To ensure all inbound email is filtered through us, you must lock your firewall traffic down on port 25 to the Mimecast Data Center IP Ranges. If you don't, you could be exposing your mail server to direct attacks and spam email delivery. This is a common method spammers utilize to bypass gateway security services. By locking down your firewall you ensure all your messages are scanned by us to prevent viruses and spam from reaching your internal environment.
- Ensure you cancel any contracts with your previous email cloud security provider. This prevents any disruption to your email flow before you complete your firewall lock down.
- Ensure all emails are being delivered by Mimecast only, including removing any other MX Records. Your Technical Point of Contact (TPOC) is responsible for completing this step.
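One way to check the port 25 lockdown described above, as an added example that is not Mimecast's own tooling: it scans a mail server's SMTP connection log and reports source IPs that fall outside the gateway ranges. The Postfix-style log lines are constructed, and the CIDR ranges are documentation placeholders that must be replaced with the ranges for your account region.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation blocks), NOT real Mimecast ranges.
# Replace with the ranges listed for your Mimecast account region.
GATEWAY_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed Postfix-style smtpd log lines, for illustration only.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx1 postfix/smtpd[2101]: connect from gw1.example.net[192.0.2.15]
Mar  3 10:01:40 mx1 postfix/smtpd[2102]: connect from unknown[203.0.113.77]
Mar  3 10:02:05 mx1 postfix/smtpd[2103]: connect from gw2.example.net[198.51.100.20]
Mar  3 10:02:31 mx1 postfix/smtpd[2104]: connect from unknown[198.51.100.200]
Mar  3 10:03:02 mx1 postfix/smtpd[2105]: connect from unknown[203.0.113.77]
Mar  3 10:03:30 mx1 postfix/smtpd[2106]: connect from relay.example.org[2001:db8::25]
Mar  3 10:03:31 mx1 postfix/smtpd[2106]: disconnect from relay.example.org[2001:db8::25]
"""

# Matches only "connect" events; "disconnect" lines do not follow "]: " directly.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (\S+)\[([0-9A-Fa-f.:]+)\]"
)


def find_gateway_bypass(log_text, allowed_cidrs):
    """Return {source_ip: connection_count} for SMTP connections that did
    not originate from the allowed gateway ranges."""
    networks = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    bypass = {}
    for line in log_text.splitlines():
        match = CONNECT_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(2))
        except ValueError:
            continue  # malformed address in the log line; skip it
        # An IPv6 client never matches an IPv4 range (and vice versa),
        # so it is reported unless an IPv6 gateway range is listed.
        if not any(ip in net for net in networks):
            bypass[str(ip)] = bypass.get(str(ip), 0) + 1
    return bypass


if __name__ == "__main__":
    hits = find_gateway_bypass(SAMPLE_LOG, GATEWAY_RANGES)
    for ip, count in sorted(hits.items()):
        print(f"direct delivery attempt: {ip} ({count} connection(s))")
```

Any address it reports reached the mail server without passing through the gateway, which means the firewall rule is missing or too broad.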
Locking Down G Suite
To lock down your G Suite to Mimecast:
- Add Mimecast IP ranges to your inbound Gateway
- Configure a delivery route in Mimecast
- Reject all mail not from your Gateway IPs
Adding Mimecast IP Ranges to Your Inbound Gateway
To add the Mimecast IP Ranges to your inbound Gateway:
- Navigate to .
- Click on the Configure button.
- Enter "Mimecast Gateway" in the Short description.
- Use the Add button to enter the Mimecast Data Center IP for your Mimecast account region. See the Mimecast Data Centers and URLs page for full details.
- Ensure the Require TLS for Connections From the Email Gateways Listed Above option is selected.
- Ensure the other two options aren't selected.
- Click on the Add Setting button to save the change.
Configuring a Delivery Route in Mimecast
To configure a Delivery Route in Mimecast:
- Create a Delivery Routing Definition using the G Suite MX record value in the routing definition.
- Primary host: ASPMX.L.GOOGLE.COM
- Alternative host: ALT1.ASPMX.L.GOOGLE.COM
- Create a Delivery Routing Policy:
  - Policy Narrative: G Suite Route
  - Select the definition created in step 1.
  - Address Based On: Both
  - Applies From: Everyone (Applies to all Senders)
  - Applies To: Internal Addresses (Applies to all Internal Recipients)
- Click on the Save and Exit button.
Rejecting all Mail not from Your Gateway IPs
To reject all mail not from your Gateway IPs:
- Click on the Edit button.
- Check the Reject all Mail Not From Gateway IPs option.
- Click on the Save button.