Why are Microsoft Office 365 DKIM signatures failing and how to fix it?
Matthew Whittaker
Co-founder & CTO, Suped
Published 14 Jun 2025
Updated 15 Aug 2025
Dealing with failing DKIM signatures from Microsoft Office 365 can be incredibly frustrating. DKIM, or DomainKeys Identified Mail, is a critical email authentication standard that helps verify the sender of an email and ensures the message hasn't been tampered with in transit. When DKIM signatures fail, it signals to recipient mail servers that something might be amiss, potentially leading to your emails landing in the spam folder or being rejected outright. This impacts your deliverability and, ultimately, your communication.
The challenge with Office 365 often stems from its unique email routing and processing, which can sometimes interfere with DKIM signing, leading to unexpected failures even when everything seems configured correctly. Many organizations encounter issues where their DKIM passes with other email providers like Gmail but fails specifically when sending to or through Microsoft's ecosystem. This behavior can be confusing and hard to diagnose without knowing the specific quirks of Microsoft's implementation.
I’ve seen this problem countless times, and it often boils down to a few common culprits within the Microsoft 365 environment or how external systems interact with it. Understanding these specific issues and how to troubleshoot them is key to maintaining a healthy email sending reputation and ensuring your messages reach their intended recipients.
Common causes of DKIM failures in Microsoft Office 365
One of the most frequent reasons for DKIM failures in Microsoft Office 365 environments relates to misconfigured DNS records. Microsoft requires specific CNAME records for DKIM to function correctly with your custom domain. If these records are missing, incorrect, or haven't propagated fully, DKIM signatures won't validate. It's not uncommon for users to enable DKIM in the Microsoft 365 Defender portal but then overlook the critical step of adding or verifying the corresponding CNAME entries in their domain's DNS.
Another common issue is that Microsoft Office 365, particularly when forwarding emails or processing messages from shared mailboxes, can modify the email body or headers in ways that invalidate the original DKIM signature. This often results in a "body hash did not verify" DKIM error. Any such modification, even an added newline character, changes the signed content, so the recipient server's hash comparison fails. This is a common problem when messages are relayed through external connectors or distribution lists.
I also frequently see problems with DKIM alignment. DKIM alignment means that the domain in the d= tag of the DKIM signature matches the organizational domain in the From header of the email. If Microsoft is signing with a default onmicrosoft.com domain instead of your custom domain, or if there's any discrepancy, DKIM can technically pass but still fail DMARC alignment, leading to delivery issues.
Occasionally, the issue might be due to a specific key size (e.g., n=1024) used by Microsoft Office 365 not interoperating well with older or specific implementations of DKIM verification software, like OpenDKIM, used by some receiving mail servers. This isn't a problem with your configuration but rather an interoperability challenge that only Microsoft can fully address. Still, identifying this is crucial for accurate troubleshooting.
Diagnosing DKIM signature problems
To effectively fix DKIM failures, you first need to properly diagnose the problem. My first step is always to check the email headers of a failed message. Look for the Authentication-Results header, which provides details on the DKIM check outcome. You might see dkim=fail with a specific reason like (no key for signature), (body hash did not verify), or (signature did not verify). Each of these reasons points to a different root cause.
For no key for signature, it typically means the public key in your DNS is either missing or inaccessible to the verifying server. This usually points to DNS misconfiguration or propagation delays. For body hash did not verify, it strongly suggests that the email content was altered after the DKIM signature was applied, often by an intermediate server or forwarding service. The signature did not verify error can be more general, indicating issues with the signature itself, key problems, or even cryptographic incompatibility between sending and receiving systems.
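To make the header check above repeatable, here is an added Python example (not from the original post): it parses the Authentication-Results and DKIM-Signature headers of a constructed sample message, maps the dkim=fail reason onto the likely root cause described above, and checks whether the d= domain aligns with the From domain the way DMARC requires. The message, domains and addresses are all constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
# Constructed sample (not a real capture): Office 365 signed with the tenant's
# onmicrosoft.com domain and a downstream relay changed the body after signing.
RAW_MESSAGE = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=fail (body hash did not verify)
 header.d=contoso.onmicrosoft.com; dmarc=fail action=none header.from=contoso.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.onmicrosoft.com;
 s=selector1; h=From:Subject; bh=c29tZWhhc2g=; b=c29tZXNpZw==
From: Alice <alice@contoso.com>
Subject: Quarterly report

Body text that a relay rewrapped after signing.
"""
# Verifier reason text -> the root cause it usually indicates.
CAUSES = [
    ("no key", "DNS: selector CNAME/TXT missing, wrong, or not yet propagated"),
    ("body hash", "transit: body modified after Office 365 signed the message"),
    ("signature did not verify", "key/crypto: wrong key, rotated selector, or verifier interop"),
]
def parse_auth_results(value):
    """Return {method: (result, reason)} plus header.d / header.from from an A-R header."""
    out = {}
    for m in re.finditer(r"(?<![\w.])(spf|dkim|dmarc)=(\w+)(?:\s*\(([^)]*)\))?", value):
        out[m.group(1)] = (m.group(2), (m.group(3) or "").strip())
    for tag in ("header.d", "header.from"):
        found = re.search(re.escape(tag) + r"=([^\s;]+)", value)
        out[tag] = found.group(1).lower() if found else None
    return out
def parse_dkim_signature(value):  # b= and bh= values may themselves contain '='
    pairs = [p.split("=", 1) for p in value.split(";") if "=" in p]
    return {k.strip(): v.strip() for k, v in pairs}
def org_domain(domain):  # simplified to the last two labels; real DMARC uses the PSL
    return ".".join(domain.lower().split(".")[-2:])
def diagnose(raw):
    msg = email.message_from_string(raw, policy=policy.default)  # policy unfolds headers
    ar = parse_auth_results(str(msg["Authentication-Results"]))
    sig = parse_dkim_signature(str(msg["DKIM-Signature"]))
    result, reason = ar.get("dkim", ("none", ""))
    cause = next((c for k, c in CAUSES if k in reason.lower()), "unknown; read the full headers")
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    signing_domain = (sig.get("d") or ar.get("header.d") or "").lower()
    return {"dkim_result": result, "dkim_reason": reason, "likely_cause": cause,
            "signing_domain": signing_domain, "from_domain": from_domain,
            "aligned": org_domain(signing_domain) == org_domain(from_domain)}  # relaxed DMARC alignment
```

For the sample above, diagnose(RAW_MESSAGE) reports a body-hash failure attributed to in-transit modification and, separately, that contoso.onmicrosoft.com does not align with contoso.com.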
I also recommend using a free online email testing tool to send a test email and review its comprehensive authentication results. This can often highlight subtle issues not immediately apparent from raw headers. Pay close attention to the DKIM and DMARC results specifically related to Microsoft's authentication checks, as their systems can sometimes flag issues that other providers might overlook.
Fixing DKIM signature failures
Once you've diagnosed the likely cause, the next step is to apply the appropriate fix. Many issues stem from incorrect DNS records. Ensure that the CNAME records provided by Microsoft Office 365 are accurately entered into your domain's DNS settings. These typically look like selector1._domainkey and selector2._domainkey pointing to the appropriate onmicrosoft.com hostnames. Always allow sufficient time for DNS propagation, which can take up to 48 hours.
DNS verification steps
Access your DNS provider's portal to confirm the CNAME records for your domain match what Microsoft Office 365 expects. Refer to Microsoft's official documentation for precise record values.
Check for propagation delays. Use a DKIM record lookup tool to confirm your selectors are publicly visible and correct.
Ensure there are no conflicting DKIM records or multiple entries for the same selector, which can cause intermittent failures.
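An added Python example, not from the post or from Microsoft: it derives the CNAME names and targets Microsoft 365 publishes for a custom domain (the documented pattern, with the dots of the custom domain replaced by dashes; the tenant contoso.onmicrosoft.com is an assumed value, so take the real values from the Defender portal) and checks injected DNS answers for the three failure modes listed above: missing or unpropagated records, wrong targets, and duplicate entries for one selector. The DNS answers are constructed; pass real resolver callables for a live check.

```python
SELECTORS = ("selector1", "selector2")

def expected_cnames(domain, initial_domain):
    """Expected CNAME host -> target pairs; dots in the custom domain become dashes."""
    tag = domain.lower().replace(".", "-")
    return {f"{s}._domainkey.{domain.lower()}": f"{s}-{tag}._domainkey.{initial_domain.lower()}"
            for s in SELECTORS}

def parse_dkim_txt(txt):
    """Tag=value pairs of a DKIM key record (the p= base64 may contain '=')."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    return {k.strip(): v.strip() for k, v in pairs}

def check_m365_dkim(domain, initial_domain, cname_lookup, txt_lookup):
    """Return findings for both selectors; an empty list means the records look right."""
    findings = []
    for host, want in expected_cnames(domain, initial_domain).items():
        answers = [a.lower().rstrip(".") for a in cname_lookup(host)]
        if not answers:
            findings.append(f"{host}: no CNAME (missing or not yet propagated)")
            continue
        if len(answers) > 1:  # duplicate/conflicting entries for one selector
            findings.append(f"{host}: {len(answers)} CNAMEs; duplicates cause intermittent failures")
        if want not in answers:
            findings.append(f"{host}: points to {answers[0]}, expected {want}")
            continue
        key = parse_dkim_txt(" ".join(txt_lookup(want)))  # a TXT answer may be split into strings
        if key.get("v", "DKIM1") != "DKIM1" or not key.get("p"):
            findings.append(f"{want}: no usable key (missing record or empty p=)")
    return findings

# Constructed DNS answers: selector1 correct; selector2 has a stale duplicate and an empty key.
CNAMES = {
    "selector1._domainkey.contoso.com": ["selector1-contoso-com._domainkey.contoso.onmicrosoft.com."],
    "selector2._domainkey.contoso.com": ["selector2-contoso-com._domainkey.contoso.onmicrosoft.com.",
                                         "selector2-contoso-com._domainkey.old.onmicrosoft.com."],
}
TXTS = {
    "selector1-contoso-com._domainkey.contoso.onmicrosoft.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqEXAMPLE"],
    "selector2-contoso-com._domainkey.contoso.onmicrosoft.com": ["v=DKIM1; k=rsa; p="],
}

def demo():
    return check_m365_dkim("contoso.com", "contoso.onmicrosoft.com",
                           lambda h: CNAMES.get(h, []), lambda h: TXTS.get(h, []))

if __name__ == "__main__":
    for line in demo():
        print(line)
```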
For body hash failures, especially when messages are forwarded, the core problem is that something in the mail path is modifying the message after Microsoft has signed it. While you might not be able to prevent all modifications, especially for forwarded emails, configuring Microsoft 365 to handle mail flow correctly can mitigate many issues. Sometimes, simply disabling and re-enabling DKIM in the Microsoft 365 Defender portal can force a key rotation and refresh the configuration, resolving transient issues.
If Microsoft is signing with onmicrosoft.com instead of your custom domain, it usually means DKIM isn't fully enabled or configured for your custom domain. Double-check that your domain is added and verified in Microsoft 365, and then specifically enable DKIM signing for it via the Defender portal. For advanced troubleshooting, PowerShell commands can confirm the DKIM status and rotation, as well as manually enable or disable DKIM for a domain.
Advanced considerations and prevention
Beyond immediate fixes, ensuring the long-term health of your DKIM setup with Microsoft 365 involves regular monitoring and understanding their system's behavior. DKIM is just one part of a robust email authentication strategy that includes SPF and DMARC. A misconfigured DKIM record can significantly impact your DMARC compliance, leading to increased email rejection or quarantine rates.
It’s vital to ensure your DMARC policy is set up correctly and that your emails are achieving alignment. If DKIM fails alignment, DMARC will also fail, even if SPF passes. This is where DMARC monitoring becomes indispensable. By analyzing DMARC reports, you can gain insights into how your emails are being authenticated by various receivers, including Microsoft Office 365, and quickly identify any persistent DKIM issues.
Regularly monitor your blocklist status and DMARC reports to catch any authentication failures early.
Be aware of Microsoft's specific handling of email headers and body content, especially for forwarded messages.
Ensure your custom domain is fully verified and DKIM-enabled in the Microsoft 365 Defender portal.
Views from the trenches
Best practices
Always verify the CNAME records for your domain in your DNS after enabling DKIM in Microsoft 365.
Consider a short TTL for DKIM DNS records during initial setup to speed up propagation and troubleshooting.
Regularly check your DMARC reports to identify any ongoing DKIM authentication failures.
Ensure your sending infrastructure does not modify email headers or body after DKIM signing.
Common pitfalls
Forgetting to add or incorrectly configuring the required CNAME records in your DNS.
Ignoring body hash verification failures, which indicate email content modification.
Not understanding the difference between DKIM passing and DKIM alignment for DMARC.
Assuming that DKIM is automatically configured correctly without verification.
Expert tips
If DKIM fails with OpenDKIM but passes elsewhere, the issue might be interoperability, not your setup.
Microsoft sometimes adds an 'authentication-results' header based on the recipient's address, which can confuse verification.
A specific `n=1024` tag in Office 365 DKIM signatures has been known to cause intermittent failures.
When troubleshooting, check the full email headers for clues about where the signature failed validation.
Expert view
Expert from Email Geeks says OpenDKIM consistently fails to verify DKIM signatures from Microsoft, pointing to an interoperability issue with Microsoft's cryptographic algorithm.
2020-11-20 - Email Geeks
Marketer view
Marketer from Email Geeks says a bad signature error, such as `d=MuMbLe.onmicrosoft.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature`, suggests poor interoperability.
2020-11-20 - Email Geeks
Enhancing email deliverability with DKIM
Dealing with DKIM signature failures from Microsoft Office 365 can be intricate, often requiring a deep dive into DNS records, email headers, and sometimes even PowerShell commands. The key is methodical troubleshooting and a clear understanding of how Microsoft processes and signs outgoing emails. Many issues are related to DNS misconfiguration, while others stem from modifications during transit or interoperability quirks.
By proactively verifying your DKIM setup, monitoring authentication results, and staying informed about Microsoft's practices, you can significantly improve your email deliverability and ensure your messages consistently reach the inbox. Proper email authentication is fundamental to building and maintaining a strong sender reputation.