Whitelisting Marketo Instance and Mimecast | Community
Skip to main content
Andrew_Walker
Andrew_Walker
Level 2
October 9, 2020
Question

Whitelisting Marketo Instance and Mimecast

  • October 9, 2020
  • 1 reply
  • 5395 views

I have been unable to whitelist Marketo emails from our instance so that they can be received internally.

The main causes for the Marketo emails being rejected include ‘Rejected by header based Anti-Spoofing policy’, or that the shared IP was on a blacklist.

 

During implementation, I provided our company’s IT admin with the whitelisting instructions in the documentation, however nearly all Marketo emails and notifications are still being blocked internally by Mimecast. IT would prefer to whitelist without using these IPs to avoid whitelisting all other Marketo subscribers sharing these IPs.   

 

Subsequently I sent the instructions for using Regex for whitelisting, but IT and Mimecast says this won’t work. Here is response from Mimecast regarding this:

"For Anti-Spoofing, there is no way you can use expression phrases to bypass the system. DKIM would not work as it work different to Anti-Spoofing. The only way is if make a list of the External IP addresses you see on messages blocked by Anti-Spoofing and allow those on Everyone to Everyone Take no Action Anti-Spoofing Policy."

Marketo Support says that other Marketo customers using Mimecast have been able to use regex to whitelist, though.

We are not eligible for Unique IP because we do not send over 100,000 emails monthly. I believe we are eligible for Trusted IP, which I believe would help solve the problem by providing a branded envelope for free. 

 

It's important to note that our IT team has not setup DKIM yet but is planning to do so within the next month or two. Before applying to Trusted IP / enabling the branded return-path / branded envelope sender, I’m curious if anyone can provide some advice, especially if you’re using Mimecast with your Marketo instance.  

  • Has anyone using Mimecast successfully used regular expressions for whitelisting their Marketo instance? If so, how does this work and how would a Mimecast user set it up?
  • Another option would be for me to wait for DKIM to be finally setup, and then have IT whitelist DKIM-signed email from: our domain with the selector "m1" (m1._domainkey.example.com). It was pointed out in another post that this may be technically difficult as IT may not have a way of treating signed mail from certain domains differently. Again, looking for any Marketo customers who’ve successfully done this with Mimecast to provide some guidance.

1 reply

SanfordWhiteman
SanfordWhiteman
Level 10
October 9, 2020

What exactly is the anti-spoofing rule that's being triggered?

 

I work with lots of non-branded, standard shared-instance Marketo users and while Mimecast is frustrating — mostly because the everyday users on both sides don't realize how strict the Mimecast layer is — haven't had a problem with an anti-spoofing rule kicking in broadly.

Andrew_Walker
Andrew_WalkerAuthor
Level 2
October 12, 2020

Sanford - 

 

Under email suspended cause I'm seeing "550 Rejected by header based Anti-Spoofing policy: myemail@mycompany.com - https://community.mimecast.com/docs/DOC-1369#550 [8jrT4lbqOSisnWzmg8akqQ.uk64]"

 

I asked IT your questions and they said this is the rule that's being triggered for anti-spoofing, although this looks like a help article on how to setup the policy, not what exactly the emails are failing for: 

community.mimecast.com/s/article/Configuring-Anti-Spoofing-SPF-Based-Bypass-Policies-947404756

 

My understanding is that the whitelist - whether it's via IP range, regex or via DKIM - should prevent Mimecast for failing these emails for both anti-spoofing or the IP blacklists. I can't find any instructions on how to go about implementing either of those whitelist approaches within Mimecast itself. IT isn't understanding how the whitelisting can be done, and I don't have access to the admin side of Mimecast. 

SanfordWhiteman
SanfordWhiteman
Level 10
October 12, 2020

I believe Mimecast's SPF-based bypass policies only look up the IP, checking to see if it's allowed by a certain domain's SPF record.

 

In essence, it uses SPF TXT records & mechanisms as a database and query language for whitelisting information. But it's slightly off-kilter from the usual use of SPF since it's not looking up the MAIL FROM: domain itself. Another way of looking at it is a custom include: mechanism dictated by the receiver.

 

In any case I want to see how one of these messages looks on the wire. I'm going to PM you a test address now.

    Terms & ConditionsAccessibility statement

    Loading footer...