Why would Mimecast alone report missing DKIM?

Google, Yahoo and IronPort DMARC reports all report SFP and DKIM alignment, Mimecast reports DKIM isn’t present at all.

I tried to use Mimecast’s DKIM lookup tool: Mimecast DKIM Check | Mimecast

But it only generates what appears to be an unrelated error message of: “Error: An exception occured”

MXToolbox (and dmarcian obviously) and every other tool I tried reports our DKIM record is valid.

The absolute only thing that comes to mind is that our mail vendor set the selector name as “default” rather than “selector#” five years ago or more. I don’t know if that matters but it is the only straw within reach.

There are a number of posts online going back many years reporting that Mimecast has issues with DKIM but none of the posts I could find explain how the issue was resolved. We don’t have any open lines of communication with the admin of the recipient and a previous email issue went unacknowledged when a point of contact there tried to escalate it.

This seems to be an issue internal to Mimecast.

It is only no-reply@ca-1.mimecastreport.com and no-reply@us-1.mimecastreport.com that are reporting DKIM to be missing. (ca-1 presumably referring to Canada)

no-reply@uk-1.mimecastreport.com reports full alignment.

I have a feeling intermittent issues with DMARC are going to drive me nuts.

Hi Fax_Machines_FTW and welcome to the forums.

There could be a few reasons why this is happening, and of course without seeing your seeing first hand I can only make some educated guesses.

The most common reason in my experience is the outbound signing in Gateway | PoliciesDNS Authentication - Outbound policy having the DKIM signing scope set settings called “Addresses Based On” set to return address only, which will cause messages that have a null MAIL FROM to not be signed.

I would start there. Ensure your signing policy uses “both” as a setting for the “Addresses Based On” drop down.

I hope it helps!

Thanks for the suggestion.

Having changed nothing yet the failure reports have stopped coming from Mimecast.

Beginning on March 18th reports from no-reply@us-1.mimecastreport.com report DKIM alignment. We haven’t received one from the Canadian reporting address recently.