Secure Receipt Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015Last modified by user.oxriBaJeN4 Employee on Sep 26, 2016
Version 6Show Document
  • View in full screen mode

Mimecast provides access to send and receive emails securely using Transport Layer Security (TLS). The Secure Receipt policy is concerned with the receipt of emails from the sender to the Mimecast platform; and this applies to both inbound or outbound email.


TLS technology is designed to protect confidentiality and data integrity by encrypting connections between servers so that emails are transmitted through a secure tunnel.  It uses SMTP over an SSL encrypted tunnel, and requires a valid, third-party certificate to be installed at each end of the tunnel.

Mimecast supports connections using TLS 1.0, 1,1 and 1.2 for AES-256, RC4, MD5 and AnonDHE.

In order to configure and use TLS, each mail server involved in the sending and receipt of the email must have an SSL certificate from a public root certificate authority installed and configured. By default, TLS connections take place over port 25.


When configuring route based TLS, two policies are required to ensure the entire transmission is encrypted:

  • Secure Receipt policy: This is required to encrypt data between the sending mail server and Mimecast (i.e. how Mimecast receives the message)
  • Secure Delivery policy: This  is required to encrypt data between Mimecast and the destination mail server (i.e. how Mimecast delivers the email)

Self-signed certificates

For Secure Receipt Policies, Mimecast acts as the server. The client application connects to Mimecast and checks the server certificate to see if it is acceptable. Typically it would be and the connection would be established. However, if a self-signed certificate is used by the client, it would not succeed in the connection attempt.


A configuration option can be enabled by Mimecast support that will allow the connection to be established. In this scenario, Mimecast acts as the the client and the customer application acts as the server. Mimecast will then verify the certificate.


Using Secure Receipt, an Administrator can set up specific policies to enforce TLS or use TLS where possible when accepting emails. This refers to both inbound and outbound emails, but always from the perspective of Mimecast receiving the emails. Additionally TLS provides email security, and reduces the risk of eavesdropping, interception, and alteration of emails as they are sent across the internet.

What you need

  • An Administrator Console logon with access to the Services | Gateway | Policies menu item.


Creating a policy


To create a policy, follow the instructions in the Creating / Changing a Policy article, but using the following options:


Policy NarrativeProvide a description for the Policy to allow you to easily identify it in the future.
Select Option

Select one of the following values from the drop down list:

Delivery OptionDescription
DefaultUses Opportunistic TLS as described below.
Enforced TLSEmail is only delivered if the remote email server accepts TLS. If TLS is not configured, the connection will be dropped and the email delivery rejected.
When configuring TLS on Mimecast using SMTP Enforced, ensure that the recipients mail server is configured to accept TLS messages, otherwise all emails delivered using this policy will fail. It is recommended to test this communication before enforcing it across your entire organization.
Opportunistic TLSTLS will always be attempted first when sending email, but if not accepted by the remote mail server, the message will be delivred using standard SMTP.

Once the Secure Receipt Policy has been applied, send a test email to check if TLS is being applied as expected. To verify if TLS has been applied, check the Receipt/Delivery view of the message.

Definition required?


2 people found this helpful