Summary

Mimecast DKIM body hash failures are caused by a confluence of factors. Predominantly, Mimecast's content modification practices, including URL rewriting, adding footers/disclaimers, HTML to plain text conversion, and security scanning, invalidate DKIM signatures. Encoding discrepancies (MIME, character sets), potential issues with Mimecast's DKIM library, and incorrect Mimecast settings (DKIM verification, quarantine) also contribute. Proper signing practices and issues with ARC handling are other considerations. Thorough testing, configuration review, and contacting Mimecast support are recommended.

Key findings

  • Content Modification: Mimecast's content alterations (URL rewriting, footers, etc.) break DKIM signatures.
  • Encoding Issues: MIME and character encoding differences between sender and Mimecast cause DKIM failures.
  • Configuration: Incorrect Mimecast configuration settings (DKIM, quarantine) cause false positives.
  • Signing Practices: An incorrect signing process, or signing too early, can affect the outcome.
  • DKIM Library: A potentially flawed DKIM library may cause failures.

Key considerations

  • Minimize Content Changes: Configure Mimecast to reduce alterations to email content post-DKIM signing.
  • Encoding Consistency: Ensure sender and Mimecast use consistent MIME and character encoding.
  • Configuration Review: Verify correct Mimecast settings for DKIM verification, quarantine, and policies.
  • Testing & Support: Test thoroughly and engage Mimecast support for specific troubleshooting.
  • Signing Best Practices: Sign messages last, after all other processing, so the signed content is not changed afterwards.

What email marketers say

10 marketer opinions

Mimecast DKIM body hash failures often stem from Mimecast altering email content after the DKIM signature has been applied. This can occur due to various factors, including MIME encoding differences, URL rewriting for tracking, addition of footers or disclaimers, incorrect character encoding conversions (e.g., UTF-8 to ASCII), issues with ARC signature handling, content modification for security scanning, and misconfigured DKIM verification settings. Addressing these issues requires careful configuration, testing, and collaboration with Mimecast support.

Key opinions

  • Content Alteration: Mimecast modifies email content (URL rewriting, footers, disclaimers, content conversion), invalidating the DKIM signature.
  • Encoding Issues: MIME encoding differences (line endings, character sets) between the sender and Mimecast can alter the body hash.
  • Configuration Problems: Incorrect Mimecast settings (DKIM verification, quarantine, policies) can lead to DKIM failures.
  • Security Scanning: Content manipulation for phishing/malware scanning can inadvertently break DKIM.
  • ARC Handling: Improper handling of ARC signatures during forwarding can impact DKIM verification.

Key considerations

  • Configuration Review: Carefully review and adjust Mimecast's configuration settings to minimize content alteration and ensure proper DKIM verification.
  • Encoding Standardization: Ensure consistent MIME encoding (character sets, line endings) between your systems and Mimecast.
  • Testing: Thoroughly test email flows with Mimecast enabled to identify specific causes of DKIM failures.
  • Mimecast Support: Collaborate with Mimecast support to troubleshoot issues and obtain guidance on best practices.
  • Quarantine Review: Monitor and adjust Mimecast's quarantine settings to prevent false positives due to DKIM failures.

Marketer view

Email marketer from MXToolbox suggests that Mimecast's handling of ARC (Authenticated Received Chain) signatures when forwarding mail can sometimes cause problems. If Mimecast isn't properly preserving ARC signatures, it can impact DKIM verification.

27 Jun 2021 - MXToolbox

Marketer view

Email marketer from Stack Overflow suggests that differences in MIME encoding between the sender and Mimecast could lead to DKIM failures. Specifically, different line endings or character encodings can alter the body hash.

23 Dec 2023 - Stack Overflow

What the experts say

3 expert opinions

Mimecast DKIM body hash failures are often caused by Mimecast modifying email content. This can be due to URL rewriting, adding footers/disclaimers, or converting HTML to plain text, which invalidates the DKIM signature. It's also possible Mimecast uses the same DKIM library with inherent flaws causing failures.

Key opinions

  • Content Modification: Mimecast modifies email content (URL rewriting, footers, disclaimers, HTML conversion), leading to DKIM signature invalidation.
  • Shared DKIM Library: Mimecast may be using a DKIM library with internal failures that are causing generic DKIM failures.

Key considerations

  • Minimize Content Changes: Configure Mimecast to minimize changes to email content to preserve the DKIM signature.
  • DKIM Library Investigation: Investigate the potential impact of the DKIM library being used and whether there is a different option.

Expert view

Expert from Word to the Wise, Laura Atkins, explains that Mimecast, being a security service, often modifies email content, which can inadvertently cause DKIM body hash failures. This includes actions such as URL rewriting, adding footers or disclaimers, or converting HTML to plain text. These alterations change the message body, invalidating the DKIM signature.

28 Mar 2024 - Word to the Wise

Expert view

Expert from Word to the Wise, Laura Atkins, explains that the most likely cause of a DKIM failure is that the body hash did not verify because the email was altered. Mimecast will at times alter the body of an email, and this will lead to DKIM failure.

16 Nov 2021 - Word to the Wise

What the documentation says

5 technical articles

DKIM failures in Mimecast are primarily due to content modifications occurring after the DKIM signature is applied. These modifications, which include adding disclaimers, removing attachments, converting formats, or altering whitespace and character encoding, invalidate the original signature. Different DKIM implementations handling body hash calculations differently can also contribute to these failures. Ensuring messages are signed as the final step, after all processing is complete, is crucial to prevent tampering and maintain DKIM validity.

Key findings

  • Content Modification Invalidation: Any modification to the email body after DKIM signing will cause the DKIM verification to fail. This includes changes to whitespace, line endings, or character encoding.
  • Implementation Differences: Different DKIM implementations handle body hash calculations differently, leading to potential verification issues between sender and receiver.
  • Post-Processing Changes: Actions like adding disclaimers, removing attachments, or converting formats after signing invalidate the signature.
  • Signing Order: Signing messages as the last step ensures integrity.

Key considerations

  • Minimize Content Alterations: Configure systems, including Mimecast, to minimize changes to email content after DKIM signing.
  • Standardize Implementations: Ensure consistent DKIM implementations across sender and receiver to reduce hashing discrepancies.
  • Signing Last: Messages should be signed as the last step so that the signed data is not altered afterwards.

Technical article

Documentation from OpenDKIM explains that different DKIM implementations might handle body hash calculations differently (e.g., using different canonicalization algorithms or handling whitespace in different ways). This can lead to DKIM failures if the sender and Mimecast are using different implementations.

18 Jan 2025 - OpenDKIM.org

Technical article

Documentation from Mimecast explains that if Mimecast modifies the content of an email during processing (e.g., adding a disclaimer, removing attachments, or converting the format), it can cause the DKIM signature to fail verification. This is because the DKIM signature is calculated based on the original content of the email, and any changes will invalidate the signature.

13 Sep 2021 - Mimecast
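
The body-hash check described in the documentation summaries above, as an added example (not code from Mimecast, OpenDKIM or any source quoted on this page). It recomputes the `bh=` value under the canonicalization named in the signature's `c=` tag and shows which gateway-style changes each mode tolerates. The message body, domain, selector and disclaimer text are constructed sample values, and the `b=` signature over the headers is not verified.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization; body must be in CRLF wire format."""
    if mode == "relaxed":
        body = re.sub(rb"[ \t]+(?=\r\n|\Z)", b"", body)  # whitespace at end of line
        body = re.sub(rb"[ \t]+", b" ", body)            # whitespace runs -> one SP
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization: {mode}")
    body = re.sub(rb"(\r\n)+\Z", b"", body)              # trailing empty lines
    # simple hashes an empty body as one CRLF; relaxed hashes it as zero bytes
    return body + b"\r\n" if body or mode == "simple" else body

def signature_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header value."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # unfold wrapped values
    return tags

def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, canonicalize_body(body, mode)).digest()).decode()

def check_body(sig_header: str, body: bytes) -> bool:
    """True if the received body still matches the signature's bh= tag."""
    tags = signature_tags(sig_header)
    c = tags.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"     # body mode defaults to simple
    algo = tags.get("a", "rsa-sha256").split("-")[1]
    return body_hash(body, mode, algo) == tags["bh"]

# Constructed sample: the body as signed, then two gateway-style modifications.
SIGNED = b"Hello,\r\n\r\nSee https://example.com/offer for details.\r\n"
RESPACED = b"Hello, \r\n\r\nSee  https://example.com/offer for details.\r\n\r\n"
FOOTER = SIGNED + b"-- \r\nThis message was scanned (constructed disclaimer).\r\n"

def make_sig(mode: str) -> str:
    # Constructed header with only the tags the body check needs (no b= value).
    return f"v=1; a=rsa-sha256; c=relaxed/{mode}; d=example.com; s=sel; bh={body_hash(SIGNED, mode)}"

def survey() -> dict:
    bodies = {"unchanged": SIGNED, "respaced": RESPACED, "footer": FOOTER}
    return {(m, n): check_body(make_sig(m), b)
            for m in ("simple", "relaxed") for n, b in bodies.items()}

if __name__ == "__main__":
    for key, ok in survey().items():
        print(key, "body hash verifies" if ok else "body hash did not verify")
```

Whitespace-only changes survive `relaxed` body canonicalization but not `simple`; an appended footer changes the hash under both, which is why signing has to happen after all content processing.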
