Listen to this Post
Introduction
Mimecast, a market-leading email security provider trusted by over 42,000 organisations including government entities and the Bank of England, has been operating with publicly observable infrastructure weaknesses for more than six years. An independent security assessment reveals persistent DNSSEC insecurity, repeated certificate trust failures, SSL Labs T ratings, and a Mozilla Observatory D+ score—conditions that fundamentally undermine the trust model upon which the company’s entire business proposition rests. When security researchers approached Mimecast’s leadership with evidence of these failures, CEO Marc van Zadelhoff reportedly disconnected rather than engage, while CISO Leslie Nielsen and the executive team retreated into silence, raising serious questions about governance, accountability, and the company’s commitment to customer protection.
Learning Objectives
- Understand the technical implications of DNSSEC INSECURE zones and certificate trust failures for enterprise email security
- Learn how to independently verify DNS integrity, SSL/TLS configuration, and security header implementations using open-source tools
- Master the step-by-step process for auditing certificate chains, HSTS deployment, and PKI governance
- Identify governance red flags in security vendor infrastructure and apply mitigation strategies
- Gain practical knowledge of Linux and Windows commands for DNS reconnaissance, TLS validation, and security header analysis
You Should Know
1. DNSSEC Insecurity: The Silent Trust Eroder
Domain Name System Security Extensions (DNSSEC) provides cryptographic authentication of DNS responses, protecting against cache poisoning, man-in-the-middle attacks, and domain redirection. When a DNSSEC zone is marked as “INSECURE,” it means the domain lacks proper cryptographic signatures, leaving all DNS lookups vulnerable to tampering. For a company like Mimecast—whose entire value proposition revolves around securing email communications—an INSECURE zone is not a minor oversight; it is a fundamental betrayal of the trust customers place in the platform【5†L6-L10】.
The assessment report reveals that Mimecast’s DNSSEC zone has remained in an INSECURE state since at least 2020—a six-year period during which threat actors could have exploited this weakness to impersonate Mimecast services, redirect customer traffic, or intercept sensitive communications【6†L4-L8】. The NCSC Secure DNS guidance and NIST SP 800-81r3 both mandate DNSSEC deployment for organisations handling sensitive data, yet Mimecast has consistently failed to meet these basic standards.
Step‑by‑Step Guide: Auditing DNSSEC Configuration
This guide walks you through verifying DNSSEC status for any domain using standard Linux tools. These commands are essential for security professionals conducting infrastructure assessments.
Linux/macOS Commands:
Check DNSSEC status using dig dig +dnssec mimecast.com Verify DNSKEY records dig +dnssec mimecast.com DNSKEY Check for RRSIG (signature) records dig +dnssec mimecast.com A Use delv for detailed DNSSEC validation delv @8.8.8.8 mimecast.com A Query with DNSSEC checking disabled (to compare) dig +cd mimecast.com A Check DS records at parent zone dig +dnssec com. DS | grep mimecast Use dnssec-trigger for ongoing validation dnssec-trigger -k Verify chain of trust using drill (alternative to dig) drill -D mimecast.com Check for NSEC/NSEC3 records dig +dnssec mimecast.com NSEC Validate using unbound's DNS checker unbound-host -v -d mimecast.com
Windows Commands (using PowerShell and nslookup):
Basic DNSSEC check using nslookup nslookup -type=DNSKEY mimecast.com Using Resolve-DnsName with DNSSEC options Resolve-DnsName -1ame mimecast.com -Type DNSKEY -DnsSecOk Check A record with DNSSEC validation Resolve-DnsName -1ame mimecast.com -Type A -DnsSecOk Install and use dnsdig (Windows DNS tools) dnsdig +dnssec mimecast.com A Check for RRSIG using PowerShell Resolve-DnsName -1ame mimecast.com -Type RRSIG Verify DS record chain Resolve-DnsName -1ame com -Type DS | Select-String "mimecast" Use nslookup with debug for detailed output nslookup -debug mimecast.com
Interpreting Results:
- If `dig +dnssec` returns `ad` (authenticated data) flag, DNSSEC is properly configured
- If RRSIG records are missing or the `ad` flag is absent, the zone is INSECURE
- The presence of `SERVFAIL` may indicate broken DNSSEC configuration
- For INSECURE zones, consider implementing DNSSEC using tools like `dnssec-keygen` and `dnssec-signzone`
2. Certificate Trust Failures: When the Padlock Lies
The assessment documented multiple browser certificate errors, including `NET::ERR_CERT_AUTHORITY_INVALID` and NET::ERR_CERT_COMMON_NAME_INVALID【5†L13-L17】. These errors indicate that the certificate presented by Mimecast’s infrastructure cannot be validated against trusted Certificate Authorities (CAs) or that the certificate’s Common Name does not match the requested domain. For an email security provider, these failures are catastrophic—they train users to ignore browser warnings, creating a habituation effect that phishing attackers exploit with impunity【4†L12-L16】.
SSL Labs rated Mimecast with a “T” (Trust) rating, meaning the certificate itself failed validation despite strong protocol, key exchange, and cipher scores【5†L10-L12】. This distinction is critical: cryptographic strength is meaningless if identity assurance cannot be trusted. The reproducibility of this T rating across multiple scans confirms a persistent governance issue rather than a transient technical glitch【5†L18-L22】.
Step‑by‑Step Guide: Certificate Chain and TLS Validation
This section provides comprehensive commands for auditing certificate chains, validating trust paths, and identifying misconfigurations.
Linux/macOS Commands:
Check certificate chain using openssl openssl s_client -connect mimecast.com:443 -showcerts Verify certificate against CA bundle openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt cert.pem Check certificate expiration and details openssl x509 -in cert.pem -text -1oout Test TLS 1.3 support openssl s_client -connect mimecast.com:443 -tls1_3 Check for weak ciphers openssl s_client -connect mimecast.com:443 -cipher 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4' Use testssl.sh for comprehensive TLS assessment git clone https://github.com/drwetter/testssl.sh.git cd testssl.sh ./testssl.sh --protocols mimecast.com Check HSTS header curl -I https://mimecast.com | grep -i strict-transport-security Verify certificate chain using certtool certtool --verify --load-ca-certificate=/etc/ssl/certs/ca-certificates.crt --infile cert.pem Check OCSP stapling openssl s_client -connect mimecast.com:443 -status -tlsextdebug 2>&1 | grep -i "OCSP" Validate certificate transparency logs curl -s https://crt.sh/?q=mimecast.com | grep -i "mimecast"
Windows Commands (PowerShell and .NET):
Check certificate using .NET
$cert = [System.Net.HttpWebRequest]::Create("https://mimecast.com").ServicePoint.Certificate
$cert | Format-List
Validate certificate chain
$cert | Select-Object -ExpandProperty Issuer
$cert | Select-Object -ExpandProperty Subject
Check certificate expiration
$cert.NotAfter
Use Invoke-WebRequest to check HSTS
(Invoke-WebRequest -Uri https://mimecast.com).Headers.'Strict-Transport-Security'
Test TLS using System.Net.Security
$request = [System.Net.HttpWebRequest]::Create("https://mimecast.com")
$request.GetResponse() | Out-1ull
Check SSL Labs API (requires internet)
Invoke-RestMethod -Uri "https://api.ssllabs.com/api/v4/analyze?host=mimecast.com"
Use Test-Connection for basic availability
Test-Connection mimecast.com
Check certificate using certutil
certutil -verify -urlfetch mimecast.com
- Mozilla Observatory D+ Score: Security Headers in Disarray
The Mozilla Observatory scan returned a D+ rating with only seven out of ten tests passing【5†L23-L26】. Key failures included an invalid certificate chain, HSTS deployment limitations, and missing Referrer-Policy implementation【4†L8-L12】. HSTS (HTTP Strict Transport Security) forces browsers to communicate exclusively over HTTPS, but its effectiveness depends entirely on a valid and trusted TLS certificate chain—a prerequisite that Mimecast fails to meet.
Step‑by‑Step Guide: Security Header Audit and Hardening
This guide provides commands to audit and implement critical security headers.
Linux/macOS Commands:
Comprehensive header check using curl curl -I -L https://mimecast.com Check all security headers curl -I https://mimecast.com | grep -E "Strict-Transport-Security|X-Frame-Options|X-Content-Type-Options|Referrer-Policy|Content-Security-Policy|X-XSS-Protection" Use httpie for cleaner output http https://mimecast.com Check CSP with csp-validator npm install -g csp-validator csp-validator https://mimecast.com Comprehensive scan using securityheaders.com API curl -s "https://securityheaders.com/?q=mimecast.com&followRedirects=on" | grep -i "grade" Check HSTS preload status curl -s https://hstspreload.org/api/v2/status?domain=mimecast.com Use nmap for SSL enumeration nmap --script ssl-enum-ciphers -p 443 mimecast.com Check certificate transparency with certspotter curl -s https://api.certspotter.com/v1/issuances?domain=mimecast.com Validate using SSLyze pip install sslyze sslyze --regular mimecast.com
Windows Commands (PowerShell):
Get all headers using Invoke-WebRequest
$response = Invoke-WebRequest -Uri https://mimecast.com
$response.Headers
Check specific security headers
$headers = @(
"Strict-Transport-Security",
"X-Frame-Options",
"X-Content-Type-Options",
"Referrer-Policy",
"Content-Security-Policy",
"X-XSS-Protection"
)
foreach ($h in $headers) {
$value = $response.Headers[$h]
Write-Host "$h : $value"
}
Test HSTS using .NET
$request = [System.Net.WebRequest]::Create("https://mimecast.com")
$request.GetResponse() | Out-1ull
$request.ServicePoint.Certificate | Format-List
Use SecurityHeaders.io API
Invoke-RestMethod -Uri "https://securityheaders.com/api/v2/scan?q=mimecast.com"
Check CSP using PowerShell
$csp = $response.Headers["Content-Security-Policy"]
if ($csp) { Write-Host "CSP: $csp" } else { Write-Host "CSP Missing" }
4. The SolarWinds Connection and CVE-2026-32305
Mimecast was directly implicated in the 2020/2021 SolarWinds-era cyber espionage campaign, where threat actors compromised a digital certificate used to authenticate Microsoft 365 connections【3†L16-L20】. The more recent disclosure of CVE-2026-32305—a Traefik mTLS bypass vulnerability disclosed in March 2026—further reinforces that certificate trust chains, reverse proxies, and mutual authentication infrastructure remain active attack surfaces【3†L20-L24】.
Step‑by‑Step Guide: mTLS and Certificate Governance
This section covers commands for implementing and auditing mutual TLS authentication.
Linux/macOS Commands:
Generate client certificate for mTLS openssl req -1ew -1ewkey rsa:2048 -1odes -keyout client.key -out client.csr openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 Test mTLS connection openssl s_client -connect mimecast.com:443 -cert client.crt -key client.key -CAfile ca.crt Verify certificate revocation lists curl -X POST https://mimecast.com -E cert.pem --key key.pem --cacert ca.crt Check for mTLS vulnerabilities (CVE-2026-32305) Verify Traefik version and configuration curl -s https://mimecast.com | grep -i "traefik" Audit certificate pinning openssl s_client -connect mimecast.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -fingerprint -1oout Check for weak certificate signatures openssl x509 -in cert.pem -text -1oout | grep "Signature Algorithm" Validate certificate chain depth openssl s_client -connect mimecast.com:443 -showcerts | grep "s:" | wc -l
Windows Commands (PowerShell):
Test mTLS using .NET
$clientCert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -like "mimecast"}
if ($clientCert) {
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$request = [System.Net.HttpWebRequest]::Create("https://mimecast.com")
$request.ClientCertificates.Add($clientCert)
$request.GetResponse()
}
Check certificate pinning
$cert = [System.Net.HttpWebRequest]::Create("https://mimecast.com").ServicePoint.Certificate
$cert.GetCertHashString()
Verify certificate chain
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.Build($cert)
$chain.ChainStatus | Format-Table -AutoSize
- Governance Failures: Closing Ranks Instead of Closing Gaps
The most alarming aspect of this situation is not the technical failures themselves—vulnerabilities exist in every complex system—but the response from Mimecast’s leadership. When presented with independently verifiable evidence, CEO Marc van Zadelhoff disconnected rather than engage【3†L10-L14】. CISO Leslie Nielsen and the leadership team have retreated into silence, apparently hoping that ignoring security failures will make them disappear【3†L14-L18】.
For a company that markets itself as a “trusted guardian of enterprise communications,” this response constitutes gross negligence and a dereliction of duty【2†L4-L8】. Customers in regulated sectors—including government agencies and the Bank of England—rely upon Mimecast to protect communications, identity flows, and business continuity【3†L8-L12】. The persistence of these weaknesses materially amplifies governance significance【3†L12-L16】.
Step‑by‑Step Guide: Security Vendor Due Diligence
This guide provides commands and methodologies for assessing security vendor infrastructure.
Linux/macOS Commands:
Comprehensive vendor assessment script
!/bin/bash
DOMAIN="mimecast.com"
echo "=== DNSSEC Status ==="
dig +dnssec $DOMAIN A | grep -E "flags|RRSIG"
echo -e "\n=== Certificate Chain ==="
openssl s_client -connect $DOMAIN:443 -showcerts 2>/dev/null | openssl x509 -text -1oout | grep -E "Subject:|Issuer:|Not After"
echo -e "\n=== Security Headers ==="
curl -I https://$DOMAIN 2>/dev/null | grep -E "Strict-Transport-Security|X-Frame-Options|Content-Security-Policy"
echo -e "\n=== SSL Labs Rating ==="
curl -s https://api.ssllabs.com/api/v4/analyze?host=$DOMAIN | jq '.endpoints[].grade'
echo -e "\n=== Mozilla Observatory Score ==="
curl -s https://observatory.mozilla.org/analyze/$DOMAIN | grep -oP 'score":\s"\K[^"]+'
Check for exposed subdomains
subfinder -d $DOMAIN
amass enum -d $DOMAIN
Check for certificate transparency logs
curl -s https://crt.sh/?q=%25.$DOMAIN | grep -oP '([a-zA-Z0-9-]+.)+[a-zA-Z]{2,}' | sort -u
Check DNS records for misconfigurations
dig $DOMAIN A
dig $DOMAIN MX
dig $DOMAIN TXT
dig $DOMAIN NS
Check for open ports
nmap -sS -p- --min-rate 1000 $DOMAIN
Check for SPF and DMARC
dig $DOMAIN TXT | grep -i "spf"
dig _dmarc.$DOMAIN TXT
Windows Commands (PowerShell):
Comprehensive vendor assessment script
$domain = "mimecast.com"
Write-Host "=== DNSSEC Status ==="
Resolve-DnsName -1ame $domain -Type DNSKEY -DnsSecOk
Write-Host "`n=== Certificate Chain ==="
$cert = [System.Net.HttpWebRequest]::Create("https://$domain").ServicePoint.Certificate
$cert | Format-List Subject, Issuer, NotAfter
Write-Host "`n=== Security Headers ==="
$response = Invoke-WebRequest -Uri "https://$domain"
$response.Headers | Format-Table
Write-Host "`n=== SSL Labs Rating ==="
Invoke-RestMethod -Uri "https://api.ssllabs.com/api/v4/analyze?host=$domain" | Select-Object -ExpandProperty endpoints | Select-Object grade
Write-Host "`n=== DNS Records ==="
Resolve-DnsName -1ame $domain -Type A
Resolve-DnsName -1ame $domain -Type MX
Resolve-DnsName -1ame $domain -Type TXT
Resolve-DnsName -1ame $domain -Type NS
Check subdomains using Certificate Transparency
Invoke-RestMethod -Uri "https://crt.sh/?q=%25.$domain&output=json" | ForEach-Object { $_.name_value } | Sort-Object -Unique
Check SPF/DMARC
Resolve-DnsName -1ame $domain -Type TXT | Select-String "spf"
Resolve-DnsName -1ame "_dmarc.$domain" -Type TXT
6. Mitigation and Hardening Strategies for Mimecast Customers
For the 42,000 organisations relying on Mimecast, the exposure is real and immediate【4†L6-L8】. Attackers could exploit these weaknesses for phishing, impersonation, redirection, downgrade, or trust exploitation scenarios【3†L24-L28】. Customers should implement compensating controls immediately.
Step‑by‑Step Guide: Customer Mitigation Controls
Linux/macOS Commands:
Implement DNS monitoring for Mimecast domains !/bin/bash while true; do dig +short mimecast.com | while read ip; do echo "$(date): Mimecast resolved to $ip" Compare against known good IPs done sleep 300 done Monitor certificate changes while true; do echo | openssl s_client -connect mimecast.com:443 2>/dev/null | openssl x509 -fingerprint -1oout sleep 3600 done Implement email header validation Check DMARC reports curl -s https://mimecast.com/_dmarc | grep -i "dmarc" Monitor for DNS changes dnsrecon -d mimecast.com -t axfr 2>/dev/null || echo "AXFR not available" Check for typosquatting domains dnstwist mimecast.com Implement custom SPF checks dig mimecast.com TXT | grep "spf" | while read line; do echo "SPF Record: $line" Validate SPF syntax done
Windows Commands (PowerShell):
Monitor DNS resolution
while ($true) {
$ips = Resolve-DnsName -1ame mimecast.com -Type A
Write-Host "$(Get-Date): Mimecast resolved to $($ips.IPAddress)"
Start-Sleep -Seconds 300
}
Monitor certificate changes
while ($true) {
$cert = [System.Net.HttpWebRequest]::Create("https://mimecast.com").ServicePoint.Certificate
Write-Host "$(Get-Date): Certificate Thumbprint: $($cert.GetCertHashString())"
Start-Sleep -Seconds 3600
}
Check DMARC
Resolve-DnsName -1ame _dmarc.mimecast.com -Type TXT
Monitor for DNS changes
$dnsRecords = @("A", "MX", "TXT", "NS")
foreach ($record in $dnsRecords) {
Resolve-DnsName -1ame mimecast.com -Type $record
}
Implement email header validation
$headers = (Invoke-WebRequest -Uri https://mimecast.com).Headers
$headers | Where-Object { $_ -like "spf" -or $_ -like "dkim" -or $_ -like "dmarc" }
7. The Broader Implications for the Cybersecurity Industry
The Mimecast incident exposes a wider charade within the cybersecurity industry. Companies that market themselves as security leaders are often operating with decaying infrastructure, hoping that their reputation will shield them from scrutiny. The contradiction between Mimecast’s market positioning and its observable infrastructure is not just embarrassing—it poses real security risk and exposure to customers【2†L10-L14】.
An independent 25-year post-qualified professor of cyber security reviewed the report and described the findings as “exemplary” and “scary”【2†L8-L10】. The Information Commissioner’s Office, Financial Conduct Authority, Bank of England, National Cyber Security Centre, and National Crime Agency have all been notified【2†L16-L20】. Regulatory action may follow if Mimecast continues to ignore these verifiable security failures.
What Undercode Say
- Infrastructure Integrity is Non-1egotiable: For a company whose entire value proposition is security, observable infrastructure weaknesses spanning six years are not just technical failures—they are governance failures that demand board-level accountability. The persistence of DNSSEC insecurity and certificate trust failures suggests systemic issues in security operations, not isolated oversights.
-
Leadership Silence is Complicity: When presented with independently verifiable evidence, the decision to disconnect and retreat into silence is itself an admission. Security leaders who refuse to engage with legitimate findings are not protecting their organisations—they are exposing them to greater risk. Customers, shareholders, and regulators deserve transparent communication and remediation timelines.
The significance of these findings is materially amplified by Mimecast’s market position. With more than 42,000 organisations trusting Mimecast to protect their communications, the company has a heightened duty of care. The 2020/2021 SolarWinds-related certificate compromise and the recent CVE-2026-32305 Traefik mTLS bypass vulnerability demonstrate that certificate trust chains remain active attack surfaces. Closing ranks instead of closing gaps is not a strategy—it is a dereliction of duty. Customers should demand immediate remediation, independent third-party audits, and full disclosure of all findings. The Information Commissioner’s Office should take note, and regulators should consider whether Mimecast’s continued operation in regulated sectors is appropriate given these governance failures.
Prediction
- -1 Regulatory Scrutiny Will Intensify: With the Financial Conduct Authority, Bank of England, National Cyber Security Centre, and National Crime Agency all notified, Mimecast faces imminent regulatory investigations. The company may be subject to fines, mandatory audits, and restrictions on serving government and financial sector clients. The Information Commissioner’s Office could levy significant penalties under GDPR for failure to maintain adequate security measures.
-
-1 Customer Churn Will Accelerate: Enterprise customers in regulated sectors cannot afford to trust a security provider with observable infrastructure weaknesses. Major organisations will begin transitioning to competitors within the next 6–12 months, significantly impacting Mimecast’s revenue and market position. The reputational damage may be irreparable.
-
-1 Executive Liability Will Be Examined: The decision by CEO Marc van Zadelhoff and CISO Leslie Nielsen to ignore verifiable security findings may expose them to personal liability. Shareholder lawsuits, regulatory actions, and potential board-level changes are likely as the full extent of the governance failure becomes apparent.
-
+1 Industry-Wide Scrutiny Will Increase: This incident will trigger a wave of independent security assessments of major security vendors. Organisations will conduct more rigorous due diligence, demanding proof of infrastructure integrity rather than accepting marketing claims at face value. This is a positive development for the industry, driving greater transparency and accountability.
-
+1 DNSSEC and Certificate Governance Will Gain Priority: The Mimecast case will accelerate adoption of DNSSEC, certificate transparency, and automated certificate lifecycle management. Organisations will implement continuous monitoring of their security vendors’ infrastructure, using tools like SSL Labs, Mozilla Observatory, and custom scripts to verify compliance with security best practices.
▶️ Related Video (76% Match):
https://www.youtube.com/watch?v=8zEb0ilYWSs
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Andy Jenkinson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
