Why is Mimecast causing DKIM body hash failures?

Key findings

• Content modification: Mimecast's processes, such as URL rewriting or adding footers, can inadvertently alter the email body. These changes occur after the sending server has applied the DKIM signature, leading to a body hash mismatch. Such unintentional modifications are a common cause of DKIM body hash failures.
• Internal verification: Failures often occur at the relay.mimecast.com hop, indicating that Mimecast's internal processing is the point of failure for the DKIM signature, not a subsequent receiver.
• Impact on deliverability: When DKIM fails, it signals to receiving mail servers that the email's integrity has been compromised or that it might be a spoofed message, potentially leading to rejection or placement in the spam folder. This is a common challenge for email authentication at various ISPs.
• Historical precedence: There have been past instances where Mimecast's email repacking processes were known to break DKIM body hashes.

Key considerations

• Email content integrity: Ensure your sending infrastructure applies DKIM signatures before any potential content modification by intermediate gateways. This is crucial for maintaining email authentication validity.
• Canonicalization: Using 'relaxed' canonicalization for both header and body can offer more leniency to minor modifications by mail transfer agents or security solutions. However, even 'relaxed' mode might not tolerate significant content changes.
• Sender agreements: For critical emails, coordinate with recipients using Mimecast to ensure their Mimecast settings whitelist your sending domain or exclude it from content modification policies that impact DKIM.
• Monitoring DMARC reports: Regularly review DMARC aggregate reports to identify trends in DKIM failures attributed to Mimecast. This data can help pinpoint specific issues and domains experiencing problems.

Key opinions

• Suspected content garbling: Many marketers question if Mimecast invisibly alters email content enough to cause DKIM body hash failures, particularly when emails are otherwise perfectly signed.
• Proxy and content rewriting: A common theory is that Mimecast replaces URLs with a proxy or adds footers to emails, which could break DKIM signatures if done before validation. This type of modification impacts DKIM body hash mismatch failures.
• Specific point of failure: Observation of authentication results shows DKIM failing at relay.mimecast.com, suggesting the issue originates within Mimecast's processing.
• Impact of security products: Some note that similar issues arise with other security products, such as Barracuda refusing to implement ARC, leading to broader authentication problems.

Key considerations

• Diagnostic steps: Marketers are advised to obtain full message samples, not just headers, to identify specific content modifications that might be causing the DKIM failure. This helps in diagnosing DKIM failures across various ISPs.
• Communication with recipients: It is often necessary to work with recipients using Mimecast to adjust their settings, ensuring that Mimecast does not modify emails in a way that breaks DKIM for trusted senders.
• Library compatibility: Consider whether DKIM signing libraries used by senders are fully compatible and robust, as some tools have had recent issues with DKIM verification, requiring updates or switches. This relates to Mimecast's DKIM issues.
• Preventing unintended modifications: Sending platforms should be configured to avoid adding footers or making other changes after DKIM signing that could lead to hash mismatches.

Key opinions

• Post-signing modification: Many experts agree that security gateways modify emails post-signing for various reasons, such as adding disclaimers, removing malicious content, or URL rewriting, which causes the DKIM body hash to break. These unintentional alterations commonly trigger DKIM failures.
• Canonicalization impact: Even with 'relaxed' canonicalization, some modifications are too extensive to be ignored, leading to validation failures. Strict canonicalization is even more susceptible.
• Interception point: The issue typically occurs at the point of interception by the security gateway, confirming that their processing is the direct cause of the broken signature.
• Authentication standard conflicts: The core conflict lies between the need for email integrity (DKIM) and the need for security processing (gateways), highlighting the importance of solutions like ARC for preserving authentication chains. This often results in DKIM failing at some ISPs but not others.

Key considerations

• ARC implementation: Experts recommend advocating for the implementation of ARC by email security providers, as it allows mail servers to validate the original authentication status of an email even after it has been modified by intermediate relays.
• Sender policy enforcement: Senders should strive to have minimal content modification between their signing MTA and the receiving mail server. This means avoiding unnecessary additions like footers or tracking pixels after the DKIM signature is applied.
• Whitelist configuration: Advise recipients using Mimecast to configure internal policies that prevent content modification for trusted senders, or to whitelist specific sending domains to bypass certain scans.
• Regular testing: Periodically test email authentication with various recipients, especially those using enterprise-grade security solutions like Mimecast, to proactively identify and address potential DKIM body hash failures. This helps diagnose and reduce DKIM temporary error rates.

Key findings

• DKIM sensitivity: DKIM is designed to detect any alteration to the signed parts of an email. If the body is included in the signature (which it typically is), even minor changes invalidate the signature.
• RFC compliance: RFC 6376 dictates how DKIM body hashes are calculated. Any non-compliant modification by an intermediary will result in a body hash mismatch. This helps understand why DKIM may fail for specific providers.
• Canonicalization modes: While 'relaxed' canonicalization tolerates minor whitespace and header field casing changes, it does not permit content alterations like added footers, rewritten URLs, or re-encoding.
• ARC as a solution: The Authenticated Received Chain (ARC) standard was developed to allow intermediate mail servers and security gateways to re-sign emails after modification while preserving the original authentication results, mitigating issues with forwarded or modified mail.

Key considerations

• Security vs. integrity: Organizations using security gateways must balance the benefits of content scanning and modification against the need for valid email authentication. This often requires careful configuration.
• Gateway configuration: Documentation for security solutions like Mimecast often provides options to disable certain content modification features or to whitelist specific senders to prevent DKIM breakage.
• Sender responsibility: Senders are responsible for ensuring their DKIM signatures are applied correctly and that their outbound email path minimizes modifications that could impact authentication. For more details on common causes for DKIM body hash failures, see our guide.
• Reporting: DMARC reporting is crucial for identifying authentication failures caused by security gateways. The aggregate reports provide detailed insights into where and why DKIM is failing.