DKIM for Mimecast: Configuration Guide
Step-by-step guide to setting up DKIM signing in Mimecast. Configure outbound DKIM authentication, publish DNS records, and verify your setup.
Last updated: 2026-02-06
Mimecast acts as an email gateway, handling outbound email on behalf of your domain. When you route outbound mail through Mimecast, it can sign messages with DKIM before delivering them. This guide walks through the full setup.
Mimecast generates DKIM keys and signs outbound email for you. You need to publish the public key in DNS and enable the signing policy in the Mimecast Administration Console.
How Mimecast DKIM Works
When you configure DKIM in Mimecast:
- Mimecast generates a DKIM key pair for your domain
- You publish the public key as a TXT record in your DNS
- Mimecast signs all outbound emails with the private key
- Receiving servers verify the signature using your DNS record
Because Mimecast sits between your mail server and the internet, it adds the DKIM-Signature header to messages as they pass through the gateway.
Prerequisites
- A Mimecast account with administrator access
- Access to your domain's DNS management
- Outbound email routing through Mimecast already configured
Generate DKIM Keys in Mimecast
Open the Administration Console
Log in to the Mimecast Administration Console at admin.mimecast.com.
Navigate to DNS Authentication - Outbound
Go to Gateway, then Policies, then Definitions, and select DNS Authentication - Outbound.
Create a new DKIM definition
Click New DNS Authentication - Outbound Signing. Enter a descriptive name for this definition (e.g., "DKIM Signing - yourdomain.com").
Configure the signing details
Set the domain to your email domain. Choose a selector name (e.g., mimecast). Select your preferred key length — 2048-bit is recommended.
Generate the key pair
Click Generate. Mimecast creates the key pair and displays the DNS TXT record value you need to publish.
Copy the DNS record
Copy the TXT record value. You will need this for the next step.
Publish the DNS Record
Add a TXT record at your DNS provider:
| Field | Value |
|---|---|
| Host/Name | `mimecast._domainkey` (or your chosen selector) |
| Type | TXT |
| Value | The value copied from the Mimecast Administration Console |
| TTL | 3600 (or default) |
Example DNS record:
mimecast._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
If the TXT record value is long, some DNS providers require you to split it into multiple strings enclosed in double quotes. Check your provider's documentation for TXT record length limits.
Verify DNS Propagation
Before enabling the signing policy, confirm your DNS record is live:
Wait for propagation
Allow up to 24-48 hours for DNS changes to propagate, though most providers are faster.
Check the record in Mimecast
In the Mimecast Administration Console, go back to DNS Authentication - Outbound and click "Check DNS" next to your definition. Mimecast verifies the record exists and matches.
Confirm status
The status should show as verified. If it fails, double-check the DNS record for typos or propagation delays.
Enable the DKIM Signing Policy
Once the DNS record is verified, you need to create a policy that tells Mimecast to sign outbound emails.
Navigate to Policies
In the Administration Console, go to Gateway, then Policies, and select DNS Authentication - Outbound.
Create a new policy
Click New Policy. Give it a descriptive name (e.g., "DKIM Outbound Signing Policy").
Link the definition
Under "Select Option," choose the DKIM signing definition you created earlier.
Set the scope
Configure which emails should be signed. For most setups, apply the policy to all outbound emails from your domain. Set the "From" condition to your domain.
Save and enable
Save the policy. It takes effect immediately for new outbound messages.
Mimecast DKIM and Your Mail Server
When Mimecast signs outbound email, it replaces any existing DKIM signature from your origin mail server. This is because Mimecast may modify headers or apply content policies that would invalidate the original signature.
What this means:
- Your origin server's DKIM signature (if any) is removed
- Mimecast adds its own DKIM-Signature header
- The `d=` domain in the signature matches your sending domain
- The `s=` selector points to the key you published in DNS
Multiple domains
If you send email from multiple domains through Mimecast, create a separate DKIM definition and DNS record for each domain. Each domain needs its own key pair and signing policy.
Testing Your Setup
After enabling DKIM signing, verify it works:
Method 1: Send a test email
Send an email to an external address (e.g., a Gmail or Outlook account). Open the email headers and look for:
Authentication-Results: dkim=pass header.d=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=mimecast; ...
Method 2: Use Mimecast's built-in checker
In the Administration Console, navigate to your DKIM definition and use the verification tool to confirm the signing is active.
Method 3: Online DKIM checkers
Use an online DKIM record lookup tool. Enter your domain and selector (e.g., mimecast) to verify the public key is published correctly.
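One way to automate the Method 1 header check on a saved copy of the test message, as an added Python example that is not part of the original guide. The sample headers are constructed, `sig_tags` and `check_message` are hypothetical helper names, and only strict alignment (the `d=` domain equal to the From domain) is checked.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for illustration; bh= and b= values are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=yourdomain.com header.s=mimecast
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=mimecast;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@yourdomain.com>
Subject: DKIM test

test body
"""

def sig_tags(value):
    """Parse a DKIM-Signature value into {tag: value}, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def check_message(raw, selector="mimecast"):
    """Return a list of findings; an empty list means signed, aligned and passing."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sigs = [sig_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    findings = []
    if not sigs:
        findings.append("no DKIM-Signature header: signing policy not applied")
    # Strict alignment only: d= must equal the From domain (relaxed mode not modelled).
    aligned = [s for s in sigs if s.get("d", "").lower() == from_domain]
    if sigs and not aligned:
        findings.append(f"no signature with d={from_domain}")
    elif aligned and all(s.get("s") != selector for s in aligned):
        findings.append(f"aligned signature does not use selector {selector}")
    # Only trust Authentication-Results added by your own receiving server.
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = re.findall(r"dkim=(\w+)[^;]*?header\.[di]=@?([\w.-]+)", results)
    passed = [(r.lower(), d.lower()) for r, d in verdicts]
    if ("pass", from_domain) not in passed:
        findings.append(f"no dkim=pass result for {from_domain}")
    return findings
```
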
Troubleshooting
"DNS record not found" in Mimecast
- Verify the TXT record hostname matches the selector you configured
- Check for propagation delays — wait and retry
- Ensure the record is a TXT type, not CNAME
DKIM signature fails verification at receiving end
- Confirm the DNS record value matches what Mimecast generated exactly
- Check for extra spaces or line breaks in the TXT record
- Verify no other system is modifying the message after Mimecast signs it
Policy not signing emails
- Confirm the policy is enabled and linked to the correct definition
- Check the policy scope — ensure it covers the correct sender domain
- Verify the policy order — higher priority policies may override your DKIM policy
Long TXT record issues
- Some DNS providers truncate long TXT values
- Split the value into 255-character strings if required
- Use 1024-bit keys as a fallback if 2048-bit records cause issues with your DNS provider
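The splitting described under "Publish the DNS Record" and the exact-match, whitespace and truncation checks in this troubleshooting section can be reproduced offline, as in this added Python example (not Mimecast's code or the guide's own). The key is constructed filler bytes of realistic length rather than a real key, and `split_txt`, `join_txt` and `diagnose` are hypothetical helper names.

```python
import base64
import re

# Constructed filler sized like a 2048-bit RSA public key (294 bytes of DER).
# This is NOT a real key, only a stand-in with a realistic length.
FAKE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
GENERATED = "v=DKIM1; k=rsa; p=" + FAKE_KEY  # stands in for the console's value

def split_txt(value, limit=255):
    """Split a TXT value into quoted strings of at most `limit` characters."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)

def join_txt(answer):
    """Rebuild the value as a DKIM verifier does: concatenate, no separator."""
    return "".join(re.findall(r'"([^"]*)"', answer))

def diagnose(generated, answer):
    """Compare a published TXT answer (quoted strings) with the generated value."""
    published = join_txt(answer)
    if published == generated:
        return "match"
    squash = lambda s: re.sub(r"\s+", "", s)
    if squash(published) == squash(generated):
        return "extra whitespace or line break"
    if generated.startswith(published):
        return f"truncated at {len(published)} characters"
    return "value differs"

if __name__ == "__main__":
    zone_value = split_txt(GENERATED)
    print(zone_value)                       # two quoted strings for the zone
    print(diagnose(GENERATED, zone_value))  # round trip through the split
```

Paste the quoted strings returned by your DNS lookup as `answer` and the value copied from the console as `generated`.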
Mimecast DKIM with SPF and DMARC
For complete email authentication when using Mimecast:
| Protocol | Mimecast Consideration |
|---|---|
| SPF | Include Mimecast's IP ranges in your SPF record |
| DKIM | Configure signing in Mimecast as described above |
| DMARC | Ensure DKIM alignment — the d= domain must match your From domain |
Your SPF record should include Mimecast:
v=spf1 include:_netblocks.mimecast.com ~all
With both SPF and DKIM configured through Mimecast, your emails will pass DMARC alignment checks.