What causes OpenDKIM to incorrectly validate DKIM signatures for emails with long headers?
Michael Ko
Co-founder & CEO, Suped
Published 4 Aug 2025
Updated 19 Aug 2025
Email authentication protocols like DKIM are foundational to ensuring your messages reach the inbox. They act as a digital signature, allowing receiving mail servers to verify that an email hasn't been tampered with in transit and truly originates from the claimed sender. When everything works as intended, these signatures provide a layer of trust, protecting against spoofing and phishing.
However, even with robust systems in place, anomalies can occur. One particularly tricky scenario involves OpenDKIM, a widely used open-source implementation for DKIM signing and verification, and its behavior with emails containing unusually long header values. This can lead to what appear to be inexplicable DKIM validation failures, sending legitimate emails to the spam folder and impacting your domain's reputation.
To understand why OpenDKIM might struggle with long headers, it helps to first grasp the basics of DKIM and its reliance on canonicalization. When an email is DKIM-signed, the signer selects specific header fields and the message body, canonicalizes them, and hashes the result. That hash is signed with the domain's private key, and the signature is placed in the DKIM-Signature header. The receiving server fetches the public key from the signer's DNS record, computes its own hash over the same canonicalized headers and body, and checks the signature against it. If the hashes match, the DKIM signature is validated, confirming the email's integrity and authenticity.
Canonicalization is the process of standardizing the email's headers and body into a consistent format before hashing. This ensures that minor, permissible changes to an email in transit, such as changes in whitespace or line endings, do not invalidate the signature. DKIM specifies two canonicalization algorithms: simple and relaxed. The relaxed canonicalization is more forgiving, normalizing whitespace and empty lines, making it generally more robust for real-world email flows. You can find more details in RFC 6376, section 3.4, which outlines the DKIM specification.
Understanding canonicalization
DKIM's effectiveness relies heavily on consistent canonicalization. If the signing server and the verifying server canonicalize an email differently, even by a single character, the computed hash values will not match, leading to a DKIM authentication failure. This is why proper implementation and understanding of canonicalization rules are critical for email deliverability.
The OpenDKIM header folding issue
The issue with OpenDKIM, particularly concerning long headers, stems from its handling of header folding. Email headers are often formatted to be human-readable, with long lines broken into multiple lines using indentation, a process known as folding. For example, a List-Unsubscribe header that contains a very long, MIME-encoded value might be folded immediately after the header name.
The problem arises because OpenDKIM, in certain versions (reportedly since 2014, with later patches not fully resolving it), can incorrectly canonicalize such folded headers. When the header is folded immediately after the header name because of its extreme length or specific encoding, OpenDKIM's canonicalization process may interpret it differently from how other compliant DKIM verifiers would. This subtle discrepancy in whitespace or line breaks, invisible to the naked eye, changes the hash input, and the DKIM signature fails to validate.
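The following example, added here and not taken from OpenDKIM's code or the original article, applies RFC 6376's "simple" and "relaxed" header canonicalization to a constructed List-Unsubscribe header that was folded immediately after the header name. It shows that correct relaxed canonicalization produces the same bytes whether or not the header was folded, that simple canonicalization does not, and that a hypothetical verifier which leaves a single stray space after the colon (labelled as constructed; it is not a claim about what OpenDKIM actually does) produces a different hash and therefore a failed signature. The sample tokens, `example.com` addresses and function names are all assumptions made for the demonstration.

```python
import hashlib
import re

# Constructed sample tokens (not from a real message): one long, unbreakable
# value that forces the MTA to fold the line right after the header name.
MAILTO = "<mailto:unsubscribe-" + "a" * 40 + "@example.com>"
HTTPS = "<https://example.com/u/" + "b" * 40 + ">"

# The header as an MTA might fold it: CRLF + one space immediately after the colon.
FOLDED = f"List-Unsubscribe:\r\n {MAILTO},\r\n {HTTPS}\r\n"
# The same header on a single line, as a signer that never folds would emit it.
UNFOLDED = f"List-Unsubscribe: {MAILTO}, {HTTPS}\r\n"


def simple_header(field: str) -> str:
    """RFC 6376 section 3.4.1: the field is hashed exactly as it appears."""
    return field


def relaxed_header(field: str) -> str:
    """RFC 6376 section 3.4.2 header canonicalization."""
    name, _, value = field.partition(":")
    name = name.lower().strip(" \t")        # lowercase, no WSP before the colon
    value = value.replace("\r\n", "")       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)   # squeeze runs of WSP to one SP
    value = value.strip(" \t")              # no WSP after the colon or at the end
    return f"{name}:{value}\r\n"


def leaky_relaxed_header(field: str) -> str:
    """Hypothetical non-compliant canonicalizer (constructed for this example,
    not OpenDKIM's code): unfolds and squeezes WSP but forgets to drop the
    single space left after the colon, a one-character disagreement."""
    name, _, value = field.partition(":")
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).rstrip(" \t")
    return f"{name.lower().strip()}:{value}\r\n"


def header_hash(canonical: str) -> str:
    """SHA-256 of one canonicalized field. Real DKIM hashes every field listed
    in h= plus the DKIM-Signature field with b= emptied; one field suffices here."""
    return hashlib.sha256(canonical.encode("ascii")).hexdigest()


def signature_would_verify(signer_canon: str, verifier_canon: str) -> bool:
    """The verifier recomputes the hash; the signature holds only if it matches."""
    return header_hash(signer_canon) == header_hash(verifier_canon)


if __name__ == "__main__":
    print(repr(relaxed_header(FOLDED)))
    print("relaxed, folded vs unfolded:",
          signature_would_verify(relaxed_header(FOLDED), relaxed_header(UNFOLDED)))
    print("simple, folded vs unfolded: ",
          signature_would_verify(simple_header(FOLDED), simple_header(UNFOLDED)))
    print("relaxed vs leaky verifier:  ",
          signature_would_verify(relaxed_header(FOLDED), leaky_relaxed_header(FOLDED)))
```

The point the two canonicalizers make together: the signature is only as good as the agreement between signer and verifier on every byte of the hash input, so a single space that one side keeps and the other drops is enough to turn a legitimate message into a DKIM failure.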
This issue becomes a double-edged sword: if you use OpenDKIM to sign your outgoing emails, recipients using other DKIM verification tools may report a failed signature. Conversely, if you are a receiving mail server using OpenDKIM to verify incoming emails, you might incorrectly flag legitimate emails with such headers as having invalid DKIM signatures. This can be particularly problematic for specific headers like List-Unsubscribe, which are crucial for email compliance and sender reputation management.
Impact on email deliverability and reputation
When DKIM signatures fail, even due to subtle canonicalization errors, the consequences for email deliverability can be severe. Receiving mail servers, especially those with strict anti-spam policies, often rely heavily on DKIM, SPF, and DMARC for trust signals. A failed DKIM signature can instantly trigger a higher spam score, leading to your emails being routed to the junk folder or even outright rejected. This significantly impacts your campaign effectiveness and overall communication.
Beyond immediate inbox placement, consistent DKIM failures can damage your sender reputation. Mailbox providers like Google and Microsoft track your domain's authentication success rates. A pattern of failed authentications, even if caused by a software bug, signals unreliable sending practices. This can lead to your domain being placed on internal blocklists (or blacklists), making it increasingly difficult for your legitimate emails to reach recipients, even those not using OpenDKIM for verification.
Symptoms of DKIM failure
Spam folder delivery: Emails are consistently landing in recipients' junk or spam folders.
DMARC rejection: DMARC reports show a high percentage of DKIM fail or permerror results.
Intermittent failures: DKIM validation passes some places but fails with others, particularly those using OpenDKIM.
Impact on your email program
Reduced deliverability: Your emails won't reach your audience's inboxes effectively.
Damaged sender reputation: Mailbox providers will see your domain as less trustworthy over time.
Increased support tickets: Recipients will report not receiving your emails.
Diagnosing and mitigating the problem
Diagnosing this specific OpenDKIM issue requires careful inspection of email headers. Look for Authentication-Results headers that report a DKIM failure, especially when the email contains very long or MIME-encoded header values. You might see "permerror (bad sig)" or "body hash did not verify" results. An email deliverability tester can help you examine these headers in detail. Also check DMARC reports for dkim=fail entries, which indicate failed DKIM authentication.
Mitigating this OpenDKIM-specific issue often involves configuration adjustments rather than waiting for a software patch. One approach is to carefully select which headers are included in the DKIM signature. If a particular header (like List-Unsubscribe) is known to cause problems due to its length and folding behavior, you might exclude it from the signed headers list in your OpenDKIM configuration. This ensures that only headers that OpenDKIM can consistently canonicalize are included in the signature.
Another strategy is to control how your email sending system generates headers to avoid excessively long or poorly folded values. This might involve adjusting MIME encoding settings or ensuring that header values don't push folding points into problematic positions. While OpenDKIM's behavior with long headers has been a known issue for some time, as discussed in the OpenDKIM configuration manpage, it's crucial to implement workarounds to maintain deliverability. Regularly monitoring your blocklist status and DMARC reports can help catch such issues early.
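To make the diagnosis above concrete, here is an added triage script (not from the article or from OpenDKIM) that runs over a constructed raw header block. It extracts the dkim= results from Authentication-Results, lists which header fields were folded immediately after the field name, and intersects that list with the h= tag of the DKIM-Signature so you can see which signed headers match the symptom described on this page. The message, domain, selector and the PLACEHOLDER signature values are constructed; the function names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed raw header block (not a real message): the List-Unsubscribe value
# is one long token, so the line was folded right after the field name, and the
# receiving MTA recorded a DKIM failure.
LONG_URL = "<https://example.com/unsubscribe/" + "c" * 90 + ">"
SAMPLE_HEADERS = (
    "Authentication-Results: mx.example.net;\r\n"
    " dkim=fail (bad signature) header.d=example.com header.s=sel1;\r\n"
    " spf=pass smtp.mailfrom=example.com\r\n"
    "From: Sender <news@example.com>\r\n"
    "Subject: Weekly update\r\n"
    "List-Unsubscribe:\r\n"
    f" {LONG_URL}\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    " h=from:subject:list-unsubscribe; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
)


def split_fields(raw: str) -> List[Tuple[str, List[str]]]:
    """Split a raw header block into (name, physical lines) WITHOUT unfolding,
    so that folding positions are preserved for inspection."""
    fields: List[Tuple[str, List[str]]] = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:          # continuation of previous field
            fields[-1][1].append(line)
        else:
            name, _, first = line.partition(":")
            fields.append((name.strip(), [first]))
    return fields


def unfold(lines: List[str]) -> str:
    """Join continuation lines and squeeze whitespace for value parsing."""
    return re.sub(r"[ \t]+", " ", "".join(lines)).strip()


def folded_after_name(raw: str) -> List[str]:
    """Fields whose first physical line carries nothing but the name and colon."""
    return [name for name, lines in split_fields(raw)
            if len(lines) > 1 and lines[0].strip(" \t") == ""]


def dkim_results(raw: str) -> List[str]:
    """dkim=<result> (<reason>) entries from every Authentication-Results field."""
    results = []
    for name, lines in split_fields(raw):
        if name.lower() != "authentication-results":
            continue
        for m in re.finditer(r"\bdkim=(\w+)(\s*\([^)]*\))?", unfold(lines)):
            results.append(m.group(1) + (m.group(2) or ""))
    return results


def signed_headers(raw: str) -> List[str]:
    """Lower-cased names from the h= tag of the first DKIM-Signature field."""
    for name, lines in split_fields(raw):
        if name.lower() == "dkim-signature":
            m = re.search(r"\bh=([^;]+)", unfold(lines))
            if m:
                return [h.strip().lower() for h in m.group(1).split(":")]
    return []


def triage(raw: str) -> Dict[str, List[str]]:
    """Summarise DKIM outcome and which signed fields show the folding symptom."""
    folded = folded_after_name(raw)
    signed = signed_headers(raw)
    return {
        "dkim": dkim_results(raw),
        "folded_after_name": folded,
        "at_risk": [h.lower() for h in folded if h.lower() in signed],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Any header that lands in `at_risk` is a candidate for the mitigation described above: either keep it out of the signed set (in OpenDKIM this is controlled through the SignHeaders and OmitHeaders options in opendkim.conf) or change how the sending system generates it so the value no longer forces a fold directly after the name.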
Conclusion
While DKIM is a robust authentication protocol, specific implementations like OpenDKIM can encounter edge cases that lead to validation failures. The problem of long, folded email headers causing incorrect canonicalization is a prime example of such a scenario. Understanding this nuance is key to maintaining high email deliverability.
By proactively auditing your email headers, carefully configuring your DKIM signing process, and closely monitoring your DMARC data, you can minimize the impact of these technical quirks and ensure your legitimate emails consistently reach the inbox.
Views from the trenches
Best practices
Ensure your email sending system generates headers that comply with RFC standards, particularly concerning folding whitespace and line lengths. Avoid creating excessively long, unbroken strings within header values if possible.
Regularly review your DMARC aggregate and forensic reports to identify any DKIM failures, specifically looking for those with 'permerror' or 'body hash did not verify' results.
If using OpenDKIM for signing, explicitly define which headers are signed to exclude those that are prone to canonicalization issues due to dynamic content or extreme length.
Implement a comprehensive email deliverability monitoring strategy to detect authentication failures quickly and understand their impact on your inbox placement.
Common pitfalls
Overlooking subtle header formatting changes introduced by mail transfer agents (MTAs) or email service providers (ESPs) after DKIM signing, which can invalidate signatures.
Assuming that a correct DKIM DNS record alone guarantees proper email authentication without considering the internal signing and verification processes.
Not accounting for differences in how various DKIM implementations (like OpenDKIM) handle edge cases, such as very long or complex header values.
Failing to update OpenDKIM to the latest stable versions, which might contain fixes for canonicalization bugs, although some issues can persist.
Expert tips
Use a robust email header analyzer to dissect the raw headers of emails that fail DKIM validation. Compare the canonicalized form of headers at signing time versus verification time.
Consider using 'relaxed' canonicalization for both header and body as it is more resilient to minor modifications in transit, reducing the chances of signature breaks.
Set up DMARC with reporting to gather detailed insights into your authentication results, which will highlight any consistent DKIM failures for specific senders or recipients.
When troubleshooting, test with multiple recipients and different email clients to see if the DKIM failure is consistent or isolated to specific receiving environments.
Expert view
Expert from Email Geeks says they found that OpenDKIM gives false validation failures when a header has a very long word at the beginning, like a MIME-encoded content, which then causes header folding immediately after the header name.
2019-03-26 - Email Geeks
Marketer view
Marketer from Email Geeks says they have seen this issue in the past, even with Cloudmark, which uses a wrapper around OpenDKIM. This issue caused problems specifically with List-Unsubscribe headers.