Email authentication protocols like DKIM (DomainKeys Identified Mail) are crucial for verifying sender identity and ensuring email deliverability. They help mailbox providers trust incoming messages and protect against phishing and spoofing. However, it can be incredibly frustrating when these authentications fail, especially when you are using a reputable email security service like Mimecast.
Many organizations use Mimecast as their primary email security gateway, routing all inbound and outbound mail through it for various checks, including spam and virus protection, archiving, and data loss prevention. While Mimecast offers robust security, a common issue some senders encounter is DKIM body hash failures. This specific failure indicates that the content of the email body, or parts of it, changed after the original DKIM signature was applied.
The core of the problem lies in how Mimecast processes emails. To perform its security functions, Mimecast often unpacks and re-packs email messages. This necessary processing can inadvertently alter the email's body content, even slightly, leading to a mismatch with the original DKIM body hash calculated by the sender's server. When the receiving server, or Mimecast itself, attempts to verify the DKIM signature, the hash no longer matches, resulting in a "dkim=fail (body hash did not verify)" authentication result.
Mimecast's primary function as an email security gateway involves deep scanning and analysis of email traffic. This often means that messages are temporarily disassembled and then reassembled. During this process, various modifications can occur, such as:
URL rewriting: Mimecast may rewrite URLs in the email body to perform URL protection, sandboxing, or tracking. Even slight changes to URLs can alter the body's hash.
Content modification: For spam detection or data loss prevention, Mimecast might insert disclaimers, footers, or modify certain characters, which changes the original body hash. Mimecast unpacks and repacks every email for spam identification.
Character set adjustments: Differences in how Mimecast handles character sets or encoding can subtly alter the message body.
When an email is signed with DKIM, a cryptographic hash of the email's content (including headers and body) is generated and included in the DKIM signature. If any part of the signed content changes even slightly after the signature is applied, the receiving server's re-calculated hash will not match the one in the signature, causing the DKIM validation to fail. This is a security feature, preventing tampering, but it can be problematic with intermediate mail filters.
You might see an authentication result in your email headers similar to this:
Example DKIM body hash failure in headers:
Authentication-Results: relay.mimecast.com; dkim=fail ("body hash did not verify")
Canonicalization and its role
Canonicalization refers to the process of standardizing various parts of an email message before calculating the DKIM hash. There are two main canonicalization algorithms: relaxed and simple. The choice of algorithm significantly impacts how tolerant the DKIM verification process is to minor changes in the email. Simple canonicalization is very strict, while relaxed is more forgiving.
If your DKIM failures are specific to Mimecast, you may need to adjust your DKIM signing policy to use relaxed body canonicalization. This makes the body hash more tolerant of minor modifications like changes in whitespace, blank lines at the end of the body, or wrapping of long lines, which Mimecast's processing might introduce. Many senders find that setting canonicalization values to "Relaxed" can resolve these issues, especially with recipient mailbox providers like Microsoft.
It's a delicate balance. While relaxed canonicalization helps prevent legitimate mail from failing DKIM, it also slightly reduces the strictness of the signature, making it marginally more susceptible to subtle tampering. However, for most environments with intermediate security gateways, this trade-off is often necessary for reliable email delivery.
Simple canonicalization
Strict adherence: Any change to whitespace, empty lines, or header folding will break the DKIM signature.
Ideal for: Direct mail flows without intermediate modifications.
Risk with Mimecast: High likelihood of DKIM body hash failure due to Mimecast's content processing.
Relaxed canonicalization
Flexible adherence: Tolerates minor changes to whitespace, blank lines, and header folding.
Ideal for: Mail flows involving security gateways or other intermediaries that modify messages.
Mitigation with Mimecast: Significantly reduces the chance of DKIM body hash failures.
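To make the simple-versus-relaxed difference concrete, here is an added example (not code from the original article or from Mimecast) that implements both RFC 6376 body canonicalization algorithms, computes the bh= value a signer would emit, and then checks whether that value still verifies after two kinds of change: the cosmetic whitespace and trailing-blank-line edits a gateway's unpack/repack can introduce, and a substantive footer insertion. The sample bodies and the footer text are constructed for the demonstration.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Apply RFC 6376 body canonicalization ("simple" or "relaxed")."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {mode}")
    # Accept bare LF in test input; DKIM itself operates on CRLF-terminated lines.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # RFC 6376 section 3.4.4: drop trailing whitespace on each line and
        # collapse runs of spaces/tabs to a single space before hashing.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    # Both modes ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # Empty body: simple hashes a single CRLF, relaxed hashes the empty string.
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Return the bh= value a signer would emit: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_verifies(signed_bh: str, received_body: bytes, mode: str) -> bool:
    """Mimic the verifier: recompute bh= from the body as received and compare."""
    return body_hash(received_body, mode) == signed_bh


# Constructed sample bodies (not taken from any real message).
ORIGINAL = b"Hello team,\r\n\r\nPlease review the attached report.\r\n"
# The kind of cosmetic change a gateway's unpack/repack can introduce:
# a trailing space, a doubled space, and extra blank lines at the end.
REWRAPPED = b"Hello team, \r\n\r\nPlease review the  attached report.\r\n\r\n\r\n"
# A substantive change: a footer appended to the body.
FOOTER_ADDED = ORIGINAL + b"\r\nScanned by the example gateway.\r\n"


def compare_outcomes() -> dict:
    """For each body canonicalization mode, does the bh= signed over ORIGINAL still verify?"""
    results = {}
    for mode in ("simple", "relaxed"):
        signed = body_hash(ORIGINAL, mode)
        results[mode] = {
            "rewrapped": body_hash_verifies(signed, REWRAPPED, mode),
            "footer_added": body_hash_verifies(signed, FOOTER_ADDED, mode),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in compare_outcomes().items():
        print(f"c=*/{mode}: rewrapped verifies={outcome['rewrapped']}, "
              f"footer added verifies={outcome['footer_added']}")
```

Running it shows the trade-off the article describes: under simple canonicalization the trailing space alone breaks the body hash, under relaxed the rewrapped body still verifies, and an inserted footer fails under both modes. Relaxed canonicalization buys tolerance for whitespace and line-ending changes only; any gateway that inserts disclaimers or rewrites URLs will still produce a body hash mismatch regardless of the c= setting.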
Troubleshooting and mitigating failures
When you encounter DKIM body hash failures with Mimecast, the first step is to confirm the exact point of failure. Examining the full email headers (specifically the Authentication-Results header) can reveal whether Mimecast itself is reporting the failure or if it's occurring downstream. If it's Mimecast, the solutions often involve adjustments to your DKIM configuration.
Check Mimecast policies: Review your Mimecast inbound mail policies to see if there are any settings related to DKIM, content modification, or URL rewriting that might be impacting the message body before validation.
Adjust canonicalization: If possible, configure your sending system (MTA or email service provider) to use relaxed body canonicalization. This is often the most effective solution.
Contact Mimecast support: Mimecast support can provide specific guidance on how their system interacts with DKIM and if there are any recommended configurations or known issues that apply to your setup.
Implement ARC: Authenticated Received Chain (ARC) is a protocol that preserves email authentication results across multiple hops, even if intermediaries like Mimecast modify the message. While primarily for forwarded mail, its principles can apply to complex inbound flows.
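The first troubleshooting step above, reading the full headers to find where the failure is first reported and which canonicalization the signer chose, can be scripted. The following is an added example (not code from the article or from Mimecast) that walks the Authentication-Results headers of a message in delivery order, reports the earliest hop that recorded dkim=fail with its reason, and reads the c= tag of the DKIM-Signature to show whether the body was signed with simple or relaxed canonicalization. The message, host names and tag values are constructed placeholders.

```python
import email
import re
from email import policy

# Constructed sample message (not a real capture). Headers are read top-down,
# so the first Authentication-Results header was added by the most recent hop.
RAW_MESSAGE = b"""Authentication-Results: mx.example.net; dkim=fail ("body hash did not verify") header.d=sender.example
Authentication-Results: relay.mimecast.com; dkim=fail ("body hash did not verify") header.d=sender.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sender.example; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE=
From: alice@sender.example
To: bob@example.net
Subject: Quarterly report

Hello team,
"""

# authserv-id is the token before the first ';' (RFC 8601 layout).
AR_RE = re.compile(r"^\s*(?P<authserv>[^;\s]+)\s*;\s*(?P<rest>.*)$", re.S)
# dkim=<result> optionally followed by a parenthesised reason.
DKIM_RE = re.compile(r"dkim=(?P<result>\w+)(?:\s*\((?P<reason>[^)]*)\))?")


def parse_auth_results(raw: bytes) -> list:
    """Return one entry per Authentication-Results header, oldest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    entries = []
    for value in msg.get_all("Authentication-Results", []):
        m = AR_RE.match(str(value))
        if not m:
            continue
        d = DKIM_RE.search(m.group("rest"))
        entries.append({
            "authserv_id": m.group("authserv"),
            "dkim": d.group("result") if d else None,
            "reason": (d.group("reason") or "").strip().strip('"') if d else None,
        })
    # Each hop prepends its header, so reversing yields delivery order.
    return entries[::-1]


def first_failing_hop(raw: bytes):
    """authserv-id of the earliest hop that recorded dkim=fail, or None."""
    for entry in parse_auth_results(raw):
        if entry["dkim"] == "fail":
            return entry["authserv_id"]
    return None


def canonicalization_modes(raw: bytes) -> tuple:
    """(header, body) canonicalization from the c= tag; RFC 6376 default is simple/simple."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sig = msg.get("DKIM-Signature", "")
    tags = {}
    for part in str(sig).split(";"):
        if "=" in part:
            key, _, val = part.strip().partition("=")
            tags[key.strip()] = val.strip()
    header_mode, _, body_mode = tags.get("c", "simple").partition("/")
    return header_mode or "simple", body_mode or "simple"


if __name__ == "__main__":
    for entry in parse_auth_results(RAW_MESSAGE):
        print(f"{entry['authserv_id']}: dkim={entry['dkim']} ({entry['reason']})")
    print("first failing hop:", first_failing_hop(RAW_MESSAGE))
    print("canonicalization header/body:", "/".join(canonicalization_modes(RAW_MESSAGE)))
```

In the constructed sample the earliest failure is at relay.mimecast.com and the signature was created with c=relaxed/simple, so the body was signed strictly; that combination is the case the article's advice targets, and the fix is on the sender's signing configuration, not at the receiver. If the first failure appears only at a hop after Mimecast, the modification happened between Mimecast's check and the next verifier, which points at the gateway's processing rather than the sender's settings.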
It's also important to differentiate between inbound and outbound email flows. For outbound emails, where your organization is the sender, ensuring your DKIM signing aligns with Mimecast's processing is key. For inbound emails, where Mimecast is receiving messages from external senders, you might need to adjust Mimecast's policies to be more lenient with DKIM validation, or understand that some external senders may experience issues due to their own DKIM settings.
Remember, the goal is to balance robust email security with optimal deliverability. Adjusting canonicalization settings is often the simplest and most effective way to resolve Mimecast-related DKIM body hash failures without compromising overall email security.
Impact on email deliverability
DKIM failures, even if caused by an intermediary like Mimecast, can have significant repercussions for email deliverability. When a receiving mail server sees a DKIM failure, especially a body hash mismatch, it signals that the email might have been tampered with or is illegitimate. This can lead to your emails being marked as spam or even rejected outright.
For domains with DMARC policies set to quarantine or reject, a DKIM failure will cause the message to fail DMARC and be quarantined or rejected according to that policy, unless SPF passes and aligns. This is why monitoring your DMARC reports is essential; they will highlight authentication failures and help pinpoint the cause. Consistent failures can also negatively impact your sender reputation, leading to broader deliverability issues, even if you're not on a public blacklist (or blocklist).
In addition to DKIM, other authentication methods such as SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) work together to build trust. If DKIM fails, SPF can still provide authentication, but for DMARC alignment, at least one of them must pass and align with the email's From domain. A body hash failure makes this more challenging.
Ensuring all your authentication methods are correctly configured and pass consistently is critical for maximizing inbox placement and avoiding the spam folder. Understanding how intermediaries like Mimecast interact with these protocols is a key part of maintaining robust email deliverability.
Views from the trenches
Best practices
Ensure your sending infrastructure supports relaxed DKIM canonicalization for both header and body.
Regularly monitor DMARC reports to identify authentication failures and pinpoint their source.
Coordinate with your Mimecast administrator to review and adjust inbound/outbound email policies.
Consider implementing ARC if your email flow involves multiple intermediaries that modify messages.
Common pitfalls
Using simple DKIM canonicalization when sending through Mimecast or other security gateways.
Ignoring DKIM failures in email headers or DMARC reports, assuming Mimecast will handle it.
Not understanding that Mimecast's processing inherently changes email content, impacting hashes.
Failing to communicate with Mimecast support regarding specific authentication challenges.
Expert tips
Always get full email headers to properly diagnose DKIM body hash failures and see the full mail path.
A DKIM body hash failure at Mimecast’s relay suggests Mimecast is the cause of the modification.
When troubleshooting, check if the issue is unique to Mimecast or affects other mail servers too.
Look for evidence of Mimecast adding footers or making other visible changes to the email body.
Marketer view
Marketer from Email Geeks says that some senders experienced DKIM body hash failures only with Mimecast recipients, suggesting Mimecast might be modifying content.
2022-08-08 - Email Geeks
Expert view
Expert from Email Geeks suggested examining the full message body to determine if Mimecast is modifying URLs with a proxy before performing DKIM verification.
2022-08-08 - Email Geeks
Ensuring smooth email flow
DKIM body hash failures caused by Mimecast are a common challenge for organizations that prioritize both email security and deliverability. The root cause lies in the necessary modifications Mimecast makes to email content as part of its security processing.
While this can seem like a complex problem, understanding canonicalization, diligently analyzing email headers, and consulting with Mimecast support are essential steps toward resolution. Implementing relaxed canonicalization for your DKIM signatures is often the most direct solution.
By proactively addressing these issues, you can ensure that your emails continue to be authenticated correctly, maintaining trust with recipient mail servers and achieving optimal inbox placement. Don't let these technical hiccups derail your email deliverability efforts.