Summary
The 'DKIM body hash did not verify' error on Outlook.com, often leading to emails being sent to spam, primarily arises from the email's content being altered after it has been digitally signed by DKIM but before it reaches the recipient's inbox. These modifications can be subtle, such as changes to whitespace, line endings, or the introduction of non-ASCII characters, and are frequently introduced by intermediary services like email forwarding, anti-spam gateways, security filters, or even internal systems adding disclaimers or archiving. Outlook.com is particularly strict in enforcing RFC compliance, making these issues more apparent. A critical solution involves configuring DKIM canonicalization to 'relaxed/relaxed' for both the header and body, which makes the signature more robust against minor, legitimate alterations during transit. Senders should meticulously audit their email flow, compare raw email versions, and work closely with their Email Service Providers to ensure proper DKIM record publication and signing practices. If deliverability issues persist after addressing DKIM, attention should shift to audience engagement and overall sender reputation.
Key findings
- Content Alteration: The primary cause of 'DKIM body hash did not verify' errors, particularly on Outlook.com, is the modification of email content after the DKIM signature has been applied, but before it reaches the recipient.
- Intermediary Interference: Email forwarding services, anti-spam gateways, security filters, proxy servers, and even internal mail transfer agents (MTAs) are common culprits for inadvertently altering email bodies in transit.
- Canonicalization Importance: Using 'relaxed/relaxed' canonicalization for both DKIM header and body is widely recommended, as it tolerates minor whitespace changes, empty lines, or other subtle formatting shifts that may occur during transmission.
- Microsoft's Strictness: Outlook.com (and formerly Hotmail) is noted for its strict RFC compliance, making it particularly sensitive to even minor email body modifications and more likely to flag DKIM verification failures.
- Encoding and Formatting: Encoding issues, such as long lines or non-ASCII characters in the payload, and subtle changes like altered line endings, added footers, or removed whitespace can invalidate the body hash.
- ESP Involvement: Resolving complex DKIM issues often requires contacting your Email Service Provider (ESP), as they manage how DKIM records are signed and applied to your outgoing mail.
- Beyond DKIM Fixes: Even after resolving DKIM issues, emails may still go to spam, indicating that other factors like audience engagement and overall sender reputation play a significant role in deliverability.
Key considerations
- Audit Email Path: Thoroughly audit your email's journey from your sending server to the recipient's inbox, particularly for Outlook.com, to pinpoint where modifications occur.
- Compare Raw Emails: Obtain the raw email as it was sent and compare it with the raw email received by Outlook.com to identify any alterations in content or headers.
- Review DKIM Header: Examine the 'DKIM-Signature' header in the received email, specifically the 'c=' part, to ensure it specifies 'c=relaxed/relaxed' and indicates proper canonicalization.
- Configure Intermediary Services: Adjust email gateway appliances, anti-spam filters, or security solutions to either bypass DKIM signing, sign emails after modifications, or ensure they do not alter the email body.
- Check DNS Records: Verify that your DKIM CNAME records for your custom domain are correctly configured and published in your DNS, especially if using Microsoft 365.
- Internal System Review: Ensure that no internal systems-such as archiving solutions, disclaimer injectors, or security scanners-modify the email body after it has been signed by the DKIM module but before it leaves your sending server.
- Monitor DKIM Failures: Utilize tools like Google Postmaster Tools to monitor your domain's DKIM authentication failure rates, which can signal systemic issues requiring further investigation.
- Address Overall Deliverability: If DKIM issues are resolved but emails still land in spam folders, broaden your investigation to include factors like audience engagement, sender reputation, and network neighbors.
What email marketers say
10 marketer opinions
When Outlook.com reports a 'DKIM body hash did not verify' error, leading to emails potentially landing in spam, the fundamental problem is that the email's content has been modified after its digital signature was applied by the sender. These alterations, often subtle and unintentional, can be introduced by various intermediary systems-such as email forwarding services, anti-spam filters, or security gateways-or even by internal infrastructure components like disclaimer adding services or archiving solutions, before the email leaves the sender's network. The most effective preventative measure is to configure DKIM to use 'relaxed' canonicalization for both the header and body, making the signature resilient to minor, legitimate formatting adjustments during transmission. Resolving this requires a thorough audit of the entire email flow, comparing the raw email as sent versus as received by Outlook.com, and working closely with your Email Service Provider to ensure proper DKIM implementation and signing practices.
Key opinions
- Post-Signature Content Alteration: The core reason for DKIM body hash verification failures, especially with Outlook.com, is that the email's content is inadvertently modified after the DKIM signature has been applied by the sender.
- Intermediate System Interference: Common culprits for these modifications include email forwarding services, anti-spam gateways, proxy servers, and various security solutions that process emails in transit.
- Internal Infrastructure Impact: Even internal systems like email archiving solutions, corporate disclaimer injectors, or security scanners can alter the email body after DKIM signing but before it leaves the sender's server, invalidating the hash.
- Relaxed Canonicalization as a Solution: Configuring DKIM to use 'relaxed' canonicalization for both the header and body is widely recommended, as it allows for minor, acceptable changes in whitespace or line endings during transmission without invalidating the signature.
- Outlook.com's Strict Enforcement: Outlook.com is particularly strict in enforcing RFC compliance, making it highly sensitive to even slight modifications to the email body and prone to flagging DKIM verification errors.
- MIME and Formatting Issues: Problems like overly long lines, non-ASCII characters, or specific MIME encoding intricacies can contribute to body hash mismatches upon receipt.
- ESP Collaboration is Key: For many organizations, resolving DKIM signing issues effectively necessitates direct collaboration with their Email Service Provider (ESP), who manages the technical aspects of DKIM application.
Key considerations
- Audit the Email's Journey: Meticulously trace the email's path from your sending infrastructure to Outlook.com, identifying any points where content might be altered.
- Compare Raw Mail Versions: Obtain and compare the raw email source code as sent versus as received by Outlook.com to precisely pinpoint any modifications that occurred.
- Verify DKIM Canonicalization Settings: Check the 'c=' tag within the received email's 'DKIM-Signature' header to confirm it specifies 'relaxed/relaxed' canonicalization.
- Configure Intermediary Devices: Adjust email gateway appliances, security filters, or other intermediate systems to either apply DKIM signing after their modifications or ensure they do not alter the email body at all.
- Assess Internal System Behavior: Ensure no internal email systems, such as those adding footers, disclaimers, or performing content scans, are modifying the email after it has been signed by DKIM.
- Consult Your Email Service Provider: Engage with your ESP's support team to diagnose and resolve any underlying DKIM configuration or signing problems on their end.
- Subject Line is Rarely a Factor: Note that changes to the subject line are generally not a cause for DKIM body hash verification failures, as the body hash specifically relates to the email's content payload.
Marketer view
Email marketer from Email Geeks responds that a subject line is unlikely to break DKIM signing and suggests the issue might be related to how DKIM records are signed, recommending contact with the ESP.
22 Aug 2021 - Email Geeks
Marketer view
Email marketer from Email Geeks explains that Microsoft-specific modifications to the email body in transit can cause DKIM failures, suggesting the issue is likely due to how the mail is structured, possibly related to MIME encoding. He recommends comparing the raw mail as sent versus received by Outlook to identify changes, specifically checking for long lines and non-ASCII characters in the payload as common culprits.
29 Nov 2024 - Email Geeks
What the experts say
3 expert opinions
The 'DKIM body hash did not verify' error, commonly observed on Outlook.com and often resulting in emails being marked as spam, fundamentally indicates that the email's content was altered after the DKIM signature was applied. This frequently occurs when the sending Mail Transfer Agent (MTA) or other services modify the message body, even subtly, by adding elements like footers, removing whitespace, or changing line endings. These post-signature changes invalidate the original DKIM hash, leading to verification failure, particularly given Outlook.com's stringent RFC compliance. To resolve this, email senders must ensure their systems do not alter email content after signing, and a common recommendation is to utilize 'relaxed/relaxed' DKIM canonicalization settings to better tolerate minor modifications. If DKIM issues are resolved but emails continue to be flagged as spam, broader deliverability factors such as audience engagement and sender reputation also warrant investigation.
Key opinions
- Post-Signature Content Changes: The primary cause of 'DKIM body hash did not verify' errors, particularly on Outlook.com, is that the email's content is modified after the DKIM signature has been applied.
- MTA or In-Transit Modifications: These content alterations are typically introduced by the sending Mail Transfer Agent (MTA) or other services in transit, including subtle changes like added footers, removed whitespace, or changed line endings.
- Encoding Issues as a Factor: Encoding issues within the email's body can also contribute to the DKIM verification failure.
- Outlook.com's Strictness: Outlook.com (formerly Hotmail) is known for its strict RFC compliance, which makes it highly sensitive to even minor post-signature content modifications, thereby making these errors more apparent.
- Relaxed Canonicalization Benefits: Implementing 'relaxed/relaxed' DKIM canonicalization can mitigate these issues by allowing for minor, acceptable variations in the email body without invalidating the signature.
- Beyond DKIM Factors: Even after resolving DKIM issues, emails may still be marked as spam if there are underlying problems with audience engagement or overall sender reputation that need to be addressed.
Key considerations
- Prevent Post-Signing Alterations: Ensure your email sending servers (MTAs) and any intermediate services are configured not to alter the email's content-such as adding footers or changing line endings-after the DKIM signature has been applied.
- Review DKIM Canonicalization: Examine your DKIM canonicalization settings; using 'relaxed/relaxed' for both the header and body is recommended as it is more forgiving of minor content changes that may occur in transit.
- Address Broader Deliverability: If DKIM body hash errors are resolved but emails still consistently land in spam folders, broaden your investigation to include factors like audience engagement, sender reputation, and network neighbors.
Expert view
Expert from Email Geeks explains that a broken DKIM signature, specifically the 'body hash did not verify' error on Outlook.com, is likely due to an encoding issue or something being modified in transit, often exacerbated by Microsoft's handling. If the DKIM issue is resolved but emails still go to spam, she advises looking into audience engagement and network neighbors.
3 Jul 2022 - Email Geeks
Expert view
Expert from Word to the Wise explains that DKIM body hash did not verify errors, often leading to emails being marked as spam, typically stem from modifications to the email body after the DKIM signature is applied. To fix this, email senders should ensure their servers are not altering the message content-such as adding footers, removing whitespace, or changing line endings-before the email is sent. It's also recommended to review DKIM canonicalization settings, with 'relaxed/relaxed' being more forgiving of minor changes.
11 Dec 2021 - Word to the Wise
What the documentation says
6 technical articles
To address 'DKIM body hash did not verify' errors on Outlook.com and prevent emails from landing in spam, the critical step is to ensure that the email's content remains unchanged after its DKIM signature has been applied. These verification failures frequently stem from subtle modifications introduced by various points in the mail flow, such as anti-spam gateways, forwarding services, or even improper mail flow rules within a Microsoft 365 environment. A highly recommended solution is to configure DKIM with 'relaxed' canonicalization for both the header and body, as this setting significantly enhances the signature's resilience to minor, legitimate alterations during transmission. Additionally, it is essential to verify that your DKIM records are correctly published in DNS and that your sending server accurately applies the signature in accordance with your domain's established policy. Regularly monitoring DKIM failure rates using tools like Google Postmaster Tools can help identify systematic problems that require deeper investigation into your email signing process and overall email delivery chain.
Key findings
- Post-Signing Content Modification: The primary cause of 'DKIM body hash did not verify' errors, particularly on Outlook.com, is that the email's content is altered after the DKIM signature has been applied by the sender.
- Intermediary Service Interference: Services such as email forwarding rules, anti-spam gateways, and mailing list managers can inadvertently modify email bodies and headers, leading to DKIM verification failures.
- Canonicalization for Robustness: Employing 'relaxed' canonicalization for both the DKIM header and body is widely recommended, as it allows for minor changes in whitespace or empty lines without invalidating the signature.
- Microsoft 365 Configuration Importance: Correctly configuring DKIM for custom domains in Microsoft 365, including creating necessary CNAME records, is crucial to prevent these errors and ensure content integrity.
- DNS Record Accuracy and Signature Application: Ensuring the DKIM record is correctly published in DNS and that the sending server accurately applies the signature according to the domain's policy are vital steps in avoiding verification failures.
- Monitoring for Systemic Issues: Observing high rates of DKIM authentication failures through tools like Google Postmaster Tools can indicate systemic problems with email signing processes or alterations in transit, prompting further investigation.
Key considerations
- Prevent Post-Signing Alterations: Configure all intermediary services, including mail flow rules, anti-spam gateways, and forwarding services, to avoid modifying the email's body or headers after DKIM signing to ensure successful verification.
- Implement Relaxed Canonicalization: Set your DKIM canonicalization to 'Relaxed/Relaxed' for both the header and body, which makes the signature more tolerant of minor, legitimate alterations that may occur during transit.
- Verify Microsoft 365 DKIM Setup: For custom domains using Microsoft 365, ensure CNAME records are properly created in your DNS and that internal mail flow rules are not inadvertently altering content post-signing.
- Audit DNS and Signing Practices: Double-check that your DKIM record is correctly published in your DNS and that your sending server is applying the signature precisely according to your domain's policy.
- Utilize Monitoring Tools: Regularly use tools like Google Postmaster Tools to observe DKIM authentication failure rates, as high rates can signal systemic issues with your email signing process or intermediate alterations.
Technical article
Documentation from Microsoft Learn explains that correctly configuring DKIM for your custom domain in Microsoft 365 is crucial to prevent DKIM body hash did not verify errors. This involves creating CNAME records in your DNS to enable DKIM signing and ensuring that the content is not altered in transit, which can happen with improper mail flow rules.
9 Mar 2024 - Microsoft Learn
Technical article
Documentation from SendGrid explains that a DKIM body hash verification failure often indicates the email's content was altered after being signed by the sender, but before reaching the recipient. To fix this, ensure no intermediary services, such as forwarding rules, anti-spam gateways, or mailing list managers, are modifying the email's body or headers. Using relaxed canonicalization for both header and body can sometimes mitigate minor alterations.
29 Mar 2023 - SendGrid Documentation
How do I fix DKIM failing body hash verification?
How to fix Hotmail/Outlook emails landing in spam even with proper authentication and opt-in?
Why are Microsoft Office 365 DKIM signatures failing and how to fix it?
Why does DKIM fail for Outlook.com and Hotmail.com?
Why does my email header show DKIM and SPF as none, and how do I fix Outlook deliverability issues?
Why is my DKIM body hash failing and how do I fix it?
