Applies To...
This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here.
Overview
Sender Policy Framework (SPF) is an open standard for email authentication. It validates the connecting IP address by looking up the SPF / TXT record in DNS for the domain in the envelope MAIL FROM or HELO/EHLO. By adding our _netblocks.mimecast.com entry to your SPF / TXT record, you ensure we are allowed to send mail for your domain name. Mail Transfer Agents (MTAs) can verify SPF for inbound email if the sender publishes SPF entries in their domain's DNS records.
Implementing SPF for Outbound Email Delivery
To ensure a successful implementation of SPF with Mimecast, include a comprehensive list of our outbound IP addresses in your DNS SPF record. This is a long list (24 distinct IP4 ranges at the time of writing) and new ranges may be added in the future without notice. However, you can ensure your record is always up to date by including the "xx._netblocks.mimecast.com" statement.
To determine what "xx" is for your region, refer to the table below:
Region | Record
---|---
Europe (excluding Germany) | v=spf1 include:eu._netblocks.mimecast.com ~all
North America | v=spf1 include:us._netblocks.mimecast.com ~all
South Africa | v=spf1 include:za._netblocks.mimecast.com ~all
Australia | v=spf1 include:au._netblocks.mimecast.com ~all
Germany | v=spf1 include:de._netblocks.mimecast.com ~all
Global (includes all the above) | v=spf1 include:_netblocks.mimecast.com ~all
Some typical examples are suggested below as a starting point for constructing an appropriate record:
Scenario | Description | Example
---|---|---
Simple Case | Relaxed configuration for customers that only send external mail for a given domain via Mimecast. | "v=spf1 include:_netblocks.mimecast.com ~all"
Strict Case | For customers wishing to implement a strict SPF reject for unmatched requests (the "-all" qualifier), we strongly recommend testing with the relaxed syntax first. | "v=spf1 include:_netblocks.mimecast.com -all"
Customers with an Existing SPF Record for a Given Domain | If you have an existing SPF record representing a range of possible senders, these examples show how you can include Mimecast as a legitimate sender. |
Customers with an Existing SPF Include Record for a Given Domain | In all cases, customers with existing SPF records should review their entries to ensure Mimecast servers are referenced exactly once. Any previous Mimecast references should be removed in favor of _netblocks.mimecast.com. Customers using a domain include mechanism to refer to a DNS entry which already references _netblocks.mimecast.com need take no further action. |
Creating the DNS Entry
If you wish to implement SPF for your domain, you'll need to create a corresponding TXT DNS record. By adding our IP Ranges to your TXT / SPF record, you ensure Mimecast is allowed to send mail carrying your domain name.
To create a DNS record:
- Update the SPF records for your domains with the information displayed in the application under SPF Record, as shown below. Only use the SPF record displayed in the application, as there are regional differences (i.e. "eu" for Europe in the above image). The regional records are also listed in the "Implementing SPF for Outbound Email Delivery" section above. If you're not the person responsible for this task, click the Share link to send an email containing the required detail to someone who is.
- Log on to your Domain Registrar.
- Update / replace each domain's SPF record to specify us as the authorized outbound service.
- If all email for your domains will be routed via us, remove all previous SPF records.
- Other outbound sources for your domain may require a combined SPF record. In this instance, ensure you include the Mimecast "xx._netblocks.mimecast.com" entry before creating a mail flow connector. To determine what "xx" is, refer to step 1 above. See the "Implementing SPF for Outbound Email Delivery" section in the Configuring DNS Authentication Definitions and Policies page, and the Implementing SPF for Outbound Email Delivery page, for additional information.
- Optionally test your SPF record:
  - Navigate to Platform | Set Up Your Outbound Email in the Connect Application.
  - Select your domain from the Record to Validate drop down menu.
  - Click on the Validate button. One of the following messages will display:
    - A green tick confirms the SPF record is valid.
    - A red exclamation confirms the SPF record is invalid.
  - Click on the More or Less links to view further information about the SPF record and toggle the display.

  This step performs a TXT record lookup and validates the SPF record entry. You can have more than one mechanism (IP/Host), but Mimecast must be the first one listed.
Why is the SPF record for Mimecast doing 4 DNS lookup requests? This seriously hurts companies, as adding you into ours makes 5 queries and is half of the allowed DNS lookups for SPF. Can you make a single-line SPF record for people like us who are hurting? Microsoft Office 365 has the same problem and is 3 lines. If you use SharePoint, that includes Outlook but is 6 DNS lookups in total. So just Mimecast and Office 365 with SharePoint hits the 10 record limit.
Yours
_netblocks.mimecast.com:
_netblocks.mimecast.com. 289 IN TXT "v=spf1 include:eu._netblocks.mimecast.com include:us._netblocks.mimecast.com include:za._netblocks.mimecast.com include:au._netblocks.mimecast.com ~all"
eu._netblocks.mimecast.com. 102 IN TXT "v=spf1 ip4:195.130.217.0/24 ip4:91.220.42.0/24 ip4:146.101.78.0/24 ip4:207.82.80.0/24 ip4:213.167.81.0/24 ip4:213.167.75.0/24 ip4:185.58.84.0/22 ~all"
us._netblocks.mimecast.com. 278 IN TXT "v=spf1 ip4:207.211.31.0/25 ip4:207.211.30.0/24 ip4:205.139.110.0/23 ip4:216.205.24.0/24 ip4:63.128.21.0/24 ip4:205.217.25.135/32 ip4:205.217.25.132/32 ip4:207.211.41.113/32 ~all"
za._netblocks.mimecast.com. 202 IN TXT "v=spf1 ip4:41.74.192.0/22 ip4:41.74.200.0/22 ip4:41.74.196.0/22 ip4:41.74.204.0/22 ip4:41.74.201.0/24 ip4:41.74.205.0/24 ip4:41.74.204.3/32 ~all"
au._netblocks.mimecast.com. 164 IN TXT "v=spf1 ip4:103.13.69.0/24 ip4:124.47.150.0/24 ip4:124.47.189.0/24 ip4:180.189.28.0/24 ~all"
Can be done as
_xxx.mimecast.com. 300 IN TXT "v=spf1 ip4:195.130.217.0/24 ip4:91.220.42.0/24 ip4:146.101.78.0/24 ip4:207.82.80.0/24 ip4:213.167.81.0/24 ip4:213.167.75.0/24 ip4:185.58.84.0/22 ip4:207.211.31.0/25 ip4:207.211.30.0/24 ip4:205.139.110.0/23 ip4:216.205.24.0/24 ip4:63.128.21.0/24 ip4:205.217.25.135/32 ip4:205.217.25.132/32 ip4:207.211.41.113/32 ip4:41.74.192.0/22 ip4:41.74.200.0/22 ip4:41.74.196.0/22 ip4:41.74.204.0/22 ip4:41.74.201.0/24 ip4:41.74.205.0/24 ip4:41.74.204.3/32 ip4:103.13.69.0/24 ip4:124.47.150.0/24 ip4:124.47.189.0/24 ip4:180.189.28.0/24 ~all"
The one line above is under the 512-byte limit of a UDP DNS packet (which is 450 bytes of data) and is done in ONE DNS request. Yes, it's a PITA to manage, but it solves many issues.
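The two checks this page turns on, that Mimecast is referenced exactly once in a combined record and that the whole record stays within the 10-DNS-lookup limit discussed in the comment above, can be scripted. This is an added example, not Mimecast's code: it walks an SPF record, counts the lookup-costing terms per RFC 7208 (include, a, mx, ptr, exists, redirect), and recurses into includes using a constructed offline stand-in for DNS built from the TXT records quoted on this page (ip4 lists shortened; a real check would resolve the names).

```python
import re

# Constructed offline stand-in for DNS, built from the TXT records quoted on
# this page (ip4 lists shortened); a real check would resolve these names.
ZONE = {
    "_netblocks.mimecast.com": "v=spf1 include:eu._netblocks.mimecast.com "
        "include:us._netblocks.mimecast.com include:za._netblocks.mimecast.com "
        "include:au._netblocks.mimecast.com ~all",
    "eu._netblocks.mimecast.com": "v=spf1 ip4:195.130.217.0/24 ip4:91.220.42.0/24 ~all",
    "us._netblocks.mimecast.com": "v=spf1 ip4:207.211.31.0/25 ip4:207.211.30.0/24 ~all",
    "za._netblocks.mimecast.com": "v=spf1 ip4:41.74.192.0/22 ip4:41.74.200.0/22 ~all",
    "au._netblocks.mimecast.com": "v=spf1 ip4:103.13.69.0/24 ip4:124.47.150.0/24 ~all",
}

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup during
# evaluation, and more than ten in total makes the whole record a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](.+))?$", re.I)

def count_lookups(record, zone=ZONE, depth=0):
    """Total DNS lookups an evaluator would spend on this record and its includes."""
    if depth > MAX_LOOKUPS:                 # guard against include loops
        return MAX_LOOKUPS + 1
    total = 0
    for term in record.split()[1:]:         # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue                        # ip4/ip6/all cost nothing
        total += 1
        target = (m.group(2) or "").lower()
        if target in zone:                  # names outside ZONE still count once
            total += count_lookups(zone[target], zone, depth + 1)
    return total

def mimecast_references(record):
    """How many include terms point at a Mimecast _netblocks entry."""
    return sum(1 for t in record.split()
               if t.lower().lstrip("+-~?").startswith("include:")
               and t.lower().endswith("_netblocks.mimecast.com"))

def audit(record, zone=ZONE):
    """Return (lookups, mimecast_refs, problems) per the page's two rules."""
    lookups, refs, problems = count_lookups(record, zone), mimecast_references(record), []
    if refs != 1:
        problems.append(f"Mimecast referenced {refs} times; expected exactly once")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return lookups, refs, problems

if __name__ == "__main__":
    for rec in ("v=spf1 include:_netblocks.mimecast.com ~all",
                "v=spf1 include:eu._netblocks.mimecast.com ~all"):
        print(rec, "->", audit(rec))
```

The global include costs five lookups (itself plus the four regional records), a regional include costs one, and the flattened single record in the comment costs none.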