Suped

Summary

DKIM body hash verification failures are primarily caused by alterations to the email content after the DKIM signature has been applied. These modifications can be due to various factors, including text encoding issues (particularly with Outlook), line wrapping, character set conversions, and the addition of footers, disclaimers, or content by auto-responders, forwarding systems, list servers, or even the receiving mail server. Experts advise ensuring the DKIM signing process occurs after all intended modifications, and that consistent encoding and line endings are used. Troubleshooting involves identifying the source of the modification through header analysis, and considering regenerating DKIM keys or comparing results with Gmail as a benchmark.

Key findings

  • Post-Signature Modifications: Email content is being altered after the DKIM signature is applied.
  • Diverse Modification Sources: Modifications can arise from MTAs, mail clients, intermediate servers, automated systems, or even the recipient's server.
  • Encoding and Line Endings: Inconsistent character encoding and line endings contribute to body hash mismatches.
  • Microsoft Outlook: Outlook-specific issues with text encoding can trigger DKIM failures.

Key considerations

  • Signing Process Timing: Ensure the DKIM signing occurs after all intended modifications (footers, disclaimers, etc.).
  • Encoding Consistency: Maintain consistent character encoding (UTF-8) and line endings (LF).
  • Header Analysis: Examine email headers to trace the path and pinpoint where content is altered.
  • DKIM Key Regeneration: Consider regenerating DKIM keys if the signer is suspected to be faulty.
  • Benchmark Testing: Use Gmail as a benchmark to identify if the issue is widespread or specific to certain recipients.
  • Tamper Detection: Check for tampering during transit.

What email marketers say

7 marketer opinions

The primary cause of DKIM body hash verification failures is modification of the email content after the DKIM signature has been applied. These modifications can be introduced by various sources, including the sending mail server, intermediate servers, receiving email clients, or automated processes like auto-responders or footer insertion. Troubleshooting involves identifying where and how the message content is being altered and ensuring the DKIM signing process occurs after all modifications.

Key opinions

  • Content Modification: Email content is being altered after DKIM signing, causing the body hash to fail verification.
  • Source of Changes: Modifications can originate from the sending server, intermediary servers, receiving email clients, or automated processes.
  • Common Culprits: Common culprits include adding footers, disclaimers, or auto-responder content, as well as changes to line endings or character encoding.

Key considerations

  • Signing Process Timing: Ensure the DKIM signing process occurs *after* all automated modifications or content additions.
  • Consistency Checks: Ensure consistent line endings (LF) and character encoding (UTF-8) to prevent alterations.
  • Header Analysis: Examine email headers to track the message's path and identify potential modification points.
  • Key Verification: Verify that the correct DKIM key is being used for signing.
  • Transit Tampering: Check for potential tampering during transit.
  • Monitoring: Implement monitoring to detect content alterations.

Marketer view

Email marketer from Mailhardener responds that if the DKIM signature fails due to a body hash mismatch, verify whether the sender is correctly signing the email using the correct DKIM key. It also advises checking for possible tampering during transit.

29 Apr 2023 - Mailhardener

Marketer view

Email marketer from Super User responds that the 'body hash did not verify' error indicates the message body changed after DKIM signing. This can be due to modifications by mail servers or email clients. Examine the message headers to track the path and identify any potential modification points.

9 Nov 2024 - Super User

What the experts say

5 expert opinions

DKIM body hash verification failures primarily stem from content modifications occurring after the DKIM signature is applied. These changes can be due to various factors, including text encoding issues (specifically with Microsoft Outlook), modifications by auto-responders, forwarding systems, list servers, or even the receiving mail server. Troubleshooting involves identifying the source of the modification and ensuring that the signing process occurs after any content alterations. Utilizing Google as a benchmark can help isolate issues specific to certain email providers like Microsoft.

Key opinions

  • Post-Signature Modification: Email content is being modified after the DKIM signature is applied, leading to body hash mismatches.
  • Encoding Issues: Text encoding problems, particularly with Microsoft Outlook, can cause body hash verification to fail.
  • Source Identification: Modifications can occur due to auto-responders, forwarding systems, list servers, or the receiving mail server.
  • Signer Problems: The signer itself might be broken, requiring regeneration of the public/private key pair.

Key considerations

  • Signing Timing: Ensure the DKIM signing process happens *after* all content modifications.
  • Encoding Consistency: Investigate and address potential text encoding issues, especially if problems are isolated to Microsoft Outlook.
  • Header Examination: Examine email headers to trace the message's path and pinpoint where content is being altered.
  • Benchmark Testing: Use Google as a benchmark to determine if the issue is widespread or specific to certain email providers.
  • Key Regeneration: Consider regenerating the public/private key pair if the signer is suspected to be broken.

Expert view

Expert from Email Geeks explains that if DKIM body hash verification is failing in both Gmail and Outlook, the signer is likely broken or the message is being modified in transit. Regenerating the public/private key pair is the first suggestion.

15 Dec 2023 - Email Geeks

Expert view

Expert from Email Geeks shares that Google is a good benchmark for checking email authentication due to its robust system and easy result retrieval. Problems at Microsoft should be verified against Google first.

19 Jul 2023 - Email Geeks

What the documentation says

3 technical articles

DKIM body hash verification failures are primarily caused by alterations to the email body after the DKIM signature has been applied. These changes, even minor ones like whitespace, character set conversions, line wrapping by MTAs, or the addition of disclaimers, invalidate the signature. The core issue is the sensitivity of DKIM signatures to any modification of the message content after signing.

Key findings

  • Post-Signing Alteration: The message body is being modified in transit after DKIM signing.
  • Sensitivity to Changes: DKIM signatures are highly sensitive to even minor changes in the email body.
  • Common Causes: Common causes of alteration include line wrapping, character set conversion, and the addition of disclaimers.

Key considerations

  • Prevent Alterations: Ensure that the message content is not modified by intermediate servers, MTAs, or mail clients after signing.
  • Content Review: Review the message content for any transformations, such as added footers, changed character encoding, or altered line breaks.
  • Signing Process Timing: Confirm that the DKIM signing process takes place after all intended modifications to the message body.
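The body hash check discussed above, as an added example (not code from this page, the RFC Editor or the OpenDKIM project): it recomputes `bh=` over a constructed body and over copies altered in the ways listed. It goes beyond the page by implementing both body canonicalization modes defined in RFC 6376; the sample body, the `example.com` header and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    # Treat bare LF as CRLF, the form the body has on the wire.
    lines = re.sub(rb"\r?\n", b"\r\n", body).split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, then drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed", algo: str = "sha256") -> str:
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def check_body(dkim_value: str, body: bytes) -> bool:
    """Recompute bh= for `body` using the a= and c= tags of a DKIM-Signature value.
    Assumption: no l= body length tag; the b= signature itself is not checked."""
    tags = {}
    for part in dkim_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    canon = tags.get("c", "simple/simple").split("/")
    mode = canon[1] if len(canon) > 1 else "simple"   # body defaults to simple
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    return body_hash(body, mode, algo) == tags.get("bh")

# Constructed sample: the body as signed, and copies changed the way the page describes.
SIGNED = b"Hello  team,\r\nThe report is attached.\r\n"
VARIANTS = {
    "as signed": SIGNED,
    "LF line endings": SIGNED.replace(b"\r\n", b"\n"),
    "trailing whitespace": b"Hello  team, \r\nThe report is attached.\t\r\n\r\n",
    "re-wrapped line": b"Hello  team,\r\nThe report is\r\nattached.\r\n",
    "footer appended": SIGNED + b"-- \r\nConfidential disclaimer\r\n",
}

def survey(mode: str) -> dict:
    """Which variants still match a bh= computed over SIGNED with body mode `mode`?"""
    header = f"v=1; a=rsa-sha256; c=relaxed/{mode}; d=example.com; s=sel1; bh={body_hash(SIGNED, mode)}; b=PLACEHOLDER"
    return {name: check_body(header, body) for name, body in VARIANTS.items()}

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, survey(mode))
```

Running `check_body` on the raw body captured at each hop named in the Received headers shows the first hop at which the hash stops matching.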

Technical article

Documentation from RFC 6376 specifies that DKIM signatures are sensitive to even minor changes in the message body. Any modification, including whitespace changes, character encoding differences, or the addition of content, will cause the body hash verification to fail.

2 Feb 2025 - RFC Editor

Technical article

Documentation from OpenDKIM Project suggests that if a DKIM signature verification fails due to a body hash mismatch, ensure that the message content hasn't been modified by intermediate servers or mail clients. Check for any transformations like adding footers, changing character encoding, or altering line breaks.

12 Mar 2023 - OpenDKIM.org
