Closed Circuit Messaging (CCM)

Document created by user.oxriBaJeN4 Employee on Sep 20, 2015Last modified by user.oxriBaJeN4 Employee on Apr 2, 2019
Version 8Show Document
  • View in full screen mode

All customers with Closed Circuit Messaging will be migrated to Secure Messaging - Lite in Mid August 2016. 

Closed Circuit Messaging™ (CCM™) allows internal users to transmit confidential messages to external recipients, using Mimecast Personal Portal or Mimecast for Outlook. Instead of sending the email to the recipient's mail server, the email is retained on the Mimecast platform, and the recipient is then notified. The recipient can view and respond to the email by logging on to Mimecast Personal Portal.

Closed Circuit Messaging can no longer be purchased. New customers should use Secure Messaging.

CCM is used to enhance the security of email delivery, and can be controlled using Administrator defined policies. End users can also activate CCM by adding a certain word or phrase to an outbound email, or by using the CCM Mode option when composing a new message within Mimecast Personal Portal.

Some of the advantages to using CCM include:

  • Not dependent on the recipients email server capability, or encryption technologies (unlike TLS)
  • Provides additional control of sensitive information, as the recipient is confined to replying only to the recipients and sender of the email
  • Further control is provided by limiting the number of days that CCM messages are visible within the archive
  • Consistent implementation of email security using a centrally administered granular policy is therefore possible. Messages can be identified by administrator-defined policies for CCM delivery, without users having to make any decision or learn any new procedures. This means that seamless and transparent secure communication for end users is readily available.

How does Closed Circuit Messaging work?

When an outbound email is sent via CCM, the email is held in the CCM Isolation area, instead of being delivered to the recipient's mail server. The recipient of the message will then receive a notification with instructions on how to view the message. If it is the first CCM message they are receiving from this customer, they will also receive a second notification with their login credentials.


There are two ways that an Administrator can implement CCM in their environment:

  • Using a route based Policy
  • Based on the content of the email

Postmaster Secure Message Notification

This notification provides the recipient with information that a secure message has been sent to them, and informs them that they will need to log onto the Mimecast Service to view the message. A URL is provided, which will take the recipient to Mimecast Personal Portal where they can view and respond to the message. For security reasons, the notification specifically does not mention the details of the email including the sender and subject.


Postmaster Password Notification

If this is the first CCM message that this recipient has received from the sender's company, they will receive a second notification, providing them with their login name and password to access the service. The email address of the recipient is used as the Login Name and the initial password is automatically generated by Mimecast. Once the user logs in, they will be forced to change this password. These credentials can be used for any future CCM emails sent to this recipient from this particular customer.


  • These notifications can be customized by the Administrator.
  • If the recipient forgets their password and then receives subsequent CCM messages, they will need to contact the Administrator at the sending company to request a password reset. Alternatively, the recipient can click on the link "I have forgotten my password" on the Mimecast Personal Portal logon screen.

CCM Delivery Information

Mimecast also allows Administrators to view each emails' forensic information, and determine how the email was delivered. This can be accessed by viewing the delivery transmission information for the email in the Mimecast Archive. Typically, outbound emails will show: "Email Delivered via MX resolution" in the delivery event field. However, for an email delivered using CCM, the delivery event is shown as "Delivered to CCM isolation area". This allows Administrators to troubleshoot delivery, and confirm if messages have been delivered securely as expected.ccm3.png

TLS Fallback to CCM

If using enforced TLS for email delivery, there is an option TLS fallback to CCM. This option provides those customers who have access to CCM, another means to send emails securely in the event that the encryption parameters for TLS cannot be negotiated. Mimecast will therefore attempt to deliver the email via TLS, however if this is not possible, CCM will be used.

User Invoked CCM

With the correct permissions assigned, users are able to invoke emails to be sent using CCM.

User ServiceDetails
Mimecast Personal Portal

Administrators are able to provide access for end users to invoke CCM when logged into Mimecast Personal Portal. Permission needs to be configured for their user account, and can either be enabled on a per user basis or for multiple users with Application Settings.


Once enabled, a CCM mode menu is available when Composing emails. The CCM mode drop-down, provides various options:

  • Off - CCM mode is by default set to Off, so emails will not be sent via CCM
  • External Recipients Only - Only external recipients will receive this email via CCM, even if internal recipients are included in the email
  • All Recipients - Both internal and external recipients will receive this email via CCM

External CCM recipients will not have access to this option. Their replies will always use the External Recipients only logic, i.e. replies to internal parties will be sent as conventional SMTP mail whereas other external parties will receive a further CCM notification.Internal CCM recipients will see the CCM Mode option. The default will be set to External Recipients Only although the user can override this at will.

Note: Closed Circuit Messaging Policies will always apply irrespective of the CCM Mode setting. For example, if an email matches a Closed Circuit Messaging Policy, the email will be delivered via CCM, even if the Mimecast Personal Portal composer had left CCM Mode as Off.

Mimecast for Outlook

Users with the relevant capability enabled, can select an email be sent via CCM when using Mimecast for Outlook.


The permission needs to be configured as part of the Application Settings definition. When composing a new email, users should select the Mimecast tab, click on the Send Secure icon, and choose the Closed-Circuit Message option.

1 person found this helpful