Fix guide

How to Fix DMARC Alignment for Mimecast

Mimecast + DMARC means: turn on signing in their admin console, then publish the DKIM TXT they give you.

Why Mimecast + DMARC argue

Gateway path is weird — you still publish Mimecast’s DKIM TXT and keep SPF truthful or alignment drifts.

Exact DNS records

DKIM TXT at selector._domainkey from Mimecast SPF: include:_netblocks.mimecast.com (verify for your tenant/region)

Step-by-step fix

Step 1 Mimecast Admin → Administration → Gateway → Policies → DNS Authentication
Step 2 Generate DKIM key for your domain in Mimecast
Step 3 Add DKIM TXT at selector Mimecast specifies
Step 4 Include include:_netblocks.mimecast.com in SPF as required
Step 5 Wait for verification in Mimecast
Step 6 Confirm public records with DNS Preflight

Run your domain through DNS Preflight

Open DNS Preflight →
Related glossary: DMARC · DMARC alignment · DKIM · SPF record

FAQ

Where is Mimecast DKIM configured?

Typically Administration → Gateway → Policies → DNS Authentication — exact labels may vary by console version.

How do I generate a Mimecast DKIM key?

Use the DKIM wizard in Mimecast Admin; publish the TXT record at the given selector._domainkey hostname.

What SPF include does Mimecast use?

Often include:_netblocks.mimecast.com — confirm in Mimecast documentation for your region.

How do I verify Mimecast DKIM?

Mimecast shows status when DNS is correct. DNS Preflight can read the published TXT.

Does Mimecast support DMARC p=reject?

Yes when alignment passes — monitor aggregate reports.

← All DMARC fix guides

Open DNS Preflight and re-check your zone →