How to Create an SPF Record for Mimecast

Learn how to create an SPF record for Mimecast. Includes the correct include value, gateway setup tips, and common combinations with email providers.

Mimecast is an email security gateway that sits between your organization and the outside world. It filters inbound threats, enforces compliance policies, and routes outbound email through its own servers for scanning and delivery. Because Mimecast handles your outgoing email, its sending servers must be included in your SPF record -- otherwise, receiving mail servers won't recognize your messages as legitimate.

This makes Mimecast's SPF setup a little different from typical email providers. With services like Google Workspace or Microsoft 365, you usually only need one provider in your SPF record. With Mimecast, you need both -- the gateway and the underlying email platform. This guide explains exactly how to set it up.

The SPF Include Value for Mimecast

According to Mimecast's SPF configuration guide, the standard Mimecast SPF include is:

include:_netblocks.mimecast.com

This covers Mimecast's global sending infrastructure. A complete SPF record with only Mimecast would look like this:

v=spf1 include:_netblocks.mimecast.com -all

However, you'll almost never use Mimecast alone. Since Mimecast is a gateway -- not a mailbox provider -- you'll also need an include for the email platform behind it.

Mimecast may assign you a region-specific include during onboarding. Check your Mimecast administration console under Gateway > Policies > Definitions > DNS Authentication - Outbound for the exact value assigned to your account. The global _netblocks.mimecast.com is the most common default.

Why Mimecast SPF Is Different

Most email services are straightforward: you add one include for the service that sends your email, and you're done. Mimecast works differently because it's a relay -- an intermediary between your email provider and the recipient.

Here's the typical flow with Mimecast:

  1. A user sends an email from Google Workspace or Microsoft 365
  2. The message routes to Mimecast's servers for security scanning
  3. Mimecast delivers the message to the recipient from its own IP addresses

Because Mimecast's servers are the last hop before the recipient, their IP addresses are what the receiving server sees. That's why _netblocks.mimecast.com must be in your SPF record. But depending on your configuration, your underlying email provider's include may also be needed -- especially if some mail can bypass the gateway or if you use direct delivery for certain services.

When Mimecast is your outbound gateway, forgetting to include _netblocks.mimecast.com in your SPF record means every outgoing email routed through Mimecast will fail SPF. This can cause widespread delivery failures across your entire organization.

Step-by-Step: Creating Your Mimecast SPF Record

1. Confirm your Mimecast include value

Log in to the Mimecast Administration Console. Navigate to Gateway > Policies > Definitions > DNS Authentication - Outbound to find the exact SPF include assigned to your account. For most accounts, this is _netblocks.mimecast.com, but it may vary by region.

2. Identify your email provider

Determine which email platform sits behind Mimecast. This is typically Google Workspace (_spf.google.com) or Microsoft 365 (spf.protection.outlook.com). You'll need both includes in your record.

3. Generate your SPF record

Use the free SPF record generator to build your record. Select Mimecast and your email provider from the list. The tool generates the correct combined record with proper syntax.

4. Log in to your DNS provider

Go to your DNS management dashboard -- this could be Cloudflare, GoDaddy, Route 53, or wherever your domain's DNS is hosted.

5. Check for an existing SPF record

Look through your TXT records for any entry starting with v=spf1. Your domain must have exactly one SPF record. If one already exists, you'll edit it rather than creating a new one.

6. Add or update the TXT record

Create a new TXT record (or edit the existing one). Set the Name to @ for your root domain. Set the Value to your complete SPF record including both Mimecast and your email provider. Save the changes.

7. Verify the record

After DNS propagation (a few minutes to 48 hours depending on your provider), check your record at SPF Record Check. Confirm both includes are present and no errors are flagged.

Common SPF Record Combinations With Mimecast

Because Mimecast is a gateway, nearly every Mimecast SPF record includes at least one other provider. Here are the most common setups:

Setup | SPF Record | Est. Lookups
Mimecast + Google Workspace | v=spf1 include:_netblocks.mimecast.com include:_spf.google.com -all | ~5
Mimecast + Microsoft 365 | v=spf1 include:_netblocks.mimecast.com include:spf.protection.outlook.com -all | ~4
Mimecast + Google + Mailchimp | v=spf1 include:_netblocks.mimecast.com include:_spf.google.com include:spf.mandrillapp.com -all | ~7
Mimecast + M365 + SendGrid | v=spf1 include:_netblocks.mimecast.com include:spf.protection.outlook.com include:sendgrid.net -all | ~5
Mimecast + Google + SES | v=spf1 include:_netblocks.mimecast.com include:_spf.google.com include:amazonses.com -all | ~5

Gateway setups consume more DNS lookups because you need at least two includes (the gateway plus the email provider). Keep a close eye on the 10-lookup limit defined in RFC 7208. Use SPF Record Check to count your total lookups after any changes.

Verifying Your Mimecast SPF Record

After saving your DNS changes and waiting for propagation, verify your setup.

Visit SPF Record Check and enter your domain. The tool will display your published SPF record, validate the syntax, count DNS lookups, and identify any errors. Confirm that include:_netblocks.mimecast.com appears alongside your email provider's include, and that no issues are flagged.

For a practical test, send an email through Mimecast and inspect the headers on the receiving end. Look for Authentication-Results: spf=pass to confirm that Mimecast's sending servers are authorized by your SPF record. If you see spf=fail, double-check that the Mimecast include is present and that the email actually routed through the gateway.

Common Mimecast SPF Mistakes

Forgetting Your Email Provider's Include

The most common Mimecast-specific mistake is adding _netblocks.mimecast.com but leaving out the include for Google Workspace or Microsoft 365. While Mimecast handles outbound routing, some email flows -- like calendar invitations or internal notifications -- may bypass the gateway. Include both providers to cover all scenarios.

Creating a Second SPF Record

When setting up Mimecast, you might already have an SPF record for your email provider. Don't create a new TXT record for Mimecast alongside the existing one. Two v=spf1 records on the same domain cause a permerror per RFC 7208 that breaks SPF for every message. Edit your existing record and add the Mimecast include to it.
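The edit described above, as an added example that is not part of the original guide: it inserts the Mimecast include into the one existing SPF record instead of publishing a second, and places it before the terminal `all`, because mechanisms after `all` are never evaluated. The function names and the sample TXT values are constructed for illustration.

```python
def add_include(record, target):
    """Return `record` with include:<target> placed before the terminal term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    wanted = f"include:{target}".lower()
    if any(t.lower().lstrip("+") == wanted for t in terms[1:]):
        return " ".join(terms)  # already authorized: the edit is idempotent
    # Mechanisms are evaluated left to right and `all` always matches, so an
    # include appended after it would never be reached.
    cut = len(terms)
    for i, t in enumerate(terms[1:], start=1):
        if t.lstrip("+-~?").lower() == "all" or t.lower().startswith("redirect="):
            cut = i
            break
    return " ".join(terms[:cut] + [f"include:{target}"] + terms[cut:])


def merge_into_zone(txt_records, target):
    """Apply the edit to a domain's TXT set without creating a second SPF record."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    other = [t for t in txt_records if t not in spf]
    if len(spf) > 1:
        raise ValueError("multiple v=spf1 records: consolidate them first")
    # No SPF record yet: start from the Mimecast-only form shown earlier.
    new = add_include(spf[0], target) if spf else f"v=spf1 include:{target} -all"
    return other + [new]
```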

Using the Wrong Region-Specific Include

Mimecast has region-specific infrastructure, and some accounts are assigned a region-specific include rather than the global _netblocks.mimecast.com. If Mimecast assigned you a different value during onboarding, use that one. Check the Mimecast admin console to confirm which include applies to your account.

Hitting the 10-Lookup Limit

Because gateway setups require more includes, Mimecast deployments are more likely to run into the SPF 10-lookup limit. If you're combining Mimecast, an email provider, and one or two marketing platforms, you could be at 7-9 lookups easily. Adding another service might push you over the limit. Consider SPF flattening if you're running out of room.
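An added example (not from the original guide) of the checks behind the mistakes in this section: exactly one v=spf1 record, the gateway include present, and at most 10 DNS-querying terms once nested includes are followed. The zone data is constructed so the code runs offline; the nested records shown for each include target are assumptions and do not reflect what those providers actually publish.

```python
import re

# Constructed TXT data so the example runs offline; the real contents of
# these include targets differ. Names under .example are placeholders.
ZONE = {
    "good.example": ["v=spf1 include:_netblocks.mimecast.com include:_spf.google.com -all"],
    "dup.example": ["v=spf1 include:_spf.google.com -all", "v=spf1 include:_netblocks.mimecast.com -all"],
    "nogw.example": ["v=spf1 include:_spf.google.com -all"],
    "heavy.example": ["v=spf1 include:_netblocks.mimecast.com include:_spf.google.com "
                      "include:bulk.example a mx -all"],
    "_netblocks.mimecast.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.google.com": ["v=spf1 include:n1.example include:n2.example ~all"],
    "bulk.example": ["v=spf1 " + " ".join(f"include:n{i}.example" for i in range(1, 5)) + " -all"],
    **{f"n{i}.example": [f"v=spf1 ip4:198.51.100.{i} -all"] for i in range(1, 5)},
}

def spf_records(name, zone):
    """TXT strings at `name` that are SPF records (version tag v=spf1)."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    if name in path:
        raise ValueError(f"include loop via {name}")
    records = spf_records(name, zone)
    if len(records) != 1:
        raise ValueError(f"{name}: {len(records)} v=spf1 records")
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith(("include:", "redirect=")):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += 1 + count_lookups(target, zone, path + (name,))
        elif re.match(r"(a|mx|ptr|exists)([:/]|$)", term):
            total += 1  # ip4, ip6 and all cost no lookup
    return total

def audit(domain, zone, gateway="_netblocks.mimecast.com", limit=10):
    """Return a list of findings; an empty list means no issue was found."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"permerror: {len(records)} v=spf1 records published"]
    findings = []
    if f"include:{gateway}" not in records[0].lower().split():
        findings.append(f"gateway include:{gateway} missing")
    lookups = count_lookups(domain, zone)
    if lookups > limit:
        findings.append(f"permerror: {lookups} lookups exceeds limit of {limit}")
    return findings
```

To audit a live domain, populate the zone mapping from real TXT lookups instead of the constructed ZONE, and pass your region-specific include as `gateway` if Mimecast assigned one.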

Complete Your Email Authentication

SPF authorizes your sending servers, but full email authentication requires all three protocols. The other two are:

  • DKIM adds a cryptographic signature to each message. Mimecast can sign outbound messages with DKIM on your behalf -- configure this in the Mimecast admin console. Use DKIM Creator to generate and manage your DKIM records.
  • DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Use DMARC Creator to build your DMARC policy.

With Mimecast as your gateway, make sure DKIM signing is enabled in Mimecast so that messages passing through the gateway maintain a valid DKIM signature. This is especially important for DMARC alignment.
