Setup

• Remove text on stationary ( HTML and plain text ) before sending emails via Mimecast
• Disable Office 365 Spam Filter
   
  

Maintenance

• Enabled Digest Sets every Hour ( not every 4 hour )
• Disable Device Enrollment
  
  1. Log on to the Administration Console.
  2. Click on the Administration menu item.
  3. Select the Account | Account Settings menu item.
  4. Expand the User Access and Permissions section.
  5. Select the Targeted Threat Protection Authentication option.
• SAML for Authentication SSO via a provider like Office 365 for 2fa and Brute Force protection. If not Fall back to LDAPS ( EWS basic Auth is not Secure ) 
• Disable Cloud Auth ( Or enable only for Continuity , and expire logins after 30 days ) 
• Service Monitoring Setup
• Acknowledge Disabled Users ( Make sure Receipt Validation is set to Known 
• Setup impersonation protection for VIP
• Restrict Administration Console to IP
• Continuity Test
• Confirm you have an account as Super Admin
• Enable Outbond DKIM\SPF\DMARC
• Inbound (  this we recommend a “Reject” setting. Out of the box we set it to ignore/managed permitted sender entries as some customers didn’t like that it was too aggressive. )