When you have a gateway like Mimecast, you may see a number of emails, or the majority of the emails showing up in the Authenticate Platform as originating from Mimecast, even though the emails are initially being sent from your corporate email service (Microsoft Office 365 or Google Workspace). 


This is because all emails sent out from the company's corporate email service are being relayed through Mimecast and therefore Mimecast becomes the sender as far as the external receivers are concerned as they are the last hop out in most configurations..


We recommend having outbound DKIM signing active in Mimecast (or your other SEG) to make sure all emails will pass DMARC authentication. Enable DKIM on the last hop out.


As for emails that are being sent to the organization from external senders, we strongly recommend having the SEG ( in this case Mimecast) run the DMARC check and not the actual email provider (Microsoft Office 365, Google Workspace) that receives the emails from Mimecast. 


 Otherwise, the emails may fail DMARC authentication checks and show as failing in the reports since Mimecast is forwarding them to the end-users mailboxes and possibly breaking SPF/DKIM alignment. 


In conclusion, when using and SEG in front of your corporate mail app, please make sure to have all sent emails DKIM signed at the last hop before leaving your environment (SEG)  and to have the SEG do the DMARC check for all emails that are being received by the end-users.