rspamd → Mimecast

rspamd ↔ Mimecast: integration to migration path.

Email security is load-bearing — break the gateway and every inbox stalls at once. So rspamd deploys alongside Mimecast at equal MX priority first, scoring real traffic until its verdicts agree, then takes over the path one phase at a time. No flag day, no mass re-credentialing, and every phase rolls back in minutes.

The honest end state is partial: URL Protect, Attachment Protect, Impersonation Protect and Cloud Archive stay on Mimecast. rspamd is excellent at SMTP-time scoring, DKIM signing and DMARC enforcement — it is not a drop-in for TTP or a SEC 17a-4 archive, and we say so up front.

The idea

Run them side by side first. Retire only what's portable.

The integration topology that makes this zero-outage is equal-priority split-MX: both Mimecast and an rspamd-fronted Postfix relay publish at MX preference 10, so senders distribute roughly 50/50 and both engines see comparable traffic with no Mimecast policy disabled. Once rspamd's verdicts hold up, it moves to the front as primary MX, ARC-sealing and relaying accepted mail to Mimecast's inbound smart host so URL Protect and Cloud Archive stay on the path mail actually travels. Only the portable controls cross to rspamd; TTP and the archive stay — each layer independent, each reversible.

The phases

Seven steps. Each one reversible.

Phase 0: Baseline & inventory

We document every Mimecast Policy (Anti-Spoofing, Spam Scanning, URL/Attachment/Impersonation Protect, Content Examination, Permitted/Blocked, Managed Senders, Outbound Routing), every Cloud Archive journaling rule, SIEM API consumers, DKIM selectors, DMARC posture and MTA-STS state. Read-only.

Users see: No user impact.

Rollback: N/A.

Phase 1: rspamd in shadow (split-MX)

rspamd-fronted Postfix stands up in HA and publishes at equal MX priority, so senders distribute ~50/50 and both quarantines fill with directly comparable verdicts. Bayes is pre-trained from a Cloud Archive sample labelled by Mimecast; neural stays off for 30 days. No Mimecast policy is disabled.

Users see: None.

Rollback: Drop the rspamd MX record; 300s TTL drains in minutes.

Phase 2: Verdict comparison + policy port

Every Mimecast policy with a rspamd equivalent is ported and PR-reviewed against the Phase 1 verdict log — Permitted/Blocked to multimap, Anti-Spoofing to spf/dkim/dmarc plus display-name checks. Policies with no equivalent (URL, Attachment, Impersonation Protect) are flagged Mimecast-retained.

Users see: None — Mimecast still inspects every message on its path.

Rollback: Per policy, revert its config; rspamd reloads hot. Under 15 minutes.
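The verdict comparison that gates Phase 2 is easier to reason about with a concrete scorer in hand. The block below is an added example written for this page, not code from rspamd or from the migration plan: it parses the X-Spamd-Result header rspamd stamps on each message (score, reject threshold and the per-rule weights the parity table mentions), maps the score to a held/delivered label, and builds the confusion counts against the label Mimecast already assigned to the same message. The Message-IDs, headers, labels, the 6.0 "held" threshold (rspamd's default add_header action) and the gate percentages are all assumptions; real labels would come from the Cloud Archive sample or the SIEM feed.

```python
"""Verdict-agreement gate for the shadow phase: score rspamd's X-Spamd-Result
header against the label Mimecast already assigned to the same message.
Added example, not code from the migration page or from rspamd; the
Message-IDs, headers, labels and thresholds below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Tuple

# X-Spamd-Result begins "default: <is_spam> [<score> / <reject threshold>];" and then
# lists one "SYMBOL(weight)[options]" entry per matched rule (folded across lines in the wire header).
HEADER_RE = re.compile(r"^\s*default:\s*(True|False)\s*\[\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)\s*\]")
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?[\d.]+)\)(?:\[([^\]]*)\])?")

# Assumption: rspamd's default add_header action fires at 6.0, so a score at or above it
# is what Mimecast would have held rather than delivered.
HELD_THRESHOLD = 6.0


@dataclass
class RspamdVerdict:
    score: float
    reject_threshold: float
    symbols: Dict[str, float] = field(default_factory=dict)


def parse_spamd_result(header: str) -> RspamdVerdict:
    """Unfold an X-Spamd-Result value and extract score, reject threshold and rule weights."""
    unfolded = " ".join(header.split())
    m = HEADER_RE.match(unfolded)
    if not m:
        raise ValueError("not an X-Spamd-Result value: %r" % unfolded[:40])
    symbols = {name: float(weight) for name, weight, _opts in SYMBOL_RE.findall(unfolded[m.end():])}
    return RspamdVerdict(float(m.group(2)), float(m.group(3)), symbols)


def rspamd_label(verdict: RspamdVerdict) -> str:
    return "held" if verdict.score >= HELD_THRESHOLD else "delivered"


# Constructed sample: Mimecast's label per message and the X-Spamd-Result rspamd produced
# for the same message. Symbol names are illustrative.
MIMECAST_LABELS = {
    "<a1@sample.example>": "held", "<a2@sample.example>": "delivered",
    "<a3@sample.example>": "held", "<a4@sample.example>": "delivered",
    "<a5@sample.example>": "held", "<a6@sample.example>": "delivered",
    "<a7@sample.example>": "delivered", "<a8@sample.example>": "held",
}
RSPAMD_HEADERS = {
    "<a1@sample.example>": "default: True [16.10 / 15.00];\n\tBAYES_SPAM(5.10)[99.90%];\n\tDBL_SPAM(6.50)[bad.sample.example];"
                           "\n\tR_SPF_FAIL(1.00)[-all];\n\tHFILTER_HOSTNAME_UNKNOWN(2.50)[];\n\tSUBJECT_HAS_CURRENCY(0.70)[];"
                           "\n\tMIME_HTML_ONLY(0.20)[];\n\tRCVD_NO_TLS_LAST(0.10)[];\n\tFROM_NEQ_ENVFROM(0.00)[]",
    "<a2@sample.example>": "default: False [-3.30 / 15.00]; BAYES_HAM(-3.00)[99.97%]; "
                           "R_DKIM_ALLOW(-0.20)[partner.example:s=sel1]; MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[]",
    "<a3@sample.example>": "default: False [4.50 / 15.00]; FORGED_SENDER(0.30)[a@x.example,b@y.example]; R_SPF_FAIL(1.00)[-all]; "
                           "HFILTER_HOSTNAME_UNKNOWN(2.50)[]; SUBJECT_HAS_CURRENCY(0.70)[]; FROM_NEQ_ENVFROM(0.00)[]",
    "<a4@sample.example>": "default: False [6.80 / 15.00]; BAYES_SPAM(2.00)[70.00%]; MANY_INVISIBLE_PARTS(1.00)[]; MIME_HTML_ONLY(0.20)[]; "
                           "HFILTER_HOSTNAME_UNKNOWN(2.50)[]; RCVD_NO_TLS_LAST(0.10)[]; FORGED_SENDER(0.30)[x,y]; SUBJECT_HAS_CURRENCY(0.70)[]",
    "<a5@sample.example>": "default: True [21.10 / 15.00]; BAYES_SPAM(5.10)[100.00%]; DBL_SPAM(6.50)[spam.sample.example]; "
                           "PHISHING(7.00)[spam.sample.example->login.bank.example]; HFILTER_HOSTNAME_UNKNOWN(2.50)[]",
    "<a6@sample.example>": "default: False [-0.60 / 15.00]; R_SPF_ALLOW(-0.20)[+ip4:203.0.113.0/24]; R_DKIM_ALLOW(-0.20)[partner.example:s=sel1]; "
                           "DMARC_POLICY_ALLOW(-0.50)[partner.example,reject]; MIME_HTML_ONLY(0.20)[]; RCVD_NO_TLS_LAST(0.10)[]",
    # <a7@...> was routed to Mimecast by split-MX and never reached rspamd.
    "<a8@sample.example>": "default: False [10.10 / 15.00]; BAYES_SPAM(3.60)[90.00%]; DBL_SPAM(6.50)[bad.sample.example]",
}


def compare(rspamd_headers: Dict[str, str], mimecast_labels: Dict[str, str]) -> Counter:
    """Confusion counts keyed by (mimecast_label, rspamd_label); 'unscanned' marks mail rspamd never saw."""
    counts: Counter = Counter()
    for msgid, label in mimecast_labels.items():
        header = rspamd_headers.get(msgid)
        counts[(label, "unscanned" if header is None else rspamd_label(parse_spamd_result(header)))] += 1
    return counts


def agreement_rate(counts: Counter) -> float:
    total = sum(counts.values())
    return (counts[("held", "held")] + counts[("delivered", "delivered")]) / total if total else 0.0


def gate_passes(counts: Counter, min_agreement: float = 0.95, max_missed_spam: float = 0.01) -> bool:
    """Phase 2 exit: high agreement and very little mail that Mimecast held but rspamd would deliver."""
    total = sum(counts.values())
    missed = counts[("held", "delivered")] / total if total else 1.0
    return agreement_rate(counts) >= min_agreement and missed <= max_missed_spam


def missed_spam_symbols(rspamd_headers: Dict[str, str], mimecast_labels: Dict[str, str]) -> Counter:
    """Rules that fired on mail Mimecast held but rspamd would deliver: the weight-tuning worklist."""
    hits: Counter = Counter()
    for msgid, label in mimecast_labels.items():
        header = rspamd_headers.get(msgid)
        if label == "held" and header is not None:
            verdict = parse_spamd_result(header)
            if rspamd_label(verdict) == "delivered":
                hits.update(verdict.symbols.keys())
    return hits


if __name__ == "__main__":
    c = compare(RSPAMD_HEADERS, MIMECAST_LABELS)
    print(dict(c), "agreement=%.3f gate=%s" % (agreement_rate(c), gate_passes(c)))
    print("rules on missed spam:", dict(missed_spam_symbols(RSPAMD_HEADERS, MIMECAST_LABELS)))
```

Messages that split-MX routed to Mimecast count against agreement as "unscanned", which is intentional: the gate should be evaluated on a sample both engines actually scored, such as the Mimecast-labelled Cloud Archive sample replayed through rspamd. The missed-spam symbol counts are what the policy-port PR review reads when deciding which multimap or weight to adjust.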

Phase 3: Cut rspamd to primary MX

rspamd becomes the only public MX (relaying accepted, ARC-sealed mail to Mimecast's inbound smart host) or Mimecast stays MX while rspamd handles outbound plus second-opinion — chosen at Phase 2 exit. Mimecast's TTP and Cloud Archive stay on the path mail actually traverses.

Users see: None expected; roughly tens of milliseconds of delivery-latency change.

Rollback: Re-publish the Mimecast MX or revert the connector. DNS TTL bound, under 15 minutes.

Phase 4: Tune & tighten

We ratchet DMARC toward p=reject if the baseline was weaker, rotate DKIM to a new selector under rspamd-side key custody (old kept 30 days), and move MTA-STS to enforce once both MX hosts are clean in testing for 14 days.

Users see: None at the user layer; external senders with broken auth start failing — which is the goal.

Rollback: DMARC p= reverts at TTL; the old DKIM selector stays live ≥30 days; MTA-STS drops to testing. Under 15 minutes.
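The MTA-STS condition in this phase ("both MX hosts clean in testing for 14 days") is worth making mechanical, because with split-MX a policy that lists only one of the two hosts will, in enforce mode, make compliant senders refuse the other. The following is an added example written for this page, not code from the migration plan, rspamd or Mimecast: it parses the RFC 8461 policy file, checks that every published MX host is covered by an mx entry, and scans TLS-RPT aggregate reports (RFC 8460 JSON) for failed sessions against either host inside the soak window. The hostnames, the fixed "today", the report contents and the 14-day default are constructed.

```python
"""Phase 4 gate for moving MTA-STS from mode: testing to mode: enforce.
Added example, not code from the migration page or from either vendor.
Hostnames, dates and TLS-RPT reports are constructed."""
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple


def parse_mta_sts_policy(text: str) -> Dict[str, object]:
    """Parse an RFC 8461 policy file ('key: value' lines); every 'mx' line is collected into a list."""
    mx: List[str] = []
    policy: Dict[str, object] = {"mx": mx}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported MTA-STS policy version")
    return policy


def mx_pattern_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx entries are exact hostnames or '*.domain', where '*' matches exactly one label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def unlisted_mx_hosts(policy: Dict[str, object], published_mx: Iterable[str]) -> Set[str]:
    """Published MX hosts no policy entry covers; in enforce mode compliant senders would refuse them."""
    return {h for h in published_mx if not any(mx_pattern_matches(p, h) for p in policy["mx"])}


def report_day(report: dict) -> date:
    start = report["date-range"]["start-datetime"].replace("Z", "+00:00")
    return datetime.fromisoformat(start).date()


def failure_days(reports: List[dict], mx_hosts: Iterable[str]) -> Dict[str, Set[date]]:
    """Per MX host, the report days on which an sts-policy failure-detail named it with failed sessions."""
    days: Dict[str, Set[date]] = {h.lower(): set() for h in mx_hosts}
    for report in reports:
        for entry in report["policies"]:
            if entry["policy"]["policy-type"] != "sts":
                continue
            for failure in entry.get("failure-details", []):
                host = failure.get("receiving-mx-hostname", "").lower()
                if host in days and failure.get("failed-session-count", 0) > 0:
                    days[host].add(report_day(report))
    return days


def enforce_ready(policy_text: str, published_mx: Iterable[str], reports: List[dict],
                  clean_days: int = 14, today: Optional[date] = None) -> Tuple[bool, List[str]]:
    """True when the policy may move to mode: enforce; otherwise False plus the blocking reasons."""
    published = {h.lower() for h in published_mx}
    policy = parse_mta_sts_policy(policy_text)
    reasons: List[str] = []
    if policy.get("mode") != "testing":
        reasons.append("policy mode is %r, expected 'testing' before enforce" % policy.get("mode"))
    missing = unlisted_mx_hosts(policy, published)
    if missing:
        reasons.append("MX hosts not covered by the policy: " + ", ".join(sorted(missing)))
    today = today or date.today()
    window = {today - timedelta(days=i) for i in range(clean_days)}
    if not any(report_day(r) in window for r in reports):
        reasons.append("no TLS-RPT reports received in the last %d days" % clean_days)
    for host, bad_days in failure_days(reports, published).items():
        recent = sorted(bad_days & window)
        if recent:
            reasons.append("%s had TLS failures on %s" % (host, ", ".join(d.isoformat() for d in recent)))
    return (not reasons, reasons)


# Constructed split-MX topology: the rspamd relay and Mimecast's inbound host, both published at MX 10.
PUBLISHED_MX = {"mx-rspamd.example.com", "mx-mimecast.example.com"}
POLICY_TESTING = "version: STSv1\nmode: testing\nmx: mx-rspamd.example.com\nmx: mx-mimecast.example.com\nmax_age: 604800\n"
POLICY_ONE_HOST = "version: STSv1\nmode: testing\nmx: mx-rspamd.example.com\nmax_age: 604800\n"
TODAY = date(2025, 3, 15)  # constructed 'now' so the 14-day window is reproducible


def tlsrpt_report(day: str, failed_hosts: List[str]) -> dict:
    """Constructed RFC 8460 aggregate report from one sender for one day."""
    return {
        "organization-name": "Example Sender (constructed)",
        "date-range": {"start-datetime": day + "T00:00:00Z", "end-datetime": day + "T23:59:59Z"},
        "report-id": "constructed-" + day,
        "policies": [{
            "policy": {"policy-type": "sts", "policy-domain": "example.com",
                       "policy-string": ["version: STSv1", "mode: testing"], "mx-host": sorted(PUBLISHED_MX)},
            "summary": {"total-successful-session-count": 120, "total-failure-session-count": len(failed_hosts)},
            "failure-details": [{"result-type": "certificate-host-mismatch", "receiving-mx-hostname": h,
                                 "failed-session-count": 1} for h in failed_hosts],
        }],
    }


REPORTS_DIRTY = [tlsrpt_report("2025-03-01", []), tlsrpt_report("2025-03-10", ["mx-mimecast.example.com"]),
                 tlsrpt_report("2025-03-14", [])]
REPORTS_CLEAN = [tlsrpt_report("2025-02-27", ["mx-rspamd.example.com"]), tlsrpt_report("2025-03-05", []),
                 tlsrpt_report("2025-03-14", [])]

if __name__ == "__main__":
    print(enforce_ready(POLICY_TESTING, PUBLISHED_MX, REPORTS_DIRTY, today=TODAY))
    print(enforce_ready(POLICY_TESTING, PUBLISHED_MX, REPORTS_CLEAN, today=TODAY))
```

The "no reports in window" reason matters as much as the failure scan: a quiet TLS-RPT mailbox usually means the _smtp._tls record is wrong, not that every sender is happy. Run the check against the live policy and the stored reports on each soak day; the flip to enforce is the only irreversible-feeling step in this phase, and the rollback is still just republishing mode: testing.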

Phase 5: Retire portable Mimecast features

Spam Scanning, Anti-Spoofing, Content Examination, Permitted/Blocked, Managed Senders and Outbound Routing for the rspamd cohort are disabled or set log-only, watched in the SIEM for 14 days. URL/Attachment/Impersonation Protect and Cloud Archive stay. The SKU bundle is renegotiated at renewal.

Users see: None — URLs are still rewritten, attachments still sandboxed, impersonation alerts still flow.

Rollback: Re-enable the disabled policies. Under 15 minutes.

Phase 6: Final retirement (partial)

This is deliberately partial. URL Protect, Attachment Protect, Impersonation Protect and Cloud Archive remain on Mimecast; Awareness Training is kept or repointed to a third-party tool. The SKU bundle is right-sized at renewal and SIEM ingestion of retained features continues. Big-bang retirement is explicitly not the target.

Users see: None.

Rollback: Per-feature reactivation is possible mid-contract; renewal-time SKU changes are procurement, not engineering.

Feature parity

Where rspamd matches Mimecast — and where it can't.

| Capability | rspamd | Mimecast | Parity |
| --- | --- | --- | --- |
| Spam scoring | bayes + neural + symbols (X-Spamd-Result: per-rule weights) | Mimecast Spam Scanning (multi-tenant model) | At parity |
| SPF / DKIM verify | spf, dkim modules | Mimecast Anti-Spoofing | At parity |
| DKIM signing | dkim_signing (org key custody, selector swap) | Mimecast outbound signing | At parity |
| DMARC enforce + reporting | dmarc + dmarc_reporting worker (rua) | Mimecast Anti-Spoofing + DMARC Analyzer (separate SKU) | At parity |
| ARC sealing | arc module seals every accepted message | Mimecast ARC at its hop | At parity |
| URL defence (click-time/sandbox) | surbl/phishing SMTP-time reputation only | Mimecast URL Protect (click-time re-eval + sandbox) | SaaS only |
| Attachment sandboxing | none native (ClamAV + YARA + CAPE = heavy single-tenant ops, not equivalent) | Mimecast Attachment Protect (Safe File / Pre-emptive / Dynamic) | SaaS only |
| Impersonation / BEC detection | reputation + replyto_mismatch + multimap cousin-domain lists | Mimecast Impersonation Protect (newly-observed-domain feed + comms graph) | Partial |
| Awareness training / phish sim | none | Mimecast Awareness Training | SaaS only |
| Archive (WORM / SEC 17a-4) | none (no archive function) | Mimecast Cloud Archive (SEC 17a-4 attested WORM) | SaaS only |
| Quarantine | force_actions + web UI :11334 | Mimecast Held queue / TRACE | At parity |
| MTA integration | Postfix milter (rspamd-proxy :11332), inbound smart-host relay | Mimecast SaaS MTA (inbound smart host) | At parity |
| Reporting / SIEM API | /history, /scan, /checkv2, /symbols HTTP (push-friendly) | Mimecast SIEM API /api/audit/get-siem-logs (polling, rate-limited) | At parity |
| Deployment model | self-hosted HA (Postfix + Redis + ClamAV) | vendor-hosted cloud SaaS | Partial |
| Cost model | self-hosted compute + Redis + ops | per-MAU + per-SKU bundle | Partial |
| Compliance (SEC 17a-4 / SOC 2) | rspamd ops in scope; no native WORM attestation | Mimecast Cloud Archive carries SEC 17a-4 attestation | SaaS only |

What we're honest about

The caveats most vendors leave out.

URL Protect and Attachment Protect are SaaS-only

Mimecast URL Protect rewrites links and re-evaluates them at click time with a sandbox; rspamd's surbl/phishing modules are SMTP-time reputation only. Attachment Protect's Safe File, Pre-emptive and Dynamic sandboxing runs at vendor scale — ClamAV + YARA + CAPE is heavy single-tenant ops, not equivalent in breadth. Both stay on Mimecast; the chained topology preserves them.

Impersonation Protect is only partial parity

rspamd covers display-name spoofing and obvious cousin domains with reputation, replyto_mismatch, Lua and multimap lists. What it does not have is Mimecast's managed newly-observed-domain feed or internal comms graph. For regulated or BEC-targeted orgs we keep Impersonation Protect on Mimecast rather than overstate the rspamd coverage.
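To make the "partial" in partial parity concrete, the block below implements the three signals the paragraph says rspamd does cover: display-name spoofing of protected people, cousin (lookalike) sender domains, and a Reply-To domain that differs from the From domain. It is an added example written for this page, not rspamd's own replyto_mismatch, multimap or Lua code; the protected domain, the protected person and the sample headers are constructed. What it visibly lacks is exactly what the paragraph keeps on Mimecast: no newly-observed-domain feed and no communication graph, so a lookalike that is neither an edit-distance neighbour nor a digit/letter swap of a listed domain goes unflagged.

```python
"""Display-name spoofing, cousin-domain and Reply-To mismatch checks: the impersonation
signals the page says rspamd covers. Added example written for this page, not rspamd's
own code; the protected domain, protected person and sample headers are constructed."""
import unicodedata
from email.utils import parseaddr
from typing import Dict, List, Optional

PROTECTED_DOMAINS = {"example.com"}                      # constructed: the org's own domain
PROTECTED_PEOPLE = {"Jane Doe": "jane.doe@example.com"}  # constructed: display names worth protecting

# Lookalike folding: accents removed, digit-for-letter swaps and the letter pairs that read
# as one glyph. Mixed-script homoglyphs (e.g. Cyrillic letters) are out of scope here.
DIGIT_MAP = str.maketrans("01357", "olest")


def skeleton(s: str) -> str:
    s = unicodedata.normalize("NFKD", s.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    return s.translate(DIGIT_MAP).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_domain(domain: str) -> Optional[str]:
    """The protected domain this sender domain imitates, or None; the real domain and its subdomains are not cousins."""
    d = domain.lower().strip()
    if any(d == p or d.endswith("." + p) for p in PROTECTED_DOMAINS):
        return None
    for p in PROTECTED_DOMAINS:
        d_label, p_label = d.rsplit(".", 1)[0], p.rsplit(".", 1)[0]
        if skeleton(d) == skeleton(p) or levenshtein(d, p) <= 1 or skeleton(d_label) == skeleton(p_label):
            return p
    return None


def check_message(headers: Dict[str, str]) -> List[str]:
    """Return the impersonation findings for one message's From / Reply-To header values."""
    findings: List[str] = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    display_norm = " ".join(display.casefold().split())
    for name, real_addr in PROTECTED_PEOPLE.items():
        # A protected display name on any address other than the real one is a spoof candidate.
        if display_norm == name.casefold() and addr.lower() != real_addr:
            findings.append("display_name_spoof:" + name)
    cousin = cousin_domain(from_domain) if from_domain else None
    if cousin:
        findings.append("cousin_domain:" + cousin)
    if headers.get("Reply-To"):
        reply_domain = parseaddr(headers["Reply-To"])[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != from_domain:
            findings.append("replyto_mismatch")
    return findings


# Constructed sample messages (header values only).
SAMPLES = {
    "vip_lookalike": {"From": '"Jane Doe" <jane.doe@examp1e.com>', "Reply-To": "<jane.doe@freemail.example>"},
    "genuine_vip": {"From": '"Jane Doe" <jane.doe@example.com>'},
    "vendor_invoice": {"From": '"Accounts Payable" <ap@vendor.example>', "Reply-To": "<ap@vendor.example>"},
    "freemail_vip": {"From": "Jane  DOE <jdoe@webmail.example>"},
    "subdomain": {"From": '"Payroll" <payroll@hr.example.com>'},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_message(hdrs))
```

In an rspamd deployment the protected-people and cousin-domain data would live in multimap lists and the findings would become weighted symbols; this stand-alone form is useful for replaying a Mimecast Impersonation Protect export against the same rules to measure how much of that feature the rspamd side would actually catch before deciding, per the text, to keep it on Mimecast.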

Cloud Archive WORM (SEC 17a-4) has no OSS parity

Mimecast Cloud Archive carries SEC 17a-4(f)(2)(ii) WORM attestation; rspamd has no archive function at all. For broker-dealers, RIAs and HIPAA-archive entities this is a dealbreaker for full retirement — a SEC-attested peer (Smarsh, Global Relay, MailArchiva) must be live before any flip that bypasses Mimecast. For most customers, Cloud Archive simply stays.

Awareness Training, managed BEC ML and 24×7 SOC stay with the vendor

rspamd does not address user education, its neural model is in-tenant and cold-starts (vs Mimecast's cross-tenant signal), and there is no Threat Center analyst backstop — your on-call becomes the SOC. Awareness Training stays on Mimecast or moves to KnowBe4/Hoxhunt as separate procurement, and Phase 5 only proceeds with quantified 24×7 coverage.

Why this beats a flag day

Reversible at every phase; soaked before anything is dropped.

Every phase carries an under-15-minute rollback — drop the rspamd MX behind a 300s TTL, revert a connector, or re-enable a disabled policy — so no single change can take mail down. And no phase advances on a hunch: each gate requires a soak, typically at least 30 days of agreeing verdicts and clean DMARC and TLS-RPT aggregates, before the next step. The Mimecast SKU bundle is only right-sized at renewal, after that soak proves the portable controls run cleanly on rspamd.

See which Mimecast features cross to rspamd — and which stay.

A 30-minute call with a senior email engineer. We map your Mimecast policies, archive obligations and SKU bundle, name what must stay (URL Protect, Cloud Archive, Impersonation Protect) and what's portable, and tell you honestly what the partial end state looks like — before you commit.
