SecureEmailGateway Setup Admin Student Guide Final 22 10 13

Uploaded by

Sandesh Parab
Secure Email Gateway: Setup and Administration Fundamentals
Student Guide
TABLE OF CONTENTS

HOW MIMECAST WORKS

LOGGING IN

LESSON 1: THE DASHBOARD

NAVIGATION
MIMECAST STATUS PAGE
NOTIFICATION FEED
EMAIL QUEUES
DIRECTORY CONNECTORS, JOURNAL CONNECTORS AND EXCHANGE SERVICE
ACTIVITY OVER 24 HOURS
TOTAL EMAIL TRAFFIC
REJECTIONS
ACCOUNT SUMMARY
ACCESSING OTHER DASHBOARDS

LESSON 2: ACCOUNT SETTINGS

ACCOUNT SETTINGS
DIRECTORY OPTIONS
USER ACCESS AND PERMISSIONS
SYSTEM NOTIFICATION
ACCOUNT CONTACT
PASSWORD COMPLEXITY AND EXPIRATION
ENHANCED LOGGING

LESSON 3: AUDIT LOGS

WORKING WITH THE AUDIT LOGS
COMMON EXAMPLES

LESSON 4: ROLES

SECURITY PERMISSIONS
ROLE EDITOR
ELEVATE BASIC ADMINISTRATOR ROLE
CUSTOM ROLES
PARTNER (EXTERNAL) ADMINISTRATOR ROLES

LESSON 5: CONNECTIVITY

©2022 Mimecast. All Rights Reserved |2


ON-PREMISES ACTIVE DIRECTORY
AZURE ACTIVE DIRECTORY
GOOGLE WORKSPACE
DOMINO DIRECTORY
CREATING DIRECTORY INTEGRATIONS
VALIDATING YOUR CONFIGURATION
VERIFYING YOUR INTEGRATION
SYNCHRONIZATION ISSUES
OUTBOUND TRAFFIC
JOURNALING
INBOUND EMAIL
MANAGING CONNECTORS

LESSON 6: USER AND GROUP MANAGEMENT

INTERNAL DIRECTORIES
INTERNAL DOMAINS
EXTERNAL DIRECTORIES
GROUPS

LESSON 7: ATTRIBUTES

ACTIVE DIRECTORY SYNCED ATTRIBUTES
CREATE A DIRECTORY ATTRIBUTE

LESSON 8: APPLICATION SETTINGS

COMPONENTS OF AN APPLICATION SETTING
AUTHENTICATION PROFILE
APPLICATION SETTINGS DEFINITION
GROUP
PROPAGATION
DEFAULT AUTHENTICATION PROFILE AND APPLICATION SETTINGS DEFINITION
CUSTOMIZING APPLICATION SETTINGS

LESSON 9: REPORTING

ACCESS REPORTING
ACCOUNT ASSESSMENT REPORT
PDF REPORTS
CSV DATA
OVERVIEW REPORTS
CUSTOM REPORT DEFINITIONS

LESSON 10: SERVICE MONITOR

ACCESS AND NAVIGATION
FUNCTIONALITY
DASHBOARD
ALERTS
SUBSCRIBERS
NOTIFICATIONS

LESSON 11: MESSAGE CENTER

MESSAGE CENTER STATUS QUEUES
MESSAGE TRACKING
ACCEPTED MESSAGES
HELD MESSAGES
REJECTED AND DEFERRED MESSAGES
BOUNCED MESSAGES
MESSAGE DELIVERY
PROCESSING QUEUE

Prerequisites
• N/A

Course Objectives
Following the course, you should be able to:
• Navigate and understand the functionality of the Administration Console.
• Explain the relevancy of the Mimecast Services status page.
• Explain the Account Settings menu item and its subsections.
• Create and manage Mimecast administrators.
• Understand Connectivity.
• Manage your users and groups.
• Explain what Attributes are and how they are used.
• Control user access to End User Applications and the limits within.
• Schedule delivery and read the reports Mimecast provides.
• Explain the service monitor features and create alert notifications.
• Locate and act on emails within Mimecast in the Message Center.

How this Guide Works
This guide has been designed to follow the structure of the instructor-led training session. Here you
will find the use cases, walkthroughs and scenarios discussed during the session, as well as useful
configuration and troubleshooting tips. In addition, where we can provide them, you will find some
frequently asked questions.

Scenario
These will highlight real-life use cases that will be covered with students in class.
Those targets without a green background are for students to have as added
take-aways from the session.

Troubleshooting / Knowledge Tips
These are intended to provide important points or facts that you should be aware of,
as well as helpful troubleshooting tips.

Discussion
There may be times in the course where the instructor asks participants to take part
in a discussion about a particular topic (e.g., to discuss something where there may be
more than one solution to a problem).

Warning or Alert
This is meant to provide you with a warning about something.

Welcome to Mimecast Services. This session will introduce you to the basic functionalities of using
the Mimecast Administration Console. As someone with administration permissions, you will be
given control over some or all parts of your organization’s Mimecast account. With certain
permissions, you can manage users, create policies, review logs, track user activity, troubleshoot
email delivery, and much more.

How Mimecast Works


Mimecast’s focus is Security, Archiving and Continuity. When it comes to Security, we are essentially
the middle person between you and your clients, in both directions. What this means is that
your email goes through the Mimecast cloud for inspection when you send mail to external
parties, ensuring your employees are not sending sensitive information out. And when clients
send emails to you, those emails are inspected for malicious links, attachments and more.
Mimecast uses policies to do this, which will be discussed in our Security Policies course.
In addition, Mimecast archives email data and metadata based on your defined retention period.
This data is captured through several input mechanisms including gateway-level capture, journal
feeds, LAN and cloud information syncs and bulk ingestion of historical data. All major mail
platforms are supported, including Exchange, Office 365 and Google Workspace.
The archive allows employees to search from anywhere, and on most devices. It is always accessible,
even when primary mail systems are down. Administrators and legal staff can run comprehensive
e-discovery searches, manage cases and data exports. Data can also be recovered from the archive to
the primary mail system if needed.
These are just some of the things Mimecast can do for you.

Logging In
You can log in using the Login button on mimecast.com. The options are Access my email, My Apps
and Partner Portal. To open the Administration Console, click the My Apps option. Here you
will also see the other applications you have purchased from Mimecast (e.g., Awareness Training,
Case Review, DMARC Analyzer).

Your login credentials will either be a Mimecast cloud account controlled by Mimecast or your
domain directory account password controlled by your organization’s directory.

Lesson 1: The Dashboard
The first time you log on to the administration console you will be greeted with a Virtual Tour
popup. This can be revisited at any time. The dashboard provides multiple status updates and
notifications. Graphs will show your email traffic during certain time periods.

Navigation

The top bar will be the main means of navigating the Administration Console.
Selecting Administration will reveal the menu of items you have permissions to see. Depending on
your role you may be limited to what you have access to.
The Mimecaster Central Search Bar allows you to search Mimecaster Central, our knowledge base
of page breakdowns and best practices.

The icons to the right give you access to:
• History - A list of the last 10 dialogs you opened (Clear History to delete)
• Favorites - You can mark up to ten dialogs as favorites, using the stars next to each sub-menu
item in the Administration drop-down (use the X next to each to remove).
• Mimecast Apps - List of all the applications you have purchased from Mimecast as well as
things automatically given to you (e.g., Mimecaster Central, Threat Dashboard)
• What’s New, Guides, Product Overview, Events and Feature Requests

User Account Profile


Your Mimecast user account profile details are displayed on the
right-hand side of the Administration Console header. It displays
your:
• Mimecast account name
• Mimecast logon
• Role
• Avatar
Clicking anywhere on your account profile details displays a popup
dialog with access to:
• Account and support details (see below).
• Preferences (early access toggle)
• Contact Support
• Ask a Question
• Share an Idea (This has been moved to the bull horn “Feature Requests”)
• Send Technical Information (This option has been deprecated with change in support
systems and instead information should be shared through Mimecaster Central)
• Log Out
Note: The Account and Support details menu item displays your "Mimecast ID". This is a numeric
code that you will need when raising telephone support cases with us.

Mimecast Status Page
Mimecast provides a status page of all services in all serviced regions at: status.mimecast.com
You can also access it from the Administrative Console Dashboard in the upper right corner of the
Notification Feed.

This page is separate from Mimecast infrastructure to provide an accurate and independent status.
Use this page when troubleshooting any Mimecast-related problems to keep yourself informed.

Status
A general status indicator at the top provides an immediate overview of Mimecast’s services. Selecting
any of the regions provides the breakdown of the services Mimecast provides.

History
Here you can view any previous incidents as well as the timeline of actions Mimecast has taken to
investigate and resolve the situation.

Notification Feed
The Notification Feed displays notifications sent by Mimecast to you about your account. The
notifications are displayed in a list with the latest at the top. You can filter the notification feed by
either Product which displays only notifications about things like new releases or by Service which
will display only notifications about your Mimecast service.
In situations where we want to draw your
attention to a notification, for example a service
outage, this will be the only filter type available.
Service notifications will have a color-coded title
and icon that have the following statuses.

Email Queues
The Email Queues are a graphical display of the volume of your incoming and outgoing messages
over the last 48 hours. You can hover over a graph’s data point to display the number of emails
per category at a given point in time. The See More link in the upper right will allow you to navigate
directly to the Delivery Queue, which you can also navigate to under Administration | Monitoring |
Delivery. The Delivery Queue displays all inbound and outbound messages waiting to be delivered
and is therefore often empty as long as there is nothing wrong with inbound and outbound mail flow.

Directory Connectors, Journal Connectors and Exchange Service
The Directory Connectors, Journal Connectors, and Exchange Services sections show you your
Service status indicators.
• Green = good service
• Amber = partial disruption or errors/warnings
• Red = the service has been disrupted
Each section has a “See more” link to bring you directly to the relevant area in the Administration
Console.
• Directory Connectors: Directory Connectors are added to allow Mimecast to synchronize
with an organization’s Active Directory so that the users can be managed on the Mimecast
platform and assigned to certain policies and applications.
There are different types of directory connectors, depending upon the infrastructure you
have:
  - Active Directory (LDAP)
  - Domino Directory (LDAP)
  - Office 365 / Windows Azure Active Directory
  - Google Directory
• Journal Connectors: Journal Connectors are created to capture internal email between
users. In this way, internal email communications are added to your organization's Mimecast
Archive.
• Exchange Service: This replicates your Outlook folders into your archive, so you have
consistency in your views. This is for customers with an On-Premises environment who use
the Mimecast Synchronization Engine.

Activity over 24 Hours


The Activity over 24 hours section displays the total number of messages in each of the categories
displayed over the previous 24 hours.

Use the path next to each item to navigate to the areas identified below and act.
• Attachments Blocked - Monitoring | Attachments
• Rejected Messages - Message Center | Rejected and Deferred Messages
• Bounced Messages - Message Center | Bounced Messages
• Policy Edits - Gateway | Policies
• Held Messages - Message Center | Held Messages
• Attachments Linked - Monitoring | Attachments

Total Email Traffic
The Total Email Traffic section displays an hourly breakdown of your total internal, inbound, and
outbound email traffic over the previous seven days. You can hover over a graph's data point to
display the number of the emails per category at a given point in time.

Note: You can zoom in on the graph’s data to display the hourly breakdown by dragging over the
date range and releasing the mouse.

Rejections
Displays the top five rejection types for your account, in no specific order, over a 24-hour period.
You can hover over a graph's data point to display the date, time, and the number of rejections at a
given point in time.

Account Summary
This summary provides you with information about your account.
• Your account name
• Mimecast ID
• Your account code
• Your security passphrase (if one has been configured with us)
• Your support code. This must be quoted when calling Mimecast Support to log a call.
• Your account's maximum retention period for messages

Accessing Other Dashboards


To access the main dashboard if you have closed it, you will click the Mimecast logo in the upper left
corner of the Administration Console. However, to access other administrative dashboards:

1. Click the icon in the top left-hand corner of the Administration Dashboard.
2. Select either the:
• Attachment Protect menu item to display the Targeted Threat Protection - Attachment
Protect dashboard.
• URL Protect menu item to display the Targeted Threat Protection - URL Protect
dashboard.
• Large File Send menu item to display the Large File Send dashboard.
Note: You will only see the dashboards for the services you have purchased.

Lesson 2: Account Settings
Your account's settings contain information about your account (e.g., your archive retention period,
the number of licensed users, the Mimecast Service you have purchased). There are also some
configurable settings. Some of these can only be amended by Mimecast Support and are typically
configured when your account is initially created.
To access Account Settings, navigate to Administration | Account | Account Settings.
The menu groups are as follows:
• Account Settings: License and retention details regarding your Mimecast account. The menu
is displayed by default.
• Directory Options: Options to link or clear alias addresses.
• User Access and Permissions: Configure global access for users and timeout for
Administration Console sessions.
• System Notification Options: Specifies certain notification addresses.
• Account Contact: Account contact details.
• Cloud Password Complexity and Expiration: Controls password complexity, expiration and
account lockout for Mimecast Cloud passwords.
• Enhanced Logging: For use with APIs

Account Settings
The Account Settings sub-group provides license and retention details regarding your Mimecast
account. Much of what you see here cannot be edited even as a super administrator.

Account Settings
• Account Name: The name for your Mimecast account. This is usually your organization's name.
• Mimecast ID: The ID of your Mimecast account. This is to be used for interactions with
Mimecast Service Delivery.
• Account Code: A unique identifier for your Mimecast account to log a support ticket.
• Database Code: A reference for the database instances of your Mimecast account.
• Account Status: Enabled by default. This is only disabled if your account has been terminated.
• DNS Authorization Code: Used to verify permissions for sending through the Mimecast SPF IP
Addresses. Added during account implementation.
• Maximum Retention (Days): Added during account implementation, this specifies the maximum
number of days messages will be retained in the archive. This setting cannot be increased by
administrators, but it can be reduced for retention of specific messages.
• Maximum Retention Validated: Specifies that the Maximum Retention (Days) value has been
approved by a user with Super Administrator, Full Administrator, or Partner Administrator
permissions. Occasionally requested to verify that the account retention setting is still accurate.
• Number of Users: The number of users licensed within this Mimecast account.
• Pause Inbound Deliveries: If your email system is temporarily unable to accept messages,
enabling this option will globally halt Mimecast from sending emails to that email environment.
• Warning Message After (Attempts): Mimecast will send a warning notification to users in your
organisation notifying them that Mimecast has an issue delivering mail to them. By default, these
notifications are delivered to senders after 60 minutes or six retry attempts, whichever comes first.
• Bounce Message After (Attempts): Mimecast will send a bounce notification to users in your
organisation notifying them that Mimecast has an issue delivering mail to them. By default, these
soft bounce notifications are delivered to senders after 96 hours (four days) or 30 retry attempts,
whichever comes first.
• Ingestion Partner: Certified Ingestion Partner to perform end-to-end migrations using the
Mimecast Simply Migrate client via the Ingestion API.
• Ingestion Size Limit: Specify the maximum amount of data the account can ingest in Terabytes
(TB), e.g., 10 for 10 TB, 0.1 for 100 GB, 0.01 for 10 GB.
• API Export (Case Review): Enables the ‘API Exports’ section in Case Review, which allows
export data to be downloaded through Simply Migrate.
• Awareness Training Modules: The value displayed here reflects the total number of Modules
allowed within the Awareness Training platform. This value is automatically set when an
Administration Console is created during the implementation phase and/or is updated
automatically upon the Mimecast subscription renewal date. This is a read-only field that can only
be set by Mimecast Support.
• Awareness Training Custom Modules: The value displayed here reflects the total number of
Custom Modules allowed within the Awareness Training platform. This value is automatically set
when an Administration Console is created during the implementation phase and/or is updated
automatically upon the Mimecast subscription renewal date. This is a read-only field that can only
be set by Mimecast Support.

Directory Options
This grouping deals with linking, or not linking, the aliases within your environment.
• Automatically Link Aliases: Uses the mailbox information from Active Directory to link alias
addresses to primary mailbox addresses in Mimecast. This allows users to log in using their
primary address, and access emails for the aliases.
• Clear All Aliases: Removes the alias links to the primary addresses in Mimecast Directory.

User Access and Permissions


There are various settings here to control user access and permissions for your Mimecast account.
• Administration Console Timeout: If an administrator is inactive for the selected time, the
session will expire and they will have to log back in.
• Send BCC to Mail Server: When sending mail using Mimecast for Outlook or Mimecast Personal
Portal during a Continuity Event, or the Mobile application, the platform automatically adds the
sender’s email address in the BCC field. This ensures that a copy of the message is routed back to
your infrastructure by default.
• SMTP Submission Override: SMTP Submission Override allows all Internal users to use the
Mimecast Platform as an alternative outgoing mail server using SMTP Authentication. This option
should only be used with care and therefore only Mimecast Service Delivery can enable/disable it
for you.
• Display Sender Avatar to External Users: If you use Directory Synchronization, Mimecast can
retrieve images associated with the user's email address. With this option enabled, these images
can be displayed as user avatars in Mimecast solutions (e.g. Secure Messaging).
• Admin IP Ranges (CIDR n.n.n.n/x): You can restrict those who can log on to the Administration
Console to specific IP addresses and / or ranges.
• Content Administrators Default View: When set to "Content", an administrator with content
permissions will by default be presented with the content of the items they open, after which
they can toggle to the metadata. When set to "Metadata", an administrator with content
permissions will by default be presented with the metadata of the items they open, after which
they can toggle to the content.
• Targeted Threat Protection Authentication: A user’s device cannot be authenticated perpetually.
Set a period after which a user's device must be reauthenticated, if there has been no user
interaction with Targeted Threat Protection.
• Authentication Duration (Days): Enter the number of days that need to pass before a user will
have to re-authenticate.

System Notification
System notifications control who gets notified by SMS, the postmaster address, and who is alerted
for specific events such as archive searches or when export blocks are finished.
• SMS Attribute: Specifies the Active Directory or Mimecast attribute that identifies the mobile
phone number of users. When sending an SMS to a user, we use the number associated with this
attribute.
• Notification Postmaster Address: Specifies the email address from which all user notifications
are sent. A postmaster address is created by default in the internal domains and is selected by
default. The address cannot be deleted but a different email address can be used by clicking the
"Lookup" button.
• Privileged Access Notifications: This email address will be notified when an archive search is
performed by an administrator.
• Enforce Archive Search Reason: When selected, Administrators will be required to provide a
reason when searching for emails under Administration | Archive | Archive Search or
Administration | Message Center | Message Tracking. The reason provided will be reflected within
Administration | Archive | Search Logs under the “Reason” column as well as within the Privileged
Access Notifications email that is sent to the email address listed within the “Privileged Access
Notifications” field under Administration | Account | Account Settings | System Notification
Options.
• Send Notification When Export Block is Complete: This option enables automatic email
notifications when exports are requested.

Account Contact
The contact information here provides Mimecast the point of contact to alert regarding Mimecast
services. Keep this information up to date as frequently as possible.
• Contact Name: This is the contact that Mimecast Support uses to contact customers regarding
your Mimecast Account. When updating these fields, please do so by contacting Support via phone
or by opening a Support ticket via Mimecaster Central.
• Telephone: Number for the Contact.
• Emergency SMS Number: The contact’s mobile phone number.
• CC Email Addresses: Alternate email addresses. Multiple email addresses can be added
separated by a comma. Ensures that notifications can be communicated to a wider group.

Password Complexity and Expiration


As a Mimecast customer you can log in to the Administration Console with either a Domain Password
or a Cloud password. The settings in this section only affect cloud passwords. Active Directory
accounts and passwords are not controlled by this.
Mimecast provides options for administrators to enforce user account password complexity and
expiration settings. This feature enhances Mimecast cloud account security by reducing the risk of a
security breach through end users setting weak passwords and brute force attacks. These settings
include defining the password length and complexity (e.g., enforcing numeric, non-alphanumeric
characters and uppercase letters), the expiration period, and the account lockout policy. More info
here.
• Minimum Password Length: 8
• Include at least one lowercase alpha character (a-z): Select the complexity, must have at least 3
of the items selected that make up complexity.
• Include at least one lowercase numeric character: Select the complexity, must have at least 3 of
the items selected that make up complexity.
• Password Expiry: The account lockout setting cannot be disabled. Administrators can configure
custom settings, or the Mimecast default system settings will be applied (e.g., after five
consecutive unsuccessful log on attempts, the account is locked for 15 minutes).

More detail can be found here.

Enhanced Logging
If you are using a SIEM or any other data analytics platform, you can enable additional logging of
email transactions on your account. These logs are available using the SIEM Logs API.
For more information, see the Mimecast Documentation site and SIEM Logs API here.
These additional settings do not impact the current Reporting features available in the
Administration Console and are only available using an API integration.

Lesson 3: Audit Logs
Audit Logs are system related logs that help administrators monitor changes
and events in their Mimecast platform. They act as a security measure and a
troubleshooting tool. The logs monitor the activity of both admins and users,
whether they were performed manually or automatically. Some events
captured are:
• Account changes
• User account changes
• Policies and definition altering
• Directory syncs
• Journal failures
• Folders created, updated
• Login attempts, failures

Working with the Audit Logs


To access the Audit Logs, navigate to Administration | Account | Audit Logs.
Filter and Search
You can filter on the types of logs you wish to see using the filter in the top right, as well as search
using the tools available in the top left to enter specific criteria and choose a date range.

Common Examples
Some common examples of logs are as follows:
Event: Logon Authentication Failed
Description: A user attempted to log on to the Administration Console, but their authentication failed
Information Provided:
• User’s login
• Date and time
• IP address
• Application used to access Mimecast

Event: New Policy
Description: A policy was created
Information Provided:
• Administrator
• Date and time
• Policy type
• Full policy details

On the Audit Logs page, select a log to display its information. The log displays details about each
event.
• User: Email address of who triggered the event
• Category: Category of the event that generated the log file (e.g., Policy Logs, Account Logs)
• Type: Displays the type of event (e.g., New Policy, Completed Directory Sync)
• Details: Displays brief details about the event or changes made. The details displayed
depend on the type of event.
• Date / Time

Exporting
When exporting, you can select which columns of the log you want
included. Click the Export button in the top left corner to see the panel
shown here.
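
One way to triage an exported audit log for the Logon Authentication Failed events described in this lesson, as an added example that is not Mimecast code and not part of the original guide. The CSV layout, the Details text format, the sample rows and the allowed range are constructed assumptions; the default threshold of five failures within 15 minutes borrows the default lockout values from the Password Complexity and Expiration section.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "Logon Authentication Failed"  # event type named in the guide

# Constructed sample export. Column names follow the fields the guide lists for
# an audit log entry; the Details text, timestamp format and rows are assumed.
SAMPLE_EXPORT = """User,Category,Type,Details,Date/Time
alice@example.com,Account Logs,Logon Authentication Failed,"IP: 203.0.113.7, Application: Administration Console",2022-10-13 09:00:05
alice@example.com,Account Logs,Logon Authentication Failed,"IP: 203.0.113.7, Application: Administration Console",2022-10-13 09:01:10
alice@example.com,Account Logs,Logon Authentication Failed,"IP: 203.0.113.7, Application: Administration Console",2022-10-13 09:02:00
alice@example.com,Account Logs,Logon Authentication Failed,"IP: 203.0.113.7, Application: Administration Console",2022-10-13 09:03:30
alice@example.com,Account Logs,Logon Authentication Failed,"IP: 203.0.113.7, Application: Administration Console",2022-10-13 09:04:15
bob@example.com,Account Logs,Logon Authentication Failed,"IP: 198.51.100.20, Application: Administration Console",2022-10-13 10:15:00
bob@example.com,Account Logs,Logon Authentication Failed,"IP: 198.51.100.20, Application: Administration Console",2022-10-13 11:40:00
carol@example.com,Account Logs,Logon Authentication Failed,"IP: 192.0.2.55, Application: Administration Console",2022-10-13 12:00:00
admin@example.com,Policy Logs,New Policy,"Policy type: constructed example",2022-10-13 12:30:00
"""

# Assumed Details convention for this sample: "IP: <address>, ..."
IP_RE = re.compile(r"IP:\s*([0-9A-Fa-f:.]+)")


def parse_events(export_text):
    """Turn the exported CSV text into a list of event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ip = None
        match = IP_RE.search(row["Details"])
        if match:
            try:
                ip = ipaddress.ip_address(match.group(1))
            except ValueError:
                ip = None  # malformed address: keep the event, drop the IP
        events.append({
            "user": row["User"],
            "category": row["Category"],
            "type": row["Type"],
            "ip": ip,
            "time": datetime.strptime(row["Date/Time"], "%Y-%m-%d %H:%M:%S"),
        })
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=15)):
    """Return {user: peak failures inside any window} for users at or above threshold."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] == FAILED_LOGON:
            by_user[ev["user"]].append(ev["time"])

    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(times):
            # Slide the left edge until the span fits inside the window.
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[user] = peak
    return bursts


def failed_logons_outside_ranges(events, allowed_cidrs):
    """Return sorted (user, ip) pairs for failed logons from outside the allowed CIDR ranges."""
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    hits = set()
    for ev in events:
        if ev["type"] != FAILED_LOGON or ev["ip"] is None:
            continue
        if not any(ev["ip"] in net for net in networks):
            hits.add((ev["user"], str(ev["ip"])))
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EXPORT)
    print("Bursts:", failed_logon_bursts(evts))
    # 198.51.100.0/24 stands in for a configured Admin IP Ranges value.
    print("Outside ranges:", failed_logons_outside_ranges(evts, ["198.51.100.0/24"]))
```

Adjust the column names and the `IP_RE` pattern to match the columns you actually select in the Export panel before running this over a real export.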

Lesson 4: Roles
The Mimecast administrator roles are a collection of permissions that control access to
Administration Console functionality and certain Mimecast Applications (e.g., Awareness Training,
Case Review, DMARC Analyzer, Brand Exploit Protect, CyberGraph, etc.). Each role determines the
depth of access and can be used to control the tasks performed.

Default Roles
Protected Roles have a padlock next to them (see items 1-5 below).
1. Super Administrator: Can manage application roles and has full privileges to all account
options, including the content view of all email, delegate mailbox access, and the
assignment of protected permissions (for example, the assignment of content view).
2. Full Administrator: Can manage application roles and has high-level administrator
privileges, including the content view of all messages, delegate mailbox access, message
exports, and the creation and approval of retention adjustments.
3. Partner Administrator: Can manage application roles and has full privileges for Partner
Administrators, including delegate mailbox access, but excludes protected permissions.
4. Discovery Officer: Cannot manage roles but has access to common eDiscovery features
such as archive search with content view, messages exports, and the creation or
approval of retention adjustments.
5. Reviewer: Cannot manage roles but has access to the Case Review application as a
reviewer, where discovery cases can be reviewed for relevance and privilege.
6. Gateway Administrator: Has read access to common gateway functionality (e.g., policy
management, message tracking, service connections, and user settings) and rights to
create other administrator accounts without protected permissions.
7. Basic Administrator: A primary administrator account with rights to create other Basic
Administrator accounts, but with no access to protected permissions. You can do basic
things such as create policies, but you cannot read email for example.
8. Help Desk Administrator: Has access to common help desk tasks (e.g., message tracking,
read-only access to policy management, service connections, and user settings).
Read Administrator Role Permissions for a detailed list of permissions.

Security Permissions
Your account comes with a list of default roles. Each role has a security permission assigned. The
security permissions are as follows:
• Cannot Manage Roles: Access to the Roles tab is disabled.
• Manage Application Roles: The Application Role also allows Administrators the ability to
control the Administration Console menu items that other administrators can access. The
exception is if the application areas are marked as protected with the "Protected Roles"
permission.
• Manage Protected Roles: A Protected Role is one that allows an Administrator to control
the Administration Console menu items that other administrators can access, including
functionality with protected content (e.g., viewing email content, archiving email content,
exporting messages, managing retention and smart tag assignment). Protected roles have a
padlock icon located to the left of the "View Role" button.

The default roles, their respective security permissions, and the types of permissions they have are
listed in the table below.
Default Role: Security Permission
• Super Administrator: Manage Application & Protected Roles
• Partner Administrator: Manage Application Roles
• Full Administrator: Manage Application Roles
• Discovery Officer: Cannot Manage Roles
• Reviewer: Cannot Manage Roles
• Basic Administrator: Manage Application Roles
• Help Desk: Cannot Manage Roles
• Gateway Administrator: Manage Application Roles
• Synchronization Engine Administrator: Cannot Manage Roles

Synchronization Engine Administrator
This is a unique role in that it cannot be used to log in to or manage the Mimecast Administration
Console; rather, it is only used for MSE Site binding purposes.

Role Editor
Administrator roles are managed using the Role Editor. This allows administrators to:
• Control the users assigned to roles
• Create custom roles in addition to the default roles provided
To access the Role Editor, the administrator must have the correct Security Permissions. Without
these permissions, the Roles tab is not displayed in the Administration Console.
To display the Role Editor:
1. Navigate to Administration | Account | Roles
Within the Role Editor, you will see the following.
• Default Roles: Default roles are listed and indicated by a View Role button next to them.
These can only be viewed and not edited.
• View Role and Edit Role Buttons: In the list of roles, you will notice that some have a View Role
button and others have an Edit Role button. Those with the ability to edit are Custom Roles
(names and descriptions displayed in italics). These are a copy of an existing role. The roles
with the View Role button are roles that you cannot edit.
• Right-Click options: Right-clicking on a role will allow you to do things such as Add Users to a
Role, Manage Users for a Role, Copy a Role, and Remove a Role for those Administrators
with the proper permissions.
• Padlock: Roles with a Padlock have access to the Role Editor and have Protected
Permissions, meaning they can modify access to protected application areas (e.g., archive
email content, exporting messages, managing message retention).
• Custom Roles: Custom roles can be changed / deleted and are displayed in italics.



• Members Column: This column shows the number of members added to a particular role.
• Description Column: This column provides detail on what each Administrator has
permissions to do.

[Figure: Role Editor, with these callouts:]
• Default Roles can only be viewed
• Right-click a role to display a pop-up menu
• Roles with the padlock icon have access to the Roles Editor and also have protected permissions
• Number of users assigned to a particular role
• Description of the level of permissions for a particular role
• Custom Roles can be changed / deleted and are displayed in italics

View a Role
To view what permissions a particular role has in detail:
1. Click View Role next to any of the roles
2. Once opened, you will see Properties and Security Permissions sections.
3. Under Security Permissions you will see what type of security permissions that role has.
4. Under the Application Permissions area you will see all the menus in the Administration Console
that role has access to and what type of access [e.g., Read, Edit, etc.]



Elevate Basic Administrator Role
During your implementation, the first Administrative Role assigned is Basic Administrator. If you
want more permissions within the console, you will need to upgrade to a Super Administrator
or another protected role. To do this, you must contact Mimecast Support.

Mimecast Support Case


If a user requires a Super Administrator, Full Administrator, or Discovery Officer role, the following
steps must be followed:
1. Create a Mimecast Support Case. This request must:
• Be written on your company letterhead.
• Be signed & dated by a director or higher in your organization.
Note: The signatory and assigned person cannot be the one and the same person. If a
director is the designated superuser, another director of the company needs to sign
accordingly.
• Specify their name and position.
• Clearly state the email address that needs to be added / removed, and / or the password
to be reset.
Note: Click here and under the Managing Administrators section, you’ll see a link to
download a template that can be used for this purpose.
2. Once the request has been received, we perform a series of checks to confirm the request.
3. When successfully confirmed, a change request is issued to the Mimecast Security Team.
4. Once the new email address has been assigned to the role and / or the password has been
reset, a Mimecast Support representative will contact the Director to verify this request.

Custom Roles
You can only create a role with a permission level equal to or lower than that of the logged-in
administrator. Likewise, depending on your administrative permissions, you can only create an
administrator with the same or lesser permissions.
When creating a role, we suggest copying an existing role instead of creating a new one. The best
practice is to assign fewer permissions than the user needs and then add permissions. Another
recommendation is to keep part of the name of the original role as part of the description.

Create Custom Roles


To create a custom role:
1. Inside the Role Editor right-click on an existing role close to the permissions of the role you
wish to create and choose Copy Role.
2. A role is created and placed at the end of the list and italicized. Click the Edit Role button next to it.
3. Complete the Properties section with a name and description.



Note: When creating a custom role, be sure to be very specific with the name and description so
that you and any other administrators know what the custom role entails when assigning it to
others.
4. Select the desired Security Permission
5. Select / Deselect Application Permissions for the role
[Read, Edit, Protected Areas]
6. Save and Exit
Note: Use the Edit Role button next to the copy you just made and add / remove permissions.

Custom Role Actions


Action             Steps
Changing           Click Edit Role, make changes, Save and Exit
Copying            Right-click on a role and choose Copy Role
Adding Users       Right-click on a role and Add Selected Users
Removing Users     Right-click and select Manage Users for Role, right-click on the user and choose Remove User from Role
Deleting a Role    Remove all users from the role then right-click and choose Remove Role

Partner (External) Administrator Roles


At the top of the Roles Editor, you will see a button labeled Manage External Administrators.

• As a Customer, this is the area where you will see any 3rd party administrators that have
access to your Administration Console.
• As a Managed Service Provider (MSP), this is the area where you will see who you have at
your partner organization set up to manage that customer’s account.

MSPs should be encouraged as a part of best practice to link their External Address to
any Customer they are supporting, ensuring they have both access to the
Administration Console and can Raise Support tickets for that account.



Customer Use

• As a customer, if you are logged on as a Super or Full Administrator, you can see the
Manage External Administrator button.
• When you click the button, you can see a list of the 3rd party administrators that have access
to your Administration Console.

Partner Use
Managed Service Providers (MSPs) are added to this area by the original MSP that Mimecast
connected to this customer account. Mimecast does this so that MSPs can have SSO access to
customers through the Partner Portal. Mimecast will have given them special credentials for
accessing the customer account through the Partner Portal (e.g.,
[email protected])

If you are an MSP, you should know that when you log into the Partner Portal, there is a place where
you can see all the customers whose Administration Console you have access to. It is here where you
will click an Administration Console button next to their company name and be logged in with SSO.

Adding External Administrators


After logging into the customer Administration Console, MSPs will navigate to Administration |
Account | Roles if they wish to add any other partners from their organization to manage their
customer account. Note: They can also do this through the Portal.

1. To do this in the Administration Console, click the Manage External Administrators button
2. Click the Add External Admin button
3. Enter the External Admin Email Address of the partner you want to manage this account
and use the Select Role drop-down menu to assign them the Partner Administrator role
4. Click Save and Exit.

Things to be aware of:

• If you click on the Partner Admin Role at the home page of the Role Editor, you
will see the external admin you added is located here and listed as a member.
• If you click on any of the users listed as an External Administrator, you will notice
an External Admin Account Code. This is auto generated when you create a new
External Admin and Save.
• If adding multiple email addresses, you will add them one by one here or they
can be added via the MSP Portal. See article below.

More information on delegating access here. See also the Managed Service Providers (MSPs) Portal.



Lesson 5: Connectivity
Connectivity covers how your organization connects to Mimecast. Your basic connections
should be set up during your implementation process (e.g., Authorized Outbound IPs).

Integrating your Company’s Directory

Directory Synchronization allows you to securely automate the management of Mimecast users and
groups using your company directory, whether that be hosted on-premises or in the
cloud. Integrating your company's directory with Mimecast has several benefits, ranging from
feature enablement to reducing the administrative overhead of configuring and maintaining
Mimecast features.

If you want to integrate your Directory, the following options are available to you:

On-Premises Active Directory


• On-Premises Active Directory (LDAP): Using an inbound LDAP(S) connection, Active
Directory users and groups are automatically synchronized to Mimecast. This requires a
firewall change to allow connectivity from Mimecast to your Domain Controllers. See
the Enabling LDAP Directory Synchronization for Active Directory page for full details.
• On-Premises Active Directory (Synchronization Engine): Using the Mimecast
Synchronization Engine and a secure outbound connection from your internal network,
Active Directory users and groups are securely and automatically synchronized to Mimecast.
See the Mimecast Synchronization Engine: Enabling Active Directory Synchronization page
for full details.

Azure Active Directory


• Microsoft Azure - Standard: If your organization uses Microsoft 365 or is already
synchronizing an on-premises Active Directory to Microsoft Azure, Mimecast offers a cloud
to cloud Azure Active Directory Sync to allow you to automate the management of your
users and groups. See the Enabling Azure Active Directory Synchronization for Microsoft 365
page for full details. The same functionality is available for Microsoft Azure - GCC HIGH.

Google Workspace
• Google Directory: To configure a directory synchronization integration for Google
Workspace, you must perform external tasks in the Google API and Administration Console.
See the Configuring Google Workspace for Directory Synchronization page for full details.

Domino Directory
• Domino Directory (LDAP): If your organization uses Domino Directory, Mimecast offers an
LDAP Sync feature to automate the management of your users and groups. See the Enable
LDAP Directory Sync for Domino Directory page for full details.



Creating Directory Integrations
To create a new Directory Integration, you can either click the See more link next to Directory
Connectors on the home page of the Dashboard or you can:
1. Navigate to Administration | Services | Directory
Synchronization
2. Click on Create New Integration
3. Enter a Name, provide a Description, select your integration Type and click next:

4. Depending on your environment you will be presented with different options and information to
fill out (see links to the steps for the different environments outlined on the previous page).
5. Click Next when all information has been entered. Mimecast will then perform a test to validate
whether the Hostname or IP is both in a valid format and publicly facing.
6. When finished, click the Create Integration button in the lower right.

Validating Your Configuration


To validate your settings:
1. Log on to the Administration Console.
2. Navigate to Administration | Services | Directory Synchronization menu item.
3. Select the Directory Integration you want to test. A panel will open.
4. Click on the Test Connection tab. The test will commence.



5. A series of tests will be performed. They include:
• Connectivity tests
• Authentication test
• Authorization test
• Sample address test
A tooltip will display additional information, including possible solutions if a test fails.
The test option can be used before your settings have been saved, so you can run it before
saving your changes.

Verifying Your Integration


Once these steps are complete, we will synchronize with your Directory automatically three times
per day, at 8am, 1pm, and 11pm. The synchronization timing is taken from the region your account
is in. For the Europe region, the timing is in GMT. For the North American region, the timing is in EST.
To validate that your scheduled synchronizations are completing successfully, you can view the
status of your directory integration and request a synchronization:
1. Navigate to Administration | Services | Directory Synchronization.
2. Click on the Sync All button to trigger a synchronization.

[Figure: Directory Synchronization page, with these callouts:]
• When clicking on View manual sync report, users will be presented with a summary of any errors
and the ability to download the full results in .TXT format.
• When selecting Sync All, Mimecast will sync all enabled integrations.
• Access to the legacy version will be available for a limited time.
• Your list will provide the status of your integration, when it was last synced and the outcome of
the last sync.

A common reason for manually synchronizing your directory data is when you have just added new
users to your environment, and you wish to sync them with Mimecast before the next
synchronization to ensure appropriate security and policies are applied.
If you need to completely remove a user’s access to Mimecast, the easiest way is to remove their
Active Directory account. Once the next directory synchronization is complete, they will be unable to
access any of our services.
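Because a removed directory account keeps its Mimecast access until the next synchronization completes, the schedule above determines how long that access lingers. The following is an added example, not part of the guide or of any Mimecast tooling: it works out the next scheduled sync for a set of removals and flags the ones where Sync All should be triggered instead of waiting. The function names, the sample data and the fixed UTC offsets for GMT and EST are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Scheduled synchronization hours stated in the guide: 8am, 1pm and 11pm.
SYNC_HOURS = (8, 13, 23)

# Assumption: fixed UTC offsets for the two regions the guide names. It says
# GMT for Europe and EST for North America and does not mention daylight saving.
REGION_TZ = {
    "europe": timezone(timedelta(hours=0), "GMT"),
    "north_america": timezone(timedelta(hours=-5), "EST"),
}


def next_scheduled_sync(removed_at, region):
    """Return the first scheduled sync strictly after removed_at (timezone-aware)."""
    if removed_at.tzinfo is None:
        raise ValueError("removed_at must be timezone-aware")
    tz = REGION_TZ[region]
    local = removed_at.astimezone(tz)
    # Try the rest of today's slots, then roll over to tomorrow's.
    for day_offset in (0, 1):
        day = local.date() + timedelta(days=day_offset)
        for hour in SYNC_HOURS:
            slot = datetime(day.year, day.month, day.day, hour, tzinfo=tz)
            if slot > local:
                return slot
    raise RuntimeError("no slot found")  # not reached: tomorrow 08:00 always qualifies


def removals_needing_sync_all(events, region, max_wait):
    """Return (user, wait, next_sync) for removals that would wait longer than
    max_wait for the schedule, longest wait first. The wait is a lower bound,
    because access ends when the sync completes, not when it starts."""
    flagged = []
    for user, removed_at in events:
        slot = next_scheduled_sync(removed_at, region)
        wait = slot - removed_at
        if wait > max_wait:
            flagged.append((user, wait, slot))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


def longest_gap():
    """Longest interval between two consecutive scheduled syncs."""
    hours = list(SYNC_HOURS) + [SYNC_HOURS[0] + 24]
    return timedelta(hours=max(b - a for a, b in zip(hours, hours[1:])))


# Constructed sample data: directory account removals, timestamps in UTC.
SAMPLE_REMOVALS = [
    ("alice@example.com", datetime(2024, 3, 4, 13, 5, tzinfo=timezone.utc)),
    ("bob@example.com", datetime(2024, 3, 4, 7, 40, tzinfo=timezone.utc)),
    ("carol@example.com", datetime(2024, 3, 4, 23, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print("Longest gap between scheduled syncs:", longest_gap())
    limit = timedelta(hours=1)
    for user, wait, slot in removals_needing_sync_all(SAMPLE_REMOVALS, "europe", limit):
        print(f"{user}: next scheduled sync {slot.isoformat()} (wait {wait}); use Sync All")
```
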

Click the Ellipsis to view, edit, disable or delete an integration. Take note of the
search field in the upper left and the filter options on the right.

See Directory Synchronization for detail and links to configuring for different environments.



Synchronization Issues
There are certain instances where the synchronization process fails resulting in potential end user
logons failing and permission issues.
The first place you would see an indication of an issue would be under the Directory Integrations
panel on the dashboard. Here you would see either an amber color which is an indicator of Partial
disruption or red which indicates there is a Service disruption. You will also see it under Services |
Directory Synchronization.
The first place to begin troubleshooting a directory connection issue is the point of entry
where Mimecast connects to obtain your directory information. Read Troubleshooting LDAP
Directory Synchronization for further detail.

Outbound Traffic
Once your Mimecast account has been created, your Technical Point of Contact (TPOC) should log
onto the account to confirm they can access it. If this is successful, your email server can be
configured to route outbound emails through Mimecast.
This requires that your:
• Public IP addresses are added to Mimecast's authorized outbounds. The Connect Team or
Mimecast Support will configure these. If utilizing a Cloud service (e.g., Office 365, GSuite),
the Connect Team or Support can add these.
• Firewall is configured to allow access to Mimecast Data Center IP Ranges for SMTP port 25.
See the Mimecast Data Centers and URLs page for more information. You will need to be
logged into Mimecaster Central to access this page.
Note: This step may not be applicable on Hosted Exchange (HEX) and Microsoft 365
implementations.
• Email server or cloud service is configured to deliver emails to Mimecast
See Connect Process: Setting up Your Outbound Email for further detail.

Authorized Outbounds
The goal is to configure your environment to ensure Mimecast is accepting email on behalf of your
company only over the IP ranges that your Technical Point of Contact tells us are authorized for your
company. If you are on-premises, you need to have a connection created. This is called an
Authorized Outbound.
We add at least one IP address to your authorized outbounds, based on the information you
provided when your Mimecast account was created. These IP addresses are the only ones that
Mimecast will accept outbound email from. You can have multiple authorized outbounds, but
networks cannot be added.
To check your Authorized Outbounds:
1. Navigate to Administration | Gateway | Authorized Outbounds
Note: The information here cannot be changed without the assistance of Mimecast.
On-Premises
If you are on-premises, you will see the name of the connection, the IP address range and Mask.



Microsoft 365 or Google Display
If you send email from a shared hosting provider (e.g., Microsoft 365 or Google Workspace), a
message will show at the top of the Authorized Outbounds page as follows: "Your account is
configured to process traffic from Office 365".
Other 3rd Party Hosting Service
If you are using another 3rd party hosting service, these IPs will not be listed on your account. You'll
need to contact Mimecast Support to ensure your account is provisioned appropriately for this
traffic.
If using Microsoft 365 and you do not see messages shortly after they are sent in
Message Center, this could indicate a configuration problem on your Microsoft
365 send connector. Double check your configuration using the Microsoft 365
Message Trace Tool in the Mail Flow | Message Trace menu of the Exchange
Admin Center to help identify the issue.

Journaling
The external email communications (inbound or outbound) for a business are automatically Archived
based on an organization’s compliance and global retention values, however some organizations
wish for internal email communication to also be retained. This can be achieved using a Journal
connector.

How Does Journaling Work?


Journal messages older than 30 days will not be processed and archived automatically. If you require
older messages to be part of your archive, contact your customer success manager for ingestion.
Journaling requires configuration in the customer environment and in the Mimecast platform. When
Journaling is enabled, it allows the internal mail server to send a copy of all emails to a journal
mailbox which is stored in a single Archive.
Once Journaling is configured, all emails will periodically be delivered/retrieved using either SMTP or
POP3 (or POP3S). These emails will then be archived in the customer's Mimecast account so that
ultimately a full archive of all internal and external emails is available.
See Journaling for more detail.

Inbound Email
Having previously set up your outbound email, messages should now be routing outbound
successfully. You are now ready to set up inbound email to be routed through Mimecast.
External messages destined for your organization must be directed to Mimecast, not left directed to
your email server or hosted email service. Once the messages reach Mimecast, they are processed
by Recipient Validation and other Mimecast security systems. Only once we are satisfied it is safe to
do so, is the message delivered to your organization's infrastructure or hosted service.
The first step you need to take to set up your inbound mail is to create a delivery route. This will
ensure you are connecting properly.
Our delivery routes are configured to deliver all inbound messages to a specified hostname. Take the
steps below to set up Delivery Routing.



Delivery Routing - Microsoft 365, On-Premises or Hosted Exchange
Configure Delivery Routing Definition
1. Navigate to Administration | Gateway | Policies | Definitions | Delivery Routes
2. Click on New Route Definition button
3. Description: Enter a description to help you identify this delivery route
4. Hostname: Enter a public host name or IP address for the email server.
5. Port: Specify a Port Number (e.g., Port 25)
6. Pause: This will pause Inbound Mail Delivery for this delivery route
Start Date: This is only used if you are pausing inbound delivery
Expiry Date: This is only used if you are pausing inbound delivery
7. Alternate Routes (this is an automatic failover route if the primary route is unavailable)
Note: If you are creating On-Premises routes, we recommend you have multiple created and an
alternate route specified.
8. Optional SMTP Authentication Settings (select this option and configure if this is something
you need to enable)
9. Save and Exit
10. Click the Go Back button

A default delivery policy tied to a default definition will have been set during
implementation. For more information, read the Configuring Delivery Routing
Definitions and Policies article.

Test Delivery Routing Connectivity


Once you have everything configured, you will test your connection either with Strict TLS or Relaxed.
• Strict TLS means you have a Trusted CA SSL signed certificate installed on your internet
facing server that is accepting this connection from Mimecast.
• Relaxed TLS means you have a self-signed certificate created on your certificate server in
Windows.
Inbound SMTP Delivery Test
To perform an inbound SMTP delivery test:
1. Navigate to Administration | Gateway | Policies | Definitions | Delivery Routes
2. Click on the Delivery Route to be tested.
Either click on:
• Test Connection - Strict TLS
• Test Connection - Relaxed TLS
The task will run through a series of tests and generate a summary of results.
If the test is successful, you will take certain steps in your environment. Examples are
re-directing your MX Record and locking down your firewall or your server or hosted
email service to permit those inbound SMTP traffic connections coming from
Mimecast into your organization. Refer to the Knowledgebase for further instruction.

See the Testing Delivery Routing Connectivity article for full details.
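Before running the console test, the receiving server can be checked locally for which of the two modes it is likely to pass. The following is an added example, not Mimecast's test and not code from the guide. It assumes Strict means the certificate chain and hostname validate against public CAs and Relaxed means the certificate is not verified; the function names and the HELO name are hypothetical.

```python
import smtplib
import ssl
import sys


def build_context(mode):
    """TLS client settings for each mode (assumed semantics, see lead-in).

    strict  - chain and hostname must validate against trusted CAs
    relaxed - the session is encrypted but the certificate is not verified,
              so a self-signed certificate is accepted
    """
    ctx = ssl.create_default_context()
    if mode == "strict":
        return ctx
    if mode == "relaxed":
        ctx.check_hostname = False  # has to be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError("mode must be 'strict' or 'relaxed'")


def probe(host, port=25, mode="strict", timeout=10.0, helo="probe.example.com"):
    """Connect, send EHLO, require STARTTLS and complete the TLS handshake.

    Returns a dict with the stage reached, so a failure shows where it stopped.
    """
    result = {"mode": mode, "ok": False, "stage": "connect", "detail": ""}
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout)
        result["stage"] = "ehlo"
        code, _ = smtp.ehlo()
        if not 200 <= code <= 299:
            result["detail"] = "EHLO rejected with code %d" % code
            return result
        result["stage"] = "starttls-offer"
        if not smtp.has_extn("starttls"):
            result["detail"] = "server does not advertise STARTTLS"
            return result
        result["stage"] = "tls-handshake"
        smtp.starttls(context=build_context(mode))
        result.update(ok=True, stage="done", detail=smtp.sock.version() or "")
    except ssl.SSLCertVerificationError as exc:
        # Typical for a self-signed or expired certificate in strict mode.
        result["detail"] = "certificate not trusted: " + exc.verify_message
    except ssl.SSLError as exc:
        result["detail"] = "TLS failure: " + str(exc)
    except (OSError, smtplib.SMTPException) as exc:
        result["detail"] = type(exc).__name__ + ": " + str(exc)
    finally:
        if smtp is not None:
            smtp.close()
    return result


def assess(host, port=25, timeout=10.0):
    """Run strict first and fall back to relaxed to see which mode can pass."""
    strict = probe(host, port, "strict", timeout)
    relaxed = None if strict["ok"] else probe(host, port, "relaxed", timeout)
    if strict["ok"]:
        verdict = "strict"
    elif relaxed["ok"]:
        verdict = "relaxed-only"  # encrypted, but the certificate is not publicly trusted
    else:
        verdict = "fail"
    return {"verdict": verdict, "strict": strict, "relaxed": relaxed}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT]")
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    report = assess(sys.argv[1], target_port)
    print("verdict:", report["verdict"])
    for key in ("strict", "relaxed"):
        if report[key] is not None:
            print(key, "->", report[key]["stage"], report[key]["detail"])
```

A "relaxed-only" verdict means mail would be encrypted in transit but the sender cannot authenticate the server, which is the gap a CA-signed certificate closes.
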



Managing Connectors
This section covers how to configure a connector from Mimecast to your Cloud Service Provider.
These connections are required by certain Mimecast services, including:
• Threat Remediation
• Continuity
• Exchange Sync & Recover
Note: For information on how to do this with Exchange Web Services (EWS) for on-premises
Exchange refer to the article at the end of this section.

Configuring a connector to a cloud service provider


Mimecast connectors use OAuth 2.0 for authentication, providing greater security and allowing
administrators to apply the cybersecurity Principle of Least Privilege (PoLP) to their service accounts.
A separate connector is required for each Mimecast product, replacing the previous practice of
sharing a single connector across all Mimecast services. Each connector takes approximately five
minutes to create.
You will need:
• The appropriate permissions to connect to your third-party provider
• An Administration Console role that provides access to the Administration | Services |
Connectors page
To configure a cloud connector:
1. Navigate to Administration | Services | Connectors
2. Click the Cloud Connectors tab
3. Click Create New Connector
4. Select the Mimecast product (e.g., Continuity) you want to connect to a third-party provider
5. Click Next
6. Select the third-party provider (e.g., Microsoft 365) from the list
7. Click Next
8. Click Log In to begin the OAuth 2.0 authorization process with the third-party provider
9. Review and grant the requested permissions
10. Once the permissions have been successfully granted, click Next
11. Enter a connector Name and an optional Description and click Next
12. Review the connector summary and click Create Connector
Refer to the Managing Connectors article for more detail.



Lesson 6: User and Group Management
Mimecast users are identified by their email address. Their addresses need to be added to your
organization’s Mimecast service before they can send, receive, and archive email with Mimecast.
Email addresses are then organized in groups.

Internal Directories
An internal domain is a domain that your organization has registered with Mimecast to send,
receive, and / or archive email for. This section details the domains you have under your Mimecast
account and are owned by your organization. You should have at least one domain already
populated here from your implementation process.

Add a New Domain or Sub-Domain


To add a domain, you must have already registered a domain name and have the sign-in credentials
needed for your domain registrar.
You will also need to validate that you own each of the domains you wish to connect, starting with
your primary domain. Once this has been validated, you can validate any others.
At least one internal domain was added when your Mimecast account was set up. You can add other
internal domains you own or add a subdomain (e.g., for journaling) if needed. Subdomains do not
require any additional verification.
To add a domain:
Navigate to Administration | Directories | Internal Directories
1. Register a New Domain
• Click Register New Domain
• Type in the domain in the Domain Name field
• Click Get Verification Code
• Copy the Verification Code to your clipboard (to be entered into one of the records below)
2. Add a DNS Record
• Select either Configure TXT or Configure CNAME (depending on which you are creating)
• Log onto your DNS Domain registrar’s website or portal
• Create either a DNS TXT Record or CNAME record (details on the information to enter in
those records can be found here)
• Return to step 2 of the Register New Domain wizard and click on Validate
3. Validated Domains
• Select the Automatically Create Anti-Spoofing Policy for this Domain option

Note: This isn’t compulsory but is recommended to prevent spoofing messages from the
domain.

• Click Finish.

For further instruction on Adding a Domain through the Administration Console, read Configuring
Internal Domain / Subdomains. Read Connect Application: Validating Your Domains for detailed
instructions on how to do this with the Connect Application.



Internal Domains
To access the domains you have registered with us:
1. Navigate to Administration | Directories | Internal Directories
The domains that you have registered, whether through the implementation process or manually
after implementation, are listed.

Working With Domains


Actions
Export Data                The export data button will allow you to export in CSV or XLS.
Register a New Domain      A domain registration wizard guides you through verifying the domain's ownership and requires you to enter the domain, add a DNS record, and validate the domain.
Add Subdomain              Once an internal domain has been validated, you can add one or more subdomains.
Advanced Address Export    Allows an export of your domains and their addresses.
View                       • Internal Domains: Allows you to see only your Internal Domains.
                           • External Domains: Allows you to see only your External Domains.
                           • Local Domains: Allows you to see only your Local Domains.
                           • Pending Domains: Allows you to see only your Pending Domains.
                           • All Domains: Allows you to see All Domains.
                           • Registered Applications: Allows you to see only your Registered Applications.
                           • Address Purge List: This will show a list of addresses that you have set to purge.
                           • Delegate Mailbox Access: This will show you a list of who has delegate Mailbox Access.

Recipient Validation
Recipient Validation is the process of checking the recipient(s) of an inbound email to one of your
Internal Domains from an external sender.
For us to accept your inbound email, recipient validation must be configured. To do this, we must
have a complete list of all internal users.



This will have been set during your implementation when the domains you are authoritative for
were registered. This is something that can be changed. If you need to add domains in the future,
you will need to consider the type of validation method you wish to apply.
To view what type of validity check is set for either an existing domain or sub-domain, right-click and
choose Edit Domain.
1. Navigate to Administration | Directories | Internal Directories
2. Right click the Domain
3. Click Edit Domain
4. Under Domain Options view the Inbound Checks drop-down
5. Choose Accept Recipients for known recipients only
6. Save and Exit

Note: Click here for more information on directory synchronization and click here for more
information on Recipient Validation.

How do Directories get populated?


Email Addresses / Aliases
If you click on a domain, you will see a list of the email addresses associated with that domain.
The color indicators in the Alias column show if an email address is an alias for another address. If
the "Alias" column shows a green indicator, the address is an alias. This means it inherits its
permissions from the primary address. If you click on one of these it will show you the primary and
the alias address.

Address Types
When viewing the email addresses associated with one of your internal domains, you will notice to
the left of each email address is an icon indicating how the user was created in the directory. See
explanations for each below.



Address Types
Manually Imported                These are addresses created by a spreadsheet import.
Extracted from Directory         These are addresses that are synchronized SMTP objects from the domain controller. You will have added these from a Mimecast Directory Synchronization.
Manually Created                 These are addresses that have been added manually using the New Address button at the top of Internal Directories.
Distribution List                These are addresses that form part of a synchronized distribution list (DL) or security group with SMTP addresses from the domain controller.
Created by message in transit    These are addresses that can be created because:
                                 • A new Mimecast user sends an outbound message, and their sending address has not been synchronized with the customer’s directory.
                                 • A synchronized address has been deleted from the customer’s directory. This changes the address type from "Extracted From Directory" to "Created by message in transit" to help administrators identify that users are being synchronized with the customer’s directory.
                                 • An internal domain's recipient validation is set to "Accept all Inbounds for this Domain".
Working with Email Addresses
Actions
At the top of the list of email addresses are buttons with actions you can take that provide additional
functionality:

Actions
New Address                  Allows you to create an email address.
Purge Selected Addresses     Deletes the selected email addresses including linked aliases. This can be performed by any administrator who has the ability to read and edit Internal Directories. A warning will be displayed to confirm the removal of the address and all list entries. Addresses will not be purged while emails are still being processed for the address (e.g., if related emails are held). Administrators can prevent the purge from taking place by removing the address from the purge list under View | Address Purge list in your domain view with a right-click Remove Item. This has to be done before housekeeping runs (which generally occurs overnight).
Import Delegate Mailboxes    Allows you to import delegated mailboxes. Note: This button is only available when logged on as an Administrator with protected permissions.
Export Data                  Export a list of email addresses to a .XLS or CSV file.
View                         Filters the list of email addresses displayed by:
                             • Show Message Generated: shows email addresses that came in via message in transit
                             • Show Directory Generated: shows email addresses that came in via directory synchronization
                             • Show All

Email Address Properties


To view individual email properties:
1. Navigate to Administration | Directories |
Internal Directories
2. Click the appropriate Domain
3. Right-click the desired user and choose Edit
Address
4. Take note of the various fields in the
following table.
5. Make your changes and choose Save and
Exit when finished.

Email Address Properties


Email Address: Unique identifier for a user and their associated email archive. The address
cannot be modified once it has been created.
Global Name: The full name (display name) of the email address user. This is normally
displayed in the recipient's FROM field in their mail client.
Internal Address: Shows whether the email address is internal or external.
Administration Console Role: Displays the administrator role the user is assigned to or
"None" if the user account does not belong to a role. Click on the Role Edit button to change
the user's role.
Address Alias For: A primary email address can have any number of alias addresses.
Password / Confirm Password: Creates a cloud password for the email address. This password
can only be authenticated in Mimecast, and does not affect the network password in the
organization's infrastructure.
Force Change at Logon: This option forces the cloud password to expire. This is helpful when
setting similar cloud passwords for end users, which they are then required to change when
they first log in.
Password Never Expires: Prevents the expiration of the user account’s cloud password. This is
useful for administrator or system accounts.
Maximum Reset Attempts Made: Should a user request their cloud password to be reset, a
password reset code is sent to them. If they fail to enter this code successfully ten times,
the password reset functionality is locked for their account. This option shows as selected
in this scenario. Click on the Reset Count button to unlock the password reset functionality
on their account.
Account Locked: Indicates if the user account is locked and users will not be able to log in
to Mimecast. Click on the Unlock Account button to unlock an account.
Account Disabled: If selected, users are prevented from logging in to Mimecast applications
using cloud passwords. This does not affect email delivery to the address.
Archive Start Date: Ensures that Mimecast end-user applications will only display items to
the end user from the selected date onwards. This can specifically be used when a new end
user starts but has the same email address as a previous employee.
Allow SMTP Email Submission: Allows users to submit emails directly to Mimecast. This is
generally useful for remote users and applies to TCP/IP ports 25 and 587.
Allow POP Access: This option permits a user to retrieve email from a Mimecast mailbox
directly, as opposed to retrieving emails from a mail server.
Force Registration: This option allows reregistering a device with TOTP functionality by
removing the previous TOTP code and creating a new one to be added upon the next successful
web authentication by the user.
Effective Group Application Settings: This option permits a user to retrieve email from a
Mimecast mailbox directly, as opposed to retrieving emails from a mail server.

Delegate Mailbox Permissions


There are a few reasons why you would need to set up Delegate Mailbox permissions:
Example 1: If a user needs to look at another user’s archive, manage their on-hold messages or their
permitted senders list.
Example 2: Another example would be if a user gets married and their email address changes when
their name changes. Once a delegate mailbox has been configured, the end user would be able to
search for all the messages associated with their new and old account.
How to Add a Delegate Mailbox
Within the email address properties there is an Add Delegate Mailboxes option at the top. This can
be used to give delegate rights to a mailbox.
In this example, an Executive Assistant needs to review their manager’s held messages. The steps
are as follows:
1. Open the email address properties of the Executive Assistant
2. Click Add Delegate Mailboxes button at the top
3. Click Add Delegate Mailbox
4. Click Lookup to find the Manager
5. Select the email address from this list
6. Save and Exit
To see delegates, navigate to the domain listing and choose View | Delegate Mailbox Access. The
person who is the delegate is listed on the left and the mailbox they have access to is on the right.
Refer to the End User Applications: Configuring Delegate Mailbox Access article for more detail.



More detail on Managing User Email Addresses can also be found here.

External Directories
A domain is considered external if it is not one of your Mimecast registered Internal Domains. These
are automatically added to your service as email is sent or received by an internal user.
To list your external domains:
1. Navigate to Administration | Directories | External Directories
2. Select the relevant external domains
3. Select a user to see options for purging the address, creating new or exporting

If your subscription includes Secure Messaging and an external sender needs to reset
their Secure Messaging Portal password, you will come here.

For more information on Directories, read Mimecast Domain Types.

Groups
Groups are internal Mimecast folders containing email addresses and/or email domains. It is
important to use good naming conventions and be organized in the way that you structure your
groups to ensure proper policy application.
There are two types of Groups: Profile and Directory.
• Profile Groups – These groups are local to Mimecast and are manually created and
maintained within the Administration Console by your Administrators.
• Default Groups – Please be aware that some groups are created by default during your
initial implementation and will be attached to “out-of-the-box” policies and services, also
created during your implementation. For example, Administrator Alerts, Blocked Senders
and Permitted Senders are some of the default groups you’ll find under your Profile groups.
• Directory Groups – These groups are visible in
Mimecast after syncing with your organization’s
directory environment (e.g., Active Directory,
Azure, etc.) These groups are read-only and can
only be added, removed, renamed or have their
contents altered by first making those changes in
your directory service and then running a directory
synchronization (Administration | Services |
Directory Synchronization.) To view the Directory
groups that have been synchronized with
Mimecast, navigate to Administration | Directories | Directory Groups, while also being
aware of any folder with a + sign next to it, which will allow you to delve deeper into the
synchronized directory structure.

Groups are used primarily to be referenced in policies or end user applications to control mail flow
for specific user groups. This has the following benefits:
• Mail routing can be specified for users in different regional locations with different mail
servers.



• Used in Permitted Senders / Blocked Sender policies
• Any address changes are automatically applied to policies.
• Collecting email addresses (e.g., click actions in Stationery Layouts).
Read the Out of the Box Settings for Mimecast Email Security for detail on our out of the box policies
that you would configure to apply to these groups.

Creating a Group
All groups are displayed in a hierarchy, linked to a root group. This allows changes made to one
group, to also apply to all other sub-groups in that group.
Note: You cannot create a group inside the Root folder. A sub-folder must be created inside it to
enable a group to be created.
1. Navigate to Administration | Directories | Profile Groups
2. Either:
• Select the Folder into which the group is to be created.
• Create a Sub-Folder as follows:
a) Click on the + Icon in the bottom right-hand corner of the folder where you want the
group created. A folder called "New Folder" is created in the group's hierarchy in a
collapsed state.
b) Rename the group:
o Expand the Group's Hierarchy
o Click on the "New Folder" Group
o Type the Group Name in the Edit Group field at the top of the hierarchy
o Press the Enter key
3. See the "Adding Group Entities" section below for details of how to add email addresses or
domains to the group.
Adding Group Entities
You can add email addresses or domain names to a group using one of the following methods:
• Add Email Addresses
• Add Email Domains
• Group List Imports (email addresses only)

Wildcard characters are not supported for groups. See the Using Wildcards in Policies
page for full details.

To add one or more email addresses or domains to a group:


1. Select the required Group in the hierarchy
2. Hover over Build
3. Click one of the following menu items:
• Add Email Addresses to add email addresses
• Add Email Domains to add domains
• Group List Imports to use an import file to add multiple email addresses
4. If using the Add Email Addresses or Add Email Domains option:
• Each email address must be entered in standard address format (e.g.,
user@domain.com).
• Each domain must be entered in standard domain format omitting the @ symbol (e.g.,
domain.com).
• Add each Email Address / Domain on a separate line.
• Enter a Note up to 100 characters. If entering multiple email addresses or domains, this
note is associated with all of them.
5. Save and Exit

After the group is made you will see a number next to the folder in the hierarchy. This
is an indicator of how many entries are in that group.
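
The entry rules above (one entry per line, standard address or domain format, no @ on domains, no wildcards, a note of up to 100 characters) can be pre-checked before pasting a list into the Add Email Addresses or Add Email Domains dialog. The following is an added example, not Mimecast code: the function names, the characters treated as wildcards, and the conservative address and domain patterns are assumptions of this sketch, and the sample list is constructed.

```python
import re

# Rules taken from the guide: one entry per line, addresses in standard
# address format, domains without the @ symbol, no wildcard characters,
# and a single note of up to 100 characters shared by all entries.
MAX_NOTE_LEN = 100
WILDCARD_CHARS = set("*?")  # assumption: the characters treated as wildcards

# Deliberately conservative patterns (an assumption of this example, not
# Mimecast's own validation): LDH host labels and a common local-part subset.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")
_ATOM = r"[A-Za-z0-9!#$%&'+/=^_`{|}~-]+"
_LOCAL_RE = re.compile(rf"^{_ATOM}(?:\.{_ATOM})*$")


def classify_entry(line):
    """Return (kind, value_or_reason); kind is 'address', 'domain' or 'invalid'."""
    entry = line.strip()
    if any(ch in WILDCARD_CHARS for ch in entry):
        return "invalid", "wildcard characters are not supported in groups"
    if entry.startswith("@"):
        return "invalid", "domains are entered without the @ symbol"
    if "@" in entry:
        local, _, domain = entry.rpartition("@")
        if _LOCAL_RE.match(local) and _DOMAIN_RE.match(domain) and len(entry) <= 254:
            # Keep the local part as typed; normalize only the domain.
            return "address", f"{local}@{domain.lower()}"
        return "invalid", "not in standard address format"
    if _DOMAIN_RE.match(entry) and len(entry) <= 253:
        return "domain", entry.lower()
    return "invalid", "not in standard domain format"


def check_group_entries(text, mode, note=""):
    """Pre-check text for 'Add Email Addresses' (mode='address')
    or 'Add Email Domains' (mode='domain')."""
    if mode not in ("address", "domain"):
        raise ValueError("mode must be 'address' or 'domain'")
    result = {"accepted": [], "rejected": [], "note_ok": len(note) <= MAX_NOTE_LEN}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        # A separator inside a line means several entries were pasted together.
        if re.search(r"[,;\s]", entry):
            result["rejected"].append((lineno, entry, "more than one entry on the line"))
            continue
        kind, value = classify_entry(entry)
        if kind == "invalid":
            reason = value
        elif kind != mode:
            reason = f"{kind} entered in the {mode} dialog"
        elif value.lower() in seen:
            reason = "duplicate entry"
        else:
            seen.add(value.lower())
            result["accepted"].append(value)
            continue
        result["rejected"].append((lineno, entry, reason))
    return result


# Constructed sample list, as an administrator might paste it.
SAMPLE_ADDRESSES = """\
alice@example.com
Bob.Smith@Example.COM
*@example.com
@example.org
example.net
carol@example.com, dave@example.com
alice@EXAMPLE.com
erin@bad_domain
"""

if __name__ == "__main__":
    report = check_group_entries(SAMPLE_ADDRESSES, "address", note="Pilot group")
    print("accepted:", report["accepted"])
    for lineno, entry, reason in report["rejected"]:
        print(f"line {lineno}: {entry!r} rejected ({reason})")
```

Rejected lines are reported with their line number so the list can be corrected before it reaches a group that policies reference.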

For more information on Group List Imports, click here.


Delete a Group’s Entries
Clear Selected Links will delete the selected entries, or right-clicking on entries allows you to delete
(unlink) individual entries. Once the group folder is empty, select the red X to delete the folder.

WARNING: Prior to deleting a group’s entities, you should consider using the Export
Data option, as unlinking cannot be undone, and the export would be the only record
of the entities in this group.

Deleting a Group
When deleting a group, the following must be considered:
• A default group located in the Root folder cannot be deleted.
• Only empty groups or sub-groups can be deleted. If a group contains an empty sub-group,
this must be deleted before the other group or sub-group can be deleted.
• Only groups or sub-groups not used in any policy can be deleted.
• The number displayed in brackets to the right of a folder shows how many email addresses
or domain names are in the group.
To delete a group:
1. Navigate to Administration | Directories | Profile Groups
2. Select the Group to be deleted
3. Click on the Red Cross Icon to the left of the folder

Moving a Group
You can either move the group or all its entries, as well as copy any entry into another group of your
choosing. In any group or subgroup, you can add domains or email addresses.
Note: A default profile group located in the Root folder cannot be moved.
To move a group to a new location in the hierarchy:
1. Navigate to Administration | Directories | Profile Groups
2. Select the Group to be moved in the hierarchy.
3. Click on the Move Group button.
4. Select the Group in the hierarchy into which the group being moved is to be placed. The
group is moved to the chosen location.



Moving Group Entities
To move email addresses or domains to another group:
1. Navigate to Administration | Directories | Profile Groups
2. Click on the Group in the hierarchy
3. Select the Entries to be moved using the check boxes
4. Click on the Move Selected Links button
5. Select the Group in the hierarchy that you would like to move the entries to. The group
name is displayed in bold signifying that the entries have been moved.
Copying Group Entities
To copy an entity to one or more groups:
1. Navigate to Administration | Directories | Profile Groups
2. Click on the Group in the hierarchy to display the entities
3. Right-click on the Entity to be copied.
4. Select the Group Allocations menu item.
5. Click on the Group that you would like to add the entity to. The group name is bolded
signifying that the entity has been added.
6. Repeat Step 5-7 for other groups.

Exporting Group Data


Exporting a group will collect the addresses and details of the group into a .xls or .csv format file for
download.
You can export group address entries into a spreadsheet. It is currently not possible to export
domains. You can select the data that is exported and choose how the exported file is delivered.
To export a group's data:
1. Navigate to Administration | Directories | Profile Groups
2. Click on the Group in the hierarchy
3. Click the Export button
4. Select the Columns that will be added to the spreadsheet [Address, Domain, Details, Int.]
5. Select the file format you wish the exported file to be in [.CSV or .XLS]
6. Select how you want the exported file to be delivered [Send Email, Download]



Lesson 7: Attributes
Directory attributes correlate to named fields within your directory which are linked to user
accounts (e.g., names, titles, email addresses, and telephone numbers). When they are created,
they are applied to internal email domain users.
They can be used in many ways, for example populating a business card component in a stationery
layout by allowing administrators to select which attributes are assigned to the email signature.

Active Directory Synced Attributes


There are several attributes that can be synced with Mimecast from your Active Directory. For a
complete list, review the Managing Directory Attributes Knowledge Base article. Below are just a few
examples.
• Name
• Title
• Department
• Telephone Number

Create a Directory Attribute


1. Navigate to Administration | Directory | Attributes
2. Click Add Attribute
3. Enter a Name. For a manual attribute, enter a name that best describes the attribute
you are creating. For LDAP directory linked attributes, enter the defined attribute name in
the directory. For this example, enter Department.
4. Group: This is the group the Attribute belongs to. Keep this General Attribute unless you are
creating a Manual Attribute not linked to your Active Directory.
5. Type: This defines both the type and appearance of the attribute field.
Choose Directory Linked. This creates a directory linked attribute which synchronizes the
data from your directory to Mimecast.
6. Order: This determines the order. If no order is entered, the attributes are listed in
alphabetic order. No order for this example.
7. Options: This determines the values displayed in the Simple Selection and Complex Selection
fields under type. We did not choose this type above, so skip this field.
8. Click Save when finished.
For more information, read the Managing Directory Attributes article.



Lesson 8: Application Settings
Application Settings allows you to control End User Application behavior and the levels of access
your end users have to Mimecast Services.

Components of an Application Setting


The three different components of an application setting are as follows:
• Authentication Profile
• Application Settings Definition
• Group

Authentication Profile

Because all users must authenticate their logons when they
use our applications, we must create an Authentication
Profile. This needs to be done before creating an
application settings definition.
An Authentication Profile, which is referenced within an
Application Setting, allows you to define the methods users
in your organization can use to authenticate with our
applications (e.g., Cloud Authentication).

Application Settings Definition


An Application Settings Definition allows you to give
access to Mimecast applications for all internal users.
Applying the authentication profile to the application
settings definition will apply it to the group you select in
the definition.

Group
Each definition is specific to a group of users, including
any sub-groups. This requires a group to be created that
can consist of individual users or entire domains.

Propagation
It may take up to 15 minutes for an application settings definition to propagate. For example, if you
made a change relating to Mimecast for Outlook, it will take about 15 minutes to apply. Users will
have to exit Outlook and go back in to see the change.

Default Authentication Profile and Application Settings Definition
Every Mimecast account contains a default authentication profile, referenced by a default
application setting.
The default definition is applied to all end users when a user connects to us and is not part of a
group referenced by a specific application setting. The defaults can be used to apply the same
settings to all users in your organization.

By default, all Administrators are assigned the Account_Administrators_Authentication_Profile,
which is the default profile, featuring 2-step authentication enforced and cannot be disabled for
security purposes. This does not impact non-admin users.



The default definition cannot be changed, but administrators can create new
definitions to accommodate customized application settings.

Customizing Application Settings


If you need to provide different levels of access to applications and / or specific application features,
you can configure different application settings. It is also possible to reference the same
authentication profile in different application settings.

Customizing Authentication Profiles


Authentication profiles can be customized and determine whether the users will have access to
resetting their password, domain authentication mechanisms, SAML authentication for Mimecast
Apps, and Permitted IP ranges.
Configuring an Authentication Profile
1. Navigate to Administration | Services | Applications
2. Click Authentication Profiles | New Authentication Profile
3. Complete the dialog according to your needs:
• Description: Provide a good description [e.g., Microsoft 365]
• Allow Cloud Authentication: Always allow
• Password Reset Options
• Domain Authentication Mechanisms
• 2-Step Authentication
• Authentication TTL
• Enforce SAML Authentication for Administration Console
• Enforce SAML Authentication for Mimecast Personal Portal
• Enforce SAML for End User Applications
• Allow Integrated Windows Authentication (Mimecast for Outlook Only)
• Enable JSON Web Token Authentication (Mimecast Essentials for Outlook only)
• Permitted Application Login IP Ranges
• Permitted Gateway IP Ranges
4. Save and Exit
Notes on these settings:
• Specify the authentication provider we will use to verify a user’s credentials.
• 2-Step Authentication is highly recommended.
• If you don’t use 2-Step Authentication, you can use Authentication TTL.
• Administrators / Users must log on using an Identity Provider that offers 2-Factor Auth or
SSO.
• Mimecast for Outlook will use the currently logged in users’ credentials to authenticate the
connection.
• Enabling JSON Web Token Authentication within the Authentication Profile allows us to
verify your identity using a one-time verification and accept the token as an authorization
for future requests.
Refer to Configuring an Authentication Profile article for further
detail on the settings above.
Creating a Custom Group
After creating the Authentication Profile to decide how your users will authenticate, you need to
make sure you have a group created that consists of the individual users or an entire domain that
you wish to have access to Mimecast applications.
1. Navigate to Administration | Directories | Profile Groups
2. Click the + at the Root and name the New Folder the name of the Group you wish to create
(e.g., Finance Group)
3. Add the email addresses (or domain) of the desired users



Note: Our suggestion is to use a pilot group when first testing this. After, you would roll this out to
one of your Active Directory Groups.

Customizing Application Settings Definitions


When creating an Application Settings definition, you can alter an existing definition or create a new
one. We will clone an existing definition for this example. This definition will reference the custom
group and authentication profiles you just created.
Start by focusing on the settings in the Common Application Settings section of the definitions page,
then continue to Outlook, Web, Mobile, Mac OS X, and LFS Settings.
1. Navigate to Administration | Services | Applications
2. Right-click on an existing Application Settings Definition and choose Clone Configuration
3. Configure the definition's settings as required:
Note: Cloning is useful if you need to provide a user group with access that is very similar
to, but not the same as, an existing definition.

Application Settings Groupings


The application settings are separated into groups, displayed in a collapsible / expandable menu. As
you click on one of the groups, it expands and collapses the others. The groups are:
• Common Application Settings: Settings that apply across all Mimecast application
settings (General, Archive, Gateway, Continuity, Turbo)
o Note: Under the Archive Settings grouping, enabling Full View allows viewing of
the total history of archive folders, even if a message has been deleted. Live View allows
viewing of current archive folders.
• Outlook: A group of settings that apply to Mimecast for Outlook
• Web: A group of settings that apply to the Mimecast Personal Portal
• Mobile: A group of settings that apply to the various Mimecast Mobile operating systems
(e.g., Blackberry, iOS, Android and Windows Phone)
• Mac OS X: A group of settings that apply to the Mac operating system
• LFS: A group of settings that apply to Mimecast’s Large File Send
4. Save and Exit
It can take up to 15 minutes for changes to a definition to propagate between all the
Mimecast applications. When an application (e.g., Mimecast for Outlook) is opened
for the first time, all functionality is disabled. You are required to authenticate with
Mimecast to retrieve the user's settings and capabilities and enable the appropriate
options.
Details for every option can be found under Configuring Application Settings.
For information about which Application Settings a particular user is assigned, administrators can
review what is assigned in the Effective Group Application Settings field of the Application Settings
section of the user profile.

Registered Applications
For troubleshooting purposes, the Registered Applications view displays filterable information
related to active users and applications.
1. Navigate to Administration | Services | Applications and select the Registered Applications
button.



See the Registered Applications View Knowledge Base article for additional information.

Lesson 9: Reporting
Mimecast Reporting provides Administrators with a view of what is happening in their email
environment. This includes detailed statistics on:
• How many messages are being sent or rejected
• The data volumes being transmitted
• These reports can assist with infrastructure planning through data load analysis, show spam,
virus trends, and supply usage reports on a per user basis
• Administrators can also schedule reports to be emailed out or download the reports from
the Administration Console. These reports can then be analyzed, and any necessary changes
made.

Access Reporting
To access the reporting functionality, navigate to Administration | Reporting:
The following menu items are displayed:
• Account Assessment: A report created for your account by Mimecast at the end of each
reporting period. The report is available for one week from Monday to Sunday, and over
each calendar month. See the Account Assessment Report Overview page for more details.
• PDF Reports: Schedule weekly or monthly reports to be emailed to specific recipients or
made available for download. See the Reporting: PDF Reports page for more details.
• CSV Data: Download and view the daily CSV data for certain account logs, including
rejections. See the Reporting: CSV Data page for more details.
• Overview: Provides graphs that show email volumes, bandwidth, and statistics for your
account. This includes outbound, inbound, and internal emails, and rejected email traffic.
See the Reporting Overview page for more details.

Account Assessment Report


The Account Assessment Report is created for your account by Mimecast at the end of each
reporting period. The report is available for one week from Monday to Sunday, and over each
calendar month. It provides a full report of every facet of your Mimecast services.

Download the Report


To download the Account Assessment Report:
1. Navigate to Administration | Reporting | Account Assessment
2. Click Download Account Assessment PDF Reports
3. Download the required report (e.g., weekly or monthly)
The report includes data on the following if you use the service:
• Secure Email Gateway
• Large File Send
• Secure Messaging
• Attachment Protect
• URL Protect
• Impersonation Protect
• User Activity



• Web Security
For more information, review the Accessing the Mimecast Account Assessment article in our
knowledgebase. You will find articles at the bottom that pertain to all the items above.

Scheduling a Report
If you wish certain individuals to have
weekly or monthly reports delivered to
their mailbox, follow the steps below.
1. Navigate to Administration |
Reporting | Account Assessment
2. Select the Weekly Report or
Monthly Report heading
3. Expand the Email Schedule
Section: Choose Send Report.
When you select Send Report,
the ‘Report Recipients’ section
displays (send up to 5 recipients).
4. Use the Lookup buttons to look up the recipients you wish to receive the weekly report
5. Click Save.

PDF Reports
The PDF Reports function allows you to schedule reports to be run on either a weekly or monthly
schedule and save the output to a PDF file. You can also download reports directly.
Administrators with read only access to the Reporting module will not have access to edit Reporting
Schedules.
You can select:
• Whether the report should be emailed or saved locally on Mimecast.
• Whether you want a PDF of a standard report or a custom report of your choice of data
• Which graphs should be saved / sent
• How often these graphs should be run (weekly or monthly).
• The email addresses where the PDFs should be sent (up to 5 individuals)



Scheduling the PDF Reports
1. Navigate to Administration | Reporting | PDF Reports
2. Select Weekly Report or Monthly Report
3. Select Report Type:

Standard: If Standard is chosen the graphs selected under the Select Graphs area will be greyed
out and those items checked by default will be in your report.

Custom: If you select Custom Selection of Graphs, the Select Graphs area is open for changing
what you will see in the exported report.
4. Expand the Email Schedule Sections:
Options here are Do Not Send Report
and Send Report. When you select Send
Report, the ‘Report Recipients’ section
displays (send up to 5 recipients).
5. Use the Lookup buttons to look up the
recipients you wish to get the weekly
report
6. Click Save.

The PDF and Overview reports are focused on email traffic data, while the Account
Assessment provides a full report of every facet of your Mimecast services.

Download PDF Reports


If you wish to download a report, click the Download PDF
Reports button at the top.
Choose View PDF Reports and select either Show Weekly or
Show Monthly at the top, depending on what you are looking for and then click the Download PDF
button next to the desired report.

CSV Data
The CSV reports consist of daily rejection data. Administrators can download the report data in a
comma separated (.CSV) format. This has many uses, including sharing it with colleagues who do not
have access to the Mimecast Administration Console.
For data that is not retained on Mimecast eternally (e.g., Rejection Viewer logs) Administrators can
access this data, even after it is no longer visible in the Administration Console.



More information on this here.

Accessing and Downloading CSV Data


To access the CSV Data:
1. Navigate to Administration | Reporting | CSV Data
Note: Information regarding the report start/end dates, generation date, and report interval
is displayed. By default, a month's worth of reports is available for download, however, you
can click on the calendar control to amend this.
2. Click Download CSV next to the date range desired
3. Specify a Location for the download [change the name of the file as desired]
4. Click Save
For more information, read the Reporting: CSV Data article.

Overview Reports
These reports provide a graphical representation of email volumes and flows. These default reports
give Administrators a quick view of their environment, showing different aspects of their email data
volumes and bandwidth usage. Administrators can also determine which users in the company are
sending large volumes of emails and analyze what is causing inbound emails to be rejected.
To access, navigate to Administration | Reporting | Overview:
Reporting Overview shows groups of graphs as follows:
• Summary Graphs - display the volumes of email split into Outbound, Inbound, and Internal
messages, as well as Rejected volumes
• Outbound Email - displays email communication from internal users to external users and
domains
• Inbound Email - displays email communication from external users to internal users and
domains
• Internal Email - displays email communication between internal users
• Custom Reports - displays any Custom Report Definitions that have been configured

View the Reporting Definitions page for a detailed breakdown of what each of the
different graph data types represent. Reporting data is available for a year, although
scheduled reports can be stored in PDF for a longer period.

Custom Report Definitions


Although Mimecast provides a default set of graphs and reports, Administrators may also be
interested in viewing the company's email usage with different filters. Custom Report Definitions
allow Administrators to specify the following:
• Report type
• Report filters such as domain, email address or groups
• How the data is displayed
• Number of results returned



Reports can also be downloaded for review in CSV format or emailed out in PDF format. Custom
Report Definitions allow control over the report filters and how the data is displayed. By creating
customized reports, Administrators can view data relevant to the email environment quickly and
easily.
Similar to other groups of graphs, Administrators are also able to schedule custom reports to be
emailed out or downloaded.

Using Custom Report Definitions


To create a custom report:
1. Navigate to Administration | Reporting | Overview
2. Select Custom Report Definitions
3. Select New Custom Report
4. Enter a Report Title and Description
5. Select a Report Type (Email Volume, Email Bandwidth, Rejection, Email Statistics)
6. Group Totals By: Select how you want the data grouped (domain, email address, date,
rejection type for rejection reports only)
7. Limit results To (top 10, top 20, top 30 (default), top 40, top 50, show all)
8. Filter Results on (domains, profile / AD groups, email addresses, none)
9. Domain Name (select an internal domain, group, or email address – dependent on filter
selected above)
10. Save and Exit

View Custom Reports


To view the Custom Reports, find them listed in the menu group called Custom Reports on the
Reporting Overview page.
Click on the report and the updated results will be displayed in the right-hand pane. The results are
displayed in a table format and can be downloaded by clicking on the Download as csv button.

Delete a Custom Report


To delete a custom report, click on the Custom Report Definitions button in the upper left corner of
the Overview page shown in the image above, select the report definition you wish to delete and click
the Remove Definition button.

Lesson 10: Service Monitor
As an administrator, it is important for you to be able to monitor the Mimecast services for which
you are responsible. Doing so allows you to proactively solve problems with your service as they
arise (e.g., breached queue thresholds, synchronization service failures).
The Service Monitor takes a snapshot of your services every 15 minutes, allowing you to monitor the
status of your:
• Outbound, Inbound and Journaled (Inbound) email delivery
• Journaling and Active Directory Services
Additionally, the monitor allows you to:
• Configure alerts sent to subscribers by email and / or SMS when a problem exists.
• Manage the list of subscribers set to receive early notification of potential issues.
• List recent alerts up to 90 days in the past.

Access and Navigation


You can access the Service Monitor in two ways:
1. My Apps
2. Administration Console
Via My Apps:
• Use this link and log in using the same credentials you use to log into the Administration Console.
Via Administration Console:
• Log in to the Administration Console, navigate to the Application Switcher and choose Service Monitor

Functionality
The Service Monitor displays information in one of the following tabs:
• Dashboard: The dashboard displays a graphical representation of your outbound delivery,
inbound delivery, and journaling queues. Access to the status of your Journaling and Active
Directory (AD) services is also available.
• Alerts: Enables you to set the thresholds for each alert type.
• Subscribers: Enables you to set up users to receive alert messages for Mimecast services.
• Notifications: Displays a list of any recent alerts issued to subscribers.

Dashboard
Queue and Service Meters
The meters on the dashboard display the number of messages in each respective queue (outbound,
inbound, journal) as well as the recommended threshold for the queue at the max level of the
meter.

Current Level – Inbound and Outbound
For the Outbound Queue, the Current Level displays the number of messages on the Mimecast
platform that we are currently trying to deliver outbound.
For the Inbound Queue, the Current Level is the number of messages in the delivery queue on retry
to be delivered to your environment.

Recommended Thresholds – Inbound and Outbound


The Recommended Threshold displays the value set in the Configure Alerts page, which will be
discussed in another section. This is an auto-generated threshold based on the recent history of your
account. It is intended as a starting point, based on the account's profile.

Queue History Data


Selecting the History links under the meters will expand the information on the queues and services.
History links will show you the previous queue numbers, which is helpful for viewing trends and
forecasting your email traffic.

1. Click the History link underneath the queue's meter display to access a queue's history data.
The data is displayed in a graphical format in the following time frames:
• 15 Minutes
• Hourly
• Daily
The queue history graph and data are displayed as follows:
• Graph: Displays a visual of the average message count versus the alert threshold, in selected
time intervals. The "15 Minute" interval tab displays by default.
• Data Columns: Displays the:
o Date and time when the data was collected.
o Number of messages in the queue at the time the data was collected.
o Threshold for the queue as configured in the Configure Alerts page.

• Show / Entries: Click the drop-down arrow and select to display 10, 25, 50, or 100 entries
per page.
• Search: Use the Search field to show certain data. This also updates the queue’s graphical display.
• Time Zone: Select a time zone to apply to the data from the drop-down menu.
• Next / Previous: Use these buttons to switch between the pages displayed.

Service Status Meters


The service status indicators display the status of the Active Directory and Journal synchronization
services connected to your account. The meter allows you to quickly monitor the connection of your
services by displaying the following:
• The total number of service connections
• The current number of active services
• The current number of inactive services

View Service Detail


1. Click the View Services link, then click on the tab of the desired service. For example:
• AD Services tab
• Journal Services tab

The service detail display differs depending on the service type. The status of each service can be
viewed as follows:

• Indicates that the service is connected and running OK.

• Indicates there is an issue with the service. See the "Last Error" message for further
information.

Service History
From the Services page, you can access a view of the history of all configured services. This allows
you to analyze a service to determine if there are any ongoing issues. The history is displayed in a
graphical format in the following time frames:
• 15 minutes with history up to 2 days
• Hourly with history up to 7 days
• Daily with history up to 60 days

1. Click the History link in the top right corner of the service to get to the history of that
service. The service's graph and data are displayed as outlined below:

• Graph: Displays an interactive graph of the average number of "OK" service connections
versus the average number of "Error" connections, in selected time intervals. The "15
Minute" tab displays by default. Optionally click on the "Hourly" or "Daily" tab to update the
graph's data on display.

Note: Hover your mouse over the graph to display the number of "OK" or "Error" service statuses
during the selected interval.
• Date / Time: Displays the date and time when the data was collected.
• Status: Displays an icon of the service's status when the data was collected. This can be
either:
o The service's status was OK at the time of the data entry.
o The service's status has an error at the time of entry, and an alert has been sent to
subscribers (if configured).
• Show / Entries: Click on the drop-down arrow and select to display 10, 25, 50, or 100 entries
per page. This will also update the graph.
• Time Zone: Select a specific time zone to apply to the data from the drop-down menu.
• Next / Previous: Use the buttons to switch between the pages displayed. This will also
update the queue's graphical display.

Alerts
Alerts can be set up to send notifications to designated users when problems occur in email queues
or services that they are responsible for.
After clicking Alerts in the upper right corner, you have the following information presented to
you for configuration:

Queues
1. Escalation Level – Specifies the number of sequential alerts that must be sent to subscribers
before the escalation point is reached. Once reached, subscribers configured to receive
escalation notifications receive notifications in addition to regular subscribers. This
defaults to 5.
2. Alert Level – How many problems (service disruptions/items in queue) have to occur before
an alert is sent. Once the number of items in a queue goes beyond this threshold, an alert is
generated. A minimum value of 50 should be specified. If a value less than 50 is specified, it
is ignored and a value of 50 is used instead.
3. Recommended Threshold – This is an auto-generated threshold based on the recent history
of your account. It is intended as a starting point, based on the account's profile.
4. Acknowledge the alerts – Once this option is checked, no further notifications for this alert
are sent until another threshold is reached. Once the queue is no longer in alert, this flag is
reset.

5. Click Save Queues

Journal Services

1. Escalation Level - How many alerts are reached before escalation notifications are sent out.
This defaults to 5.

2. Acknowledge - Once this option is checked, no further notifications for this alert are sent
until another threshold is reached. Once the queue is no longer in alert, this flag is reset.
3. Enabled – Enable or disable this alert
4. Click Save Journal Services

AD Services Tab

1. Escalation Level - How many alerts are reached before escalation notifications are sent out.
This defaults to 5.
2. Acknowledge - Once this option is checked, no further notifications for this alert are sent
until another threshold is reached. Once the queue is no longer in alert, this flag is reset.
3. Enabled – Enable or disable this alert
4. Click Save AD Services

Refer to the Service Monitor: Managing Alert Notifications article for more detail.

Subscribers
The Subscribers page allows you to set up who will receive notifications on alerts and escalations
via email or SMS. These users are typically administrators responsible for the efficient running of
the Mimecast account and internal email systems.
Click Subscribers in the upper right corner to get to the Subscribers page.
1. Enter a user’s credentials
Note: The password is a local password which should be used to log in to Service Monitor if
your Directory server is unavailable. The password will only be accepted when used with the
configured email address.

2. Select the alerts you want the user to receive.
Note: “Only After Escalation” in each of the queues sends the user a notification once the
escalation threshold has been reached for the specified queue or service. This determines
who is primary and who is secondary on call. Not checking it means you are the primary and
want to receive all alerts and checking it means you want to be the secondary person
notified – meaning you want to be notified only after escalation.

Alert notifications can be sent out as emails, SMS messages, or both. The distribution schedule for
delivery of email and SMS alerts differs.
Note: All specific service details regarding the IP address and email address are automatically
populated based on your journal / directory connection configuration in the Administration Console.
• Email alerts are sent to subscribers every 15 minutes when a queue / service reaches its
threshold
• One SMS message per alert type is sent to each subscriber when a queue / service reaches
its threshold. When the alert reaches the escalation point, all subscribers to that alert type
get one further SMS message.
Note: It is highly recommended to create two or more subscribers.
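
The alert, escalation and subscriber rules described in the Alerts and Subscribers sections can be modelled to see when each on-call person is actually notified. This is an added example, not Mimecast code; the class and function names are hypothetical, and it assumes that escalation subscribers are first notified on the alert after the escalation level has been sent and that an acknowledged alert stays silent until the queue clears.

```python
"""Model of the queue-alert rules from the Alerts and Subscribers sections."""
from dataclasses import dataclass

SNAPSHOT_MINUTES = 15          # page: a snapshot is taken every 15 minutes
MIN_ALERT_LEVEL = 50           # page: values below 50 are ignored, 50 is used
DEFAULT_ESCALATION_LEVEL = 5   # page: escalation level defaults to 5


@dataclass
class Subscriber:
    name: str
    only_after_escalation: bool = False   # the "Only After Escalation" checkbox
    emails: int = 0
    sms: int = 0


class QueueAlert:
    """Hypothetical model of one queue's alert configuration and state."""

    def __init__(self, alert_level, escalation_level=DEFAULT_ESCALATION_LEVEL):
        self.alert_level = max(alert_level, MIN_ALERT_LEVEL)
        self.escalation_level = escalation_level
        self.alerts_sent = 0        # sequential alerts sent in this episode
        self.acknowledged = False

    def minutes_to_escalation(self):
        """Minutes between the first alert and the first escalated alert."""
        return self.escalation_level * SNAPSHOT_MINUTES

    def snapshot(self, depth, subscribers):
        """Apply one 15-minute snapshot; return the names notified."""
        if depth <= self.alert_level:
            # Queue is no longer in alert: counter and acknowledge flag reset.
            self.alerts_sent = 0
            self.acknowledged = False
            return []
        if self.acknowledged:
            # Assumption: acknowledging silences the alert until the queue clears.
            return []
        first_alert = self.alerts_sent == 0
        # Assumption: escalation starts once escalation_level alerts were sent.
        escalated = self.alerts_sent >= self.escalation_level
        escalation_point = self.alerts_sent == self.escalation_level
        notified = []
        for sub in subscribers:
            if sub.only_after_escalation and not escalated:
                continue
            sub.emails += 1     # email goes out on every snapshot in alert
            # SMS: one when the threshold is reached, one more at escalation.
            if escalation_point or (first_alert and not sub.only_after_escalation):
                sub.sms += 1
            notified.append(sub.name)
        self.alerts_sent += 1
        return notified


if __name__ == "__main__":
    primary = Subscriber("primary")
    secondary = Subscriber("secondary", only_after_escalation=True)
    alert = QueueAlert(alert_level=20)                 # clamped to 50
    depths = [10, 60, 70, 80, 90, 100, 120, 30, 200]   # constructed sample data
    for i, depth in enumerate(depths):
        names = alert.snapshot(depth, [primary, secondary])
        print(f"t+{i * SNAPSHOT_MINUTES:>3} min  depth={depth:>3}  notified={names}")
    print(primary, secondary, sep="\n")
```

With the default escalation level, the secondary subscriber in this model first hears about a sustained queue problem 75 minutes after the primary does, which is worth weighing when deciding who leaves "Only After Escalation" unchecked.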

Notifications
Notifications are a record of all alerts sent out up to the past 90 days.
1. Click Notifications in the upper right corner to get to the Notifications page.
You can display alert notifications for up to three months in the past in the Service Monitor. These
can be used to determine:
• What triggered an alert
• Who the alert was sent to
• The date and time the alert was sent
You can filter the alert notifications by selecting / deselecting:
• Queues and / or services

• All subscribers, or a specific subscriber
• A time frame of 7, 14, 30, 60, or 90 days
2. Click the Update button when finished with setting the filter.

Lesson 11: Message Center


The Message Center is a collection of monitoring tools for all your email traffic, from accepted emails
to fully rejected emails. Using these tools, you can search for emails and diagnose traffic issues if
emails are being held, bounced, delayed, deferred, or rejected.

Message Center Status Queues


Navigate to Administration | Message Center to find the following message status queues:
• Message Tracking
• Accepted Messages
• Held Messages
• Rejected and Deferred Messages
• Bounced Messages
• Message Delivery
• Processing

Queue Retention Periods


| Queue | Retention Period |
|---|---|
| Message Tracking | 30 days |
| Accepted Messages | 2-6 hours |
| Message Delivery | Up to a maximum of 30 attempts (four days). After 6 attempts (one hour) a delivery warning notification is issued. After 30 attempts the message is bounced and a delivery failure notification is issued. |
| Bounced Messages | 30 days |
| Held Messages | 14 days (30 days for customers provisioned before October 2014). Note: If a message is bounced or rejected from the Held queue and is within the maximum retention, it is still present in the archive and available for eDiscovery searches but won't be accessible to the original recipient. |
| Rejected and Deferred | 7 days |

For more information on Queue Retention Periods, read this article.

Message Tracking
Message tracking allows you to search across all email queues to find specific messages that may
have been delayed in delivery (inbound or outbound) or that were never delivered.
You can search by any of the following:
• Data or Message ID
• Partial email address or domain name (minimum of 3 characters)
Note: Wildcards are not supported and may return unpredictable results
Using Search by Data allows you to search using content that could be in the To and From fields, the
subject, or IP address.

Search by Data
1. Enter a From Address: This can be an email address or domain
2. Enter a To Address: This can be an email address or domain
3. Enter Date Range: The drop-down offers ranges between 24 hours and 30 days
Note: After 30 days, you need to search the archive
4. Show More allows you to search by subject or IP address to help you narrow down
the search

Search by ID
This allows you to search by Message ID to find one specific message, for example when the same
sender has sent 100 messages. The Message ID is a unique ID for that message and can be
found in the header.

Viewing Message Details


The Message Center allows administrators to access the metadata and transmission information of
recently sent and received messages via the Message Details panel. This is useful for analyzing
message information in depth to troubleshoot delivery issues.
The Message Details panel allows administrators to:
• Access metadata and SMTP transmission information
• Compare sender and recipient message views side by side
• Report messages as spam, malware, or phishing
• Forward or Print
• Release held messages upon investigation
• Permit or block message delivery for the recipient (only in the Held Queue)

• Show Message Content if you have an Administrator role with these permissions and the
message is in a queue that has this capability

The actions you are able to perform depend on the queue that the message is in.

More information on your possible actions here.

Accepted Messages
The Accepted messages queue is where you would go to troubleshoot mail flow after configuration.
These messages can be found by navigating to Administration | Message Center | Accepted
Messages.
Administrators come here to review recently sent and received messages that are awaiting indexing.
Once indexing is complete, messages are moved to the Mimecast Archive.
Before being archived, administrators can access the metadata and SMTP transmission information,
which is useful for troubleshooting message delivery.
Click here for more information on Accepted Messages.

Held Messages
Messages are held when policies are triggered, such as content examination, spam scanning,
attachment management, and attachment protection. Messages are held for 14 days until moving
to the archive, unless they have been released, permitted, or blocked.
These messages can be found by navigating to Administration | Message Center | Held Messages.
On the page, you will see three tabs: Overview, Held Queue, and Release Logs.

Overview Tab
The Overview tab provides an overview of all held messages split into the following sections:
• Held Reason: Lists all held reasons and the number of messages held for each one.
Note: Use the Search box to filter the list by entering a held reason.
• Top Ten Held Reasons: Lists the top ten reasons why a message is held.
• Messages Held by Group: Displays a graphical pie chart of the held messages.

Held Queue Tab


The Held Queue displays a list of held messages, and allows you to release, reject, or report
messages to the Mimecast Security Team for investigation. You can also export results.

Message Details
Click on a message to see the message details panel. These details will help you in investigating why
a message was held.
• Details: Displays the message's transmission details (e.g., held reason, the sending server's IP
address, DKIM signature, and sender / recipient details).
• Message: Displays details of the message's body.
• Analysis: This is where you will see spam scanning details and processing details such as graymail,
managed senders, permitted senders, SPF result, DKIM, DMARC and RBL.
• Header: Displays details of the message's header.
• Transmission Data: Displays details of the message's envelope and transmission components.
• Policies: Displays the policies that were considered to be applied to the message.
Note: A policy listed here is only applied if the message matches its definition, so if the
message warrants greylisting, for example, that policy will be applied.

Release Logs Tab
This tab groups all held messages by their held reason. When organized in this fashion, you
can gauge whether a specific policy may be causing a series of held messages.
It displays a list of the messages that have been released, rejected, or reported to the Mimecast
Security Team for investigation.

Rejected and Deferred Messages


If a message is rejected by Mimecast, its data cannot be retrieved. Mimecast will log the rejection
reason and send a rejection code to the sender’s email server, which should send a non-delivery
report to the sender.
If a message is deferred by Mimecast, the data can be read and an administrator or the intended
recipient, depending on permissions provided, can release or reject the message.
These messages can be found by navigating to Administration | Message Center | Rejected and
Deferred Messages. On the page, you will see two tabs: Rejected and Deferred. Here you can search
using standard parameters.

Common Rejection Reasons


Common rejection reasons are Anti-Spoofing Lockout or Anti-Spoofing Header Lockout, both of which
can be resolved by configuring Anti-Spoofing policies to exclude the sender’s address. Other
common rejection reasons include IP and Spam Signature Detected, which can be resolved by
setting up a permitted sender policy. IP Found in RBL (Real Time Block List) is also a common
rejection that is resolved by adding the sender to a Permitted Senders list.

Common Deferred Reason


The most common reason for a deferred message is Greylisting, which should be resolved if the
sending server retries the connection. Greylisting occurs when Mimecast does not recognize the
triplet, which consists of the envelope from address, the to: address and the source IP address. We
will discuss greylisting in more detail in another course.
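
Greylisting keyed on the triplet described above, shown as an added example of the generic technique (it is not Mimecast's implementation). The minimum retry delay and the pending lifetime are assumed values, and the `Greylist` class is hypothetical; the sample run shows why a sender that retries from a different source IP is deferred again.

```python
"""Generic greylisting keyed on (envelope from, to address, source IP)."""
import ipaddress

MIN_RETRY_SECONDS = 60            # assumed: retries sooner than this stay deferred
PENDING_TTL_SECONDS = 4 * 3600    # assumed: an unretried triplet is forgotten


class Greylist:
    def __init__(self, min_retry=MIN_RETRY_SECONDS, pending_ttl=PENDING_TTL_SECONDS):
        self.min_retry = min_retry
        self.pending_ttl = pending_ttl
        self.first_seen = {}    # triplet -> time of the first deferred attempt
        self.known = set()      # triplets that have completed a valid retry

    @staticmethod
    def triplet(mail_from, rcpt_to, source_ip):
        # Simplification: addresses are compared case-insensitively and the IP
        # is normalised so equivalent textual forms map to the same key.
        return (mail_from.strip().lower(),
                rcpt_to.strip().lower(),
                str(ipaddress.ip_address(source_ip)))

    def check(self, mail_from, rcpt_to, source_ip, now):
        """Return 'accept' or 'defer' for a connection attempt at time `now`."""
        key = self.triplet(mail_from, rcpt_to, source_ip)
        if key in self.known:
            return "accept"
        first = self.first_seen.get(key)
        if first is None or now - first > self.pending_ttl:
            # Unrecognised (or expired) triplet: remember it, ask for a retry.
            self.first_seen[key] = now
            return "defer"
        if now - first < self.min_retry:
            return "defer"      # retried too quickly to count
        del self.first_seen[key]
        self.known.add(key)
        return "accept"


if __name__ == "__main__":
    gl = Greylist()
    # Constructed attempts: (seconds, envelope from, to, source IP)
    attempts = [
        (0,   "news@sender.example", "user@corp.example", "192.0.2.10"),
        (10,  "news@sender.example", "user@corp.example", "192.0.2.10"),
        (300, "news@sender.example", "user@corp.example", "192.0.2.10"),
        (400, "news@sender.example", "user@corp.example", "192.0.2.11"),
    ]
    for now, mail_from, rcpt_to, ip in attempts:
        print(f"t={now:>3}s {ip:<12} {gl.check(mail_from, rcpt_to, ip, now)}")
```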

Bounced Messages
You can view messages that have been accepted by the Mimecast Gateway but could not be
delivered to their recipients. These messages are displayed in the Bounced Messages viewer.
Messages are bounced for a number of reasons. When a bounce occurs, we send a Non-Delivery
Report (NDR) to the message's originator informing them that the delivery failed.

Bounced messages (both inbound and outbound) are still available in the archive, as
the message was originally accepted by Mimecast before being bounced.

These messages can be found by navigating to Administration | Message Center | Bounced Messages.
The Bounced Messages page will display the message data, route, bounce info and bounce type.
The bounce type will either be a soft bounce or a hard bounce.
• Soft Bounce – Message could not be delivered within Mimecast’s retry schedule (30
attempts over 4 days)
• Hard Bounce – Receiving email server rejected the connection.
Messages added to the end user’s block list will also be logged in Bounced Messages. Bounce
reasons and further actions can be found here.

Message Details
To troubleshoot failed delivery, you can view information about the message through the details
panel. Here you will see the Bounce Properties and much more.

Message Delivery
The Message Delivery page shows you the delivery and bulk queues of messages that passed the
processing queue. The Bulk Queue tab includes messages that are subject to the bulk sender's
policy. These messages can be found by navigating to Administration | Message Center | Message
Delivery.
We attempt to deliver messages to the recipient for up to four days (96 hours) or 30 retry attempts
by default, with the Delivery Queue displaying all inbound and outbound messages waiting to be
delivered. The time between retry attempts increases incrementally: the longer the message is in
the queue, the longer the interval between retries.
The delivery queue is used to troubleshoot or investigate delayed email delivery. You can also:
• Force an immediate retry
• Reject the message for delivery
• Perform an early (hard) bounce

Processing Queue
Before Mimecast can deliver emails, certain checks are performed, and the applicable policies need
to be applied. While these activities are being performed, emails are temporarily queued in the
Processing Queue. Once completed, emails are moved into the Delivery Queue awaiting delivery.

Typically, an Administrator will not need to monitor the Processing Queue. Emails should only be
displayed in the queue for a short time as they are processed immediately on receipt, and then
moved to the Delivery Queue. Sometimes, if larger mailshots are being sent out, emails can be
queued in the Processing Queue due to the increased processing required.
Note: Mimecast will not process more than 10 identical emails coming from the same sender
going outbound to different recipients at one time, as this would resemble a mailshot, and the
priority of these emails is automatically lowered.
These messages can be found by navigating to Administration | Message Center | Processing Queue.
With the messages listed, you can take action on one or more messages to:
• Retry delivery
• Reject delivery
• Bounce delivery

© 2022 by Mimecast Services Ltd. The information posted in this guide is for use by
Mimecast customers only. Use of the guide is governed by the terms contained in the
user’s agreement with Mimecast. Information in this guide is subject to change
without notice. The Mimecast name and logo are owned by Mimecast Services Ltd
and its affiliates. All other names and marks are the property of their respective
owners.
