
Configuring Microsoft 365 to accept inbound emails only from Mimecast IP addresses: Microsoft 365 Mail Lockdown

If you’re using Microsoft 365 and have implemented a DMARC Reject policy, you might assume your domain is fully protected against spoofing. However, that’s not entirely the case. Because of the way Microsoft 365 handles DMARC, spoofed emails can sometimes still be accepted even when your policy is set to reject. In other words, DMARC enforcement alone is not sufficient on Microsoft 365.

An additional safeguard is to configure Microsoft 365 to accept inbound emails only from Mimecast IP addresses, provided you’re already routing email through Mimecast MX records. This setup ensures that every external email delivered to Microsoft 365 has been validated by Mimecast first.

Step 1: Create a Connector in Microsoft 365

  1. Log in to the Exchange Admin Center.

  2. Go to Mail flow > Connectors.

  3. Click + Add a connector.


  4. Under Connection from, choose Partner organization and click Next.

  5. Name the connector (e.g., Mimecast to Microsoft 365) and click Next.

  6. Choose By verifying that the sender domain matches one of the following domains, then enter * to allow all inbound domains.


Important: Do not add IP ranges at this stage. IP validation is configured later under Security restrictions.

Step 2: Apply Security Restrictions

  1. On the Security restrictions screen:

    • ✅ Select Reject email messages if they aren’t sent over TLS.

    • ✅ Select And require that the subject name on the certificate that the partner uses to authenticate with Office 365 matches this domain name, then enter:

      • *.mimecast.com (global)

      • *.mimecast.co.za (for ZA customers)

    • ✅ Select Reject email messages if they aren’t sent from within this IP address range, and enter the correct Mimecast IP ranges for your grid.

  2. Click Next, review your settings, and click Create connector.
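The same connector from Steps 1 and 2, created with Exchange Online PowerShell instead of the Exchange Admin Center, followed by a read-back check that every restriction is in place. This is an added example, not part of the original article; the admin account and the IP ranges are placeholders, and the certificate name must match your Mimecast grid.

```powershell
# Added example: builds the Mimecast partner connector with Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
# The admin UPN and the IP ranges below are PLACEHOLDERS. Replace the ranges with the
# Mimecast ranges for your grid (Mimecast console: Administration -> Data Centers & URLs).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder account

$connectorName = 'Mimecast to Microsoft 365'
$certName      = '*.mimecast.com'            # use '*.mimecast.co.za' for ZA customers
$mimecastIPs   = @('192.0.2.0/24', '198.51.100.0/24')   # PLACEHOLDER ranges only

$params = @{
    Name                         = $connectorName
    ConnectorType                = 'Partner'
    SenderDomains                = '*'        # all inbound domains, as in Step 1
    RequireTls                   = $true      # reject mail not sent over TLS
    RestrictDomainsToCertificate = $true      # partner certificate subject must match...
    TlsSenderCertificateName     = $certName  # ...this name
    RestrictDomainsToIPAddresses = $true      # only these source IPs may deliver
    SenderIPAddresses            = $mimecastIPs
    Enabled                      = $true
}
New-InboundConnector @params

# Validation: re-read the connector and confirm each restriction was actually applied.
$c = Get-InboundConnector -Identity $connectorName
$checks = [ordered]@{
    'RequireTls'                   = $c.RequireTls
    'RestrictDomainsToCertificate' = $c.RestrictDomainsToCertificate
    'RestrictDomainsToIPAddresses' = $c.RestrictDomainsToIPAddresses
    'CertificateNameMatches'       = ($c.TlsSenderCertificateName -eq $certName)
    'IPRangeCountMatches'          = ($c.SenderIPAddresses.Count -eq $mimecastIPs.Count)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Any line reporting MISSING means the lockdown is incomplete and direct-to-tenant mail may still be accepted.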

Step 3: Lock Down Your Firewall

Restrict inbound mail so that Microsoft 365 only accepts messages from Mimecast IP ranges. This ensures end-to-end enforcement: mail that bypasses the Mimecast MX records and is sent straight to Microsoft 365 is rejected.


Monitoring and Validation

  • Mimecast Console: Monitor the Bounced and Rejected Messages Queues to confirm that no legitimate traffic (e.g., Digest Sets) is being blocked.

  • Bounce error example:

    5.7.51 TenantInboundAttribution; Rejecting. Recipient has a partner connector with RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set.

  • Check Mimecast IPs: Make sure all applicable Mimecast IP ranges are included in your connector. See Administration → Data Centers & URLs.

  • Microsoft 365 Insights:

    • Use the Spoof Intelligence Insight Dashboard to check whether spoofed messages are being delivered. (Requires Admin credentials.)

    • For E5 and Defender P2 subscribers, review the Spoof Detections Report for additional insights.

Optional: Disable Direct Send if it’s not required in your environment to further reduce attack surface.


✅ With this configuration, Microsoft 365 will only accept inbound mail that originates from Mimecast, closing the loophole created by Microsoft’s DMARC enforcement limitations.