Common pitfalls in Mimecast email security configurations
Insights from the field
Key Points
- Using SPF-based bypasses that include large cloud provider IP ranges (like O365 or Google) or adding entire domains to Permitted Senders can inadvertently let spoofed or malicious emails slip past your defenses. Always use specific, known IP addresses instead.
- Simple oversights—like forgetting to enable the anti-spoofing policy when registering a new domain, or leaving spam auto-allow set to "Do Nothing"—can quietly create significant security gaps.
- Features like Threat Remediation should have automatic remediation turned on rather than relying on manual processes, and VIP/executive lists for impersonation protection need regular updates as staff change roles.
Even the most security-conscious organizations can fall into configuration traps that leave them exposed. As a Mimecast Sales Engineer, I’ve seen recurring missteps that can undermine your email security posture. Here’s a practical guide to the most common pitfalls—and how to avoid them.
1. Anti-spoofing: avoiding bypass pitfalls and missed policies
What does anti-spoofing do?
Anti-spoofing policies are your first line of defence against email header forgery—where attackers make messages appear as if they’re from your own domain. These policies block external emails that pretend to come from internal addresses, a favourite tactic in both phishing and business email compromise.
Common pitfalls and what to check
A. SPF-based bypass policies shouldn’t include O365/Google
A frequent misconfiguration is using SPF-based bypass policies that include broad cloud provider IP ranges (like O365 or Google). This can inadvertently allow spoofed emails from those platforms to slip through.
Best Practice: Always use IP-based bypass for trusted senders where possible, not broad SPF-based bypasses. Restrict bypasses to specific, known IP addresses or ranges.
Learn More: Configuring Anti-Spoofing Policies, Anti-Spoofing SPF Bypass
B. Missing the ‘Create Anti-Spoofing Policy’ checkbox for new domains
When adding new domains, many enterprise admins forget to tick the box to automatically create an anti-spoofing policy. The result? The new domain is left unprotected and vulnerable to spoofing.
What to Do: Always select “Automatically Create Anti-Spoofing Policy for this Domain” when registering new domains. If you missed it, manually create the policy right away.
Learn More: Managing Internal Domains & Subdomains, Adding an Internal Domain
2. Impersonation protect policies: best practices and VIP protection
What does Impersonation Protect do?
Impersonation Protect policies are designed to catch sophisticated phishing attempts that mimic executives, finance staff, or other high-value targets. These policies analyse sender names, domains, and message content for signs of impersonation.
Common pitfalls and what to check
Best practice configuration:
- Set up strict policies for executives and VIPs using profile groups and higher hit scores.
- Regularly update your VIP list as staff change roles.
- Tune identifiers and alternative spellings to catch subtle impersonation attempts. Mimecast’s social graph does this for you automatically if you have Advanced BEC.
What to watch for:
- Don’t forget to add new executives to your VIP group.
- Review and adjust hit scores to balance security and false positives.
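To make the "identifiers and hit score" idea concrete, here is an added example (not Mimecast's code, and not how Impersonation Protect is implemented internally) that scores an external message against a VIP list the way the policy above is tuned: a display name that resembles a VIP after undoing digit-for-letter substitutions, a sender domain that looks like one of your internal domains, and a Reply-To that points elsewhere each count as one hit, and the hit score picks the action. The VIP names, domains, similarity ratios and hold threshold are all constructed assumptions to be tuned per profile group.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                  # constructed: the tenant's own domains
VIP_NAMES = ["Jane Doe", "Sam Treasurer"]           # constructed: the protected executives / finance staff
# Common digit-for-letter substitutions folded back to letters before comparing display names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
NAME_MATCH_RATIO = 0.85                              # assumption: tune per tenant
DOMAIN_MATCH_RATIO = 0.80


def normalize_name(name):
    """Lower-case, undo homoglyph digits and drop punctuation so "Jane D0e" compares equal to "Jane Doe"."""
    folded = name.lower().translate(HOMOGLYPHS)
    return " ".join(re.sub(r"[^a-z ]", "", folded).split())


def matching_vip(display_name):
    """Return the VIP whose name the display name resembles, or None."""
    target = normalize_name(display_name)
    for vip in VIP_NAMES:
        if difflib.SequenceMatcher(None, target, normalize_name(vip)).ratio() >= NAME_MATCH_RATIO:
            return vip
    return None


def lookalike_internal_domain(domain):
    """Return the internal domain this external domain closely resembles, or None."""
    for internal in INTERNAL_DOMAINS:
        if domain != internal and difflib.SequenceMatcher(None, domain, internal).ratio() >= DOMAIN_MATCH_RATIO:
            return internal
    return None


def score_message(raw_message):
    """Return (hit_score, identifiers) for a message; each tripped identifier adds one hit."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    identifiers = []
    if sender_domain in INTERNAL_DOMAINS:
        return 0, identifiers        # internal senders are the anti-spoofing policy's job, not this check's
    vip = matching_vip(display_name)
    if vip:
        identifiers.append(f"display name resembles VIP '{vip}'")
    lookalike = lookalike_internal_domain(sender_domain)
    if lookalike:
        identifiers.append(f"sender domain {sender_domain} resembles internal domain {lookalike}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        identifiers.append("Reply-To domain differs from From domain")
    return len(identifiers), identifiers


def recommend_action(hit_score, hold_threshold=2):
    """Map a hit score to an action; the thresholds are an assumption, tune them per group."""
    if hit_score >= hold_threshold:
        return "hold"
    if hit_score == 1:
        return "tag"
    return "deliver"


# Constructed sample messages; no real senders or domains.
SUSPICIOUS = """From: "Jane D0e" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.invalid
To: accounts@example.com
Subject: Invoice

Please see the attached invoice.
"""

BENIGN = """From: "Vendor Support" <support@vendor.invalid>
To: accounts@example.com
Subject: Your ticket has been updated

Thanks for contacting us.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, ids = score_message(raw)
        print(label, score, recommend_action(score), ids)
```

Raising the hold threshold trades false positives for misses, which is the balance the "hit scores" bullet above asks you to review; the VIP list is a plain constant here precisely so that it is obvious it must be maintained when people change roles.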
Learn more:
- Impersonation Protect – First Policy
- Impersonation Protect Configuration Guide
- Impersonation Protect Definitions
3. Feature enablement: Threat Remediation, Secure & Restore, and Continuity Event Monitor
What do these features do?
Threat Remediation: Lets you find and remove malicious emails even after delivery. This is an available feature of Internal Email Protection.
Secure & Restore: Enables recovery of mailboxes in the event of an outage or attack.
Continuity Event Monitor: Monitors mail flow and triggers continuity mode during outages.
Common pitfalls and what to check
Threat Remediation: Ensure automatic remediation is enabled and incident queues are monitored.
Secure & Restore and Continuity Event Monitor: Verify all required connectors are set up for your environment (O365, Google, Exchange).
What to watch for
- Missing connectors can leave gaps in coverage.
- Manual remediation only is less effective—enable automation where possible.
4. Permitted Senders: bypass risks and best practices
What does Permitted Senders do?
Permitted Senders are trusted addresses or IPs that bypass spam scanning, greylisting, and IP reputation checks—ensuring important emails aren’t blocked.
Common pitfalls and what to check
Risks of Adding Broad Providers (O365/Google): Adding entire domains or IP ranges for cloud providers can let malicious emails from those platforms bypass your security.
Internal Domains: Never add your own internal domains to Permitted Senders—this can be abused by attackers to spoof internal communications.
Best Practices for Services (PayPal, DocuSign, etc.): Only permit official, specific and documented sender addresses or IPs for third-party services. Regularly review and update your list.
What to watch for
- Audit your Permitted Senders list for broad or risky entries.
- Ensure Anti-Spoofing policies override Permitted Senders for internal domains.
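The audit asked for here, and the bypass-scope warning in section 1A, come down to the same question: how wide is each entry? The following added example (not Mimecast code; it works on a constructed export rather than the Administration Console) walks a list of bypass and Permitted Senders entries and flags the patterns this article warns about: SPF-based bypasses, especially of shared cloud provider domains, whole domains instead of specific addresses, the tenant's own internal domains, and IP ranges far wider than a single relay. The `spf:` prefix notation, the provider domain list, the internal domain and the /24 size limit are assumptions for the example.

```python
import ipaddress

# Constructed sample export of bypass / Permitted Senders entries; nothing here comes from a real tenant.
# Each tuple is (policy the entry lives in, entry). An entry is an IP, a CIDR, a bare domain, a full
# address, or "spf:<domain>" standing for an SPF-based bypass of that domain (notation assumed here).
SAMPLE_ENTRIES = [
    ("Anti-Spoofing bypass", "203.0.113.25"),      # one documented relay address (TEST-NET-3)
    ("Anti-Spoofing bypass", "spf:outlook.com"),     # SPF-based bypass resolving to shared O365 ranges
    ("Permitted Senders", "gmail.com"),              # an entire consumer mail domain
    ("Permitted Senders", "example.com"),            # the organisation's own internal domain
    ("Permitted Senders", "198.51.100.0/20"),        # 4096 addresses, far wider than any single relay
    ("Permitted Senders", "dse@docusign.net"),       # one specific third-party service address
]

INTERNAL_DOMAINS = {"example.com"}                   # constructed: the tenant's registered internal domains
# Domains whose SPF records resolve to large shared cloud ranges (constructed list; extend as needed).
BROAD_PROVIDER_DOMAINS = {"outlook.com", "protection.outlook.com", "gmail.com", "google.com"}
MAX_NETWORK_SIZE = 256                               # assumption: anything wider than a /24 needs justification


def classify_entry(entry):
    """Return the list of findings for one entry; an empty list means the entry looks acceptably narrow."""
    findings = []
    if entry.lower().startswith("spf:"):
        domain = entry[4:].lower()
        findings.append("SPF-based bypass trusts every IP the domain's SPF record lists")
        if domain in BROAD_PROVIDER_DOMAINS:
            findings.append("SPF domain is a shared cloud provider, so any tenant there can use the bypass")
        return findings
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        network = None
    if network is not None:
        if network.num_addresses > MAX_NETWORK_SIZE:
            findings.append(f"network covers {network.num_addresses} addresses; restrict it to the relays you use")
        return findings
    domain = entry.rsplit("@", 1)[-1].lower()
    if "@" not in entry:
        findings.append("whole domain permitted; prefer specific sender addresses or IPs")
    if domain in INTERNAL_DOMAINS:
        findings.append("internal domain in a bypass list; external mail claiming to be internal skips anti-spoofing")
    elif domain in BROAD_PROVIDER_DOMAINS:
        findings.append("shared cloud provider domain; permits mail from any customer of that provider")
    return findings


def audit(entries):
    """Return {(policy, entry): findings} for every entry with at least one finding."""
    report = {}
    for policy, entry in entries:
        findings = classify_entry(entry)
        if findings:
            report[(policy, entry)] = findings
    return report


if __name__ == "__main__":
    for (policy, entry), findings in audit(SAMPLE_ENTRIES).items():
        print(f"[{policy}] {entry}")
        for finding in findings:
            print(f"    - {finding}")
```

Only the single relay IP and the specific DocuSign address pass clean; everything else in the sample is the kind of entry the review above should surface.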
5. DNS authentication inbound scans: enforcing SPF, DKIM, and DMARC
What does DNS authentication do?
Mimecast checks inbound emails for SPF, DKIM, and DMARC compliance to verify sender authenticity and prevent spoofing.
Common pitfalls and what to check
Default Actions May Be Too Permissive: Out-of-the-box, policies may not take strict action on authentication failures.
What to do
- Configure policies to reject or quarantine emails that fail SPF, DKIM, or DMARC checks.
- Regularly review DNS records for all domains.
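As an added illustration of why the default action matters (this is example code, not Mimecast's policy engine or its real default values), the block below reads the SPF, DKIM and DMARC verdicts from a message's Authentication-Results header and applies two constructed policy tables to them: a permissive one that records failures but does nothing, and a hardened one that holds on SPF or DKIM failure and rejects on DMARC failure. The sample messages and both policy tables are constructed for the example.

```python
import re
from email import message_from_string

# Severity order used to pick the most restrictive action when several checks fail.
SEVERITY = {"none": 0, "hold": 1, "reject": 2}
# Result values treated as an authentication failure (RFC 8601 result names).
FAILING_VERDICTS = {"fail", "softfail", "permerror"}

# Two constructed policy tables (assumed values, not Mimecast's actual defaults):
# the permissive table records a failure but takes no action; the hardened one acts on it.
PERMISSIVE_POLICY = {"spf": "none", "dkim": "none", "dmarc": "none"}
HARDENED_POLICY = {"spf": "hold", "dkim": "hold", "dmarc": "reject"}


def parse_auth_results(raw_message):
    """Extract {check: verdict} from the Authentication-Results header of a raw message."""
    msg = message_from_string(raw_message)
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}


def evaluate(results, policy):
    """Return (action, reasons): the most restrictive configured action among the failing checks."""
    action, reasons = "none", []
    for check, verdict in results.items():
        if verdict in FAILING_VERDICTS:
            configured = policy.get(check, "none")
            reasons.append(f"{check}={verdict} -> {configured}")
            if SEVERITY[configured] > SEVERITY[action]:
                action = configured
    return action, reasons


# Constructed sample messages; the receiving host and sender domains are placeholders.
FAILING_MSG = """Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=billing@vendor.invalid;
 dkim=pass header.d=vendor.invalid;
 dmarc=fail (p=reject) header.from=vendor.invalid
From: billing@vendor.invalid
Subject: Invoice

body
"""

SOFTFAIL_MSG = """Authentication-Results: mx.example.com;
 spf=softfail smtp.mailfrom=news@vendor.invalid;
 dkim=pass header.d=vendor.invalid;
 dmarc=pass header.from=vendor.invalid
From: news@vendor.invalid
Subject: Newsletter

body
"""

CLEAN_MSG = """Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=support@vendor.invalid;
 dkim=pass header.d=vendor.invalid;
 dmarc=pass header.from=vendor.invalid
From: support@vendor.invalid
Subject: Ticket update

body
"""

if __name__ == "__main__":
    for label, raw in (("failing", FAILING_MSG), ("softfail", SOFTFAIL_MSG), ("clean", CLEAN_MSG)):
        results = parse_auth_results(raw)
        print(label, results)
        print("  permissive:", evaluate(results, PERMISSIVE_POLICY))
        print("  hardened:  ", evaluate(results, HARDENED_POLICY))
```

The failing message is delivered untouched under the permissive table even though the sending domain publishes p=reject; the hardened table rejects it, and holds the softfail so it can be reviewed rather than silently dropped.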
Learn more
- DNS Authentication Overview
- Configuring DNS Authentication Definition
- Configuring DNS Authentication Policy
6. Spam Scanning Auto Allow: Why ‘Hold’ is safer than ‘Do Nothing’
What does this setting do?
The Auto Allow Spam Detection action determines what happens to emails from permitted senders that are flagged as spam.
Common pitfalls and what to check
If Set to ‘Do Nothing’: Spam results are ignored, and risky emails may reach users.
Best Practice: Set the action to “Hold for Review” or “Reject” to prevent malicious emails from being delivered unchecked.
Final thoughts
The most common pitfalls in Mimecast configurations are often simple oversights—broad bypasses, unchecked boxes, or default settings left unreviewed. Regular audits, strict policy enforcement, and staying up-to-date with Mimecast best practices are your best defense.
Stay vigilant, review your configurations regularly, and leverage the Mimecast Knowledge Base for guidance. Your email security is only as strong as your weakest policy!