Skip to main content

Mimecast DMARC Analyzer Integration Setup

This guide walks you through integrating Mimecast DMARC Analyzer with RAD Security to ingest your DMARC posture and email-authentication telemetry for external attack-surface and email-security analysis. Mimecast DMARC Analyzer is an email-authentication (DMARC/SPF/DKIM) platform. RAD Security connects to the Mimecast API 2.0 and pulls your monitored domains, DNS record-change/issue events, and DMARC reports on a scheduled basis. It complements the registration/DNS providers in Domain Security (CSC Global, DNS Made Easy) by adding DMARC posture and reporting on top of domain data.
Read-only integration: RAD Security only reads data from Mimecast DMARC Analyzer. It never creates, modifies, or deletes domains, DNS records, or reports in your account.
Beta: This integration is in beta while DMARC report parsing is validated against live tenants. Domain posture and DNS record-change/issue events are the primary streams.

Prerequisites

Before you begin, ensure you have:
  • A Mimecast account with access to the Administration Console
  • A Mimecast API 2.0 Application with the DMARC Analyzer Product entitlement
  • The application’s Client ID and Client Secret
  • Access to a RAD Security workspace with integration permissions
API access is entitlement-gated: Mimecast API 2.0 Applications are scoped by immutable Products, and some endpoints additionally require an account-level product entitlement. The application must have the DMARC Analyzer Product added, or the integration cannot connect.

Understanding Integration Components

RAD Security authenticates with a Mimecast API 2.0 Client ID and Client Secret using the OAuth2 client-credentials flow. You supply both; RAD exchanges them for a short-lived bearer token and refreshes it automatically.
The API 2.0 Application must have the DMARC Analyzer Product associated with it. Without this entitlement Mimecast returns a 403, and the integration reports that API access is not entitled.
Your monitored domains and their DMARC/SPF/DKIM posture and enforcement policy, pulled as domain assets and refreshed each cycle.
DMARC Analyzer events describing DNS record changes and detected issues on your monitored domains. These are ingested incrementally — only new events each cycle.
DMARC aggregate (RUA) reports summarize who is sending on behalf of your domains and how that mail authenticated. Failure (RUF) reports describe individual failing messages and can contain message-level personal data (sender, recipient, subject). RUF ingestion is opt-in and off by default; when enabled, RAD hashes sender/recipient addresses and redacts the subject before storing anything.

Step 1: Create an API 2.0 Application in Mimecast

1

Sign in to the Administration Console

Log in to the Mimecast Administration Console with an administrator.
2

Create an API 2.0 Application

Navigate to the API 2.0 application settings and create a new application. Associate the DMARC Analyzer Product with the application so it is entitled to the DMARC Analyzer endpoints.
3

Generate the Client ID and Client Secret

Generate the application’s Client ID and Client Secret.
Copy the Client Secret immediately and store it securely in a password manager or secrets vault. You will need both values to configure the integration.
4

Confirm the account entitlement

Confirm your Mimecast account is entitled to DMARC Analyzer. Some endpoints require an account-level product entitlement in addition to the application’s Product.
Exact console navigation and labels may vary by Mimecast plan and region. See the Mimecast API 2.0 documentation for the current steps to create an application, associate Products, and generate credentials.

Configure in RAD Security

Navigate to your RAD Security workspace and configure the Mimecast DMARC Analyzer integration with the following parameters:

Required Parameters

ParameterDescription
Client IDClient ID of the Mimecast API 2.0 Application (with the DMARC Analyzer Product entitlement)
Client SecretClient Secret paired with the Client ID, used to mint short-lived API tokens

Optional Parameters

ParameterDescription
Ingest failure reports (RUF)Also ingest forensic failure reports once the Reports subsystem is enabled. These carry message-level PII (sender, recipient, subject); RAD hashes addresses and redacts subjects before storage. Boolean; default off.
RAD Security handles token exchange and refresh automatically — you provide the Client ID and Client Secret.

Verify Integration

1

Check Connection Status

  1. Navigate to Data Sources > Integrations > Domain Security in RAD Security
  2. Locate your Mimecast DMARC Analyzer integration
  3. Verify the connection status shows as Connected
Your Mimecast DMARC Analyzer integration is now configured! RAD Security will ingest your DMARC domain posture and DNS record-change/issue events on a scheduled basis (and DMARC reports as validated, including failure reports if you enabled them).

What Data is Synced

  • Monitored domains as domain assets
  • DMARC/SPF/DKIM presence and the DMARC enforcement policy (none/quarantine/reject)
  • DNS record changes and detected issues on your domains, as activity events
  • A finding is raised for issue events that indicate a posture problem
  • Per-sending-source authentication outcomes (SPF/DKIM results, disposition, volume)
  • A finding is raised for authentication failures
  • Individual failed-message reports, with sender/recipient hashed and subject redacted
  • A finding is raised per failure report
On first connection RAD backfills recent events, then syncs incrementally (only new events each cycle). Domain posture is refreshed each cycle; the re-insert is skipped when the snapshot is unchanged.

Use Cases

Email Authentication Posture

Track DMARC/SPF/DKIM coverage and enforcement policy across your domains.

DNS Change Monitoring

Surface DNS record changes and DMARC issues as they are detected.

Enforcement Rollout

Monitor progress toward p=quarantine/reject without breaking legitimate mail.

Attack Surface Analysis

Combine DMARC posture with domain and DNS data for a fuller external view.
Mimecast DMARC Analyzer focuses on email authentication. Pair it with CSC Global and DNS Made Easy for registration, TLS, and operational DNS coverage.

Troubleshooting

Possible causes:
  • The API 2.0 Application does not have the DMARC Analyzer Product associated, or the account lacks the DMARC Analyzer entitlement (Mimecast returns 403)
Solution:
  • Add the DMARC Analyzer Product to the API 2.0 Application, confirm the account entitlement, then re-verify
Possible causes:
  • Incorrect Client ID or Client Secret (Mimecast returns 401)
Solution:
  • Verify both values are copied correctly (no extra spaces)
  • Regenerate the credentials in the Mimecast Administration Console and update them in RAD Security
Possible causes:
  • RUF ingestion is off (default), or there are no failure reports in the window
Solution:
  • Enable Ingest failure reports (RUF) in the integration settings if you want forensic reports
  • Confirm your Mimecast account is receiving RUF reports for the domains
Possible causes:
  • The account has no monitored domains or no events in the recent window
Solution:
  • Confirm the account has domains configured in DMARC Analyzer and is receiving DMARC data

Security Best Practices

Use a Dedicated Application

Create a dedicated API 2.0 Application for RAD rather than reusing one scoped to other integrations.

Rotate Credentials

Regenerate the Client ID and Client Secret periodically according to your security policy.

Secure Storage

Store the Client Secret in a secrets vault. Never commit it to version control.

Treat RUF as Sensitive

Enable failure-report (RUF) ingestion only when needed; RAD hashes addresses and redacts subjects, but RUF is inherently more sensitive than RUA.

Additional Resources

Mimecast API 2.0 Docs

Official Mimecast API developer documentation

Domain Security Overview

Learn about RAD’s domain security integrations

Next Steps

EasyDMARC Setup

Add DMARC posture and reporting with EasyDMARC

CSC Global Setup

Add domain registration and TLS coverage with CSC Global

DNS Made Easy Setup

Add operational DNS coverage with DNS Made Easy