How to fix DKIM body hash did not verify errors on Outlook.com and prevent emails from going to spam?
Michael Ko
Co-founder & CEO, Suped
Published 3 Jun 2025
Updated 19 Aug 2025
8 min read
Sending emails is often straightforward, but sometimes, messages encounter unexpected hurdles. One such obstacle is the "DKIM body hash did not verify" error, particularly common when sending to Outlook.com and other Microsoft email services. This error means that the content of your email was modified after it was signed by DKIM, leading to authentication failure.
When DKIM fails, it signals to receiving mail servers, especially those operated by Microsoft, that the message's integrity is compromised, often resulting in your emails landing in the spam or junk folder. It's a frustrating situation that can severely impact your email deliverability. Understanding why this happens and how to address it is crucial for ensuring your messages reach the inbox reliably.
DKIM (DomainKeys Identified Mail) is an email authentication method that allows the receiver to check that an email was indeed authorized by the owner of that domain. It does this by adding a digital signature to the email header. This signature is generated based on the email's content, including both headers and body. The receiving server then uses the sender's public key, published in DNS, to decrypt this signature and verify the message's integrity. If any part of the signed email body changes, the hash calculation will not match the signature, resulting in a "body hash did not verify" error.
Unlike other mail clients, Outlook.com is particularly sensitive to even minor modifications in the email body or headers. This heightened sensitivity can often lead to DKIM failures where other email providers might pass the same message. The core of the problem lies in the fact that Outlook.com's systems might alter the email content, even subtly, after it has been DKIM signed by your sending server. When the hash of the modified email body no longer matches the original signature, the verification fails.
A key aspect of DKIM is "canonicalization," which dictates how the email content is prepared before hashing. The relaxed/relaxed canonicalization is generally recommended because it tolerates minor changes to whitespace and header case without breaking the signature. If your ESP (Email Service Provider) uses a stricter canonicalization (like simple/simple), even a single space or line break added by an intermediary server could cause the body hash to fail. Many email experts recommend checking if your DKIM signature uses relaxed canonicalization to avoid such issues.
Common culprits behind body modification
Several factors can cause your email body to be modified in transit, leading to a DKIM body hash failure. It’s not always about malicious intent; often, it’s due to legitimate but unintended processing by various mail servers along the delivery path. Identifying the specific culprit requires careful investigation.
Email forwarders and gateways: If your emails pass through an email forwarding service or a gateway (like a spam filter or archiving solution), these systems might add headers, footers, disclaimers, or even re-encode the message body. This alters the content, invalidating the original DKIM signature. Many organizations use security solutions like Mimecast, which can break DKIM signatures during transit.
Encoding issues: The way your email is encoded, particularly if it contains non-ASCII characters or excessively long lines, can sometimes lead to issues. Receiving servers, especially Microsoft's, might reformat or re-encode these elements, breaking the DKIM hash. Ensuring proper MIME encoding is crucial.
ESP behavior: While your ESP is responsible for signing emails, some ESPs might have configurations that inadvertently lead to these issues, especially if they perform post-signing modifications. If your DKIM is failing only to Outlook.com, it’s often a sign that their handling of the message or your specific email content is problematic for Microsoft's strict checks.
It's worth noting that the subject line itself is unlikely to be the sole cause of a DKIM body hash failure, as suggested in some discussions, but issues with encoding the subject or other headers can certainly contribute to broader message integrity problems.
Diagnosing the problem
To effectively fix the "DKIM body hash did not verify" error, you need to diagnose exactly what is being changed in your email. This involves comparing the raw email as sent with the raw email as received by Outlook.com. Most email clients allow you to view the original message headers. For Outlook.com, you can often find this option by opening the email, clicking the three dots (...) or "File" menu, and looking for "View message source" or "View details."
Example DKIM Failure Headertext
Authentication-Results: spf=pass (sender IP is 195.154.153.77) smtp.mailfrom=newsletter.example.com; outlook.com; dkim=fail (body hash did not verify) header.d=newsletter.example.com; outlook.com; dmarc=pass action=none header.from=newsletter.example.com;
Once you have both versions of the email, use a diff tool or simply manually compare them. Pay close attention to white spaces, line breaks, character encoding, and any added or removed content within the body. Also, verify the DKIM-Signature header in the received email to ensure it specifies c=relaxed/relaxed, which indicates a more forgiving canonicalization. If it's anything else, that could be a significant part of the problem. This step is critical for troubleshooting emails that still go to spam despite seemingly correct authentication.
Sometimes, the issue may not be with your sending practices but with intermediary systems. For instance, if you are using Microsoft 365 as your email platform, there might be specific configurations or features that are inadvertently altering the email body. This is a common challenge, and sometimes it's best to consult Microsoft's documentation or support if the problem persists even after checking your email content thoroughly.
Fixing DKIM body hash errors and preventing spam
Resolving the "DKIM body hash did not verify" error and improving deliverability to Outlook.com requires a systematic approach. The most effective strategy is to work closely with your ESP to ensure their signing process does not lead to these issues.
Causes of DKIM failure
In-transit modification: Email content is altered by a relay, forwarder, or security scanner.
Incorrect canonicalization: Strict canonicalization settings are used, making it sensitive to minor changes.
Encoding issues: Non-standard characters or formatting cause re-encoding by receiving servers.
Beyond technical fixes, maintaining a strong sender reputation is key. Ensure your email lists are clean and engaged, avoid spammy content or practices, and consistently monitor your deliverability. Tools that provide blocklist monitoring can also help you stay aware of any listings that might impact your emails. Remember, DKIM is just one part of the authentication puzzle, alongside SPF and DMARC, which together build a strong foundation for email trust. For a deeper dive into overall deliverability, consider exploring our guide on preventing emails from going to spam in Microsoft Outlook.
Best practices for DKIM
Collaborate with your ESP: They are best positioned to analyze and adjust signing processes.
Review email content: Avoid complex HTML, long lines, or unusual characters.
Check canonicalization: Ensure it's set to relaxed/relaxed.
Views from the trenches
Best practices
Ensure your ESP is using relaxed canonicalization for DKIM signing to tolerate minor email body modifications.
Regularly test your email content with an email deliverability tool to identify any issues before sending large campaigns.
Keep your email content as clean and straightforward as possible, minimizing complex HTML or unusual characters.
Implement DMARC with a p=none policy to monitor DKIM authentication results and identify patterns of failure.
Common pitfalls
Failing to compare raw email content (sent vs. received) to pinpoint exactly where modifications occur.
Assuming the problem is solely with Outlook.com and not investigating potential issues with your ESP or intermediary relays.
Overlooking the impact of email forwarders or security gateways that might alter the email body.
Not monitoring DMARC reports, which provide aggregated data on DKIM authentication failures.
Expert tips
If DKIM fails only for Microsoft, consider whether your email structure causes Microsoft to rewrite the message on inbound.
The "body hash did not verify" error often points to something being modified in transit or an encoding issue with your email.
While the subject line typically doesn't break DKIM, the overall MIME encoding or message structure can be a culprit.
Always consult your ESP first, as they control the DKIM signing process and can often identify root causes quickly.
Expert view
Expert from Email Geeks says the DKIM signature breaking is likely due to an encoding issue with how the mail is being sent and how Microsoft is handling the encoding.
2019-11-28 - Email Geeks
Expert view
Expert from Email Geeks says the "body hash did not verify" suggests something was modified in transit or possibly an encoding issue.
2019-11-28 - Email Geeks
Summary and best practices
The "DKIM body hash did not verify" error, especially prevalent with Outlook.com, can be a significant roadblock to successful email delivery. By understanding the core mechanics of DKIM, carefully diagnosing potential content modifications, and working closely with your ESP, you can mitigate these issues.
Ensuring your emails pass DKIM authentication is vital for maintaining a good sender reputation and preventing your legitimate messages from being marked as spam. Consistent monitoring and adherence to best practices will help keep your emails in the inbox.
Outlook.com and other Microsoft email services. This error means that the content of your email was modified after it was signed by DKIM, leading to authentication failure.
