Anti-spoofing best practices
I've inherited a Mimecast setup which hasn't been paid much attention to. We have a reasonable number of domains associated (> 20) due to acquisition.
An account review flagged up that the anti-spoofing policies for those domains weren't turned on.
We're now slowly turning them on one by one and have found valid outside senders are getting blocked.
The emails are valid - the SPF records are valid and DKIM is all set up - it all passes when we check manually. Mimecast don't seem to be checking this though and just block it because it's not come from the internal source.
To get around it - we created an SPF bypass for each domain to force Mimecast to check the domain's SPF record for validity on arrival.
Mimecast's advice is to set up an SPF bypass which says "everyone to everyone - apply to all emails on all SPF records on all valid domains" (because only one rule can apply on any one transit).
But that means if service A is valid for domain Z, it'll also be valid for domain Y.
This doesn't feel logically sensible - why are we going through all this effort to set up SPF/DKIM for these external senders only to set up a bypass on them?
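
An added example, not part of the original post and not Mimecast's own logic: a minimal SPF evaluator (only `ip4`, `include` and `all`) run over constructed records, contrasting a per-domain check with the pooled "valid for Z, so also valid for Y" outcome the post is worried about. The domain names, IP ranges and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF records using documentation IP ranges; not real domains.
SPF_RECORDS = {
    "domain-z.example": "v=spf1 include:_spf.service-a.example -all",
    "domain-y.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.service-a.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, records=SPF_RECORDS, depth=0):
    """Evaluate ip against the SPF record of this one domain only."""
    record = records.get(domain)
    if record is None or depth > 10:  # no record, or include chain too deep
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include matches only when the included record returns pass
            matched = spf_check(mech[8:], ip, records, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # mechanisms outside this sketch are ignored
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def pooled_check(ip, owned_domains):
    """The concern in the post: accept if ANY owned domain authorizes the IP."""
    return any(spf_check(d, ip) == "pass" for d in owned_domains)


if __name__ == "__main__":
    service_a_ip = "203.0.113.10"  # constructed sending IP for "service A"
    for d in ("domain-z.example", "domain-y.example"):
        print(d, spf_check(d, service_a_ip))
    print("pooled:", pooled_check(service_a_ip, ["domain-z.example", "domain-y.example"]))
```

Evaluated per domain, service A passes for domain Z and fails for domain Y; the pooled check accepts it regardless of which domain the message claims to come from.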