Mimecast Policies – Groups are best

Mimecast policies are complicated, and we advise using a structured approach when configuring your policies. It is always best to follow a uniform approach to your customisations to ensure ease of management and fewer errors.

For example, let’s take a look at the Permitted Senders policy – it is common to add a domain or email address as a permitted sender if there are delivery issues through the Mimecast platform. An Admin Console administrator could be forgiven for adding a new policy in this area for each new address or domain. However, that would leave many entries listed that all do the same thing.

It is best to create a single policy, and link it to a group.

As above, we have just two policies. One is used just to whitelist IP addresses, and one links to a group which contains our list of whitelisted domains and email addresses.

The policy settings look like this:

This single policy entry links to our Permitted Senders group, and the group is set up as follows:

Multiple entries can be added via an import or by copying and pasting, and a single entry can easily be added too. It is also easy to remove entries by selecting them and then clicking the (rather poorly worded) option ‘Clear Selected Links’. Beware that you do not accidentally select all and click this option!

This group could be synced with AD rather than being managed within Mimecast itself, which could be even easier to manage for you!

We recommend this general approach to policies and groups for other Bypass policies. Take DNS Authentication, for example: it is strongly recommended to apply DKIM, SPF, and DMARC checks to inbound messages. However, we understand that senders have misconfigured systems and these checks may fail from time to time – in an ideal world, the sender would correct their platforms… but we are not in an ideal world, and we know a temporary whitelist is often the only option.

If we click the Definitions button, we can see that we have set up 2 Definitions for this particular policy:

One Definition applies SPF, DKIM, and DMARC checks. And one does none of these checks. Within each of these definitions are further options to define what actions are taken upon the outcome of the checks.

This Mimecast guide shows the recommended entries for this:
https://community.mimecast.com/s/article/DNS-Authentication-Configuration-Guide-345109074

Only whitelist the parts of Mimecast that are strictly necessary! It is very easy to take what we believe is an overly aggressive approach to whitelisting senders to ensure delivery, while forgetting that email security is far more important.

The policy created is similar to any other, but links to our other group:

We can populate the Bypass DNS checks group with our email addresses and domains.

However, we advise that these are treated as TEMPORARY entries! The sender is responsible for ensuring their domain is configured properly to make sure they do not fail SPF, DKIM, and DMARC checks. If a sender fails these checks, they need to take corrective action on their systems.

Bear in mind that if you choose to bypass these checks for a domain, you have opened up the possibility for that sender to be spoofed when sending email to you – and that could be a major security risk.
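As an added example (not from this article or from Mimecast), a small review script for the Bypass DNS checks group that treats its entries as temporary: it flags entries older than an assumed 30-day review window, whole-domain bypasses, entries with no ticket recorded, and malformed entries. The CSV column names and the sample export are constructed assumptions; Mimecast's own group export format may differ.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export of the "Bypass DNS checks" group. The column names
# (entry, added, ticket) are an assumption, not Mimecast's real export format.
SAMPLE_EXPORT = """entry,added,ticket
invoices@supplier-a.example,2024-01-10,INC-1001
partner-b.example,2024-03-02,INC-1042
news@bulk-sender.example,2024-05-20,INC-1100
example.com,2024-05-25,
*.example,2024-05-28,
"""

MAX_AGE = timedelta(days=30)  # assumed review window for a "temporary" bypass
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")

@dataclass
class Finding:
    entry: str
    reason: str

def review_bypass_group(export_text: str, as_of: str = "") -> list[Finding]:
    """Return one Finding per problem in the bypass group export (as_of: ISO date)."""
    today = date.fromisoformat(as_of) if as_of else date.today()
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = row["entry"].strip().lower()
        added = date.fromisoformat(row["added"].strip())
        if EMAIL_RE.match(entry):
            kind = "address"
        elif DOMAIN_RE.match(entry):
            kind = "domain"
        else:
            findings.append(Finding(entry, "not a valid email address or domain"))
            continue
        age = (today - added).days
        if age > MAX_AGE.days:
            # The sender has to fix SPF/DKIM/DMARC; a bypass past its review
            # window should be chased, not silently kept.
            findings.append(Finding(entry, f"bypass is {age} days old; chase the sender to fix their DNS"))
        if kind == "domain":
            # A whole-domain bypass lets anyone spoof any address at that domain.
            findings.append(Finding(entry, "whole-domain bypass; narrow to the sending address if possible"))
        if not (row.get("ticket") or "").strip():
            findings.append(Finding(entry, "no ticket recorded; bypass has no owner or justification"))
    return findings
```

Run it against your real export on a schedule and feed the findings into whatever ticket queue owns the sender conversations.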