The error "dkim=neutral (body hash did not verify)" indicates a problem where the recipient's mail server cannot validate the integrity of your email's body using the DKIM signature. This often means the email content was altered after it was signed, or there's a mismatch in how the sending and receiving servers process the message. Addressing this requires a systematic investigation into your email sending infrastructure and configuration.
Key findings
In-transit modification: A common cause is when an email is modified after being signed with DKIM but before reaching the recipient. This could be due to a forwarding system, a security gateway, or even a mailing list manager adding or changing content (like footers or watermarks), which invalidates the original body hash. One example cited involves added watermark headers.
Encoding discrepancies: Differences in how the sending and receiving systems handle message encoding can lead to miscalculations of the body hash, even if the content hasn't been deliberately altered. Microsoft systems, in particular, have been noted for sometimes having issues with encoding handling that can affect DKIM verification.
Broken signer: If the DKIM body hash fails consistently across multiple major email providers, such as both Outlook and Gmail, it strongly suggests that the DKIM signing process on your outbound mail transfer agent (MTA) is not functioning correctly. This could involve an improperly generated key pair or a misconfigured signing process.
DNS record issues: Incorrect or outdated DKIM DNS records can prevent recipients from correctly verifying the signature. This includes misconfigured public keys or issues with the selector. You can find more details on troubleshooting DNS issues for DKIM in our guide, how to troubleshoot DKIM failures.
Key considerations
Cross-provider testing: Always test DKIM verification across different email service providers (ESPs), particularly with robust systems like Gmail. If a DKIM body hash passes with Gmail but fails with Outlook, it often points to an issue with Outlook's handling of the message, such as specific encoding interpretations. Our article, why is microsoft dkim failing, provides further insights.
Key pair regeneration: If DKIM body hash verification consistently fails across multiple major providers, regenerating your DKIM public/private key pair is a strong initial troubleshooting step. This can resolve issues related to a corrupted or improperly generated key that is causing signing failures.
Review intermediate systems: Examine any systems or services that handle your email after it leaves your primary sending server but before it reaches the recipient. This includes email security gateways, archiving solutions, or any forwarders that might modify the email content. Ensure these systems are configured not to alter DKIM-signed parts of the message.
Encoding adjustments: Consult your system administrators or email service provider about the encoding settings of your outbound MTA. Adjusting these settings might be necessary to ensure consistent hash calculation between your sending system and recipient verification systems, especially if specific character sets or line endings are causing discrepancies.
Email marketers often encounter DKIM body hash verification failures when their emails aren't reaching inboxes as expected. These failures can be particularly frustrating because DKIM is a critical component of email authentication, signaling to recipients that an email hasn't been tampered with in transit. Marketers frequently pinpoint issues arising from how their sending platforms or intermediate services handle email content after signing.
Key opinions
Platform-specific issues: Many marketers note that DKIM body hash failures can be specific to certain email platforms or cron jobs, indicating that the way an email is generated or processed by particular systems can impact the hash calculation.
Content alteration: A common belief is that any modification to the email body, even minor ones like adding invisible characters or converting line endings, after the DKIM signature is applied, will cause the body hash verification to fail. This includes watermarks or footer additions by intermediate servers.
DNS setup importance: Marketers frequently stress the importance of ensuring that DKIM records are accurately published in DNS and match the keys used by the sending server. Mismatches here are a straightforward reason for verification failure.
Need for robust testing: There's a strong consensus on the need to test email deliverability across various receiving systems. If an email passes DKIM with one provider but fails with another, it helps narrow down whether the issue is with the sender's configuration or the recipient's handling.
Key considerations
Identify modification points: Marketers should investigate all potential points where an email might be altered between sending and receipt, such as email gateways, ESPs, or forwarders. Identifying and reconfiguring these to prevent modifications is crucial. Learn more about why Mimecast causes DKIM failures.
Canonicalization standards: Ensure your sending platform adheres to DKIM canonicalization standards for headers and body. Differences in simple vs. relaxed canonicalization can lead to hash mismatches, particularly if certain characters or line breaks are handled differently. Reviewing how your email content is generated, especially for automated sends (like cron jobs), is important.
DKIM record integrity: Regularly verify that your DKIM DNS record, including the public key, is accurate and accessible. Tools that check DNS propagation and DKIM setup can help confirm this. Our article why is my cpanel dkim record failing explains how to resolve common validation issues.
Troubleshooting methodologies: When facing body hash failures, marketers should first determine if the issue is isolated to a specific receiving domain (like Outlook) or if it's universal. This diagnostic step helps pinpoint the root cause, distinguishing between a sender-side signing problem and a recipient-side parsing quirk. Testing with major providers like Gmail is key.
Marketer view
Marketer from Email Geeks indicates they have a customer experiencing the "dkim=neutral (body hash did not verify)" error. This customer is receiving this error when sending to Outlook. They are seeking advice on how to resolve this specific issue, as it is impacting their customer's email deliverability and authentication status, prompting an investigation into potential causes within the email flow.
18 Nov 2022 - Email Geeks
Marketer view
Marketer from Spiceworks Community reports that while their DKIM selector records validate correctly, the MX Tool Message Header Analyzer indicates that the DKIM signature line fails the hash check. This suggests a disconnect between the apparent validity of their DNS records and the actual verification process upon email receipt. The issue points to a deeper problem than just DNS setup.
04 Oct 2020 - Spiceworks Community
What the experts say
Email deliverability experts highlight that DKIM body hash verification failures typically stem from message alterations in transit or fundamental issues with the DKIM signer itself. They stress the importance of understanding the nuances of how different mail systems, particularly Microsoft's, handle email encoding and canonicalization, which can often lead to discrepancies in hash calculation.
Key opinions
Transit modification vs. Encoding: Experts note that a body hash failure means the recipient server couldn't recreate the hash using the public key. This points to either incorrect initial signing, message modification in transit (e.g., by a forwarding system), or differing encoding handling between systems. The last point, encoding, is often considered the most likely cause, especially with Microsoft systems.
Broken signer: If DKIM body hash verification fails across multiple major email providers (like both Gmail and Outlook), experts concur that the DKIM signing component (the signer) on the sending side is likely at fault. This requires a direct fix at the source.
Google as a benchmark: Many experts use Google's email system as a reliable benchmark for verifying correct DKIM implementation. Its robustness makes it a good first check. If an email passes DKIM verification with Gmail but fails elsewhere, it helps to isolate the issue to the problematic receiving system rather than the sender's fundamental setup. For deeper insights, see ultimate guide to google postmaster tools.
Microsoft's specific issues: Microsoft's systems have historically been known for issues with DKIM authentication and unique handling of text encoding. Experts often suggest that if a problem is seen with Microsoft and not Google, the initial assumption should lean towards Microsoft's processing being the cause, rather than the sending infrastructure.
Key considerations
Systematic troubleshooting: When a DKIM body hash fails, experts advise first determining if the failure is isolated to a single recipient (like Outlook) or universal. This helps identify whether the issue lies with a specific receiver's interpretation or a flaw in the sender's signing process.
Key pair management: A fundamental step if the signer is deemed broken is to regenerate the public/private DKIM key pair. This ensures that a fresh, uncorrupted key is used for signing, often resolving underlying issues. Our guide on invalid rsa public key errors provides further context.
Encoding adjustments on MTA: If encoding differences are suspected, particularly when Microsoft is the failing party, experts suggest investigating and potentially modifying the text encoding configuration on the outbound Mail Transfer Agent (MTA). This may require input from system administrators or your email service provider.
Monitoring DMARC reports: Leveraging DMARC reports is crucial for identifying DKIM failures at scale. These reports provide insights into which receiving domains are failing DKIM authentication and for what reasons, allowing for more informed troubleshooting. For assistance, consult understanding and troubleshooting dmarc reports.
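The isolation step described above (one receiver failing versus several) can be scripted over the Authentication-Results headers collected from test mailboxes. This is an added example, not code from any of the cited sources. The receiver labels, hostnames, domains and header values are constructed, and it assumes the failure reason appears as a parenthesised comment, as in the error string this page discusses.

```python
import re
from collections import defaultdict

# dkim=<result>, an optional "(reason)" comment, then properties up to the next ';'
DKIM_RE = re.compile(r"\bdkim=(\w+)\s*(?:\(([^)]*)\))?([^;]*)", re.I)

def dkim_results(auth_results: str) -> list:
    """Extract every dkim= verdict (result, reason comment, signing domain) from one header."""
    out = []
    for result, reason, props in DKIM_RE.findall(auth_results):
        dom = re.search(r"header\.(?:d|i)=(?:[^@\s;]*@)?([\w.-]+)", props)
        out.append({"result": result.lower(), "reason": reason.strip(),
                    "domain": dom.group(1) if dom else None})
    return out

def triage(observations, domain: str):
    """observations: (receiver_label, Authentication-Results value) pairs for one send.

    Applies the page's rule of thumb: body-hash failures at two or more receivers
    point at the signer; a failure at one receiver while another passes points at
    that receiver's handling (or something on the path to it).
    """
    verdicts = defaultdict(set)
    for receiver, header in observations:
        for r in dkim_results(header):
            if r["domain"] != domain:      # ignore third-party (e.g. ESP) signatures
                continue
            bad = r["result"] != "pass" and "body hash" in r["reason"].lower()
            verdicts["body_hash_fail" if bad else r["result"]].add(receiver)
    failing, passing = verdicts["body_hash_fail"], verdicts["pass"]
    if len(failing) >= 2:
        return "sender-side", sorted(failing)
    if failing and passing - failing:
        return "receiver-specific", sorted(failing)
    if failing:
        return "inconclusive", sorted(failing)
    return "no-body-hash-failure", []

# Constructed header values (hostnames and domains are placeholders).
RECEIVER_A = "mx.receiver-a.example; dkim=pass header.i=@example.com header.s=sel1; spf=pass"
RECEIVER_B = ("mx.receiver-b.example; dkim=pass (signature was verified) header.d=esp.example; "
              "dkim=neutral (body hash did not verify) header.d=example.com; dmarc=pass")
RECEIVER_C = "mx.receiver-c.example; dkim=fail (body hash mismatch) header.d=example.com"

if __name__ == "__main__":
    print(triage([("a", RECEIVER_A), ("b", RECEIVER_B)], "example.com"))
    print(triage([("a", RECEIVER_A), ("b", RECEIVER_B), ("c", RECEIVER_C)], "example.com"))
```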
Expert view
Expert from Email Geeks suggests that if an email passes DKIM verification at Gmail but fails at Outlook, it's likely due to a problem with text encoding in the message. They elaborate that Microsoft's system may have difficulty with the body hash calculation because of how it processes the encoding. The solution, they indicate, involves changing the encoding performed by the outbound MTA, though the exact technical steps are outside their direct expertise, suggesting it's a task for system administrators.
18 Nov 2022 - Email Geeks
Expert view
Expert from Word to the Wise explains that a "body hash did not verify" error means the recipient server could not recreate the body hash using the public key from DNS. This can occur if the email was signed incorrectly, modified in transit by a forwarding system, or if there's a discrepancy in how encoding is handled between the sending and receiving systems. They emphasize that encoding differences are more probable than initial signing errors or in-transit modifications in the case of Microsoft's systems, due to their specific parsing behaviors.
16 Nov 2022 - Word to the Wise
What the documentation says
Official documentation and technical guides emphasize that DKIM body hash verification failures typically occur when the computed hash of the email body at the recipient's end does not match the hash included in the DKIM-Signature header. This is a direct indication of content integrity compromise or a canonicalization mismatch. Understanding the precise steps of DKIM signing and verification, as well as potential intermediate modifications, is crucial for diagnosis.
Key findings
Hashing mechanism: The core of DKIM body verification involves the recipient's server re-hashing the email content and comparing it to the original hash stored in the DKIM signature. A mismatch indicates that the email's body has changed since it was signed. This ensures integrity.
DNS record accuracy: Documentation consistently points to accurate and current DNS setup as fundamental for DKIM. This includes ensuring correct DKIM records exist and are accessible, as well as verifying against any DNS service disruptions or damaged records that might impede public key retrieval. An accurate DNS setup is vital.
Canonicalization standards: DKIM verification is sensitive to the canonicalization method used (simple or relaxed). Differences in how sending and receiving servers interpret line endings, whitespace, and character sets can lead to different body hashes being computed, causing verification failures even without malicious intent. For example, manual verification sometimes requires adjusting canonicalized headers.
Email gateway effects: Many documents highlight how intermediate email gateways, forwarders, or security services (like Mimecast, for instance) can alter the email body (e.g., adding disclaimers, removing attachments, or changing encoding), thereby invalidating the original DKIM body hash. This is a common point of failure.
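The hashing and canonicalization steps above can be reproduced offline to see which kind of change breaks which mode. This is an added example, not code from the cited documentation: it implements the simple and relaxed body canonicalization from RFC 6376 and compares the result with the `bh=` tag. The header, domain, selector and message bodies are constructed, and the `l=` body-length tag is not handled.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    # Assumption: input may be a saved .eml with bare LF; on the wire it is CRLF.
    lines = re.sub(rb"\r?\n", b"\r\n", body).split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "simple", algo: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the value carried in bh=."""
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    pairs = (p.split("=", 1) for p in sig_value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_body(sig_value: str, body: bytes) -> dict:
    """Recompute the body hash the way a verifier would and compare it with bh=."""
    tags = parse_tags(sig_value)
    c = tags.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"  # body part defaults to simple
    algo = tags.get("a", "rsa-sha256").split("-")[1]
    computed = body_hash(body, mode, algo)
    return {"mode": mode, "computed": computed, "match": computed == tags.get("bh")}

def make_sig(body: bytes, c: str) -> str:
    """Constructed header value (placeholder d=/s=, no b=): only body-hash tags matter here."""
    bh = body_hash(body, c.split("/")[1])
    return f"v=1; a=rsa-sha256; c={c}; d=example.com; s=sel1;\r\n\tbh={bh}; h=from:subject"

# Constructed sample: the signed body, then two in-transit changes of the kind described above.
ORIGINAL = b"Hello  team,\r\nInvoice attached.\r\n"
REWRAPPED = b"Hello team, \r\nInvoice attached.\r\n\r\n"   # whitespace-only change
FOOTER = ORIGINAL + b"-- \r\nScanned by gateway\r\n"      # content appended

if __name__ == "__main__":
    for c in ("simple/simple", "relaxed/relaxed"):
        sig = make_sig(ORIGINAL, c)
        for name, body in (("original", ORIGINAL), ("rewrapped", REWRAPPED), ("footer", FOOTER)):
            print(c, name, check_body(sig, body)["match"])
```

To check a real message, pass the unfolded `DKIM-Signature` value and the raw body bytes (everything after the first blank line) to `check_body`; a mismatch under the declared mode confirms the body differs from what was signed.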
Key considerations
Review MTA-STS and DMARC: While directly related to integrity, ensuring MTA-STS is correctly configured and that DMARC is actively monitored can provide additional layers of protection and visibility into authentication failures, including DKIM body hash issues. This allows for comprehensive email authentication. Check our guide on dmarc, spf, and dkim.
Examine email headers: When troubleshooting, analyze the full email headers (e.g., via an MX Tool Message Header Analyzer) for detailed DKIM results, including the canonicalization method used and the original body hash. This information is critical for comparing how the sender and receiver processed the email content.
Mailing list/forwarder impact: Documentation often advises verifying configurations of email forwarders and gateways, as these are frequent culprits for modifying email content and breaking DKIM signatures. If using a mailing list, ensure it's configured to handle DKIM correctly, or re-sign emails if modifications are unavoidable.
DKIM selector validation: Ensure that the DKIM selector specified in your DKIM-Signature header is correct and corresponds to the public key published in your DNS. Mismatches here will prevent the recipient from even attempting to verify the hash. Further information on this can be found in our guide on practical guide to dkim selector name examples.
Technical article
Documentation from Itechtics recommends checking if correct DKIM records exist and are properly configured in DNS. It emphasizes verifying that MTA-STS (Mail Transfer Agent Strict Transport Security) is also set up, and that email forwarders or gateway configurations are not interfering with the email's integrity. These are crucial steps for resolving DKIM body hash issues.
29 Dec 2020 - Itechtics
Technical article
Documentation from MyEmailVerifier Blog advises a thorough check of the DNS setup for accuracy and currency when a DKIM signature verification fails. It suggests investigating any DNS service disruptions, or damaged or removed linked DKIM DNS resource records. The stability and correctness of DNS are paramount for DKIM.