As part of the Broadcom Transition of the Symantec Enterprise Division, all renewals of root certificates on our mail towers will be under the 'Broadcom Inc' organization and under SHA-2 root.

What does this mean?

This means that all renewed certificates will eventually be signed by DigiCert Global Root G2 instead of the previous DigiCert Global Root CA.
At present some of our mail towers already have the new root certificate. During this temporary period however, specific mail towers within a cluster could have either root certificate. The changes to renew all certificates are taking place gradually in a phased approach.

What is the Impact?

In most cases, this will not cause any issues. However, some customers and business partners may have configured their mail server to only trust a specific root CA such as DigiCert Global Root CA.
These customers/business partners could face TLS email delivery failures with some Email Security.Cloud mail towers which have been updated to use the new DigiCert Global Root G2 cert.

We recommend that you install both certificates, especially if you're enforcing TLS to our infrastructure.

For more information on the current certificate chains, please consult the KB: Certificate Authority used by the Email Security.cloud infrastructure