Spam filters

Mimecast overview and troubleshooting tips

Mimecast is a leading email security vendor with products spanning email and data security. Their products are used by more than 30000 businesses worldwide. Their Email Security With Targeted Threat Protection product helps protect businesses from inbound spam, malware, phishing, and zero-day attacks.

Mimecast uses numerous layers of threat detection techniques to identify spam and other harmful messages.

Infrastructure

Regions

North America, Europe, Middle East, Africa, Asia-Pacific

Website

Mimecast main website

Permitted sender list

Mimecast has a global permitted sender list comprised of IPs and domains known to have a good reputation. Senders cannot apply to or pay to be on their permitted sender list.

Mimecast administrators and end users may also create a permitted sender list for trusted senders. 

Messages on the permitted sender list bypass Mimecast's reputation and spam checks, but not virus checks. 

Mimecast administrators can ignore the global permitted sender list and apply their own policies if desired.


Methodology

To give businesses more flexibility, Mimecast allows administrators to customize the Mimecast Email Security With Targeted Threat Protection product settings to fit their business needs.  This flexibility can lead to inconsistent filtering results for a sender at different businesses using Mimecast.

  • All incoming email is scanned for potential threats and assigned a spam score. The spam score measures the probability that the message is spam.
  • Administrators set the action taken when your email crosses the spam score threshold related to the selected aggressiveness setting: Tag the headers - do nothing, hold for review, and reject.
  • Senders receive bounce messages (non-delivery reports) from the mailbox provider for deferred and blocked messages.

Troubleshooting

  • Ensure your email system is not sending spam or viruses from an unauthorized third party.
  • Ensure all of the URLs used in your email (including third party URLs) point to legitimate websites that are not infected with malware.
  • Check if you are using link shorteners such as bit.ly in your content. Link shortening services are often used to hide malicious website domains.
    • Use the full URL string for your website or images.
  • Ensure your subject line is relevant to the email content. Deceptive subject lines may be perceived as a phishing attempt. 
  • Check your overall complaint rates and volumes through complaint feedback loops. Mimecast does not provide a complaint feedback loop, however, high complaint rates at other providers can signal a problem with your list quality.
  • Ensure you have unsubscribe links in your email and immediately honor all unsubscribe requests.
  • Check your SMTP error codes to help you identify potential problems.
    • If you receive a block code indicating the user has blocked your email address or domain, add that address to your suppression list. Further attempts to send to the recipient will contribute to a poor reputation, which could impact delivery to recipients at other Mimecast customer domains.
    • If you receive an error code indicating an issue with content, review your content for possible spam characteristics such as using ALL CAPS in the subject line, using numerous special characters (e.g. !!!!!!, $$$$$, #####), 
    • If you need help with any of the error codes, contact the recipient's email administrator for more information. Mimecast only works directly with designated customer contacts and not bulk senders.
  • If using TLS, ensure you are using TLS version 1.2 or higher. Not all Mimecast customers require TLS, but enforcing it is an option.
    • In most cases, if a Mimecast customer requires TLS, you will see a corresponding SMTP error code.
  • Ensure you do not exceed 25 server hops prior to sending your email or it will be rejected. For most senders, this should never be a problem.
  • Check the email headers of a message sent through Mimecast in Everest.
    • X-Mimecast-Spam-Score: The higher your score generally means you have sending reputation issues and your email displays spam or phishing characteristics. There are three spam score threshold settings available that determine when your email is labeled as spam, and each Mimecast customer uses the setting that fits their business. Mimecast recommends that customers start with the relaxed setting and adjust based on user feedback in order to reduce the number of false positives. Most companies have a relaxed or moderate setting, so email with a spam score of 5 or more is likely filtered as spam.
      • Relaxed: 7 points. Companies using this setting typically don't receive a lot of spam and allow their users more flexibility to determine which email is relevant to them.
      • Moderate: 5 points. Companies using this setting typically receive spam and other promotional emails. Users are required to be more active managing incoming email when a company uses this setting.
      • Aggressive: 3 points. Companies using this setting typically receive a lot of spam and may be in a high risk industry such as banking or finance. Users must take an active role managing permitted email and senders.
  • Ensure you are respecting the Mimecast customer's server resources. Administrators can customize connection and throughput settings for incoming email for a domain and IP.
    • The default concurrent number of connections permitted is 20.
    • The default number of recipients per connection is 100.
    • An IP address that continually violates the concurrent connections permitted threshold are added to the block list.
    • If you get an SMTP error message indicating invalid connections or too many recipients, lower your connections and throughput until the error message is no longer received.
  • Check IPs and domains for blocklistings. Mimecast does not disclose which third party block lists they or their customers use, however, a listed IP or domain can indicate a problem that Mimecast may be factoring into their filtering decisions.
  • Is your new IP recently recycled? Ask your email service provider (ESP) when the last time the IP had any sending volume on it prior to being assigned for your use. IPs used recently by another sender could still have a poor reputation attached to it.
    • A general guideline is for an IP to have zero sending volume for at least six months prior to it being assigned to another sender.
  • Are you using a new sending domain? New domains are often created by spammers in an attempt to bypass IP reputation scans and may receive additional scrutiny at Mimecast, especially if the IPs have a bad sending reputation.
    • It is a best practice to notify recipients of your new sending domain prior to using it so they can add the new domain to their permitted sender list.
  • Ensure you are authenticating all email with SPF, DKIM and DMARC and confirm they are passing checks at mailbox providers such as Gmail, Microsoft, and Verizon Media (AOL & Yahoo!). Mimecast uses these authentication protocols to help protect their users from domain spoofing.
  • Ensure you have valid PTR records for your sending IPs.
  • Make sure you are not sending attachments with bulk marketing email. Attachments sent to numerous recipients at the same time are likely to be perceived as spam or phishing.
    • If you want the recipient to download a whitepaper or other resource, use a link to your website where the recipient can download the document directly.
  • If you send an attachment in 1:1 communications, Mimecast will scan it for potential threats. Make sure all attachments are free from viruses and malware.
  • What is the size of your email, including attachments? Mimecast has a default size limit of 100MB (Legacy Gateway) and 200MB (Latest Gateway). However, administrators may set a lower size limit based on their company's policy.
    • You should get an SMTP error message indicating your email size exceeded the limit.
    • Content encoding can add to the message size. So if your file attachment is small enough, and you continue to exceed the limit, it may be because of content encoding.
    • If you continually exceed the message size, use a file sharing service such as Dropbox.
  • Ensure you are using either a shared or dedicated IP address for your bulk marketing email. Do not use a dynamic IP address as they are frequently used by spammers.
  • Ensure you are not asking for personally identifiable information from the recipient such as a bank account number, credit card number, social security number, insurance number, or driver's license number. 
    • If you need the recipient to update their account information, ask them to login to their account at your website by opening a separate browser window. Existing customers know how to find you.
    • Including a link to your website for this type of email is not recommended because a popular phishing tactic is asking someone to click on a link to update their information and then sending them to a fake website.

Mediation for blocked email

If you have an established business relationship or partnership with a Mimecast customer and your email is being blocked, contact that partner directly to ask that you are removed from the block list and added to the permitted sender list.

You can submit a feedback request to Mimecast to investigate the block, but you need to make sure you have followed their suggestions listed on their sender feedback page prior to submitting the request. Mimecast will advance your feedback request only after you have contacted the recipient's email or network administrator and that administrator has contacted Mimecast.

 

 

Related articles

Turn your data into revenue

Whether you’re looking to optimize the performance of your email marketing, data management or sales functions, Validity is your trusted partner to ensure you’re reaching who you need to.

Company
Products
Solutions
Resources
Contact