How to Set Up DKIM for Mimecast
Step-by-step guide to configure DKIM signing in Mimecast. Learn how to generate DKIM keys, add DNS records, and create signing policies for authenticated outbound email.
Last updated: 2026-05-17
Mimecast is an email security gateway that sits between your mail server and the internet. Every outbound email passes through Mimecast before reaching recipients, which means Mimecast needs to be the one signing your emails with DKIM (DomainKeys Identified Mail). If your origin mail server signs emails before they reach Mimecast, the gateway may modify headers or content during scanning, breaking the original DKIM signature.
Why Mimecast Should Handle DKIM Signing
Because Mimecast is the last system to touch your email before delivery, it is the correct place for DKIM signing. Mimecast may modify headers during scanning, add disclaimers, or alter content. If your origin server signs the email first and Mimecast then modifies it, the receiving server sees an invalid signature. This is worse than no signature at all.
Important: Mimecast replaces your origin DKIM
When Mimecast is your outbound gateway, configure DKIM signing in Mimecast, not in your origin mail server. If you have existing DKIM signing on your mail server, it will be overridden or broken by Mimecast's processing.
Before You Start
You will need:
- Mimecast administrator access
- Access to your domain's DNS management panel
- The domain you send email from
Step-by-Step Mimecast DKIM Setup
Setting up DKIM in Mimecast involves three main phases: generating the DKIM key, publishing it in DNS, and creating a signing policy.
Navigate to DKIM settings in Mimecast
Log into the Mimecast Administration Console.
Go to Administration → Gateway → Policies → Definitions → DNS Authentication - Outbound.
This is where you manage DKIM signing configurations.
Create a new DKIM signing definition
Click New DNS Authentication - Outbound Definition.
Enter a descriptive name for this configuration (e.g., "DKIM Signing - yourcompany.com").
Select your domain from the list, or enter it manually.
Generate the DKIM key pair
Mimecast will generate a key pair. Configure:
- Domain: Your sending domain (e.g., yourcompany.com)
- Selector: A name like mimecast or mimecast20260716
- Key Length: 2048-bit (recommended)
Click Generate. Mimecast displays the DNS TXT record you need to publish.
Add the TXT record to your DNS
Log into your DNS provider and create a new TXT record:
- Type: TXT
- Host/Name: mimecast._domainkey (your selector followed by ._domainkey)
- Value: The full DKIM record value from Mimecast
Copy the value exactly. For 2048-bit keys, this is a long string. Most modern DNS providers handle long TXT records automatically.
Verify the DNS record in Mimecast
Return to the Mimecast console and click Verify or Check DNS. Mimecast will query your DNS to confirm the TXT record is published and matches the generated key.
Wait at least 15-30 minutes after adding the record before verifying.
Create a DKIM signing policy
After verification, create a policy to sign outbound emails. Go to Administration → Gateway → Policies → DNS Authentication - Outbound.
Click New Policy and select the DKIM definition you created. Set it to apply to all outbound email from your domain to external recipients. Save and enable the policy.
Verify Your Mimecast DKIM Setup
After the policy is active, verify that DKIM is working by checking the DNS record and sending a test email.
Look up the TXT record at mimecast._domainkey.yourdomain.com (or whatever selector you chose).
After confirming the DNS record exists, send a test email to an external address and check the headers for dkim=pass. If you see it, Mimecast is signing correctly.
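The header check can also confirm which selector produced the pass, which catches a leftover origin-server signature failing alongside Mimecast's. This Python sketch is an added example, not part of the original guide: the sample headers, the origin selector exchange1 and the function names are constructed, and it assumes the receiving server reports header.d and header.s in Authentication-Results.

```python
import re
from email import message_from_string

# Constructed sample: headers of a test message as an external mailbox might
# show them. Host names, selectors and b=/bh= values are made up.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.receiver.example;
 dkim=fail header.d=yourcompany.com header.s=exchange1 header.b=AAAA;
 dkim=pass header.d=yourcompany.com header.s=mimecast20260716 header.b=BBBB;
 spf=pass smtp.mailfrom=yourcompany.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.com;
 s=mimecast20260716; h=from:to:subject:date; bh=CCCC; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=yourcompany.com;
 s=exchange1; h=from:to:subject:date; bh=DDDD; b=AAAA
From: alice@yourcompany.com
Subject: DKIM test

test
"""

def dkim_results(raw_message):
    """Return [(result, domain, selector)] from Authentication-Results headers."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(header.split())      # undo header line folding
        for clause in unfolded.split(";"):
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                props = dict(re.findall(r"header\.(\w)=(\S+)", clause))
                found.append((m.group(1), props.get("d"), props.get("s")))
    return found

def gateway_signature_ok(raw_message, domain, selector):
    """True only if the signature made with this selector passed for the domain."""
    return ("pass", domain, selector) in dkim_results(raw_message)

def stale_signatures(raw_message, selector):
    """Selectors of DKIM-Signature headers that were not made by the gateway."""
    others = []
    for sig in message_from_string(raw_message).get_all("DKIM-Signature", []):
        s = re.search(r"(?:^|;)\s*s=([^;\s]+)", " ".join(sig.split()))
        if s and s.group(1) != selector:
            others.append(s.group(1))
    return others
```

A non-empty result from stale_signatures means the origin server is still signing and should have DKIM disabled, as described under "DKIM fails after Mimecast processes email".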
Understanding Mimecast DKIM Policies
Mimecast's policy system controls which emails get signed, unlike most services where DKIM is a simple toggle.
| Policy Setting | What It Controls | Recommendation |
|---|---|---|
| Definition | Which DKIM key to use | One per domain |
| Applies To | Which senders are covered | All outbound senders on the domain |
| From | Source email addresses | Your entire domain |
| To | Destination addresses | External recipients only |
| Policy Order | Priority when multiple policies exist | Place DKIM policy high in the order |
Use a broad policy
Start with a policy covering all outbound email for your domain. Most organizations want every outbound email signed with DKIM.
Common Mimecast DKIM Issues and Solutions
Policy not applied to emails
Cause: The signing policy is not matching the email flow correctly.
Solutions:
- Check the policy order (first match wins in Mimecast)
- Verify "Applies To" and "From" settings include the sending addresses
- Ensure the policy is enabled and not overridden by a higher-priority policy
Key format issues in DNS
Cause: The 2048-bit key is too long for your DNS provider's TXT record field.
Solutions:
- Split the value into two quoted strings (many providers do this automatically)
- Ensure no line breaks were introduced when pasting
- Verify the entire key was copied, as truncated keys fail validation
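The three checks above can be automated against the TXT value as it appears in your DNS panel. This Python sketch is an added example, not Mimecast's code: the function names are hypothetical, and the sample key is constructed placeholder bytes carrying the DER header of a 2048-bit RSA key, not a real key.

```python
import base64
import re

# Constructed stand-in, not a real key: the 4-byte DER header a 2048-bit RSA
# public key starts with (it declares 290 body bytes) followed by zero bytes.
SAMPLE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + SAMPLE_P

def split_for_dns(value, limit=255):
    """Split a long TXT value into quoted strings of at most 255 characters."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

def join_txt_strings(zone_value):
    """Concatenate the quoted strings of a TXT value, as DKIM verifiers do."""
    parts = re.findall(r'"([^"]*)"', zone_value)
    return "".join(parts) if parts else zone_value.strip()

def der_declared_length(der):
    """Total size (header + body) announced by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_dkim_record(zone_value):
    """Return a list of problems found in a published DKIM TXT value."""
    record = join_txt_strings(zone_value)
    pairs = (item.partition("=") for item in record.split(";"))
    tags = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    p = tags.get("p", "")
    if re.search(r"\s", p):
        problems.append("whitespace or line break inside p=")
        p = re.sub(r"\s+", "", p)
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return problems + ["p= is truncated or corrupted: invalid base64"]
    if tags.get("k", "rsa") == "rsa" and der_declared_length(der) != len(der):
        problems.append("p= is truncated or corrupted: DER length mismatch")
    return problems
```

The DER length comparison catches a key cut at a point where the base64 still decodes cleanly, which a plain "is it valid base64" check misses.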
DKIM fails after Mimecast processes email
Cause: Your origin mail server's DKIM signature is invalidated by Mimecast's processing.
Solution: Disable DKIM signing on your origin server and let Mimecast handle all signing as the final hop before delivery.
Verification fails in Mimecast
Cause: DNS record has not propagated or was entered incorrectly.
Solutions:
- Wait at least 30 minutes and retry
- Verify the TXT record exists using our DKIM checker
- Ensure the selector and domain match exactly what Mimecast expects
Key Rotation in Mimecast
Rotate DKIM keys periodically by generating a new key with a new selector (e.g., mimecast20260716), publishing it in DNS, verifying in Mimecast, updating the signing policy, and then removing the old record. Dated selectors make it easy to track when keys were created.
Complete Your Mimecast Email Authentication
DKIM signing is one part of Mimecast's email authentication capabilities. For complete protection, also configure:
SPF (Sender Policy Framework): Ensure your SPF record includes Mimecast's sending IPs. Mimecast provides the correct SPF include statement in their admin console. Check your SPF at spfrecordcheck.com.
DMARC (Domain-based Message Authentication, Reporting and Conformance): Set up a DMARC policy to instruct receiving servers on how to handle authentication failures. Check yours at dmarcrecordchecker.com.
If you need to generate a DKIM key outside of Mimecast's console, dkimcreator.com can help.
Monitor Your DKIM Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.