Published · Last verified · Maintained by TamingDNS

🛡️ Mimecast Email Gateway SMTP Error Code Directory

Mimecast is one of the most common enterprise email security gateways. When a company routes inbound mail through Mimecast, their MX records resolve to mimecast.com servers. Mimecast uses standard SMTP enhanced codes, but adds its own policy and reputation filtering on top. Every company can configure their own rules, which means the same IP can be accepted by one Mimecast customer and blocked by another.

Gateway
Mimecast Email Security
MX Hostname Pattern
*.mimecast.com
NDR From Address
[email protected]

How to Identify a Mimecast Bounce

If the Remote-MTA in your bounce contains a hostname ending in mimecast.com (such as us-smtp-inbound-1.mimecast.com), the rejection came from Mimecast. Mimecast includes the string smtp; in its diagnostic codes, and often appends an IP address and a numeric identifier in square brackets. 

Remote-MTA: dns; us-smtp-inbound-1.mimecast.com
Diagnostic-Code: smtp; 550-5.7.1 [198.51.100.1 12] Message rejected.
  See https://www.mimecast.com/products/email-security/faq/ for more info.

The mimecast.com MX hostname is the key identifier. The numeric code in brackets (e.g. [198.51.100.1 12]) is an internal Mimecast reference. The IP is your sending IP and the number is Mimecast's rejection reason code.

Mimecast Rejection Reason Codes

Mimecast appends a numeric reason code in square brackets after the sending IP in rejection messages. These codes identify the category of rejection:

[IP 1]
Blocked sender (reputation)
[IP 2]
Content policy violation
[IP 3]
Anti-spam filter
[IP 5]
DMARC / authentication failure
[IP 10]
Rate limit exceeded
[IP 12]
IP reputation block

Mimecast Error Codes

The most common SMTP errors returned by Mimecast Email Security gateways.

🔴 550 5.7.1 CRITICAL
Message Rejected by Mimecast Policy
Mimecast's anti-spam or policy engine has rejected your message. This is the most common Mimecast hard bounce. It can be triggered by IP reputation, domain reputation, content filtering, or a custom policy rule set by the recipient organisation's Mimecast admin.
550 5.7.1 smtp; 550-5.7.1 [198.51.100.1 12] Message rejected. See https://www.mimecast.com/products/email-security/faq/ for more info.
🟡 421 4.7.1 CRITICAL
Greylisting: Retry Later
Mimecast is greylisting your message. Your mail server will retry automatically and the second attempt typically succeeds. This is a standard anti-spam technique that filters out bots that do not retry.
421 4.7.1 Service temporarily unavailable - please retry.
🔴 550 5.7.26 CRITICAL
DMARC Policy Violation
The recipient organisation's Mimecast gateway is enforcing DMARC. Your message failed SPF/DKIM alignment against the From domain. Fix your DKIM signing and SPF record.
550 5.7.26 This message fails to pass DMARC evaluation and the sending domain has a DMARC Reject policy.
🟡 421 4.7.0 CRITICAL
Rate Limited: Too Many Messages
Mimecast is rate-limiting your sending IP or domain. Reduce your sending rate and implement exponential back-off. Your mail server will retry automatically.
421 4.7.0 Too many connections from your IP.
🔴 550 5.1.1 CRITICAL
Recipient Does Not Exist
Mimecast's directory synchronisation with the recipient organisation confirmed this address does not exist. Remove from your list immediately.
550 5.1.1 smtp; User unknown

Getting Delisted from Mimecast

If Mimecast is blocking your IP or domain, follow these steps before requesting review:

  • Verify your SPF, DKIM, and DMARC records are correctly configured
  • Check your IP against major blocklists. Mimecast respects Spamhaus and similar feeds
  • Ensure your reverse DNS (PTR) record matches your sending hostname
  • Submit a sender review via the Mimecast Sender Reputation portal
📖 Mimecast Sender FAQ →

Frequently Asked Questions

Common questions about Mimecast gateway SMTP errors.

Look up the MX records for the recipient domain using our MX Inspector. If they resolve to hostnames ending in mimecast.com (like us-smtp-inbound-1.mimecast.com), Mimecast is handling their inbound mail. This tells you which filtering system you are dealing with and what delist steps are relevant.

This is what's known as a delayed bounce, and it happens because Mimecast accepted the message on behalf of the recipient at the SMTP level, but then a downstream system (usually the actual mail server like Exchange) rejected it during processing. The bounce email still comes from the Mimecast MX hostname, which can be confusing. Look at the enhanced status code inside the bounce for the real reason.

Yes, and this is the key thing to understand about Mimecast: every company that uses it gets to configure their own rules. That means your IP or domain might be perfectly fine for one Mimecast customer and blocked by another, not because of your reputation globally but because their IT admin has set a stricter policy. If you are being blocked by a specific organisation, the fastest fix is to ask the recipient's IT admin to whitelist your IP or domain directly in their Mimecast console.

Work through this in order. First, check your authentication: run your domain through our Domain Checker to confirm SPF, DKIM, and DMARC are correct. Second, check your IP reputation with our Blacklist Checker. Mimecast respects major IP blocklists like Spamhaus and Spamcop, so if you are listed there, get delisted first. Third, check your reverse DNS (PTR) record. Mimecast is known to reject senders that do not have a valid PTR matching their sending hostname.

Other Provider Directories

Google / Gmail
View directory →
Microsoft 365
View directory →
Yahoo / AOL
View directory →
Apple iCloud
View directory →
Comcast / Xfinity
View directory →
Proofpoint
View directory →
🔍

Got a Mimecast bounce to decode?

Paste your full NDR email or SMTP error line for an instant plain-English diagnosis.

Open the Bounce Decoder →