> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rad.security/llms.txt
> Use this file to discover all available pages before exploring further.

# Mimecast DMARC Analyzer

> Configure the Mimecast DMARC Analyzer integration with RAD Security to ingest DMARC domain posture, DNS record-change/issue events, and DMARC reports.

# Mimecast DMARC Analyzer Integration Setup

This guide walks you through integrating Mimecast DMARC Analyzer with RAD Security to ingest your DMARC posture and email-authentication telemetry for external attack-surface and email-security analysis.

Mimecast DMARC Analyzer is an email-authentication (DMARC/SPF/DKIM) platform. RAD Security connects to the Mimecast API 2.0 and pulls your monitored domains, DNS record-change/issue events, and DMARC reports on a scheduled basis. It complements the registration/DNS providers in Domain Security (CSC Global, DNS Made Easy) by adding DMARC posture and reporting on top of domain data.

<Info>
  **Read-only integration:** RAD Security only reads data from Mimecast DMARC Analyzer. It never creates, modifies, or deletes domains, DNS records, or reports in your account.
</Info>

<Note>
  **Beta:** This integration is in beta while DMARC report parsing is validated against live tenants. Domain posture and DNS record-change/issue events are the primary streams.
</Note>

## Prerequisites

Before you begin, ensure you have:

<Check>
  * A Mimecast account with access to the **Administration Console**
  * A Mimecast **API 2.0 Application** with the **DMARC Analyzer Product** entitlement
  * The application's **Client ID** and **Client Secret**
  * Access to a RAD Security workspace with integration permissions
</Check>

<Warning>
  **API access is entitlement-gated:** Mimecast API 2.0 Applications are scoped by immutable **Products**, and some endpoints additionally require an account-level product entitlement. The application must have the **DMARC Analyzer Product** added, or the integration cannot connect.
</Warning>

## Understanding Integration Components

<AccordionGroup>
  <Accordion title="Client ID + Client Secret" icon="key">
    RAD Security authenticates with a Mimecast API 2.0 **Client ID** and **Client Secret** using the OAuth2 client-credentials flow. You supply both; RAD exchanges them for a short-lived bearer token and refreshes it automatically.
  </Accordion>

  <Accordion title="DMARC Analyzer Product Entitlement" icon="shield-check">
    The API 2.0 Application must have the **DMARC Analyzer Product** associated with it. Without this entitlement Mimecast returns a `403`, and the integration reports that API access is not entitled.
  </Accordion>

  <Accordion title="Domain Posture" icon="globe">
    Your monitored domains and their DMARC/SPF/DKIM posture and enforcement policy, pulled as domain assets and refreshed each cycle.
  </Accordion>

  <Accordion title="DNS Record-Change / Issue Events" icon="clock-rotate-left">
    DMARC Analyzer events describing DNS record changes and detected issues on your monitored domains. These are ingested incrementally — only new events each cycle.
  </Accordion>

  <Accordion title="Aggregate (RUA) & Failure (RUF) Reports" icon="chart-column">
    DMARC aggregate (RUA) reports summarize who is sending on behalf of your domains and how that mail authenticated. Failure (RUF) reports describe individual failing messages and can contain **message-level personal data** (sender, recipient, subject). RUF ingestion is **opt-in** and off by default; when enabled, RAD hashes sender/recipient addresses and redacts the subject before storing anything.
  </Accordion>
</AccordionGroup>

***

## Step 1: Create an API 2.0 Application in Mimecast

<Steps>
  <Step title="Sign in to the Administration Console">
    Log in to the Mimecast Administration Console with an administrator.
  </Step>

  <Step title="Create an API 2.0 Application">
    Navigate to the API 2.0 application settings and create a new application. Associate the **DMARC Analyzer Product** with the application so it is entitled to the DMARC Analyzer endpoints.
  </Step>

  <Step title="Generate the Client ID and Client Secret">
    Generate the application's **Client ID** and **Client Secret**.

    <Warning>
      Copy the **Client Secret** immediately and store it securely in a password manager or secrets vault. You will need both values to configure the integration.
    </Warning>
  </Step>

  <Step title="Confirm the account entitlement">
    Confirm your Mimecast account is entitled to DMARC Analyzer. Some endpoints require an account-level product entitlement in addition to the application's Product.
  </Step>
</Steps>

<Note>
  Exact console navigation and labels may vary by Mimecast plan and region. See the [Mimecast API 2.0 documentation](https://developer.services.mimecast.com/) for the current steps to create an application, associate Products, and generate credentials.
</Note>

***

## Configure in RAD Security

Navigate to your RAD Security workspace and configure the Mimecast DMARC Analyzer integration with the following parameters:

### Required Parameters

| Parameter         | Description                                                                                 |
| ----------------- | ------------------------------------------------------------------------------------------- |
| **Client ID**     | Client ID of the Mimecast API 2.0 Application (with the DMARC Analyzer Product entitlement) |
| **Client Secret** | Client Secret paired with the Client ID, used to mint short-lived API tokens                |

### Optional Parameters

| Parameter                        | Description                                                                                                                                                                                                                 |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Ingest failure reports (RUF)** | Also ingest forensic failure reports once the Reports subsystem is enabled. These carry message-level PII (sender, recipient, subject); RAD hashes addresses and redacts subjects before storage. Boolean; **default off**. |

<Note>
  RAD Security handles token exchange and refresh automatically — you provide the Client ID and Client Secret.
</Note>

***

## Verify Integration

<Steps>
  <Step title="Check Connection Status">
    1. Navigate to **Data Sources > Integrations > Domain Security** in RAD Security
    2. Locate your Mimecast DMARC Analyzer integration
    3. Verify the connection status shows as **Connected**
  </Step>
</Steps>

<Check>
  Your Mimecast DMARC Analyzer integration is now configured! RAD Security will ingest your DMARC domain posture and DNS record-change/issue events on a scheduled basis (and DMARC reports as validated, including failure reports if you enabled them).
</Check>

## What Data is Synced

<AccordionGroup>
  <Accordion title="Domain Posture" icon="globe">
    * Monitored domains as domain assets
    * DMARC/SPF/DKIM presence and the DMARC enforcement policy (none/quarantine/reject)
  </Accordion>

  <Accordion title="DNS Record-Change / Issue Events" icon="clock-rotate-left">
    * DNS record changes and detected issues on your domains, as activity events
    * A finding is raised for issue events that indicate a posture problem
  </Accordion>

  <Accordion title="Aggregate (RUA) Reports" icon="chart-column">
    * Per-sending-source authentication outcomes (SPF/DKIM results, disposition, volume)
    * A finding is raised for authentication failures
  </Accordion>

  <Accordion title="Failure (RUF) Reports — opt-in" icon="triangle-exclamation">
    * Individual failed-message reports, with sender/recipient hashed and subject redacted
    * A finding is raised per failure report
  </Accordion>
</AccordionGroup>

<Note>
  On first connection RAD backfills recent events, then syncs **incrementally** (only new events each cycle). Domain posture is refreshed each cycle; the re-insert is skipped when the snapshot is unchanged.
</Note>

## Use Cases

<CardGroup cols={2}>
  <Card title="Email Authentication Posture" icon="envelope-circle-check">
    Track DMARC/SPF/DKIM coverage and enforcement policy across your domains.
  </Card>

  <Card title="DNS Change Monitoring" icon="clock-rotate-left">
    Surface DNS record changes and DMARC issues as they are detected.
  </Card>

  <Card title="Enforcement Rollout" icon="gauge-high">
    Monitor progress toward p=quarantine/reject without breaking legitimate mail.
  </Card>

  <Card title="Attack Surface Analysis" icon="diagram-project">
    Combine DMARC posture with domain and DNS data for a fuller external view.
  </Card>
</CardGroup>

<Note>
  Mimecast DMARC Analyzer focuses on email authentication. Pair it with [CSC Global](/rad-security/integrations/domain-security/csc-global-setup) and [DNS Made Easy](/rad-security/integrations/domain-security/dns-made-easy-setup) for registration, TLS, and operational DNS coverage.
</Note>

## Troubleshooting

<AccordionGroup>
  <Accordion title="API Access Not Entitled" icon="lock">
    **Possible causes:**

    * The API 2.0 Application does not have the **DMARC Analyzer Product** associated, or the account lacks the DMARC Analyzer entitlement (Mimecast returns `403`)

    **Solution:**

    * Add the **DMARC Analyzer Product** to the API 2.0 Application, confirm the account entitlement, then re-verify
  </Accordion>

  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Incorrect Client ID or Client Secret (Mimecast returns `401`)

    **Solution:**

    * Verify both values are copied correctly (no extra spaces)
    * Regenerate the credentials in the Mimecast Administration Console and update them in RAD Security
  </Accordion>

  <Accordion title="No Failure Reports" icon="inbox">
    **Possible causes:**

    * RUF ingestion is off (default), or there are no failure reports in the window

    **Solution:**

    * Enable **Ingest failure reports (RUF)** in the integration settings if you want forensic reports
    * Confirm your Mimecast account is receiving RUF reports for the domains
  </Accordion>

  <Accordion title="Empty Results" icon="inbox">
    **Possible causes:**

    * The account has no monitored domains or no events in the recent window

    **Solution:**

    * Confirm the account has domains configured in DMARC Analyzer and is receiving DMARC data
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use a Dedicated Application" icon="user-gear">
    Create a dedicated API 2.0 Application for RAD rather than reusing one scoped to other integrations.
  </Card>

  <Card title="Rotate Credentials" icon="rotate">
    Regenerate the Client ID and Client Secret periodically according to your security policy.
  </Card>

  <Card title="Secure Storage" icon="vault">
    Store the Client Secret in a secrets vault. Never commit it to version control.
  </Card>

  <Card title="Treat RUF as Sensitive" icon="user-shield">
    Enable failure-report (RUF) ingestion only when needed; RAD hashes addresses and redacts subjects, but RUF is inherently more sensitive than RUA.
  </Card>
</CardGroup>

## Additional Resources

<CardGroup cols={2}>
  <Card title="Mimecast API 2.0 Docs" icon="book" href="https://developer.services.mimecast.com/">
    Official Mimecast API developer documentation
  </Card>

  <Card title="Domain Security Overview" icon="globe" href="/rad-security/integrations/domain-security/overview">
    Learn about RAD's domain security integrations
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="EasyDMARC Setup" icon="envelope-circle-check" href="/rad-security/integrations/domain-security/easydmarc-setup">
    Add DMARC posture and reporting with EasyDMARC
  </Card>

  <Card title="CSC Global Setup" icon="globe" href="/rad-security/integrations/domain-security/csc-global-setup">
    Add domain registration and TLS coverage with CSC Global
  </Card>

  <Card title="DNS Made Easy Setup" icon="server" href="/rad-security/integrations/domain-security/dns-made-easy-setup">
    Add operational DNS coverage with DNS Made Easy
  </Card>
</CardGroup>
