Mimecast will actually let you send from another domain you do not own ( will need to open a Support ticket and give a business reason ) 

Mimecast Production IP ranges (This IP range when you have a registered internal domain)
include:au._netblocks.mimecast.com

Mimecast Non-Production IP Ranges (This IP range is used for non-internal domains)
include:au._extnetblocks.mimecast.com

If customers wish to impersonate a domain you do not own, for example with address rewriting, use the DNS Authorization Code found in Your Mimecast Account Settings. The Mimecast Secure Email Gateway checks messages that are sent from each account. If the sending domain doesn’t match a domain listed as internal to the account, it will then check the TXT record of the sending domain for the presence of the DNS Authorization Code. If this code isn’t present, messages will be sent using these IP blocks instead of the normal route.

https://community.mimecast.com/s/article/Connect-Application-Implementing-SPF-for-Outbound-Email-Delivery-731048977

You can also tighten down SPF to only allow specific email address to send from third party services instead of whole domain : https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/