DMARC
Why mail through Mimecast fails DMARC: broken DKIM body hash from URL rewriting, disclaimers, or MIME re-encoding, plus SPF alignment loss. Step-by-step fixes.
Updated Jul 1, 2026
The short answer
"DMARC Fail Mimecast" means an email passing through Mimecast no longer passes DMARC because neither SPF nor DKIM aligns with the From domain. Mimecast typically breaks the DKIM body hash by rewriting URLs, inserting disclaimers, or re-encoding MIME, and breaks SPF alignment by relaying from its own IPs. Fix it by authenticating before content modification, signing DKIM last, and aligning SPF/DKIM (or using ARC inbound).
DMARC passes only when at least one of SPF or DKIM both verifies and aligns with the domain in the visible From: header (RFC 7489 §3.1). When Mimecast sits in the mail path as an intermediary (inbound gateway, outbound relay, or forwarder), it can break both checks at once — that is why you see a DMARC fail even though the original message was correctly signed.
There are two distinct failure modes. Identify which one you have by reading the Authentication-Results header on a received message.
1. DKIM body hash is broken by message modification. DKIM signs a hash of the body (and selected headers) per RFC 6376. If any byte of the signed content changes after signing, the body hash no longer matches and DKIM returns fail. Mimecast commonly changes those bytes when it:
Relaxed body canonicalization (c=relaxed/relaxed, RFC 6376 §3.4.4) only collapses internal whitespace runs to a single space, trims trailing whitespace, and drops trailing empty lines — it does not forgive rewritten URLs, added text, new MIME boundaries, or re-encoded parts. So relaxed canonicalization helps with minor whitespace drift but will not save a message Mimecast has materially rewritten.
2. SPF and/or DKIM no longer align. When Mimecast relays a message, the SMTP envelope (MAIL FROM / Return-Path) and the connecting IP become Mimecast's, not yours. SPF may then pass for Mimecast's domain but is not aligned with your From: domain, so it does not satisfy DMARC. If DKIM is also broken (mode 1), DMARC has nothing left to pass on and fails.
ARC (Authenticated Received Chain) records that authentication was valid before the hop, but per its design it does not repair a broken DKIM body hash — it only lets a trusting downstream receiver honor the earlier result.
If Mimecast is your inbound gateway (protecting your own users, mail forwarded to you fails DMARC):
If Mimecast is your outbound relay (your domain's mail fails DMARC at recipients):
d=) with your From: domain — DKIM can verify yet still fail DMARC if the domains don't align (RFC 7489 §3.1.1).include: mechanism to your SPF record so SPF passes and aligns for mail sent under your domain.c=relaxed/relaxed canonicalization to absorb harmless whitespace changes.Read the Authentication-Results header (and your DMARC aggregate rua reports). dkim=fail (body hash did not verify) points to message modification (mode 1). spf=pass with dmarc=fail points to an alignment gap (mode 2). Fixing the wrong one wastes time, so diagnose before changing config.
The original "generate a key and trust the third party" advice is only half the story: it addresses outbound DKIM signing but ignores SPF alignment, inbound processing order, and ARC — the parts that actually cause most Mimecast DMARC failures.
References
FAQ
Mimecast modifies the signed content — rewriting URLs, adding a disclaimer, or re-encoding MIME — which breaks the DKIM body hash (RFC 6376). With DKIM broken and SPF unaligned (Mimecast relays from its own IPs/Return-Path), DMARC has nothing aligned left to pass on, so it fails.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 7489 §3.1 (DMARC alignment); RFC 6376 §3.4 (DKIM canonicalization). Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.