Why is Microsoft DKIM failing when Gmail passes, and how to fix it?
Michael Ko
Co-founder & CEO, Suped
Published 28 Jun 2025
Updated 17 Aug 2025
8 min read
It can be incredibly frustrating to see your emails pass Gmail's DKIM checks perfectly, yet consistently fail when sending to Microsoft (Outlook.com, Hotmail.com, Office 365) recipients. This discrepancy often leaves senders puzzled, wondering if their setup is truly correct or if there's a hidden issue only Microsoft is detecting. You are not alone in encountering this challenge, as it is a common point of confusion for many email administrators and marketers. Understanding the nuances of how different mail providers, especially Microsoft, handle DKIM validation is key to resolving these persistent failures.
The core of the problem usually lies in subtle differences in how email authentication protocols are interpreted and enforced by various receiving mail servers. While DKIM is a global standard, its implementation and the strictness of validation checks can vary. This article will explore why Microsoft might report a DKIM failure even when other providers like Gmail show a pass, and what steps you can take to diagnose and rectify these issues.
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain. This is achieved by adding a digital signature to the email header, which is then verified against a public key published in the sender's DNS records.
When an email server sends a message, it generates a unique cryptographic signature based on certain parts of the email, such as the headers and body. This signature is then appended to the email's DKIM-Signature header. The receiving server then looks up the corresponding public key in the sending domain's DNS (Domain Name System) records using a specific DKIM selector. If the signature verifies, it confirms the message's integrity and authenticity.
A crucial aspect of DKIM is alignment, especially when DMARC policies are in place. For DMARC to pass based on DKIM, the domain in the d= tag of the DKIM signature must match the domain in the From: header (RFC5322.From) either exactly (strict alignment) or by sharing its organizational domain, as a subdomain does (relaxed alignment). If this alignment fails, even a cryptographically valid DKIM signature will not produce a DMARC pass on its own.
Why Microsoft's DKIM validation differs
While many email providers, like Gmail, are quite tolerant of minor DKIM discrepancies or rely on other authentication methods like SPF to pass an email, Microsoft's validation can be notably stricter. This often boils down to several factors that are more prevalent within the Microsoft ecosystem (including Outlook.com and Hotmail.com). One major area is their internal email routing and re-authentication processes.
Microsoft's mail servers frequently re-authenticate messages as they traverse internal networks, sometimes modifying message headers or the body in ways that can invalidate a DKIM signature. This internal forwarding can break DKIM, even if the initial signature was valid. Additionally, Microsoft has been known to be more sensitive to specific configurations, such as the hashing algorithm used for DKIM signatures. An outdated algorithm like SHA-1, while still supported by some, might be treated with more suspicion or outright rejection by Microsoft's systems.
Another subtle difference can be in DNS lookup behavior. Some reports suggest Microsoft's gateway might hit short DNS timeouts when performing DKIM key lookups. If the DNS response is delayed or inconsistent, it could result in a DKIM temperror (temporary error) or a hard fail. This behavior can lead to inconsistent DKIM results between providers, making diagnosis tricky.
Gmail's DKIM validation
Relaxed checks: Often more forgiving, especially if SPF or DMARC passes, even if DKIM alignment is relaxed.
Header analysis: Primarily looks at the Authentication-Results header for a direct DKIM pass.
Algorithm flexibility: Tends to support older hashing algorithms (like SHA-1) without immediate rejection.
Forwarding impact: Less prone to breaking DKIM signatures during internal forwarding. May rely on ARC for forwarded mail.
Microsoft's DKIM validation
Stricter alignment: Can require stricter alignment for DKIM, even if DMARC policy allows relaxed. Refer to our article on why DKIM fails in Hotmail but passes in Gmail.
Internal re-authentication: Messages might be re-signed or modified during internal server hops, invalidating original DKIM.
Algorithm preference: Strong preference for modern hashing algorithms like SHA-256. Older ones (SHA-1) may result in failure or increased spam scoring.
One of the primary reasons for DKIM failures specifically with Outlook and Hotmail is often related to the domain specified in the d= tag of your DKIM signature. If you're using a third-party email service provider (ESP) or a mailing list, they might sign emails using their own domain (e.g., ab.mtasv.net) rather than your sending domain (e.g., yourdomain.com). This causes a DKIM alignment failure for DMARC, as the domains do not match, leading to a dkim=fail result from Microsoft.
Another common pitfall is the use of outdated hashing algorithms. While DKIM supports both SHA-1 and SHA-256, SHA-1 is considered less secure and has been deprecated by many systems over time. Microsoft, in its effort to strengthen email security, may be more inclined to reject or flag emails signed with SHA-1, contributing to a DKIM fail result even if the signature itself is technically correct.
Message modification during transit is also a frequent culprit. If any part of the signed email headers or body is altered after the DKIM signature is applied and before it reaches the Microsoft recipient, the signature will be invalidated. This can happen with forwarding services, email gateways, or even certain email clients if they modify the message content. For example, if an email is forwarded through a Microsoft 365 distribution list, it might break the original DKIM signature, leading to a failure. For more information, read our article Why are Microsoft Office 365 DKIM signatures failing.
Below is an example of an Authentication-Results header showing a DKIM failure from a Microsoft domain:
Example authentication header:
Authentication-Results: spf=pass (sender IP is 50.31.205.9) smtp.mailfrom=<pm-bounces.email.fanmadefits.com>; outlook.com; dkim=fail (signature did not verify) header.d=<ab.mtasv.net>;outlook.com; dmarc=pass action=none header.from=<email.fanmadefits.com>;compauth=pass reason=100
Steps to troubleshoot and fix DKIM issues
Diagnosing DKIM failures can be complex, especially when results differ across providers. The first step is always to examine the email headers carefully, particularly the Authentication-Results header. This header provides a detailed breakdown of how each authentication check (SPF, DKIM, DMARC) fared for the received email. Look for dkim=fail and the reason provided (e.g., signature did not verify or temperror). Pay close attention to the header.d value within the DKIM portion, as this indicates which domain Microsoft is attempting to verify the signature against.
If the header.d value is not your sending domain, your ESP is signing with its own domain, which causes DMARC alignment issues. In such cases, contact your ESP to inquire about custom DKIM signing with your domain. Most reputable ESPs offer this as a standard feature for improved deliverability and DMARC compliance. Also ensure that the signing algorithm (the a= tag of the DKIM-Signature header) is rsa-sha256, as SHA-1 is outdated. Refer to our article on why DKIM fails for Outlook.com and Hotmail.com.
If you suspect message modification, verify that no intermediate mail servers, gateways, or forwarding rules are altering the email content after it leaves your control. This can sometimes be challenging to pinpoint without access to mail logs from each hop. Finally, ensure your DKIM DNS record is correctly published and propagated, using tools to check its validity. Our email deliverability tester can assist with this. Addressing these points should help resolve why your DKIM is failing with Microsoft while passing elsewhere.
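As an added example (not part of the original article), the following Python diagnostic applies the checks from these steps to the Authentication-Results header quoted above: it reads the dkim= result and reason, tests whether header.d aligns with header.from, and flags the case where dmarc=pass is carried by SPF alone. Approximating the organizational domain as the last two labels is an assumption for this example; production code would use the Public Suffix List.

```python
import re

# Sample input: the Authentication-Results header quoted on this page, as outlook.com
# reported it for mail signed by the ESP's domain (angle brackets as the page renders them).
SAMPLE_HEADER = (
    "Authentication-Results: spf=pass (sender IP is 50.31.205.9) "
    "smtp.mailfrom=<pm-bounces.email.fanmadefits.com>; outlook.com; "
    "dkim=fail (signature did not verify) header.d=<ab.mtasv.net>;outlook.com; "
    "dmarc=pass action=none header.from=<email.fanmadefits.com>;compauth=pass reason=100"
)
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)(?:\s*\(([^)]*)\))?")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=<?([^>;\s]+)>?")

def parse_auth_results(header):
    """Map each method to (result, reason) and each identifier property to its domain."""
    results = {m.group(1): (m.group(2), m.group(3) or "") for m in RESULT_RE.finditer(header)}
    props = {m.group(1): m.group(2).lower() for m in PROP_RE.finditer(header)}
    return results, props

def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption; no Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])

def aligned(domain, from_domain, mode="relaxed"):
    """DMARC identifier alignment: exact match in strict mode, same organizational domain in relaxed."""
    if mode == "strict":
        return domain == from_domain
    return org_domain(domain) == org_domain(from_domain)

def diagnose(header):
    """Apply the troubleshooting checks from the text to one Authentication-Results header."""
    results, props = parse_auth_results(header)
    from_domain = props["header.from"]
    findings = []
    dkim_result, dkim_reason = results.get("dkim", ("none", ""))
    if dkim_result != "pass":
        findings.append(f"dkim={dkim_result} ({dkim_reason or 'no reason given'})")
    d = props.get("header.d")
    if d and not aligned(d, from_domain):
        findings.append(f"DKIM d={d} is not aligned with From {from_domain}: ESP signing with its own domain")
    spf_carries_dmarc = (results.get("spf", ("",))[0] == "pass" and results.get("dmarc", ("",))[0] == "pass"
                         and aligned(props.get("smtp.mailfrom", ""), from_domain))
    if spf_carries_dmarc and dkim_result != "pass":
        findings.append("dmarc=pass rests on SPF alignment alone; fixing DKIM is still required")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_HEADER):
        print("-", finding)
```

On the quoted header this reports all three findings: the DKIM failure, the unaligned ab.mtasv.net signing domain, and a DMARC pass that depends entirely on the aligned SPF bounce domain.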
Best practices for DKIM
Use SHA-256: Always configure your DKIM signatures to use the SHA-256 hashing algorithm, as SHA-1 is outdated.
Custom DKIM signing: If using a third-party ESP, ensure they offer the ability to sign emails with your own domain, not theirs. This is crucial for DMARC alignment.
Monitor DMARC reports: Regularly analyze DMARC aggregate reports to identify authentication failures, especially from Microsoft receivers.
Check for modifications: Be aware of any systems or services that might alter emails in transit, as this will break DKIM.
Views from the trenches
Best practices
Ensure your email service provider supports DKIM signing with your custom domain to maintain DMARC alignment and avoid issues with providers like Microsoft.
Regularly monitor your email headers and DMARC reports to catch any intermittent DKIM failures and diagnose the root cause quickly, especially when sending to Microsoft domains.
Always use the rsa-sha256 algorithm for DKIM signatures to ensure compliance with modern security standards and improve deliverability across all major email providers.
If using a third-party email service, confirm that they are not altering the email content or headers after applying the DKIM signature, as this will invalidate it.
Common pitfalls
Failing to configure custom DKIM signing with your own domain, instead relying on the email service provider's generic signing domain, which leads to alignment failures.
Continuing to use the outdated SHA-1 hashing algorithm for DKIM signatures, which can result in rejection or increased spam scoring by stricter receiving mail servers like Microsoft.
Overlooking internal message modifications by intermediate mail servers or forwarding systems, causing valid DKIM signatures to break before reaching the final recipient.
Ignoring DMARC aggregate reports or only checking for overall 'pass' rates, missing specific DKIM failures reported by Microsoft or other sensitive receivers.
Expert tips
Microsoft's internal email routing can sometimes break valid DKIM signatures, so always check if the issue persists across multiple Microsoft-controlled domains.
If you're using a mail relay or an email security gateway, ensure it's configured to preserve DKIM signatures or re-sign messages correctly with your domain's keys.
DNS caching issues can sometimes lead to temporary DKIM failures, especially with Microsoft. Allow sufficient time for DNS propagation after any changes to your DKIM record.
Even if DMARC shows a pass due to SPF alignment, a persistent DKIM failure for Microsoft suggests a deeper issue with their validation process, warranting direct investigation.
Expert view
Expert from Email Geeks says when one provider, especially Microsoft, is failing DKIM, it's often due to a text-encoding issue or a folding issue, and recommends checking if relaxed/relaxed canonicalization is used.
2021-09-13 - Email Geeks
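As an added example (not from the article or the Email Geeks thread), this Python code shows the body-hash side of the canonicalization point above, following RFC 6376 sections 3.4.3 and 3.4.4: a constructed message body is hashed under simple and relaxed body canonicalization, then compared against two constructed in-transit changes, whitespace rewrapping by a relay and a footer appended by a distribution list (the modification case described earlier in the article). Header canonicalization and the RSA signature itself are not shown.

```python
import base64
import hashlib
import re

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 s3.4.3 'simple': only trailing empty lines are ignored; every other byte is signed."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 s3.4.4 'relaxed': strip trailing WSP per line, collapse WSP runs, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body: bytes, canon: str) -> str:
    """The bh= value a signer puts in DKIM-Signature: base64(SHA-256(canonicalized body))."""
    canon_body = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(canon_body).digest()).decode()

def signature_survives(original: bytes, delivered: bytes, canon: str) -> bool:
    """True when the verifier's recomputed bh= still equals the one the signer computed."""
    return body_hash(original, canon) == body_hash(delivered, canon)

# Constructed sample body exactly as the sender signed it.
ORIGINAL = b"Hello team,\r\n\r\nThe report is attached.\r\n-- \r\nAlice\r\n"
# Constructed transit damage 1: a relay pads lines with spaces and adds trailing blank lines.
WHITESPACE_CHANGED = b"Hello team,   \r\n\r\nThe  report is   attached. \r\n-- \r\nAlice\r\n\r\n\r\n"
# Constructed transit damage 2: a distribution list appends a footer (a real content change).
FOOTER_ADDED = ORIGINAL + b"\r\nYou received this via the sales list.\r\n"

if __name__ == "__main__":
    for name, delivered in (("whitespace only", WHITESPACE_CHANGED), ("footer appended", FOOTER_ADDED)):
        for canon in ("simple", "relaxed"):
            ok = signature_survives(ORIGINAL, delivered, canon)
            print(f"{name:16s} c=*/{canon:7s} -> {'bh matches' if ok else 'bh MISMATCH (dkim=fail)'}")
```

Relaxed body canonicalization survives the whitespace-only rewrite that breaks simple, but no canonicalization survives an appended footer; that case needs the forwarding hop to re-sign the message with your own key.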
Marketer view
Marketer from Email Geeks says that if Postmark is signing the messages using their domain and not the sender's, then Postmark customer service needs to address the issue.
2021-09-13 - Email Geeks
Ensuring robust email authentication
Dealing with DKIM failures when Gmail passes and Microsoft fails can be a complex puzzle, often rooted in Microsoft's unique validation behaviors and internal processing. By meticulously examining email headers, ensuring proper DKIM alignment, upgrading to SHA-256, and addressing any potential message modifications, you can significantly improve your email deliverability to Microsoft recipients. Consistent monitoring and a proactive approach to authentication best practices are essential for maintaining a healthy sending reputation and ensuring your messages reliably reach the inbox.