DNS Authentication Policies

Document created by user.oxriBaJeN4 (Employee) on Sep 11, 2015. Last modified by user.oxriBaJeN4 (Employee) on Mar 16, 2017.
Version 12

DNS Authentication policies let administrators control which email authentication checks are performed when Mimecast receives an inbound email or sends an outbound one. SPF is an open standard for email authentication, used to determine whether a message's sender is allowed to send using a specific domain. Outbound DKIM signing applies a cryptographic signature to outbound messages, which recipients can later use to determine whether the contents of a message have been tampered with.


SPF and DKIM signing work by defining extra DNS records for the sending domain:

  • Sender Policy Framework (SPF) validates the connecting IP address by looking up the DNS record for the domain in the envelope MAIL FROM or HELO/EHLO. It tells you whether the IP connecting to Mimecast is permitted to send mail for that domain.
  • DomainKeys Identified Mail (DKIM) validates the contents of the message body and headers: the sender computes a cryptographic hash of them, signs it, and adds the signature as a new header to the message. The receiver confirms that the message's content was sent from a specific domain by verifying that signature against the public key published in the sending domain's DNS record.


Mail Transfer Agents (MTAs) can verify SPF or DKIM for inbound emails if the sender publishes DNS entries for them in their domain records.
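The SPF check described above, as an added example that is not Mimecast's code: a simplified evaluator that takes the connecting IP and the MAIL FROM/HELO domain, reads the domain's SPF record, and returns the result. It assumes a constructed, offline DNS table with hypothetical domains in place of live lookups, and handles only the ip4, ip6, include, a and all mechanisms (mx, exists, ptr and redirect are omitted).

```python
"""Simplified SPF evaluator (added example, not Mimecast's code)."""
import ipaddress

# Constructed DNS data standing in for real lookups (hypothetical domains).
DNS = {
    "example.com": {
        "txt": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
        "a": [],
    },
    "_spf.mailhost.example": {
        "txt": "v=spf1 ip6:2001:db8::/32 a ~all",
        "a": ["198.51.100.25"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Return the SPF result for a connecting IP and the MAIL FROM/HELO domain."""
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = DNS.get(domain, {}).get("txt")
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # evaluate mechanisms left to right
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":                # A record of arg, or of the domain itself
            matched = str(addr) in DNS.get(arg or domain, {}).get("a", [])
        elif mech == "include":          # include matches only on a "pass"
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual]      # first match decides the result
    return "neutral"                     # no mechanism matched


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:1::5", "203.0.113.7"):
        print(ip, check_spf(ip, "example.com"))
```

A "fail" result here is the condition under which a DNS Authentication policy stops honouring an Auto Allow entry for the sender, as described below.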
For inbound emails, DNS Authentication helps prevent unwanted and potentially harmful emails from reaching your organization's users. These checks ensure that possibly forged messages are not waved through by the Auto Allow database. If a DNS Authentication Policy that enables the DNS checks is applied to internal user addresses, and those checks fail on an inbound email, existing Auto Allow entries will not be respected. This ensures that spam checks are not bypassed for future emails from the sender to these internal users.


This same behavior is performed on manually created Permitted Senders and global senders based on email address or domain.


With outbound emails, if the organization requires DKIM signing, the organization's DNS record must be populated with the appropriate public key. The private key of the same keypair must be entered in a DNS Authentication Policy, along with the domain and selector of that record. Once that policy is applied to outbound mail, Mimecast signs the email before sending it.

What You'll Need


  • An Administrator Console logon with access to the Services | Gateway | Policies menu item.
  • A previously configured inbound or outbound DNS Authentication definition.


Creating a Policy


To create a policy, follow the instructions in the Creating / Changing a Policy article, but using the following options:


  • Policy Narrative: Provide a description for the policy to allow you to easily identify it in the future.
  • Select DNS Authentication: Select the required DNS Authentication definition for the policy.

Definition Required?

Yes. There are definitions for both inbound and outbound checks.
