But it only generates what appears to be an unrelated error message of: “Error: An exception occured”
MXToolbox (and dmarcian obviously) and every other tool I tried reports our DKIM record is valid.
The absolute only thing that comes to mind is that our mail vendor set the selector name as “default” rather than “selector#” five years ago or more. I don’t know if that matters but it is the only straw within reach.
There are a number of posts online going back many years reporting that Mimecast has issues with DKIM but none of the posts I could find explain how the issue was resolved. We don’t have any open lines of communication with the admin of the recipient and a previous email issue went unacknowledged when a point of contact there tried to escalate it.
There could be a few reasons why this is happening, and of course without seeing it first hand I can only make some educated guesses.
The most common reason in my experience is the outbound signing in the Gateway | Policies → DNS Authentication - Outbound policy having the DKIM signing scope setting, called “Addresses Based On”, set to return address only, which will cause messages that have a null MAIL FROM to not be signed.
I would start there. Ensure your signing policy uses “both” as a setting for the “Addresses Based On” drop down.
Having changed nothing yet the failure reports have stopped coming from Mimecast.
Beginning on March 18th reports from no-reply@us-1.mimecastreport.com report DKIM alignment. We haven’t received one from the Canadian reporting address recently.
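One way to test the null MAIL FROM explanation against the reports themselves, as an added example that is not part of the thread: it assumes the reports are DMARC aggregate XML in the RFC 7489 format and that the reporter records a null MAIL FROM as an empty `envelope_from`. The sample report, example.com and 192.0.2.10 are constructed, and `triage` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample report; example.com and 192.0.2.10 are placeholders.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>4</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><envelope_from>example.com</envelope_from>
      <header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>2</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_from></envelope_from>
      <header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mail.example.com</domain><result>none</result></spf></auth_results>
  </record>
</feedback>"""

def triage(report_xml):
    """Return one dict per record whose DMARC DKIM evaluation did not pass."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        if rec.findtext("row/policy_evaluated/dkim", "").strip().lower() == "pass":
            continue
        sigs = rec.findall("auth_results/dkim")
        # Assumption: an empty envelope_from means the message had a null MAIL FROM.
        env_from = (rec.findtext("identifiers/envelope_from") or "").strip()
        if not sigs:
            cause = "unsigned"  # the receiver saw no DKIM signature at all
        elif any((s.findtext("result") or "").strip().lower() == "pass" for s in sigs):
            cause = "signed, not aligned"
        else:
            cause = "signature failed"
        findings.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count") or 0),
            "header_from": rec.findtext("identifiers/header_from"),
            "null_mail_from": env_from == "",
            "cause": cause,
        })
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Records that come back as `unsigned` with `null_mail_from` set are the ones consistent with a signing scope limited to the return address; `signature failed` or `signed, not aligned` points elsewhere.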