Why are Microsoft Office 365 DKIM signatures failing and how to fix it?

Key findings

• OpenDKIM Interoperability: There's a consistent pattern of OpenDKIM failing to verify DKIM signatures originating from Microsoft, suggesting a compatibility issue between Microsoft's signing algorithms and OpenDKIM's validation processes.
• Internal Authentication Headers: Microsoft inexplicably adds an 'authentication-results' header based on the 'to' address at the receiving server, which can confuse standard DKIM verification mechanisms.
• Key Length Challenges: Some Office 365 DKIM signatures, particularly those implemented with a n=1024 tag, experience 50-60% failure rates, indicating potential issues with key length or algorithm handling.
• Dynamic Code Changes: Microsoft frequently changes its underlying code, including how it handles 'via' (on behalf of) addresses, leading to unexpected DKIM authentication results and 'on behalf of' displays in Outlook clients.

Key considerations

• Sender Responsibility: While some issues are Microsoft-specific, ensuring your DKIM records are correctly published for your custom domain is a foundational step. Review the guidance on troubleshooting Office 365 DKIM and SPF failures to catch common misconfigurations.
• Recipient Server Validation: Even if Microsoft's DKIM signing is technically valid by some standards, its compatibility with widely used open-source validators like OpenDKIM can be a problem. This might mean emails fail authentication checks at various receiving mail servers. You can learn more about DKIM body hash failing for O365 received emails.
• Monitoring DMARC Reports: Regularly monitor DMARC reports to identify consistent patterns of DKIM authentication failures for your Office 365-sent emails. This provides insight into which receiving domains are experiencing issues and helps diagnose the root cause, as explored in why DKIM validations fail intermittently with Office365.

Key opinions

• Frustration with Microsoft's Implementation: Many marketers express bewilderment and frustration over how Microsoft handles email authentication, particularly the peculiar addition of 'authentication-results' headers by the sending server (Office 365 itself) based on the recipient's domain.
• Intermittent Failures: There are reports of DKIM signatures from Office 365 failing intermittently, sometimes affecting a significant percentage (e.g., 50-60%) of emails, especially when the signature includes specific tags like n=1024.
• 'On Behalf Of' Issues: Marketers frequently observe emails showing 'on behalf of' displays in Outlook, even when DKIM is seemingly configured correctly. This often points to a Sender header being present.
• Shared IP Pool Complexities: When receiving emails from ESPs with shared IP pools, Office 365 can exhibit weirdness where emails are signed by both the MTA and the domain, complicating authentication.

Key considerations

• External Sending Platforms: If using a third-party ESP alongside Office 365, ensure the ESP is properly configuring DKIM for your domain to avoid DKIM from domain mismatch and DMARC risks. This is critical for preventing emails from going to spam.
• Outlook Client Behavior: Be aware that Outlook clients (desktop and web) may display 'on behalf of' more readily than other clients like Gmail. For issues related to DKIM body hash did not verify errors on Outlook.com, direct troubleshooting may be required.
• Proactive Monitoring: Given the dynamic nature of Office 365's authentication behavior, constant monitoring of deliverability metrics and authentication results is paramount. You can refer to Bob McKay's blog on O365 DKIM setup problems for insights.

Key opinions

• Cryptographic Interoperability: A core issue is that Microsoft's DKIM signing algorithm (or its specific implementation) does not always interoperate seamlessly with other widely used DKIM validators, such as OpenDKIM. This means Microsoft's signatures may be valid by their own internal standards but fail verification elsewhere.
• Microsoft's Internal Headers: The practice of Microsoft adding an 'authentication-results' header at the sending server that reflects authentication outcomes at the *receiving* server is noted as highly unusual and counter-intuitive by experts.
• OpenDKIM Maintenance: Some experts point out that OpenDKIM itself may not be as actively maintained as it once was, with developers shifting focus to OpenARC. An outdated OpenDKIM version could contribute to verification issues.
• Not a Client-Side Fix: The primary cause of these DKIM failures is often attributed to Microsoft's system, not to a misconfiguration on the client's (sender's) end, which limits what users can directly do to resolve it.

Key considerations

• Software Updates: Ensuring that mail servers validating DKIM signatures (like those running OpenDKIM) are updated to the latest stable versions might resolve some interoperability issues, as suggested in what causes OpenDKIM to incorrectly validate DKIM signatures.
• Redundant Verification: Some systems employ multiple DKIM verification checks using different software or algorithms. If one fails but another passes, it suggests an interoperability gap rather than a universally invalid signature.
• Impact on Deliverability: While DKIM failures might not always immediately impact deliverability if other authentication methods (like SPF and DMARC) pass, persistent failures can negatively affect domain reputation, potentially leading to emails being sent to the spam or junk folder. Learn more about fixing 'Your DKIM signature is not valid' errors.

Key findings

• Standard DKIM Setup: Microsoft 365 documentation outlines a straightforward process for enabling DKIM, typically involving creating two CNAME entries for your custom domain, as described in guides like how to enable DKIM in Microsoft 365.
• Key Rotation: Documentation often emphasizes the importance of rotating DKIM keys periodically to mitigate risks if a private key is compromised, which helps maintain security and reputation. Refer to o365info.com for guidance on rotating DKIM keys.
• DMARC Alignment: Official documentation aligns DKIM's purpose with DMARC, noting that proper DKIM signing and alignment are critical for protecting domains from phishing and spoofing. You can find more about a simple guide to DMARC, SPF, and DKIM.

Key considerations

• Limited Troubleshooting Details: Microsoft's public documentation typically provides high-level setup instructions but lacks in-depth troubleshooting guides for complex DKIM failure scenarios, especially those involving interoperability with other systems or specific error codes like DKIM Signature Body Hash failures.
• Custom Domain Integration: Documentation for custom domain DKIM setup often assumes ideal conditions, but real-world scenarios, particularly with DNS propagation and selector configuration, can introduce challenges. For example, issues can arise with finding domainGUID and initialDomain for DKIM setup.
• Absence of n=1024 Tag Details: There's typically no mention in official documentation about specific DKIM signature tags like n=1024 and their potential to cause authentication issues, leaving users to discover these problems through observation.