Why are my plane ticket emails going to spam in Hotmail when DKIM fails, but passes in Gmail?
Matthew Whittaker
Co-founder & CTO, Suped
Published 16 Jul 2025
Updated 16 Aug 2025
8 min read
It's incredibly frustrating when crucial emails, like plane tickets, don't reach the inbox and instead land in spam folders. The confusion deepens when you see that your DKIM authentication passes successfully in Gmail, but fails specifically for Hotmail or Outlook recipients. This discrepancy can be a real head-scratcher, especially for time-sensitive communications where deliverability is paramount.
The email ecosystem is complex, and different mail providers, particularly those under the Microsoft umbrella, often have their own stringent interpretations and validation processes for email authentication protocols. While the core standards are universal, how they are applied can vary, leading to such perplexing situations.
DKIM, or DomainKeys Identified Mail, serves as a digital signature, allowing the receiving mail server to verify that an email was indeed sent by the domain it claims to be from and that the message hasn't been tampered with in transit. When a message passes DKIM, it means the signature is valid and matches the domain specified in the DKIM record, adding a layer of trust to the email's origin.
Gmail is generally quite forgiving when it comes to DKIM. As long as the signature is present and validates cryptographically, it will often report a pass result. This is because Gmail's filtering primarily relies on a combination of authentication, sender reputation, and content analysis.
However, a passing DKIM signature isn't the only factor. For emails to be fully authenticated under DMARC, SPF, and DKIM standards, the DKIM signing domain (the d= tag in your DKIM record) must align with the domain in your From header. This is known as domain alignment. If this alignment fails, even with a valid DKIM signature, the email might still be treated with suspicion, especially by mail providers like Hotmail, leading to it being sent to the spam folder. Understanding DMARC alignment failures is key here.
Why Hotmail (Outlook) might fail where Gmail passes
Microsoft's email services, including Hotmail and Outlook, are known for their particularly rigorous spam filtering and email authentication checks. They often apply additional scrutiny beyond merely verifying the DKIM signature. This can explain why DKIM might fail for Hotmail even if it passes elsewhere.
A common reason for this specific failure is how Microsoft's systems process email content. Even subtle modifications to the email body or headers during transit through various mail servers can invalidate the DKIM signature if the receiving server is very sensitive to such changes. This is often linked to differences in character encoding or handling of certain characters (like tabs vs. spaces) that can cause the calculated body hash to differ from the one signed by the sender.
This stricter approach by Microsoft means that even if your DKIM setup is technically correct according to the RFCs, minor inconsistencies or network-level alterations can lead to a failed authentication. It's a key reason why emails to Hotmail and Outlook recipients might fail DKIM while passing for other providers like Gmail.
Common reasons for DKIM failures at Microsoft
Content modification: Emails might be altered in transit by intermediate servers, invalidating the original DKIM signature.
Character encoding differences: Discrepancies between the declared character set (e.g., US-ASCII) and the actual characters used (e.g., UTF-8) can cause issues.
Header inconsistencies: Malformed or non-standard headers can trigger stricter filtering and DKIM validation failures.
Internal relay systems: Sometimes, Microsoft's own internal processing can inadvertently modify emails, leading to DKIM failures.
Investigating the email headers and content
Looking at the email headers you provided, the line Authentication-Results: spf=pass (sender IP is 18.214.133.205) smtp.mailfrom=kiusys.com; dkim=fail (signature did not verify) header.d=kiusys.com;dmarc=none action=none header.from=; clearly indicates that the dkim=fail is due to a signature did not verify error. This strongly points to the email content or headers being altered in a way that breaks the signature, rather than a DNS issue with the DKIM record itself.
A significant red flag is the formatting of your Reply-To and From headers. Malformed headers can be a major cause of deliverability issues, especially for discerning email providers. The provided headers show a mix of domains and unusual syntax, which spam filters are quick to flag as suspicious. These headers do not conform to standard email formatting practices, reducing trust in the message.
Another area to investigate is the declared character encoding. Your headers specify Content-Type: text/html; charset="us-ascii" and Content-Transfer-Encoding: 7bit. If your email content contains characters outside of the US-ASCII range (e.g., special characters, emojis, non-English text), this mismatch can cause Microsoft's filters to modify the email body, leading to a DKIM signature failure.
Visible sender
The From header shows LESLY.CASARES@EQUAIR.COM.EC. This is the address that recipients see as the sender. Even though the actual sending address in the Return-Path is noreply@kiusys.com, the visible From domain EQUAIR.COM.EC is important for alignment.
DKIM signing domain
The DKIM-Signature header specifies d=kiusys.com. This means that the kiusys.com domain is responsible for signing the email. For DMARC alignment, the domain in the From header (EQUAIR.COM.EC) needs to match or be a subdomain of the DKIM signing domain (kiusys.com). In this case, they are different, which can be problematic.
Beyond authentication: Reputation and content filters
Even when SPF, DKIM, and DMARC appear to be configured correctly, other elements can influence where your emails land. Sender reputation is a critical factor, built over time based on sending history, spam complaint rates, and engagement. If your domain or IP address has a low reputation or is listed on a blocklist (or blacklist), your emails are more likely to be flagged as spam.
The content of the email itself also plays a significant role. Aggressive sales language, excessive use of all caps, suspicious links, or certain attachments can trigger spam filters. For transactional emails like plane tickets, ensuring the content is clean, concise, and devoid of marketing elements can improve deliverability. High volumes of emails sent without a proper warm-up period or to unengaged recipients can also negatively impact your sender score.
Furthermore, recipient engagement with your emails matters. If a significant number of recipients mark your emails as spam, delete them without opening, or move them to the junk folder, it sends a strong negative signal to the mail provider. This feedback loop can lead to future emails being automatically filtered into the spam folder, even if your authentication is technically correct.
Steps to resolve deliverability issues
To address these deliverability issues for your plane ticket emails, here are the key steps you should take:
Fix malformed headers: Correct the syntax of your From and Reply-To headers to adhere to standard RFC formatting. They should be clean and consistent.
Ensure character encoding consistency: If your emails contain non-ASCII characters, change your charset to UTF-8 to avoid content alteration. Test thoroughly after this change.
Achieve DMARC alignment: Ensure the From header domain aligns with your DKIM signing domain (d=). This is critical for Hotmail deliverability. You can monitor this with DMARC monitoring.
Consistently test your email deliverability to various providers, especially Hotmail and Outlook, after making changes. This iterative testing process is essential to identify and rectify issues specific to different receiving systems. Additionally, regularly check your domain and IP against blocklists (or blacklists) to ensure your sending reputation is healthy.
Ensuring inbox delivery for critical emails
Ensuring the reliable delivery of critical transactional emails like plane tickets requires a proactive and meticulous approach. While DKIM passing in Gmail is a positive sign, it's not a universal guarantee across all mail providers, especially with the differing strictness levels of services like Hotmail and Outlook. Email deliverability is a constantly evolving challenge that requires vigilance.
By addressing header formatting, ensuring character encoding consistency, achieving proper DMARC alignment, and continuously monitoring your sender reputation, you can significantly improve your chances of reaching the inbox, no matter the recipient's mail provider. It's about building trust with receiving servers through clear, compliant, and consistent sending practices.
Views from the trenches
Best practices
Regularly check your DKIM configuration and DNS records for any inconsistencies or errors.
Ensure that your email content encoding, especially if it includes non-ASCII characters, is consistently UTF-8.
Always align your email's visible 'From' domain with your DKIM signing domain for optimal DMARC validation.
Proactively monitor DMARC reports to catch authentication failures, particularly with specific mail providers.
Conduct thorough deliverability tests to various email providers, including Hotmail and Outlook, after any configuration changes.
Common pitfalls
Using malformed 'Reply-To' or 'From' headers, which can immediately trigger spam filters.
Mismatching character encodings between your email content and what's declared in the headers.
Assuming that a DKIM pass at one major provider (like Gmail) means it will pass everywhere else.
Ignoring the subtle, provider-specific differences in how DKIM signatures are validated and interpreted.
Neglecting your overall domain and IP reputation, which can lead to blocklisting (blacklisting) regardless of authentication.
Expert tips
When troubleshooting, examine the full email headers provided by the recipient's mail server for detailed authentication results and spam scores.
If DKIM fails due to 'signature didn't verify' at Microsoft, try simplifying your email content to identify specific problematic characters or formatting.
Consider contacting Microsoft's postmaster support if persistent DKIM failures occur despite adherence to best practices, as they may offer specific insights.
Implement a strict DMARC policy (quarantine or reject) gradually to enforce authentication and receive detailed feedback reports.
Maintain a clean mailing list and encourage positive engagement from recipients to build a strong sender reputation over time.
Expert view
Expert from Email Geeks says that the DKIM issue should be fixed, noting a rare but long-standing problem with character encoding at Outlook.com that can make DKIM signatures fail.
Feb 7, 2022 - Email Geeks
Marketer view
Marketer from Email Geeks says that some brands experience DKIM failures specifically at Outlook, even when it passes everywhere else.
Hotmail and Outlook, are known for their particularly rigorous spam filtering and email authentication checks. They often apply additional scrutiny beyond merely verifying the DKIM signature. This can explain why DKIM might fail for Hotmail even if it passes elsewhere.
