IT Operations & Cybersecurity Encyclopedia
Mimecast email security guide
Mimecast email security helps organizations reduce phishing, business email compromise, malicious links, unsafe attachments, spoofing, and email-borne ransomware risk. A mature operating model reviews Microsoft 365 integration, inbound and outbound policies, impersonation protection, URL and attachment controls, DMARC, monitoring, exceptions, and evidence on a recurring schedule.
Why it matters
Operate email security as a layered control
Mimecast should be reviewed as part of the complete email security stack, including Microsoft 365 mail flow, Defender for Office 365 if used, SPF, DKIM, DMARC, user reporting, incident response, and mailbox remediation.
IT and security teams should know which domains are protected, how mail routes, which policies block or warn users, how exceptions are approved, and how incidents are investigated.
This guide is practical operations guidance. It does not replace Mimecast documentation, Microsoft documentation, phishing simulation, incident response, cybersecurity audit, or managed IT support.
Practical rule: Every email security control should document the protected domain, mail flow dependency, policy purpose, action, exception process, monitoring owner, and evidence retained for review.
Review scope
Mimecast email security review areas
Microsoft 365 mail flow
Validate MX records, connectors, domains, routing, fallback, and coexistence with Defender for Office 365.
Inbound protection
Review spam, malware, phishing, URL, attachment, quarantine, and user notification behavior.
Impersonation and BEC
Protect executives, finance users, display-name patterns, lookalike domains, and external sender risk.
Email authentication
Review SPF, DKIM, DMARC alignment, domain inventory, spoof results, and DMARC reporting.
Exceptions
Control allowed senders, bypasses, quarantine releases, temporary exceptions, and expiration dates.
Monitoring and incidents
Track user reports, blocked threats, released mail, policy changes, admin actions, and remediation tickets.
Review matrix
Mimecast email security operations matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| Mail flow | Review MX, connectors, accepted domains, routing, outbound relay, and continuity assumptions. | Is all protected mail flowing through the intended security path? | DNS records, connector export, route map, and test messages. |
| Policies | Review inbound, outbound, spam, malware, URL, attachment, quarantine, and notification policies. | Are policy actions aligned with business risk? | Policy export, action summary, exception list, and owner signoff. |
| Impersonation | Review protected users, display-name rules, lookalike domains, external sender treatment, and spoof handling. | Can attackers impersonate executives, finance, HR, or vendors? | Protected user list, rule settings, sample detections, and tuning notes. |
| Authentication | Review SPF, DKIM, DMARC records, alignment, reporting, domain ownership, and spoof trends. | Are sending domains authenticated and monitored? | DNS records, DMARC reports, domain list, and remediation tickets. |
| Incidents | Review blocked threats, user-reported phishing, released mail, false positives, and mailbox remediation. | Are suspicious emails handled consistently? | Incident log, release approvals, user reports, and closure notes. |
| Governance | Review admin roles, audit logs, policy changes, exceptions, monthly reporting, and management summary. | Can email security controls be audited and improved? | Role export, change log, exception register, and executive report. |
Step-by-step review
Mimecast email security runbook
Validate mail flow and domains
Confirm MX records, Microsoft 365 connectors, accepted domains, outbound routing, test messages, and failback notes.
Review protection policies
Check inbound, outbound, spam, malware, URL, attachment, quarantine, impersonation, and notification settings.
Verify email authentication
Review SPF, DKIM, DMARC alignment, sending sources, domain ownership, spoof attempts, and reporting trends.
Audit exceptions and releases
Review bypass rules, allowed senders, quarantine releases, expiration dates, and approval evidence.
Investigate incidents and user reports
Triage phishing reports, blocked threats, released messages, false positives, mailbox exposure, and remediation actions.
Report email security posture
Summarize threat trends, policy changes, exceptions, DMARC status, admin actions, and owner assignments.
Common risks
Common Mimecast email security gaps
Mail bypasses the gateway
Incorrect connectors, MX records, or routing can allow mail to avoid intended security inspection.
Executives are not protected
BEC and impersonation controls should cover executives, finance, HR, and other high-risk users.
DMARC is not monitored
SPF, DKIM, and DMARC require ongoing review of legitimate senders and spoof attempts.
Exceptions accumulate
Allowed senders, bypasses, and release decisions should have owners, reasons, and expiration.
User reports are not closed
Reported phishing should result in triage, mailbox review, remediation, and user feedback.
No monthly evidence package
Email security needs recurring proof of policy review, incidents, exceptions, and threat trends.
Related support
Where IT Perfection can help
IT Perfection can help administer Microsoft 365 mail flow, Mimecast email security operations, help desk phishing workflow, monitoring, and managed IT remediation.
OC Security Audit can help assess email security posture, Microsoft 365 controls, DMARC readiness, phishing risk, cyber insurance readiness, and audit evidence.
Created by Ali Hassani, CISO
Professional Mimecast email security support
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
Email security needs mail flow, policy, and evidence discipline
A mature Mimecast operating process improves phishing protection, BEC resistance, DMARC visibility, incident response, Microsoft 365 mail security, and audit readiness.
FAQ
Mimecast email security FAQ
What should be reviewed in Mimecast email security?
Review mail flow, inbound and outbound policies, impersonation controls, URL and attachment protection, DMARC, exceptions, admin roles, incidents, and reporting.
Why is Microsoft 365 mail flow evidence important?
Email security depends on mail routing through the intended inspection path without bypasses, connector gaps, or unprotected domains.
What evidence should be retained?
Retain DNS records, connector exports, policy exports, DMARC reports, incident logs, release approvals, exception registers, and monthly summaries.
How should exceptions be handled?
Allowed senders, bypasses, and quarantine releases should have business justification, owner approval, expiration dates, and periodic review.