We use Mimecast, but I think the behavior can be replicated across different email gateway platforms.  The issue is that when Mimecast "explodes" message contents to scan for spam, etc., the DKIM signature is broken after repackaging.  Mimecast will show that the DKIM signature is valid, but Google's message header shows the following:

dkim=neutral (body hash did not verify) header.i=@go.fierceeducation.com header.s=dkim header.b=HsIfxztM;
arc=pass (i=1 spf=pass spfdomain=go.fierceeducation.com dkim=pass dkdomain=go.fierceeducation.com dmarc=pass fromdomain=go.fierceeducation.com);
spf=pass (google.com: domain of marketing@go.fierceeducation.com designates 205.162.46.95 as permitted sender) smtp.mailfrom=marketing@go.fierceeducation.com

Has anyone else run into this, and is there a workaround?  I've already added the Mimecast IP addresses into Google's inbound gateway settings.  So far, Google Support hasn't been able to help.

Thank you