Connect Process: Configuring Recipient Validation

Document created by user.oxriBaJeN4 Employee on Sep 21, 2015Last modified by user.oxriBaJeN4 Employee on Apr 2, 2019
Version 9Show Document
  • View in full screen mode

For us to accept your inbound email, recipient validation must be configured. This enables us to only accept messages from the email addresses you have authorized. To do this, we must have a complete list of all internal users.


Recipient validation can be completed by one of the following methods:


MethodApplicable ToAdvantagesDisadvantages

Synchronization with your Network Directory (e.g. LDAP)

This is the recommended method.

  • Office 365
  • On Premises
  • Hybrid
  • A message destined to be delivered to a mailbox, that is not present in your Exchange, is rejected.
  • Can also be used to authenticate user access to Mimecast, and their level of access.
  • Requires some configuration inside your Active Directory.

Active Directory Synchronization with the Mimecast Synchronization Engine

  • Office 365
  • On Premises
  • Hybrid
  • Automatically synchronizes users, groups, and group membership.
  • Can be used to synchronize user status, or user attributes.
  • Automatically links user alias addresses to their primary address.
  • Requires a separate installation on Mimecast Synchronization Engine.
  • Authentication using Active Directory / Domain passwords is not supported.
  • Authentication is made against the Active Directory server in real time.

Office 365 Azure Active Directory Synchronization

  • Office 365
  • Automatically synchronizes with Windows Azure to add and manage all of your user, group, group membership and user attributes.
  • Passwords are not synchronized using this feature.
Automatically by email flow as users send emails through Mimecast
  • Office 365
  • On Premises
  • Hybrid
  • G Suite
  • Does not require any configuration inside your environment.
  • Users are unable to authenticate without additional configuration.
  • Can take time to monitor outbound email and identify internal users.
  • Can result is rejected messages for internal users who rarely send emails.

Importing user data via a spreadsheet

  • Office 365
  • On Premises
  • Hybrid
  • G Suite
  • Can add multiple user accounts.
  • Sets user permissions, user attribute data and alias associations.
  • The recommended method for importing users in bulk.
  • The list of validated recipients is only accurate at the time the import is performed.
  • Changes made in your Exchange (e.g. deleted users) are not automatically reflected in Mimecast.

Adding users manually

  • Office 365
  • On Premnises
  • Hybrid
  • G Suite
  • Have more control.
  • Recommended for adding single users.
  • Can be more time consuming.


Office 365


Office 365 does not support Active Directory integration. User management is controlled manually through:

For environments that use a separate domain controller, Active Directory synchronization can be configured.

On Premises / Hosted Exchange (HEX)


To enable directory synchronization:

  1. Open the LDAP port on your firewall to the Mimecast Data Center IP ranges. By default, this will be:
    • Port 389 for LDAP
    • Port 636 for LDAPS
  2. Ensure the correct routing has been setup from the firewall through to the selected domain controller.
  3. Create a user account in the directory for Mimecast to use for authentication purposes. This enables the extraction of all valid email addresses, group structures, and any attributes that have been setup in Mimecast to be synchronized.
    See the User Account Requirements section below for further details.
  4. Review and complete the configuration steps outlined in the Directory Connections article for each connector.


See the Enable LDAP Directory Sync for Active Directory page for further details.


Ensure the domain controller has a publicly routable IP address configured that Mimecast can access. If LDAPS is used, ensure that the certificate is registered to the Fully Qualified Domain Name (FQDN) of the server. This means that LDAPS will not work unless the certificate name is based on the FQDN of the server.


User Account Requirements


The user account created in point 3 above does require:

  • Permissions to read Active Directory users and attributes. By default a member of the Domain Users group has these permissions.
  • A password that does not require to be changed at first logon, and does not expire.

The user account created in point 3 above does not require:

  • Special permissions.
  • A local mailbox.


G Suite


In order for your users to send and receive emails, they must be added to your Mimecast account. This can best be achieved by Recipient Validation which ensures a Mimecast user record is created when an outbound message is sent. 


You can also:

Include a cloud password for the above two methods if you want to allow users access to Mimecast end user applications.
1 person found this helpful