Loading
Salesforce now sends email only from verified domains. Read More

Mimecast emails fail with the error: (Undelivered): 550 Anti-Spoofing policy - Inbound not allowed ......... after Migration to Hyperforce

Publish Date: Dec 13, 2024
Description
After a Hyperforce migration emails sent from organizations that have used IP Access lists in Mimecast can fail with an error similar to: (Undelivered): 550 Anti-Spoofing policy - Inbound not allowed - https://community.mimecast.com/docs/DOC-1369#550 [lF0zU5HRO02z4T4VPAUrCQ.usb23]

The emails that fail are email sent from the organization to email addresses with the same domain.
Resolution

Salesforce recommends SPF/DKIM/DMARC to obtain the highest deliverability  
Organizations that use a Mimecast email front end (MX record) can leverage the functionality described by Mimecast here to address emails sent to their own domain from Salesforce that get filtered by Mimecast Anti Spoofing policies with errors similar to the above.
As a best practice organizations should also setup DKIM for Salesforce.  When setting up SPF and DKIM also be aware of alignment best practices mentioned here

Mimecast Anti-Spoofing SPF Based Bypass policy underscore limitation
NOTE: Salesforce recommends and supports the use of the SPF record mentioned previously in this article _spf.salesforce.com.  However, an SPF record spf.salesforce.com also exists. This record is not the officially recommended and supported for use in DNS.  As the Mimecast SPF policy mentioned doesn't allow the use of the underscore this entry can be used as workaround to this limitation in the Mimecast policy only.  For more information on this Policy contact Mimecast.

Knowledge Article Number

000396202

 
Loading
Salesforce Help | Article