A supported living provider operating three service brands - mental health support, learning disability services, and complex care - each with its own email domain. The organisation was running Microsoft 365 but relying on Mimecast as a third-party layer for email security, archiving, and mail flow, effectively paying for email protection twice.
Service: Managed IT · Sector: Supported living
Mimecast had been the organisation's email security and archiving platform for years. All inbound and outbound email across the three brands routed through Mimecast before reaching Exchange Online, adding a layer of complexity to the mail flow and creating a dependency on a third-party service for something Microsoft already provided natively.
The overlap was significant. Microsoft 365 already included Exchange Online Protection, Defender for Office 365, data loss prevention, information governance, and email archiving. Most of what Mimecast was doing was already available within the Microsoft stack - paid for and unused.
The Mimecast archive held a substantial volume of historical email at a significant annual cost. Migrating away from it required careful planning to ensure nothing was lost and record-keeping obligations were still met.
The mail flow architecture added its own problems. Because Mimecast sat between the internet and Exchange Online, every MX record, every connector, and every authentication mechanism had to be configured to work through Mimecast first. That made troubleshooting delivery issues more complicated than it needed to be and introduced a single point of failure.
For a supported living provider, email is not just internal communication. It carries safeguarding referrals, local authority placement information, family updates, and CQC correspondence. Downtime or misconfiguration is not an option.
We planned the migration in stages, starting with a detailed analysis of which Mimecast features were already covered by the Microsoft stack and which, if any, genuinely required Mimecast to remain.
The first step was configuring Exchange Online Protection and Defender for Office 365 to handle inbound and outbound email security natively. This included setting up SPF, DKIM, and DMARC authentication for all three brand domains - essential for preventing spoofing of a care organisation's email addresses, which could have serious safeguarding implications if a fraudulent email appeared to come from a support worker or service manager.
Once the Microsoft security layer was fully configured and tested, we executed the mail flow cutover. MX records for all three domains were updated simultaneously to point directly to Exchange Online instead of routing through Mimecast. The cutover was scheduled for a window that minimised risk to care operations, with monitoring in place to catch any delivery issues immediately.
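A post-cutover check of the kind this stage calls for, as an added example that is not the provider's own tooling: it audits MX, SPF, and DMARC records for each brand domain and flags anything still pointing at the old gateway. The domain names, record values, the "mimecast" hostname match, and the rule that DMARC must be at quarantine or reject are assumptions made for illustration.

```python
# Added example: offline audit of mail DNS records after an MX cutover.
EXO_MX_SUFFIX = ".mail.protection.outlook.com"
EXO_SPF_INCLUDE = "include:spf.protection.outlook.com"
OLD_GATEWAY = "mimecast"  # assumed substring of the previous gateway's hostnames

def audit_domain(records):
    """Return a list of findings; an empty list means the domain passed."""
    findings = []
    # MX: every host must be Exchange Online, or mail still transits the old gateway.
    mx_hosts = [h.lower().rstrip(".") for h in records.get("MX", [])]
    if not mx_hosts:
        findings.append("no MX record")
    findings += [f"MX not Exchange Online: {h}" for h in mx_hosts
                 if not h.endswith(EXO_MX_SUFFIX)]
    # SPF: exactly one v=spf1 record; Microsoft authorised; old gateway removed.
    spf = [t for t in records.get("TXT", []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected 1 SPF record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        if EXO_SPF_INCLUDE not in terms:
            findings.append("SPF does not include Exchange Online")
        if any(OLD_GATEWAY in t for t in terms):
            findings.append("SPF still authorises the old gateway")
        if terms[-1] not in ("-all", "~all"):
            findings.append("SPF does not end in -all or ~all")
    # DMARC (TXT at _dmarc.<domain>): p=none only reports, it blocks nothing.
    dmarc = [t for t in records.get("DMARC", []) if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected 1 DMARC record, found {len(dmarc)}")
    else:
        pairs = (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)
        tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append("DMARC policy is not enforcing")
    return findings

SAMPLE = {  # constructed records for three hypothetical brand domains
    "brand-a.example": {"MX": ["brand-a-example.mail.protection.outlook.com."],
        "TXT": ["v=spf1 include:spf.protection.outlook.com -all"],
        "DMARC": ["v=DMARC1; p=reject; rua=mailto:dmarc@brand-a.example"]},
    "brand-b.example": {"MX": ["eu-smtp-inbound-1.mimecast.com."],
        "TXT": ["v=spf1 include:eu._netblocks.mimecast.com ~all"],
        "DMARC": ["v=DMARC1; p=none"]},
    "brand-c.example": {"MX": ["brand-c-example.mail.protection.outlook.com."],
        "TXT": ["v=spf1 include:spf.protection.outlook.com ~all"], "DMARC": []},
}
REPORT = {domain: audit_domain(recs) for domain, recs in SAMPLE.items()}
for domain, found in REPORT.items():
    print(domain, found or "OK")
```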
For the archive, we evaluated two options: continuing with Mimecast archiving at its current annual cost, or exporting the historical data to lower-cost cloud storage. The export route had a higher upfront cost but offered substantial long-term savings. Both options were presented with full cost projections so the management team could make an informed decision.
Email now flows directly through Microsoft's own security infrastructure without passing through a third-party intermediary. The architecture is simpler, troubleshooting is faster, and there is one fewer vendor in the chain.
The overlap between Mimecast and Microsoft licensing has been eliminated. SPF, DKIM, and DMARC are properly configured across all three brand domains, protecting the organisation's identity and ensuring that emails from support workers and managers to families, social workers, and commissioners can be trusted.
Communication with families, local authorities, and commissioners was uninterrupted throughout the transition. Staff noticed no change in their day-to-day email experience - the improvement was entirely behind the scenes, reducing cost and complexity without affecting the people who depend on reliable communication to deliver care.
Email security consolidated across three brands · Mimecast replaced with native Microsoft 365 security · Three domains migrated simultaneously · SPF, DKIM, and DMARC configured across all domains · Email archive evaluated for cost-effective migration · Duplicate licensing cost eliminated