DMARC failure typically happens because either the DKIM fails or the SPF fails. A DKIM failure usually occurs when an interim third-party service has modified the message. For SPF, this happens when the message gets received from a third party instead of the original sender. So, this DMARC fail can most probably result from a DKIM fail as Mimecast may have changed the message body.
Mimecast breaks the message into components and reassembles them before sending it forward, possibly causing the DKIM verified signature to break. The solution is to trust the third party, in this case, Mimecast.
For this, you must generate a public and a private key in Mimecast, as DKIM needs to add a signature to the emails. To apply DKIM to outbound emails, you have to create an outbound signing definition and an outbound policy as given here.
View all errors