Allowlisting steps in Mimecast
If you're using Mimecast's services, you can allowlist CanIPhish to allow our simulated phishing test emails and training notifications through to your end users.
Below you'll find instructions for several different policies you'll need to add to your Mimecast console to allow the use of CanIPhish. The policies below are in a suggested order for the highest probability of success for your phishing security tests.
Each Mimecast policy section has a description of the policy's purpose regarding CanIPhish's phishing simulation test features.
If you run into issues allowlisting CanIPhish in your Mimecast services, we recommend reaching out to Mimecast for specific instructions. You can also contact our Support team whenever you need assistance.
Jump to:
Attachment Protection Bypass Policy
Impersonation Protection Bypass Policy
Attachment Management Bypass Policy
Preventing Mimecast from Re-Writing Phishing Links (Optional)
DNS Authentication Bypass Policy (Optional)
Anti-Spoofing Policy (Optional)
Message Passthrough/Explosion Bypass (Only for non-English users)
Permitted Senders Policy
To allowlist our phishing and training-related emails, create a new Permitted Senders policy so that they reach your users' inboxes.
Important:
Do not edit your default Permitted Sender policy. A new one must be created.
Follow the steps below to allow CanIPhish emails to arrive successfully in your users' inboxes.
- Log in to your Mimecast Administration Console.
- Click the Administration toolbar button.
- Select the Gateway | Policies menu item.
- Select Permitted Senders from the list of policies displayed.
- Select the New Policy button.
- Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings see Mimecast's Configuring a Permitted Senders Policy article (opens in a new window).
- In the Source IP Ranges field (shown below), enter the appropriate IP ranges for CanIPhish. For the most up-to-date list of our IP addresses, please see this article.
Be sure to save the policy. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.
Attachment Protection Bypass Policy
If you'd like to use attachments in your simulated phishing tests, follow the steps below to increase the likelihood that emails with attachments from CanIPhish will successfully arrive in your users' inboxes. Mimecast may still prevent the delivery of attachments. Set up a test after creating this policy to ensure your desired attachment goes through.
- Log in to your Mimecast Administration Console.
- Click the Administration toolbar button.
- Select the Gateway | Policies menu item.
- Select Attachment Protection Bypass from the list of policies displayed.
- Select the New Policy button.
- Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring Attachment Protection Bypass Policies article (opens in a new window).
- In the Source IP Ranges field (shown below), enter our IP ranges. For the most up-to-date list of our IP addresses, please see this article.
Be sure to save this new policy. After allowing time for this new rule to propagate, we recommend setting up a phishing campaign to yourself, or a small group to test out the various attachment types.
URL Protection Bypass Policy
Mimecast's URL Protection service scans and checks links in emails upon delivery. This can sometimes result in false positives for your phishing security tests. Follow the steps below to create a URL Protection Bypass policy for accurate phishing security test results.
- Log in to your Mimecast Administration Console.
- Click the Administration toolbar button.
- Select the Gateway | Policies menu item.
- Select URL Protection Bypass from the list of policies displayed.
- Select the New Policy button.
- Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring a URL Protection Bypass Policy article (opens in a new window).
- In the Source IP Ranges field (shown below), enter our IP ranges. For the most up-to-date list of our IP addresses, please see this article.
Be sure to save the policy. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.
Impersonation Protection Bypass Policy
If you're sending whaling/phishing emails purporting to come from users or domains that look like they are internal to your organization, you'll want to create an Impersonation Protection Bypass Policy in your Mimecast console.
- Log in to your Mimecast Administration Console.
- Click the Administration toolbar button.
- Select the Gateway | Policies menu item.
- Select Impersonation Protection Bypass from the list of policies displayed.
- Select the New Policy button.
- Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring an Impersonation Protection Bypass Policy article (opens in a new window).
NOTE: In the Select Option field under Options, select the impersonation protection definition you want to be bypassed. If you have multiple definitions you would like to bypass, you will need to create a separate Impersonation Protection Bypass Policy for each one.
- In the Source IP Ranges field (shown below), enter our IP ranges. For the most up-to-date list of our IP addresses, please see this article.
Be sure to save the policy. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.
Attachment Management Bypass Policy
If you'd like to use attachments in your simulated phishing tests, follow the steps below to prevent attachments from being stripped from emails, potentially resulting in skewed test results.
- Log in to your Mimecast Administration Console.
- Click the Administration toolbar button.
- Select the Gateway | Policies menu item.
- Select Attachment Management Bypass from the list of policies displayed.
- Select the New Policy button.
- Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring Attachment Management Bypass Policies article (opens in a new window).
- In the Source IP Ranges field (shown below), enter our IP ranges. For the most up-to-date list of our IP addresses, please see this article.
Be sure to save the policy. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.
Preventing Mimecast from Re-Writing Phishing Links
If you'd like to prevent Mimecast from re-writing the links in the Phishing tests you send, you can do so by adding CanIPhish's website domains as Permitted URLs in Mimecast. You can find a list of our phish link domains in our quick reference guide.
Keep in mind, we don't recommend creating an exception for this unless you also have exceptions for other senders already in place. Otherwise, seeing anything other than a rewritten Mimecast URL will be a red flag for users and may skew your results.
For more information on disabling link rewriting on permitted URLs, see Mimecast's Targeted Threat Protection: Managed URLs article (opens in a new window).
DNS Authentication Bypass Policy (Optional)
If you are having issues with our emails being sent to your spam folder or being quarantined, you may want to set up this additional policy. First, you'll need to set up the inbound definition and then you can create the policy. Below are instructions on how to add this policy.
DNS Authentication - Inbound Definition Setup
- Log in to your Mimecast Administration Console.
- Select the Gateway | Policies menu item.
- Click the Definitions drop-down menu and select the DNS Authentication - Inbound option.
- Select New DNS Authentication - Inbound Checks.
- Create a name for the definition and leave all options unchecked.
- Click Save and Exit to save your changes.
DNS Authentication - Inbound Policy Setup
- Log in to your Mimecast Administration Console.
- Select the Gateway | Policies menu item.
- Click the DNS Authentication - Inbound policy.
- Select New Policy.
- Specify the following settings listed in the image below:
- Enter the CanIPhish IP ranges into the Source IP ranges field.
- Check the Policy Override option.
- Click Save and Exit to save the changes.
Anti-Spoofing Policy
Follow the steps below to allow CanIPhish to send emails appearing to come from an email address at your domain, on your behalf.
- Log in to your Mimecast Administration Console.
- Click the Administration toolbar button.
- Select the Gateway | Policies menu item.
- Select Anti-Spoofing from the list of policies displayed.
- Select the New Policy button.
- Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring an Anti-Spoofing Policy article (opens in a new window).
- In the Source IP Ranges field (shown below), enter our IP ranges. For the most up-to-date list of our IP addresses, please see this article.
Be sure to save the policy. This should allow simulated phishing templates that appear to come from your organization's domain to reach your users' inboxes. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.
Greylisting Bypass Policy
You may want to set up this policy if you want to prevent Mimecast from deferring our emails. Below are instructions on how to add this policy.
- Log in to your Mimecast Administration Console.
- Click the Administration toolbar button.
- Select the Gateway | Policies menu item.
- Select Greylisting from the list of policies displayed.
- Select the New Policy button.
- Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring Greylisting Policies article (opens in a new window).
- In the Source IP Ranges field (shown below), enter the appropriate IP ranges for CanIPhish. See here for the IP ranges, listed above.
- Click Save and Exit to save the changes.
Message Passthrough/Explosion Bypass (Only for non-English users)
Message Passthrough/Explosion policies can have the unintended effect of removing any non-English characters from an email and replacing them with a question mark. To avoid this, please implement the below bypass:
- Log in to your Mimecast Administration Console.
- Click the Administration toolbar button.
- Select the Gateway | Policies menu item.
- Select Message Passthrough from the list of policies displayed.
- Select the New Policy button.
- Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections (See the below screenshot).
- In the Source IP Ranges field (shown below), enter the appropriate IP ranges for CanIPhish. See here for the IP ranges, listed above.
- Click Save and Exit to save the changes.
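Every bypass policy above is scoped by its Source IP Ranges field: a range entered too broadly lets unrelated mail skip that control, and a missing range leaves simulations filtered. The following is an added example (not CanIPhish or Mimecast code) that compares the ranges entered in each policy with the vendor's published list. All addresses are constructed RFC 5737 placeholders, the per-policy input is a hypothetical hand-transcribed copy of the console fields, and only IPv4 is handled.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not CanIPhish's real
# addresses; the real list comes from the vendor's IP address article.
VENDOR_RANGES = ["192.0.2.0/28", "198.51.100.16/29"]

# Hypothetical, hand-transcribed copy of each policy's Source IP Ranges field.
CONFIGURED = {
    "Permitted Senders": ["192.0.2.0/28", "198.51.100.16/29"],
    "Attachment Protection Bypass": ["192.0.2.0/24", "198.51.100.16/29"],
    "URL Protection Bypass": ["192.0.2.0/28"],
    "Anti-Spoofing": ["192.0.2.0/28", "198.51.100.16/29", "203.0.113.7/32"],
    "Greylisting": ["192.0.2.0/29", "192.0.2.8/29", "198.51.100.16/29"],
}


def _collapse(ranges):
    # strict=True rejects entries with host bits set, e.g. a mistyped 192.0.2.5/28.
    nets = (ipaddress.ip_network(r, strict=True) for r in ranges)
    return list(ipaddress.collapse_addresses(nets))


def _subtract(a_nets, b_nets):
    """Address space in a_nets not covered by any network in b_nets."""
    remaining = list(a_nets)
    for b in b_nets:
        kept = []
        for a in remaining:
            if a.subnet_of(b):
                continue                           # a is fully covered by b
            if b.subnet_of(a):
                kept.extend(a.address_exclude(b))  # carve b out of a
            else:
                kept.append(a)                     # CIDR blocks: otherwise disjoint
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def audit_policy(configured, vendor=VENDOR_RANGES):
    """Return (uncovered, excess) for one policy's source ranges.

    uncovered: vendor space the policy misses (simulations still filtered).
    excess: space beyond the vendor list (unrelated mail skips the control).
    """
    conf, vend = _collapse(configured), _collapse(vendor)
    return _subtract(vend, conf), _subtract(conf, vend)


def audit_all(policies=CONFIGURED, vendor=VENDOR_RANGES):
    """Map each misconfigured policy name to its (uncovered, excess) findings."""
    results = {name: audit_policy(r, vendor) for name, r in policies.items()}
    return {name: res for name, res in results.items() if any(res)}
```

Ranges that are split differently but cover the same space (the Greylisting entry) are treated as equivalent, so only real gaps or over-broad entries are reported.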
Troubleshooting
If your allowlisting was unsuccessful, we recommend that you reach out to Mimecast for additional help.
If you're experiencing issues with false positives and the Journaling feature is enabled for your Mimecast account, you may need to add our phishing domains to your Managed URLs. For more information, see Mimecast's Targeted Threat Protection: Managed URLs article. For a list of our phishing domains, please see our quick reference article.
Note: If you're using Mimecast in front of M365, and still have M365 email security protections enabled, please contact the CanIPhish team for support. In this case, you may need to allowlist Mimecast IPs instead of CanIPhish. To ensure this is done correctly, the CanIPhish support team will lend a helping hand.