Default DNS Authentication Definition
4) Addresses Based on: Both
5) Applies From: External Addresses
6) Specifically: Applies to all External Senders
7) Applies To: Internal Addresses
8) Specifically: Applies to all Internal Recipients
9) Save and Exit
For further information on both inbound and outbound checks, read the DNS Authentication
Configuration Guide.

Reputation
Reputation policies allow you to manually configure the reputation checks applied to inbound mail.
Together with reputation definitions, they provide granular control over the default reputation spam
detection technologies we apply. When an inbound message is rejected because of a reputation
check, the event is logged in the Rejection Viewer.
Reputation policies check the reputation of the sending IP against Mimecast Global Permitted List of
IPs and Global Block Lists (RBL). We use several block lists and give a score to the IP based on how
many of those lists it matches (how many hits it gets).
By default, all block lists and reputation checks are applied to inbound mail.
However, by configuring a reputation definition, you can adjust or exclude
some of these checks, or decrease their sensitivity.

Reputation Definition
1. Navigate to Administration | Gateway | Policies | Definitions | Reputation Definition
2. Open the Reputation Definition
3. Description: Reputation Definition
4. Mimecast Global Permitted List
[Check inbound email against an IP address based permitted list. If the connecting IP address
is present on the permitted list, it bypasses the spam check.]

©2022 Mimecast. All Rights Reserved |85

 5. Global Block Lists
[If selected, all inbound email is checked for spam against 5 IP address-based block lists. This
option is used in conjunction with the "Number of Block List Hits" option]
6. Number of Block List Hits
[Specify a value to set the number of hits required before the sending IP address of a
message is rejected.]
Reputation Policy
1. Navigate to Administration | Gateway | Policies | Reputation Policy
2. Open the Reputation Policy
Options
3. Policy Narrative: Reputation Policy
4. Select option: Reputation Definition
Emails From
5. Address Based On: The Return Address
6. Applies From: Everyone
7. Specifically: Applies to All Senders
Emails To
8. Applies To: Internal Addresses
9. Specifically: Applies to all Internal Recipients
Validity
10. Enable / Disable: Enable
11. Set policy as perpetual: Always On
12. Date Range: Eternal
13. Policy Override: Disabled
14. Bi Directional: Disabled
15. Source IP Ranges: No entries
16. Hostname(s): No entries

17. Save and Exit

To access the policy, navigate to Administration | Gateway | Policies. To configure, see this article.

Greylisting
Greylisting is a default compliance check applied to all inbound messages not previously seen by the
Mimecast Servers. This helps to defend email users from unsolicited spam email.
The vast majority of spam is sent from applications designed to "fire-and-forget" emails, where they
attempt to send spam to one or more MX hosts for a domain, but never attempt a retry. By using
greylisting policies, any messages sent from an incorrectly configured MTA aren't accepted.

The Greylisting Process

Greylisting looks at the following pieces of information for the delivery attempt:
• IP address of the MTA
• Envelope sender address
• Envelope recipient address
With this information, we have a unique relationship for that particular SMTP session:
• If we've never seen this information before, a server busy status (451 Resource is
Temporarily Unavailable) is issued. This is a temporary failure and is maintained for 60
seconds, forcing the sending server to queue and retry.

©2022 Mimecast. All Rights Reserved |86

 • A correctly configured MTA always attempts to retry the message's delivery. If the MTA
retries after 60 seconds and before the 12-hour upper limit, the message is accepted.
• If the message is not retried in this 12-hour period, an entry is logged in the Rejection
Viewer as "Sender Failed to Retry" (12 hours after the initial attempt). See the Message
Center: Rejected and Deferred Messages page for further details.
• If the sending MTA attempts again after 12 hours from the initial attempt, the greylisting
process restarts.

Usage Considerations
Consider the following before creating a policy:
• All email connections that have been subjected to greylisting are logged in the Deferred
Messages Queue.
• Any sender email address, domain, or IP address added to the Auto Allow or Permitted
Senders list isn't subjected to greylisting.
• A greylisting policy is created by default by Mimecast Support during the Implementation
process, configured to apply to all inbound traffic. There may be instances where you have
trouble receiving email from legitimate senders, whose MTA haven't been correctly
configured. If the sender's MTA doesn't comply with RFC standards, but their messages are
deemed safe for your organization, you can create a greylisting bypass policy.
Greylisting Policy
1. Navigate to Administration | Gateway | Policies | Greylisting
2. Open the Greylisting Policy
Options
3. Policy Narrative: Greylisting Policy
4. Select option: Apply Greylisting

Emails From
5. Address Based On: The Return Address
6. Applies From: Everyone
7. Specifically: Applies to All Senders
Emails To
8. Applies To: Internal Addresses
9. Specifically: Applies to all Internal Recipients
Validity
10. Enable / Disable: Enable
11. Set policy as perpetual: Always On
12. Date Range: Eternal
13. Policy Override: Disabled
14. Bi Directional: Disabled
15. Source IP Ranges: No entries
16. Hostname(s): No entries
To access the policy, navigate to Administration | Gateway | Policies. To configure, see this article.

Spam Scanning
Mimecast's multiple scanning engines examine the content of inbound mail by searching for key
phrases and identifiers commonly used by spammers. Based on the findings Mimecast will make a
decision based on whether or not an email is allowed through, held or rejected.

©2022 Mimecast. All Rights Reserved |87

Considerations
Consider the following before configuring a definition or policy:
• Our spam engine works by giving each email a spam score. A message with a spam score of
28 or higher is automatically rejected in protocol and logged in the Rejection Viewer. This
happens regardless of whether a spam scanning policy is configured.
• If an email address, domain name, or IP address is added as a permitted sender, the inbound
message still undergoes spam scanning, but the spam scanning definition action is not
applied.
• If a DNS Authentication policy applies to a message, but the permitted sender fails the DNS
checks (e.g. SPF) the message is still subjected to spam scanning.

MSOC will evaluate spam reports submitted by customers.

Spam Scanning Default Definition

1. Navigate to Administration | Gateway | Policies | Definitions | Scan Definitions
2. Click on the appropriate folder (e.g., Default Definitions)
3. Open your Default Spam Scanning Definition
4. Description: Default Spam Scanning Definition
5. Spam Detection Level: Relaxed
[This sets the definition triggering threshold to 7 points and is recommended for users that
only receive some junk email. The other options are Moderate (5 points) and Aggressive (3
points). The default here is dependent upon your region.]
6. Spam Detection Action: Hold for Review
[Messages triggered as spam are sent to the hold queue.]
7. Enable Graymail Control selected.
8. Greymail Detection Action: Tag Headers as Greymail
[The SMTP header is tagged with "X-Mimecast-Bulk-Signature: yes". With this header
enabled, you can define a rule in your email client to take action on greymail – for example,
moving messages to a graymail folder.]
9. Configure Hold Notification Options section as desired.
• Notify Group - Notifies a pre-defined Group of users when the definition is triggered
(e.g., Administrators).
• Notify Recipient - Notifies the internal recipient when the definition is triggered.
• Notify Overseers - Notifies users that are specified within the Content Overseers Policy.
Users can prevent messages from being classified as greymail by adding
senders to their Managed Senders list using a Mimecast End User Application
like Mimecast for Outlook or the Mimecast Personal Portal.

Spam Scanning Default Policy

1. Navigate to Administration | Gateway | Policies | Spam Scanning
2. Open the Default Spam Scanning policy
Options
3. Policy Narrative: Default Spam Scanning Policy
4. Select Message Scan Definition: Default Spam Scanning Definition

©2022 Mimecast. All Rights Reserved |88

 Emails From
5. Address Based On: The Return Address
6. Applies From: Everyone
7. Specifically: Applies to All Senders
Emails To
8. Applies To: Internal Addresses
9. Specifically: Applies to all Internal Recipients
Validity
10. Enable / Disable: Enable
11. Set policy as perpetual: Always On
12. Date Range: Eternal
13. Policy Override: Disabled
14. Bi Directional: Disabled
15. Source IP Ranges: No entries
16. Hostname(s): No entries

To access the policy, navigate to Administration | Gateway | Policies. To configure, see this article.

Secure Delivery and Receipt

Since some organizations will not accept emails from you that are not sent with forced encryption,
you will need to understand how to set this up. Previously you would have set this up through your
Exchange Server or Cloud Service, but now you need to do this with Mimecast.
To set up forced encryption, you will need to use the Secure Delivery and Receipt policies that come
with your account. Secure Delivery and Receipt policies allow inbound and outbound messages to be
received and sent securely using Transport Layer Security (TLS) technology. TLS is designed to reduce
the risk of eavesdropping, interception, and alteration of mail sent across the internet as it encrypts
data between the sending mail server and us.

Usage Considerations
Consider the following before configuring a policy:
• Secure Delivery and Secure Receipt policies are required to ensure the entire transmission is
encrypted
• TLS technology protects confidentiality and data integrity by encrypting connections
between servers
• Using TLS Requires an installed third-party certificate at each end of the tunnel
• Mimecast supports connections using TLS 1.2, 1.1, and 1.0 for AES-256, MD5, and AnonDH
Secure Delivery and Receipt Defaults
The policies listed below are added to all new accounts to add email addresses or domains that must
only be communicated with using TLS.
• A Secure Delivery definition called "Default Secure Delivery - Enforced TLS" is created with
the "Enforced TLS" option. This requires a publicly signed certificate from a root certificate
authority. See the Configuring Secure Delivery Definitions and Policies page for full details.
• A Secure Delivery policy from "Everyone" to a group called "Enforced TLS Group". Add
email addresses or domains to this group so that email to them will attempt Enforced TLS.
• A Secure Receipt policy from "Everyone" to a group called "Enforced TLS Group". See
the Configuring Secure Receipt Policies page for full details.

©2022 Mimecast. All Rights Reserved |89

 These policies are bi-directional so it will apply to both inbound and outbound email.

To access the Secure Delivery and Receipt policies, navigate to Administration | Gateway | Policies.

©2022 Mimecast. All Rights Reserved |90

Lesson 3: Data Leak Prevention Policies
Secure Messaging
Mimecast Content Control and Data Leak Prevention (DLP) is an email security service that works in
conjunction with the other security services of Mimecast to deliver additional regulatory compliance
controls and email content security tools. Optional additions, such as Mimecast Secure Messaging
and Mimecast Large File Send can also be added to give additional security and functionality.
Since certain communications or files are so sensitive that delivering them via email using the open,
public internet is unacceptable, Administrators need a way for employees in their organization to
send sensitive information securely.
Mimecast’s proprietary Secure Messaging lets you share sensitive information with people outside
your organization without a message ever leaving the confines of the secure Mimecast network.
How Secure Messaging works
• When a sender decides to send a message via Secure
Messaging, the message goes through the same checks as
standard email. It is then stored in the Secure Messaging
portal within the Mimecast cloud.
• Mimecast then sends an email with a link to this portal to
the message recipient so they can use the link to view the
message. The recipient will need to login to the Secure
Message portal to read the message.
Sender Options
The important thing is that the sender can put limitations on what
the recipient can do with the message, depending on the
configuration set by their Administrator.
They may be able to decide not to allow printing, or they might
set an expiry date as to how long the recipient can access the
message.

You can send and manage secure

messages in the various Mimecast
end user applications:
• Secure Messaging Portal
• Mimecast for Outlook
• Mimecast for Mac
• Mimecast Mobile

Click here to access documentation on how to use Secure Messaging.

Configuring Secure Messaging
Secure Messages can be triggered by Content Examination, Mimecast for Outlook or the Secure
Message Policy itself as well as other end user applications (e.g., Mimecast for Mobile, Mimecast
Personal Portal).

©2022 Mimecast. All Rights Reserved |91

Below is an example of a Secure Messaging configuration to setup Secure Messaging in the
Mimecast for Outlook ribbon:

Secure Messaging Definition

1) Navigate to Administration | Gateway | Policies | Definitions | Secure Messaging
2) Create a folder or select and existing one (e.g., Secure Messaging Definition)
3) Choose New Secure Messaging Definition
4) Description: Secure Messaging Definition (Print, Reply, Reply All)
5) Message Permissions: Allow external recipients to print, reply and reply all
6) Message Expiry: 14 Days (external person will not be able to access the message after it
has expired)
7) Allow Sender to Extend: 30 Days
8) Send Read Receipt (This setting allows a read receipt email to be sent to the sender of
the secure message when the recipient opens and views the message.)
9) Customize Internal Notification Banner (Enable this option if you’d like to change the
default notification banner added by Mimecast to internal secure messages.)
10) Save and Exit

There is NO POLICY required with the MFO configuration. You will need to apply this
definition to all users by way of options you select under an Application Settings
Definition.

Configure in Application Settings

1) Navigate to Administration | Services | Applications | New Application Settings
2) Description: Secure Messaging Application Setting
3) Group: All Users
4) Authentication Profile: Default Application Settings Authentication Profile
Note: All other settings under General configure as you wish. More detail on Applications
Settings can be found in the Configuring Application Settings article.
Gateway Settings
5) Enable Send as Secure Message
[This enables end users to send emails using Secure Messaging through Mimecast
applications]

6) Secure Messaging Folder: Use Lookup and select the appropriate Secure Messaging
Definitions folder
[This will pull in all the definitions under this folder]
7) Save and Exit

Secure Messaging options in the Mimecast For Outlook plugin are based on the
Secure Messaging folder chosen within Application Settings. All definitions within the
chosen folder will appear as options when applicable users click the Send Securely
button in their email client.

©2022 Mimecast. All Rights Reserved |92

Content Examination
Overview
A Content Examination definition analyzes the content of messages (e.g., message body, subject and
header), looking for patterns and matches you provide. It sets the conditions under which a
message is considered safe, and what action should be taken if it isn’t.
Content Examination Policies can trigger:
• Actions:
▪ None
▪ Hold
▪ Delete
▪ Bounce

• Policies Override Options:

▪ Secure Messaging
▪ Secure Delivery
▪ Group Carbon Copy

Content Examination Policies don’t apply based on policy specificity. They can apply to
every single message that falls under the scoping of the policy. In other words, multiple
content examination policies can be applied to a single message.

Reference Dictionaries
Content Examination definitions can link to a reference dictionary. These are typically created by the
administrator to contain a list of words, phrases, or regular expressions. The email content is
matched against a predefined set of text entries.
Content reference dictionaries are added from the Insert menu inside a Content Examination
Definition.
Each line in the word/phrase match list within the definition must have a scoring number in front of
it, which is the number that will be added to the message's score. Then if the total score matches
the activation score, the action will be taken on the message.
Multiple definitions can point to the same dictionary. We have a set of Mimecast-managed
reference dictionaries that you can use for credit cards, profanity, and healthcare. Custom reference
dictionaries can also be created.

ALERT: Please note that while Mimecast supports the use of regular expressions, and
may recommend certain ones to use, we do not directly support the writing of the
expressions themselves and cannot provide troubleshooting based on how they are
constructed - we can only compare the regex you are using vs. message content to see
if the content matched or not, if troubleshooting is needed.

Entities
Entities allow administrators to search for sensitive information in messages and attachments,
without the need to create complicated word lists or regular expressions (regex). Entity groups are a
©2022 Mimecast. All Rights Reserved |93
collection of entities aligned by category (e.g., PII, PHI or Financial). This allows administrators to
search based on a subject area, rather than listing individual entities to achieve the same goal.
How Entities Work
An entity consists of:
• A validator: confirms that the structure of the content meets the defined standards for the
item you are looking for. For example, if looking for credit cards, the content must contain
four blocks of four numbers, and a check digit within the specified range.
• A regular expression. This is applied to the target content, if the validator check passes.
Should the validator check fail, the content checks stop.
• A word list. This is used to limit the number of false positives encountered by matching
keywords for the subject area. For example, credit card keywords are used when using the
credit card entities. This helps determine the context of the match and allows us to exclude
a string of numbers that meet the credit card checks but which isn't a credit card number.
There is also an option to not require a keyword by using the “_nkw” feature that goes after
the entity.
Types of Entities
• Credit Cards
• Passport Numbers
• Date of Birth
• Social Security Number

Note: See the Content Examination Definitions: Using Reference Dictionaries and Content
Examination Definitions: Using Entities pages for more information.

Single Entity Example

The "creditcard" entity finds all credit card numbers, regardless of the credit card type. For example,
the following would match any credit card number found in the specified areas of an email (header,
body, attachment), if it is within proximity to a credit card entity keyword. This would be typed in
the Word / Phrase match list of a Content Examination Definition. See the "Credit Card" section of
the Content Examination: Entity Keywords page for further details.

• 1 detect creditcard

Other examples:
• 1 detect passport
• 1 detect DOB
• 1 detect SSN
Content Examination Definition Examples
• Content Examination Keyword Trigger: If you want users to have the freedom to decide (on a
per message basis) to send something via Secure Messaging (if they don’t use MFO, MPP or
Mimecast for Mac), the Administrator will have to decide on a keyword, make it part of the
configuration and tell their users what that keyword is and have them use it in the “Subject”
line, for example, the word “Secure” in brackets preceding a normal subject – [Secure] Financial
Documents.

©2022 Mimecast. All Rights Reserved |94

• Content Examination Dictionary Attribute: Your Administrator can set up a Content
Examination Definition with a Mimecast Managed Reference Dictionary or a Custom Reference
Dictionary they create, that will either prevent a message from being sent or send a message
using Secure Messaging if the email contains certain text (e.g., credit card number or profanity).
• Content Examination Word / Phrase Match: Your Administrator can set up a Content
Examination Definition with a keyword (or words) in the Word / Phrase match list that will either
prevent a message from being sent or send a message using Secure Messaging if the email
contains a social security number for example (or any other key word).
The following configuration will Hold for Review all messages outgoing that contains profanity.

Content Examination Definition –Profanity Hold

1. Navigate to Administration | Gateway | Policies | Definitions | Content Definitions
2. Choose the appropriate folder (or create one)
3. Click the New Content Definition button
4. Description: Profanity Hold Definition
5. Definition Type: Independent Content Definition
6. Activation Score: 1
7. Fuzzy Hash Setting – Do not use Fuzzy Hash techniques
8. Click the menu item Insert | Mimecast Managed Reference Dictionary
9. In the Link Content Reference field, click Lookup and click Select next to Profanity, add a
comment Save and Exit
10. Choose which contents to scan (Subject, Message Body)
Inbound and Outbound Settings
Enable Inbound and Outbound Check
Policy Override Options
11. Policy Action: Hold for Review
12. Hold Type: Administrator
Notification Options
13. Notify Group: Administrator (Alerts)
14. Save and Exit

ALERT: If you are creating your first Content Examination policy and you are unsure of
the impact, select None as the Policy Action, and use a Notify Group | Administrator
alerts. Monitor how often you are getting notifications.

Content Examination Policy – Profanity Hold

1. Navigate to Administration | Gateway | Policies | Content Examination
2. Click the New Policy button
Options
3. Policy Narrative: Profanity Hold Policy
4. Select Content Definition: Use the Lookup button and choose Profanity Definition
Emails From
5. Addresses Based On: The Return Address
6. Applies From: Internal Addresses
7. Specifically: Applies to all Internal Recipients

©2022 Mimecast. All Rights Reserved |95

 Emails To
8. Applies To: External Addresses
9. Specifically: Applies to all External Recipients
Validity
10. Enable / Disable: Enable
11. Set policy as perpetual: Always On
12. Date Range: Eternal
13. Policy Override: Disabled
14. Bi-Directional: Disabled
15. Source IP Ranges: No entries

16. Save and Exit

In the following configuration, we will configure Content Examination to look for specific keywords,
e.g., [Secure], etc. and Send as a Secure Message based on the matches we find.
For Example: An administrator will notify their employees that if they wish to send something using
Secure Messaging, they can insert a key word – for example: [Secure] into the Subject of an email so
it triggers a Secure Message.

Content Examination Definition – Keyword Trigger

1. Navigate to Gateway | Policies | Definitions | Content Examination
2. Choose the appropriate folder (or create one)
3. Click the New Content Definition button
4. Description: Content Inspection-Keyword Trigger
5. Definition Type: Independent Content Definition
6. Activation Score: 1
7. Fuzzy Hash Setting – Do not use Fuzzy Hash techniques
In the Word/Phrase Match List: For each word/phrase, enter a 1 and a space, and then the word
or phrase - Phrases must be in quotes
▪ 1 “[Secure]”
8. Case Sensitive
[Uppercase, Lowercase and Proper Case is matched exactly. If not selected, any case will be
matched.]

9. Match Multiple Words

[The definition will search for repetitions of the listed words in the Word/Phrase Match List
within the email.]
10. Choose which contents to scan (Subject for this example)

Inbound and Outbound Settings

Policy Override Options
11. Policy Action: None
12. Secure Messaging Override: Click lookup and choose the secure messaging definition that
you wish to use.
Notification Options

©2022 Mimecast. All Rights Reserved |96

 13. Notify Group: Click Lookup and choose and Admin group - e.g., Administrator Alerts
(default)
14. Save and Exit

Content Examination Policy – Keyword Trigger

1. Navigate to Administration | Gateway | Policies | Content Examination
2. Click the New Policy button
Options
3. Policy Narrative: Content Inspection-Keyword
4. Select Content Definition: Content Inspection-Keyword Trigger
Emails From
5. Addresses Based On: The Return Address
6. Applies From: Internal Addresses
7. Specifically: Applies to all Internal Recipients
Emails To
8. Applies To: External Addresses
9. Specifically: Applies to all External Recipients
Validity
10. Enable / Disable: Enable
11. Set policy as perpetual: Always On
12. Date Range: Eternal
13. Policy Override: Disabled
14. Bi Directional: Disabled
15. Source IP Ranges: No entries

16. Save and Exit

©2022 Mimecast. All Rights Reserved |97

Lesson 4: Attachment Policies
Attachment policies are those that are configured to scan attachments.

Suspected Malware
Suspected Malware policies, or Zero Hour Adaptive Risk Assessor (ZHARA), is our proprietary
software that provides early detection and prevention against zero-day malware and spam
outbreaks. This provides protection against previously unknown threats using deep level anomaly
detection, and trending against our entire customer base.

What is a Suspected Malware Policy used for?

A Suspected Malware policy is created to ensure messages containing the following file types in a ZIP
file, are held in the hold review queue and marked as suspected malware:
EXE PIF
MSI SCR
COM CPL

• Encrypted ZIP files are not affected by this policy.

• This policy works independently of any attachment management policy that you've created.
• The policy can be bypassed via a Suspected Malware Bypass policy, but this is not
recommended. If you do, a new virus outbreak might go undetected while signatures are
being updated.
By default, there is usually only one default Suspected Malware definition configured.

Suspected Malware Default Definition

Note under the Malware Definition Settings section, there are some options that do not need to be
enabled if Attachment Management is part of the Mimecast subscription.
1) Navigate to Administration | Gateway | Policies | Suspected Malware | Default Definition
2) Policy Narrative: Default Suspected Malware Definition
3) Suspected Malware: Enabled by default
[This option is enabled by default, and it is recommended to leave it enabled. The check
provides additional protection against (zero hour) viruses and will look out for specific file
types found within archives.]

4) Archive limit: This option is enabled by default if Attachment Management is not part of the
Mimecast subscription and in which case it is recommended to leave it enabled. The check
offers protection against archives that might be malicious.
5) Policy Action: Hold for Review
6) Hold type: Administrator
7) Notify Internal Recipient: check
Suspected Malware Default Policy
1) Navigate to Administration | Gateway | Policies | Spam Scanning
2) Click the New Policy button
3) Policy Narrative: Default Suspected Malware
4) Select Message Scan Definition: Default Suspected Malware Definition

©2022 Mimecast. All Rights Reserved |98

 5) Addresses Based On: The Return Address
6) Applies From: Everyone
7) Applies To: Internal Addresses
8) Save and Exit

Attachment Management
What is Attachment Management?
There are attachment-based policies to filter out possible malware by controlling for attachment size
or types of files that are allowed through.
Similar to Suspected Malware but extremely granular. There are several different policies that
correspond with Attachment Management.
There are 3 similar policies: Attachment Block on Size, Attachment Link on Size and Attachment
Hold on size if you navigate to Administration | Gateway | Policies. These policies are intrinsically
matched with our default Attachment Management policy.

Attachment Block on Size

Maximum attachment size: The sum total of all attachments (e.g., text, PDFs, etc.) in Kilobytes. If
the attachments exceed this number, the message will be blocked for user.

Attachment Link on Size

Sum total of all attachments: Instead of us delivering it to user’s email server, we will give them a
link where they can access attachments and download them.

Some companies have limited storage on their mail servers. This policy will allow
attachments to be directly downloaded from Mimecast to the local machine.

Attachment Hold on Size

Attachment Hold on Size requires administrator intervention to release the held attachment and
because of this can create administrative overhead.
Click here for more detail.

Attachment Sets
You should have a default definition and policy configured for dangerous file types using Mimecast
Best Practice to block dangerous file types. This would be an Attachment Management Policy with a
Definition called Attachment Sets which is similar to suspected Malware but here you can granularly
decide what you want to do BASED ON THE FILE EXTENSION (block, allow or link).

Attachment Management Block Dangerous File Types Default Definition

1) Navigate to Administration | Gateway | Policies | Definitions | Attachment Sets
2) Click the folder called Dangerous File Types
3) Open the Default Attachment Management Definition – Block Dangerous File Types
Definition
4) Description: Default Attachment Management Definition – Block Dangerous File Types

©2022 Mimecast. All Rights Reserved |99

 5) Default Block / Allow: Block Specified Content Types (Allow or Link All Others)
6) Allow Auto Updates: Enabled
7) Pornographic Image Setting: Do Not Scan Images
8) Encrypted Archives: Hold
9) Unreadable Archives: Allow
10) Encrypted Documents: Allow
11) Hold type: User
12) Content Types: Note all of the dangerous file types blocked with this policy
Attachment Management Block Dangerous File Types Default Policy
1) Navigate to Administration | Gateway | Policies | Attachment Management
2) Open the Default Attachment Management Policy – Block Dangerous File Types policy
3) Policy Narrative: Default Attachment Management Policy – Block Dangerous File Types
4) Addresses Based On: The Return Address
5) Applies From: Everyone
6) Specifically: Applies to All Senders
7) Email To: Everyone
8) Specifically: Applies to All Senders
9) In the Validity section, enable Bi-Directional
10) Save and Exit

©2022 Mimecast. All Rights Reserved |100

Lesson 5: End User Notifications Overview
Digest Sets
Digest Set emails sent to end users allow them to release, block, or permit messages that are
deemed to potentially contain junk / spam content, or specific attachments. These messages are
held in a quarantine area called the held queue. Digest set emails can be configured to:
• Define the frequency of the emails sent.
• Specify the policies that will include messages in the emails.
• Specify the actions end users can take on messages that are in the held queue.
• Include your company's branding if this is part of your Mimecast subscription.

Configuring a Digest Set Definition and Policy

A digest set definition and policy controls the frequency
of the digest set emails sent to end users, and specifies
the policies used to include messages in the digest set
email.
The policies that can be used to control the digest set
messages are:

• Spam Scanning
• Attachment Management
• Content Examination

Select the boxes in the Digest Definition to apply the Digest Notification to inbound emails when
they trigger Spam, Content or Attachment Management Definitions.
Spam Scanning Digest Example:
If the spam detection action is set for hold for review in the spam scanning
definition, the digest can be utilized to inform the user of held messages, at
which point it can be released or blocked.

Frequency of Notifications
Digest Sets are only sent to internal users. The policy is set from
Everyone to Internal. These are sent specifically for an individual
internal user that has anything on user level hold.
Users can get a digest informing them of all spam caught by
Mimecast. These are set by default up to three times but can be sent
hourly over a 24-hour period. They can review these emails via their
Mimecast client and can release block or permit the sender for future communications.

Default Configuration
A default Digest Sets definition and policy is configured on Mimecast accounts as described in
Configuring Digest Set Emails. You can customize the default Digest Set or create new ones that are
specific to your needs.

©2022 Mimecast. All Rights Reserved |101

Digest Set Default Definition
1. Navigate to Administration | Gateway | Policies | Digest Sets | Definitions
2. Open the Default Digest Set Definition
3. Description: Default Digest Set Definition
4. Notice the options to apply the Digest Notification to inbound emails when they trigger
Spam, Content or Attachment Management Definitions.
5. See the times / days selected for when the Digests will be sent out
6. Make your desired changes.
7. Save and Exit
Digest Sets Default Policy
1. Navigate to Administration | Gateway | Policies | Definitions | Digest Sets
2. Open the Default Digest Set Policy
Options
3. Policy Narrative: Default Digest Set Policy
4. Select Digest Set: Default Digest Set Definition
Emails From
5. Applies From: Everyone
6. Specifically: Applies to All Senders
Emails To
7. Applies To: Internal Addresses
8. Specifically: Applies to all Internal Recipients
Validity
9. Enable / Disable: Enable
10. Set policy as perpetual: Always On
11. Date Range: Eternal
12. Policy Override: Disabled
13. Bi Directional: Disabled
14. Source IP Ranges: No entries
15. Hostname(s): No entries

Be aware, a notification sets definition and policy allows you to customize the digest
set email sent to end users.

Notification Sets
Notification Sets policies allow you to customize the notifications generated by Mimecast for certain
email delivery events. If no policy is configured, the default notifications apply. You can specify
which notifications apply to different end users, as well as user groups.
Some examples include notifying users when a message:
• Has been modified (e.g., stripped attachments)
• Did not complete delivery (e.g., bounced or held)
Normally, there is only one policy for the entire company, mostly scoped from everyone to
everyone.
Under Notifications, you will see you have a set of notifications. You can see which ones are enabled
and support branding.

©2022 Mimecast. All Rights Reserved |102

Evaluate Default Notifications
1) Navigate to Administration | Gateway | Policies |
Notification Sets | Definitions
2) Click on Default Notification Set
3) Open one (e.g., Hold for Review Notification)

Editing a Notification Set

By clicking on a notification, you can modify the sender (by default they come from your postmaster
address, but you can change this to an internal administrator), the subject, as well as the body of the
message in plain text or HTML (the version transmitted is dependent on the recipient MTA), e.g.
adding additional text to a digest instructing recipients on its usage.
When amending the body of notification sets, you must leave some Mimecast components
unaltered as the notification delivery relies on them.
Note: More on Notification Sets can be found in the Configuring Notification Sets Definitions and
Policies article here.

©2022 Mimecast. All Rights Reserved |103

Targeted Threat Protection
Fundamentals
Targeted Threat Protection Overview
Mimecast Targeted Threat Protection which includes URL Protect, Attachment Protect and
Impersonation Protect, safeguards your organization and employees against sophisticated email-
borne attacks. It helps defend against attackers trying to steal data or credentials, plant
ransomware, trick employees into transferring money, and springboard to attack supply chains.
These kinds of threats require advanced security measures over and above those provided by
traditional email security systems.
• Emails pass through the Mimecast gateway and are scanned for the presence of URLs,
attachments, key words/phrases, and other indicators of an attack.
• URLs are re-written and checked pre-click and on every click.
• Attachments are analyzed using a combination of static file analysis and full system emulation
sandboxing. Files can be converted to a safe format and delivered instantly.
• Emails are scanned for multiple indicators of compromise to protect against impersonation
attacks.
• Mimecast’s Threat Intelligence Dashboard provides actionable intelligence to aid incident
investigation and reduce mean time to respond.

Lesson 1: Impersonation Protect

Impersonation Protect delivers comprehensive protection against social engineering-based attacks.
Often called CEO fraud, impersonation, whaling or business email compromise, these attacks are
designed to evade traditional gateway checks and trick users into handing over money, company
secrets, or sensitive employee information. Attackers will pose as C-level execs, supply chain
partners or well-known internet brands in an attempt to exploit the relationship or trust of internal
employees.

How it Works
Impersonation Protect detects and prevents these types of attacks by identifying combinations of
key indicators in an email to determine if the content is suspicious, even in the absence of a
malicious URL or attachment.
These indicators include:
Similar Domain (including Attempts to use a similar domain to the target,
homoglyph/homograph) a popular internet domain, or supply chain
partner domain.
Newly observed domains These are more likely to be malicious.
Internal Username (e.g., display name) Is the attacker trying to spoof an internal
sender?
Reply to mismatch Senders trying to hide their true sending email
address.

©2022 Mimecast. All Rights Reserved |104

 Key phrases (e.g., “wire transfer”, or “W2”) A Mimecast managed and customizable threat
dictionary of common terms used in these types
of attacks.

Key Capabilities
• Ensures end users are protected by blocking, quarantining, or visibly marking suspicious emails.
• Protects against newly observed and newly registered domains used in an attack.
• Scans for popular internet domain brand impersonation.
• Uses a Targeted Threat Dictionary managed by Mimecast that customers can add custom terms to.
To access your Impersonation Protect policy and definition, navigate to Administration | Gateway |
Policies.

Out of the Box Configuration

A default Impersonation Protection definition is configured on Mimecast accounts as described in
the Out of the Box Configuration article here. You can customize your default impersonation
protection policy or create new ones that are specific to your needs.

Impersonation Protect Default Definition

1. Navigate to Administration | Gateway | Policies | Definitions | Impersonation Protection
2. Select the Default Impersonation Protection Definition
Identifier Settings
3. Description: Default Impersonation Protection Definition
4. 1Similar Internal Domain Enabled
[Checks sender domain against yours]
5. 2Similar
Monitored External Domains Enabled
-Check Mimecast Monitored External Domains Enabled
[Checks the sender's domain against Mimecast monitored external domains.]
-Check Custom Monitored External Domains Disabled
[Check the sender's domain against your custom monitored external domains.]
6. 3Newly Observed Domain Enabled
[Checks if the domain name used by the sender has only recently been seen (within the last 7
days) sending email messages.]
4Display
7. Name Enabled
[Checks if the display name used by the sender matches the display name of one of your
users.]

©2022 Mimecast. All Rights Reserved |105

 8. -All Internal Display Names Enabled
[Checks the sender display name against all internal display names.]
-Custom Display Names Empty
5
9. Reply to Address Mismatch: Disabled
[Identifies if a mismatch has occurred between the sender’s email address (both Header and
Envelope) and the Reply To email address.]
10. 6Targeted Threat Dictionary Enabled
-Mimecast Threat Dictionary Enabled
[Checks message content against the Mimecast threat dictionary]
-Custom Threat Dictionary Disabled
[Checks message content against a custom threat dictionary]
11. Number of Hits: 2
Note: The maximum number of hits is 6. This refers to all the “main” checkbox items (not
sub-categories) under the Identifier Settings in the configuration above (identified with
superscript numbers above).
Other fields below not set in the out of the box configuration, but available for you to
configure as desired:
12. Enable Advanced Similar Domain Checks
[Checks for advanced attacks where the sender's domain is “Advanced Similarity Checks” can
similar to your internal or monitored external domains.] identify advanced impersonation
attacks, where the domain of
13. Exclusions
inbound emails or links appear
-Ignore Signed Messages
similar to your internal domains or
[If enabled, Impersonation Protection is not applied to
digitally signed messages. This ensures the message's domains of external organizations.
signature remains intact but means impersonation checks
are not performed on the message.] Depending on your organizations'
preferences, select the "Action" to
-Bypass Managed & Permitted Senders either warn users when a similar
[Bypass IP checks for Managed Senders entries and link is detected, or block users
Permitted Senders policies.] from accessing the link and display
Identifier Actions
a block page.
14. Action: Hold for Review
[Action to take when the number of hits has been reached]
15. Hold Type: User
[If you choose User you are putting the review of the held messages in the hands of the user.
The other options are Moderator (Overseer access which is tied to an Overseer policy) and
Administrator].
16. Moderator Group: Choose a Moderator Group if desired.
17. Tag Message Body
[Enable this option if Mimecast should insert: “This message contains suspicious
characteristics and has originated from outside your organization” into the body of the
message.]
18. Tag Subject
[Enable this option if Mimecast should insert [SUSPICIOUS MESSAGE] into the subject of the
message.]Tag Header]

©2022 Mimecast. All Rights Reserved |106

 19. Tag Header:
[Enable this option if Mimecast should insert language if it detects Similar Domain, Newly
Observed Domain, Internal Username, items in Targeted Threat Dictionary]
General Actions:

20. Mark All Inbound Items

[If you choose this, it makes the options for tagging Subject, Message Body, and Header
visible in emails. Select at least one of the options (tag message body, subject or header) if
you've enabled 'Mark All Inbound Items as External']
Notifications

21. Notify Group: Choose your group (e.g., Administrator Alert)

Impersonation Protect Default Policy

1. Navigate to Administration | Gateway | Policies | Impersonation Protection
2. Open the Default Impersonation Protection Policy
Options
3. Policy Narrative: Default Impersonation Protection Policy
4. Select option: Default Impersonation Protection Definition
Emails From
5. Address Based On: Both
6. Applies From: External Addresses
7. Specifically: Applies to all External Recipients
Emails To
8. Applies To: Internal Addresses
9. Specifically: Applies to all Internal Recipients
Validity
10. Enable / Disable: Enable
11. Set policy as perpetual: Always On
12. Date Range: Eternal
13. Policy Override: Disabled
14. Bi Directional: Disabled
15. Source IP Ranges: No entries
For more detail, read Targeted Threat Protection: Impersonation Protect.

©2022 Mimecast. All Rights Reserved |107

Lesson 2: URL Protect
URL Protect rewrites all links in inbound emails and scans the destination website at time of click, to
block access to malicious websites and protect from delayed exploits. Access to malicious sites, is
blocked using a combination of global block lists and real-time web page analysis.
Administrators can block, warn, or allow employee access to websites. Real-time logging, auditing
and reporting, including a dedicated dashboard, enables administrators to monitor and track
phishing attacks.
Links attempting to directly download dangerous files are blocked and downloads are subject to the
same inspection as attachments.

User Awareness
If User Awareness settings are enabled as part of a URL
Protection Definition, users can be redirected to a page
providing information about the destination of the link
they've clicked.
Here the user can decide if they want to proceed to the
destination site or abort the request. What happens next
depends on:
• The settings configured in the URL Protect definition
• Whether the URL is considered safe, or harmful
• What action the user chooses when presented with
the user awareness prompts

©2022 Mimecast. All Rights Reserved |108

Browser Isolation
If you have TTP URL Protection and you have a URL
Protection definition set to block, you will have
access to a feature called Browser Isolation. How it
works is as follows:
• If the link you click on in an email is new
and has never been seen before by
Mimecast (therefore, uncategorized), the
web page is opened, and the code
executed in remote browsers
in the Mimecast cloud and streams only safe video to users.
• Click here for more information on Browser Isolation.
To access your URL Protect policy and definition, navigate to Administration | Gateway | Policies.

Out of the box Configuration

A default URL Protect definition is configured on Mimecast accounts as described in Out of the Box
Settings for Mimecast Email Security article. In the configuration here we will only discuss the
Inbound Checks.

URL Protection Default Definition

1. Navigate to Administration | Gateway | Policies | Definitions | URL Protection
2. Select the Default URL Protection Definition
Enable Inbound Check
3. Rewrite Mode: Moderate
[Rewrite only when certain the URL is valid – for example, the URL contains a valid scheme or
path.]
4. URL Category Scanning: Moderate
[This setting controls how aggressively the URL
categorization engine operates on dangerous URL If you choose the “Action: Block” and
categories. Other detection capabilities are not leave “Disable Browser Isolation”
altered when changing this setting.] unchecked, you will enable Browser
Isolation which invokes a feature so if the
5. Action: Block
link a user clicks on in an email is new and
[User will be shown a block page if trying to
has never been seen before by Mimecast
access a suspicious URL and will be prevented
(therefore, uncategorized), the web page
from accessing the website.]
will be opened, and the code executed in
6. Disable Browser Isolation: Unchecked (therefore, remote browsers in the Mimecast cloud
enabled) and will stream only safe video to users.
[This option disables Browser Isolation for this
TTP URL definition only. Browser Isolation is only
available for TTP URL Protection definitions using the ‘Block’ action.]
7. Message Subject Protection: Rewrite URLs
[Rewrite any URLs in the message's subject, so they are scanned by URL Protection.]
8. Create Missing HTML Body: Enabled
[Reformat inbound plain text emails as HTML to allow URLs to be rewritten.]

©2022 Mimecast. All Rights Reserved |109

 9. Force Secure Connection: Enabled
[All links will be rewritten as HTTPS. If disabled,
HTTP links will be rewritten as HTTP.]
10. Set to Default: Enabled
Mimecast rewrites URLS and, in the
11. Ignore Signed Messages: Disabled
process, obfuscates the URL string to
[If enabled, URL Protection will not be applied to
ensure users are not able to bypass the
digitally signed messages. This ensures the
protection. However, there is a setting
signature of the message remains intact, but
called “Display URL Destination Domain”
means URLs will not be rewritten.]
to provide users with the ability to see
12. Display URL Destination Domain: Enabled where a link is going without
[The destination domain of the URL will be visible compromising security.
at the end of the rewritten link.]
13. Strip External Source Mode: Disabled
[If this is turned on it may impact the formatting and readability of messages.]
14. File Protocol URL Handling: Hold
[Protect against "hashjacking" attempts by
checking for URLs that use the 'file://' protocol. If Enable all the options under URLs and
you choose Hold, it will add the message to the Attachments. These settings protect your
Held Messages Queue] organization from URLs with dangerous
15. Block URLs Containing Dangerous File Types: file extensions, rewrite URLs, as well as
Enabled scan URLs in attachments that cannot be
[Block URLs containing file extensions which rewritten.
commonly contain malware.]
It’s also important to set the URL File
16. Rewrite URLs Found in Attachments: Enabled Download setting to “Sandbox”, as this
[When enabled at least one attachment part causes inspection of a directly downloaded
needs to be selected. Mimecast will then rewrite file for deep security analysis.
URLs found within the selected attachment
part(s).]
▪ Select Attachment Parts to Rewrite:
▪ HTML
▪ Text
▪ Calendar
17. URL File Download: Sandbox
[Stop the direct download and send the file to the Mimecast sandbox for security checking.
Once checking is complete, notify the user.]
18. Scan URLs in Attachments: Enabled
[Security check URLs in attachments.]
Advanced Similarity Checks
19. Advanced Similarity Checks: Enabled
▪ Check Internal Domains
[Checks links against your internal domains.]
▪ Check Mimecast Monitored External Domains
[Checks links against Mimecast monitored external domains.]
▪ Check Custom Monitored External Domains
[Check links against your custom monitored external domains.]
▪ Action: Block
[Block the user from accessing the link and show a block page.]

©2022 Mimecast. All Rights Reserved |110

 User Awareness
20. Enable User Awareness: Enabled
▪ User Awareness Challenge Percentage: 5% If “User Awareness” settings are enabled,
[Select the frequency for displaying user users can be redirected to a page
awareness pages to the user when URLs in providing information about the
emails are clicked. Default: 5% of clicks.] destination of the link they've clicked.
▪ Disable User Awareness Dynamic Challenge
Adjustment: Disabled
[Incorrect responses to user awareness prompts will increase the frequency of which the
prompts are shown to the user. Select this option to disable dynamic challenge
adjustments.
▪ Use a Custom Page Set: Disabled
[Select a page set to display custom User Awareness web pages and safety tips to your
users]

Notifications
21. Enable Notifications: Enabled
22. Notification Group: Choose your group (e.g., Administrator Alert)

Note: Outbound and Journal Checks will not be discussed in this course. Those configurations are
discussed in the Internal Email Protect course.
URL Protection Default Policy
1. Navigate to Administration | Gateway | Policies | URL Protection
Options
2. Policy Narrative: Default URL Protection
3. Select option: Default URL Protection
Emails From
4. Address Based On: The Return Address
5. Applies From: Everyone
6. Specifically: Applies to All Senders
Emails To
7. Applies To: Internal Addresses
8. Specifically: Applies to all Internal Recipients
Validity
9. Enable / Disable: Enable
10. Set policy as perpetual: Always On
11. Date Range: Eternal
12. Policy Override: Disabled
13. Bi Directional: Disabled
14. Source IP Ranges: No entries

For more detail, read Targeted Threat Protection – URL Protection.

Device Enrollment
Device enrollment enhances security when accessing attachments and links in messages, by using an
authentication service. If the authentication service is turned on, a cookie is stored on the user's
device.
When they access a Targeted Threat Protection service (e.g. a rewritten or attachment release link),
a check is made to see if the cookie is on their device:

©2022 Mimecast. All Rights Reserved |111

 • If yes, the user is allowed to access the service.
• If no, the user must complete a two-step authentication process to enroll their device. Once
their device is enrolled, a cookie is added to their browser, which is used for future
interactions with our Targeted Threat Protection service.
Once a cookie is stored on the end user's device, it's renewed with each additional Targeted Threat
Protection service interaction. You can set an expiry period for the cookie. However, because it's
renewed with each Targeted Threat Protection service interaction, the user only enrolls once unless
they don't access the service again before the cookie expires.

Enable Device Enrollment

1. Navigate to Administration | Account | Account Settings
2. Expand the User Access and Permissions section
3. Select the Targeted Threat Protection Authentication option.
4. Set the Authentication Duration (Days) option to a value between 1 and 365.
[This controls the expiration date of the device's cookie, but as the cookie is renewed with each
Targeted Threat Protection service interaction, the end user only enrolls once unless they don't
access the service again before the cookie expires.]
5. Save and Exit

Benefits of Device Enrollment

Device enrollment offers the following security benefits:
• The user who clicked a link in a forwarded message is recorded. If a message containing a
URL is forwarded, the recipient that clicks on the link is recorded in a log file. Without device
enrollment, the log entry shows the details of the user that forwarded the message, not the
recipient.
• Releases attachments found in internally forwarded messages to the recipient. If the
"Release Forwarded Internal Attachment" option is enabled in an Attachment Protection
definition, users can release an attachment from the sandbox when a message is forwarded
to them. If the option isn't set, and device enrollment is not enabled, the attachment is
released to the original forwarder instead. See the Configuring Attachment Protection
Definitions for full details.
• User awareness checks are not available externally. User awareness is not available for
non-Mimecast customers.
• Releases attachments sent to a distribution list to the recipients. If device enrollment is
enabled, and a distribution list recipient requests an attachment, it's sent to that user only. If
device enrollment is not enabled, and a distribution list recipient requests an attachment,
it's sent to everyone on the distribution list.
• Where a message is sent to a distribution list and a recipient clicks on a link where URL
Protection is applied to embedded links, the logs record the user details. The URL is
rewritten before the message is forwarded to the Exchange. Once there the message is
exploded, everyone gets a copy of the same message. As a result, you're able to track which
distribution list recipient clicked on the link.
Read Targeted Threat Protection: Device Enrollment for further detail.

©2022 Mimecast. All Rights Reserved |112

Lesson 3: Attachment Protect
Attachment Protection is an advanced service,
that protects customers from the growing risk
of spear phishing and other targeted attacks
using email attachments. This protection is
provided on all devices used for the end user's
enterprise email account, including
smartphones or tablets, whether they are
provided directly by the employer or not.

How it Works
You can configure Attachment Protect in
different ways, but the following are the two
most common. Pre-emptive Sandboxing is the
out of the box setting:
1. Pre-emptive Sandbox:
A user is sent an email with attachments. Prior to it reaching their mailbox, a pre-emptive sandboxing
and static file analysis is performed on the file before delivering the email with its attachment to the
user.
If the files are deemed safe, the files are passed through whereas if the files contain malicious code,
they are rejected, the Administrator is alerted and directed to the Held Queue to review.
2. Safe File On-Demand:
Attachments are converted to PDF and sent to the user, giving them the option to request the
original files if they wish to edit. If they want the original files, a pre-emptive sandboxing and static
file analysis is then performed on the files before delivering to the user.
If the files are deemed safe, the files are passed through whereas if the files contain malicious code,
they are rejected, the Administrator is alerted and directed to the Held Queue to review.

Delivery Methods
Attachment Protection uses a definition that can be configured to deliver messages using one of the
following methods:
1) Safe File: Users are provided with a safe, transcribed version of the attachment.
2) Safe File with On-Demand Sandbox: Users are provided with a safe, transcribed version of
the attachment, and an option to request the original attachment via the sandbox. When an
original attachment is requested, a detailed security analysis is performed before it is
provided to the user.
Note: The original attachment can only be released within your data retention time frame.
For example, you receive the safe file and confirm it’s what you want, but don’t request the
original file. If there is a 30- day retention period, and you request the original file on the
31st day, you won’t be able to release it.
3) Pre-Emptive Sandbox: Files are submitted to the sandbox during the email delivery process.
All vulnerable file types are analyzed in the sandbox. The message and its attachments are
only delivered to the user if they are considered safe.

©2022 Mimecast. All Rights Reserved |113

 4) Dynamic Configuration: Allows users to specify the delivery option for individual senders, by
adding them to their trusted user list. The delivery option used, depends on whether the
sender is on the user's trusted sender list.
a. Senders who aren't on their trusted list, use the Safe File With On-Demand Sandbox
delivery option.
b. Senders who are on their trusted list, use the Pre-Emptive Sandbox delivery option.
To access your Attachment Protect policy and definition, navigate to Administration | Gateway |
Policies.

Out of the Box Configuration

A default Attachment Protect Out of the Box configuration is created on all Mimecast accounts as
described in the Out of the Box Settings for Mimecast Email Security article. In the configuration
here we will only discuss the Inbound Checks.

Attachment Protection Default Definition

1. Navigate to Administration | Gateway | Policies | Definitions | Attachment Protection
2. Select the Default Attachment Protection Definition
Enable Inbound Check
3. Attachment Protection Delivery Options: Pre-emptive Sandbox
[Analyses all vulnerable file types in the Pre-Emptive Sandbox, before delivering the mail and
attachments to the user.]
4. Ignore Signed Messages - Disabled
5. Sandbox Fallback Action – Hold for Administrator If the “Release Forwarded Internal
Review Attachments” is enabled, users can
[Select the action to take if an attachment cannot be release an attachment from the sandbox
processed by the Pre-emptive Sandbox] when a message is forwarded to them. If
6. Release Forwarded Internal Attachments – Enabled the option isn’t set, and device enrollment
[Controls whether any internally forwarded isn’t enabled, the attachment is released
attachment can be released from the sandbox. If to the original forwarder instead.
disabled, no internally forwarded attachments can
be released.]
Bounce / Review Notifications
7. Enable Notifications – Enabled
[Select this option to enable notification alerts. These are sent to users and / or user groups
when unsafe attachments are requested by a user. The precise users and / or groups notified,
is controlled by additional options that are displayed with this option selected.]
8. Administrator Group: Choose your group (e.g., Administrator Alert)
Other fields below not set in the out of the box configuration, but available for you to
configure as desired:
9. Internal Sender:
[If checked, the Postmaster will send a notification to the internal sender if the Sandbox Fall-
back Action is triggered.]
10. Internal Recipient:
[If checked, the Postmaster will send a notification to the internal recipient if the Sandbox
Fall-back Action is triggered.]

©2022 Mimecast. All Rights Reserved |114

 11. External Sender:
[It checked, the Postmaster will send a notification to the external sender if the Sandbox Fall-
back Action is triggered.]
Note: Outbound and Journal Checks will not be discussed in this course. Those configurations are
discussed in the Internal Email Protect course.
Attachment Protection Default Policy
1. Navigate to Administration | Gateway | Policies | Attachment Protection
Options
2. Policy Narrative: Default Attachment Protection Policy
3. Select option: Default Attachment Protection Definition
Emails From
4. Address Based On: The Return Address
5. Applies From: Everyone
6. Specifically: Applies to All Senders
Emails To
7. Applies To: Internal Addresses
8. Specifically: Applies to all Internal Recipients
Validity
9. Enable / Disable: Enable
10. Set policy as perpetual: Always On
11. Date Range: Eternal
12. Policy Override: Disabled
13. Bi Directional: Disabled
14. Source IP Ranges: No entries
For more detail, read Targeted Threat Protection – Attachment Protection.

©2022 Mimecast. All Rights Reserved |115

 © 2022 by Mimecast Services Ltd. The information posted in this guide is for use by
Mimecast customers only. Use of the guide is governed by the terms contained in the
user’s agreement with Mimecast. Information in this guide is subject to change
without notice. The Mimecast name and logo are owned by Mimecast Services Ltd
and its affiliates. All other names and marks are the property of their respective
owners.

©2022 Mimecast. All Rights Reserved |116