Why is DKIM failing due to bh= value or showing as not verified, and is Proofpoint involved?
Michael Ko
Co-founder & CEO, Suped
Published 10 Oct 2025
Updated 10 Oct 2025
7 min read
Many email senders experience frustrating DKIM authentication failures, often manifested as "bh= value" mismatches or a "DKIM not verified" status. It is particularly perplexing when your own platform indicates that DKIM is correctly configured and in place. This common scenario frequently points to an intermediary service altering the email after it leaves your sending infrastructure but before it reaches the final recipient. Understanding why this happens, especially when a service like Proofpoint is in the mail flow, is key to resolving these issues.
The core of the problem usually lies in the email's body hash (bh=) not matching the original value calculated by your sending server. This indicates that the email's content has been modified in transit, which is a red flag for DKIM. While this can sometimes signal a legitimate issue, it is also a common, expected side effect of certain email security and filtering solutions designed to protect recipients.
Diagnosing these situations requires a deep dive into your email authentication reports, particularly DMARC, to pinpoint exactly where and why these failures are occurring. Without visibility into these reports, it is difficult to differentiate between a misconfiguration and an expected outcome from a security appliance. We can help you understand why your DKIM body hash is failing and guide you towards effective solutions.
DKIM, or DomainKeys Identified Mail, uses cryptographic signatures to verify that an email was sent by an authorized server and that its content hasn't been tampered with since it was signed. The "bh=" value in a DKIM signature is the body hash, a cryptographic summary of the email's body. When a receiving server checks an incoming email, it computes its own body hash and compares it to the bh= value in the DKIM signature. If they don't match, the DKIM authentication fails, often resulting in a "body hash did not verify" error.
Any alteration to the email body, even a minor change like adding a tracking pixel, modifying a URL, or changing whitespace, will cause the computed body hash to differ from the signed hash. This is why DKIM can fail even when your initial configuration is perfectly sound. The key is to identify *what* is making the changes and *whether those changes are intentional or malicious*.
Fixing these issues often involves understanding the email's journey and any intermediaries involved. You can learn more about how to fix DKIM body hash mismatch failures by reviewing your email sending practices and infrastructure.
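The body-hash check described above, as an added example that is not code from this article or from Suped. It implements the two DKIM body canonicalizations from RFC 6376, computes bh= the way a verifier does, and then shows a constructed message failing the check after a link in it has been rewritten (the gateway hostname is a placeholder, not any vendor's real format). The b= tag is left empty because it needs the signer's private key and is not what this check is about.

```python
import base64
import hashlib
import re

# Added example, not code from the article or from Suped: computes the DKIM body
# hash (bh=) as a verifier would (RFC 6376 section 3.4) and shows how a content
# change between signer and final receiver makes the check fail.


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """Apply DKIM body canonicalization ("simple" or "relaxed")."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {mode}")
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # collapse runs of SP/HTAB to one SP and drop whitespace before the line end
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    # ignore all empty lines at the end of the body
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # an empty body canonicalizes to a single CRLF (RFC 6376 section 3.4.3);
        # the same convention is used here for relaxed
        return b"\r\n"
    # every line, including the last, ends with CRLF
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str = "relaxed") -> str:
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, removing folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_signature: str, body: str) -> bool:
    """Recompute bh= for the body as received and compare it with the signed value."""
    tags = parse_tags(dkim_signature)
    # c= carries header/body modes; a missing body mode means "simple"
    _header_mode, _, body_mode = tags.get("c", "simple/simple").partition("/")
    return body_hash(body, body_mode or "simple") == tags["bh"]


def build_signature(body: str, canon: str = "relaxed/relaxed") -> str:
    """Constructed DKIM-Signature with only bh= filled in; b= needs the private key
    and is left empty so the example stays focused on the body-hash check."""
    body_mode = canon.partition("/")[2] or "simple"
    return (
        f"v=1; a=rsa-sha256; c={canon}; d=example.com; s=selector1; "
        f"h=from:to:subject:date; bh={body_hash(body, body_mode)}; b="
    )


# constructed sample body as it left the signing server
ORIGINAL_BODY = (
    "Hi team,\r\n"
    "\r\n"
    "Please review https://docs.example.com/policy before Friday.\r\n"
    "\r\n"
    "Thanks\r\n"
)

# constructed: the same body after a gateway rewrote the link to point at its own
# click-scanning service (placeholder hostname, not any vendor's real URL format)
REWRITTEN_BODY = ORIGINAL_BODY.replace(
    "https://docs.example.com/policy",
    "https://urlcheck.gateway.example/v1?u=https://docs.example.com/policy",
)

if __name__ == "__main__":
    sig = build_signature(ORIGINAL_BODY)
    print("signed bh=", parse_tags(sig)["bh"])
    print("original body verifies:", verify_body_hash(sig, ORIGINAL_BODY))
    print("rewritten body verifies:", verify_body_hash(sig, REWRITTEN_BODY))
    # relaxed canonicalization tolerates whitespace-only changes; simple does not
    reflowed = ORIGINAL_BODY.replace("Hi team,", "Hi   team,  ")
    print("reflowed body, relaxed:", verify_body_hash(sig, reflowed))
    simple_sig = build_signature(ORIGINAL_BODY, "simple/simple")
    print("reflowed body, simple:", verify_body_hash(simple_sig, reflowed))
```

The whitespace case is worth noting: signing with c=relaxed/relaxed survives gateways that only reflow spacing, but no canonicalization survives a rewritten URL or an appended disclaimer, which is why those modifications always show up as a body hash mismatch at the final hop.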
Common causes of DKIM body hash failures
Email security gateways: Services like Proofpoint, Mimecast, or Barracuda often rewrite URLs for phishing protection or add disclaimers, altering the body.
Mailing list managers: Forwarding emails through a mailing list or internal system that adds headers, footers, or tracking pixels changes the signed body.
Email clients or servers: Some email clients or intermediate servers may modify message encoding or line endings.
Proofpoint and email modification
Proofpoint is a prominent email security gateway used by many organizations to protect their inboxes. When an email passes through Proofpoint, it often undergoes various security scans and modifications. One common modification is URL rewriting, where links in the email body are changed to point to Proofpoint's own click-tracking and scanning servers. This allows Proofpoint to analyze the link for malicious content before the user accesses it. While beneficial for security, it inherently alters the email's body, which will cause the DKIM body hash verification to fail.
If Proofpoint is deployed as an inbound gateway in front of a recipient's email system, such as Google Workspace, then Google (or other receiving services) will report a DKIM failure. This is often an expected behavior and not necessarily an issue with your DKIM configuration itself. The email has been successfully authenticated by Proofpoint, but then Proofpoint modified it, leading to a subsequent failure at the final destination.
It is important to determine whether these failures occur only at Proofpoint-protected destinations, as the Email Geeks discussion quoted below suggests. Receivers process mail in different ways, and gateways such as Barracuda and Proofpoint are known to cause DKIM authentication failures because they modify message content. Understanding these nuances is crucial for accurate troubleshooting.
Expected DKIM failure with Proofpoint
When Proofpoint is positioned as an inbound email gateway, it's designed to rewrite URLs in email bodies for enhanced security. This modification changes the original email content, inevitably breaking the DKIM signature's body hash.
Security measure: URL rewriting protects recipients from phishing and malware, so the DKIM failure at the final recipient (e.g., Gmail) is an anticipated outcome.
No immediate fix needed: If Proofpoint has successfully authenticated the email before modifying it, the subsequent DKIM failure at the final hop is not a sign that your sending setup is broken.
Actual DKIM misconfiguration
If DKIM is failing across various receiving domains, and not just those protected by specific security solutions, it might indicate a problem with your own DKIM setup or sending practices.
DNS issues: An incorrect or missing DKIM record in your DNS.
Signing problems: Your sending server may not be signing emails correctly, or the signing process is incomplete.
Leveraging DMARC for diagnosis
The most effective way to understand the scope and nature of DKIM failures, especially those involving intermediaries like Proofpoint, is by analyzing DMARC reports. DMARC (Domain-based Message Authentication, Reporting, and Conformance) provides comprehensive feedback on how your emails are performing across the internet.
These XML reports, sent by receiving mail servers, detail the authentication results (SPF and DKIM) for all emails sent from your domain. By reviewing your DMARC reports, you can identify specific mail receivers or security gateways (like Proofpoint) that are reporting DKIM failures. This allows you to differentiate between a local configuration error and an expected modification by a third-party service.
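The triage described in the two sections above (expected failure at gateway-fronted receivers versus a sender-side misconfiguration that fails everywhere), as an added example that is not code from this article or from Suped. It parses aggregate reports in the RFC 7489 Appendix C layout, counts DKIM failures per reporting organization, and separates those still covered by aligned SPF from real DMARC failures. The reports, organization names and IPs are constructed for the example; in the constructed records the aligned result in policy_evaluated is kept identical to the raw auth_results value, which is not always true in real reports.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the article or from Suped: summarizes DMARC aggregate
# (RUA) reports per reporting organization so DKIM failures confined to particular
# receivers can be told apart from a sender-side problem that fails everywhere.
# Real reports arrive as untrusted XML attachments; parse those with defusedxml
# in production rather than the stdlib parser used here for a self-contained demo.


def make_report(org: str, rows) -> str:
    """Build a constructed aggregate report (RFC 7489 Appendix C layout)."""
    records = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
        f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
        f"<spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>example.com</header_from></identifiers>"
        f"<auth_results><dkim><domain>example.com</domain><selector>selector1</selector>"
        f"<result>{dkim}</result></dkim><spf><domain>example.com</domain>"
        f"<result>{spf}</result></spf></auth_results></record>"
        for ip, count, dkim, spf in rows
    )
    return (
        f'<?xml version="1.0"?><feedback><report_metadata><org_name>{org}</org_name>'
        f"<report_id>{org}-1</report_id></report_metadata><policy_published>"
        f"<domain>example.com</domain><p>none</p></policy_published>{records}</feedback>"
    )


# constructed reports: a mixed receiver, a clean receiver, and one where every
# message arrives with a broken signature (IPs from the documentation range)
SAMPLE_REPORTS = [
    make_report("receiver-a.example", [("203.0.113.10", 120, "pass", "pass"),
                                       ("203.0.113.10", 30, "fail", "pass")]),
    make_report("receiver-b.example", [("203.0.113.10", 80, "pass", "pass")]),
    make_report("gateway-fronted.example", [("203.0.113.10", 15, "fail", "pass")]),
]


def summarize(report_xml: str, summary: dict = None) -> dict:
    """Accumulate per-org counts from the policy_evaluated block of each record."""
    if summary is None:
        summary = {}
    root = ET.fromstring(report_xml)
    org = root.findtext("report_metadata/org_name", default="unknown")
    stats = summary.setdefault(
        org, {"messages": 0, "dkim_fail": 0, "dkim_fail_spf_pass": 0, "dmarc_fail": 0}
    )
    for record in root.iter("record"):
        count = int(record.findtext("row/count", default="0"))
        dkim = record.findtext("row/policy_evaluated/dkim", default="fail")
        spf = record.findtext("row/policy_evaluated/spf", default="fail")
        stats["messages"] += count
        if dkim != "pass":
            stats["dkim_fail"] += count
            if spf == "pass":
                # aligned SPF still carries the DMARC pass for these messages
                stats["dkim_fail_spf_pass"] += count
            else:
                stats["dmarc_fail"] += count
    return summary


def classify(summary: dict) -> str:
    """Rough triage from where the DKIM failures are reported."""
    orgs = [s for s in summary.values() if s["messages"] > 0]
    failing = [s for s in orgs if s["dkim_fail"] > 0]
    if not failing:
        return "dkim-healthy"
    if len(failing) == len(orgs):
        # every receiver rejects the signature: check DNS record and signing first
        return "sender-side-suspected"
    # failures concentrated at particular receivers: look for an intermediary there
    return "intermediary-suspected"


if __name__ == "__main__":
    totals = {}
    for report in SAMPLE_REPORTS:
        summarize(report, totals)
    for org, s in totals.items():
        print(f"{org:28} msgs={s['messages']:4} dkim_fail={s['dkim_fail']:3} "
              f"spf_covered={s['dkim_fail_spf_pass']:3} dmarc_fail={s['dmarc_fail']:3}")
    print("verdict:", classify(totals))
```

The dkim_fail_spf_pass column is the one to watch for the Proofpoint case: the signature breaks at the final hop, but as long as the message was delivered directly from your own servers, aligned SPF keeps DMARC passing, which is the trade-off the resolution section below refers to.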
Tools like Suped provide robust DMARC monitoring and reporting, transforming complex XML data into actionable insights. This visibility is indispensable for pinpointing the exact cause of DKIM body hash failures and maintaining optimal email deliverability. Suped offers the most generous free DMARC reporting plan on the market, making it the best choice for managing your email security.
Resolving authentication issues
Once you've analyzed your DMARC reports and identified that Proofpoint (or another security appliance) is indeed the cause of DKIM failures due to body modifications, the next steps depend on the specific context. If these failures are confined to specific destinations that use such services, and DMARC alignment is still passing via SPF, it might be an acceptable trade-off for enhanced security. However, if other authentication issues are present, further investigation is needed. For example, DKIM failing on Gmail when Proofpoint is involved may require you to reach out to the administrators of the receiving environment.
If you suspect a misconfiguration on your end, ensure your DKIM DNS records are correctly published and accessible. A typical DKIM record will look something like this:
Example DKIM DNS record:
selector1._domainkey.yourdomain.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnOQxZ..."
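A check of a published record like the one above, as an added example that is not code from this article or from Suped. It joins the quoted strings a long TXT record is split into, parses the tag list, and flags the mistakes verifiers report as "no key" or "key revoked". The key material is constructed bytes, not a real RSA key, and only its base64 syntax is checked.

```python
import base64
import binascii
import re

# Added example, not code from the article or from Suped: checks a DKIM TXT record
# for the mistakes that make verifiers report "no key" or "key revoked", after
# joining the quoted strings a long record is split into in DNS.


def dkim_query_name(selector: str, domain: str) -> str:
    """Name the verifier looks up: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted character-strings of a TXT record (dig/zone-file style).
    Public keys usually exceed 255 bytes and are published as several strings."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:
        return rdata.strip()
    return "".join(p.replace('\\"', '"') for p in parts)


def parse_dkim_record(record: str) -> dict:
    """Tag=value list per RFC 6376 section 3.6.1; whitespace inside values is dropped."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_dkim_record(record: str) -> list:
    """Return a list of findings; an empty list means the record looks publishable."""
    findings = []
    tags = parse_dkim_record(record)
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append(f"unexpected version tag v={tags['v']}")
    if "v" in tags and not record.lstrip().startswith("v="):
        findings.append("v= tag present but not first (RFC 6376 requires it first when present)")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        findings.append(f"unknown key type k={key_type}")
    if "p" not in tags:
        findings.append("missing p= tag: verifiers treat this as no key")
    elif tags["p"] == "":
        findings.append("empty p= tag: this publishes a revoked key, so every signature fails")
    else:
        try:
            key_bytes = base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            findings.append("p= value is not valid base64 (often a copy/paste or split-string error)")
        else:
            if key_type == "ed25519" and len(key_bytes) != 32:
                findings.append("ed25519 p= must decode to exactly 32 bytes")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: RFC 6376 tells verifiers not to treat mail from "
                        "the domain differently from unsigned mail; remove it after rollout")
    return findings


# constructed key material (not a real RSA key) published as two quoted strings,
# the way a resolver shows a record longer than 255 bytes
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-not-a-real-rsa-key-" * 6).decode("ascii")
SAMPLE_RDATA = '"v=DKIM1; k=rsa; p=' + SAMPLE_KEY_B64[:120] + '" "' + SAMPLE_KEY_B64[120:] + '"'

if __name__ == "__main__":
    print("query:", dkim_query_name("selector1", "yourdomain.com"))
    record = join_txt_strings(SAMPLE_RDATA)
    print("findings for sample record:", check_dkim_record(record) or "none")
    print("findings for revoked record:", check_dkim_record("v=DKIM1; k=rsa; p="))
    print("findings for truncated paste:", check_dkim_record("v=DKIM1; k=rsa; p=MIGfMA0G..."))
```

To feed it a live record, take the rdata from dig +short TXT selector1._domainkey.yourdomain.com (a real command, shown here as a usage hint) and pass that string to join_txt_strings before check_dkim_record; a record that comes back as several quoted strings is normal and only a problem if the pieces were split inside a tag name or published as separate TXT records.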
Regularly monitor your DMARC reports to spot any changes in authentication results, which could indicate new intermediaries or changes in email processing. Persistent DKIM issues, such as a DKIM temperror, also require specific troubleshooting steps.
Views from the trenches
Best practices
Always implement DMARC with reporting to gain visibility into your email authentication results and detect potential issues proactively.
Educate your team and clients about how email security gateways, such as Proofpoint, can legitimately modify emails and impact DKIM.
Regularly review your DMARC aggregate reports to track DKIM performance across all receiving domains and identify trends.
Verify the specific DKIM selectors used by your sending platforms and ensure corresponding public keys are published in DNS.
Maintain open communication with recipients experiencing DKIM failures, asking for full email headers for detailed analysis.
Common pitfalls
Assuming a DKIM failure always indicates a problem with your own sending infrastructure or DNS setup.
Overlooking the impact of intermediate mail servers, such as spam filters or archiving solutions, on email content.
Failing to check DMARC reports regularly, leading to delayed detection of authentication issues and potential deliverability problems.
Not understanding that legitimate email modifications by security services can lead to expected DKIM failures at the final hop.
Ignoring `temperror` results in DMARC reports, which can indicate intermittent DNS lookup problems or temporary signing issues.
Expert tips
Start with a monitoring-only DMARC policy (p=none) to gather data before moving to quarantine or reject.
Segment your email sending traffic to better isolate the source of any authentication issues.
Test email authentication thoroughly after any changes to your sending infrastructure or DNS records.
Configure multiple DKIM selectors if using various sending services, ensuring each is properly set up.
Leverage DMARC forensic reports (RUF) when available to get more detailed information about authentication failures.
Marketer view
Marketer from Email Geeks says that sometimes Proofpoint is used as an inbound gateway in front of Google Workspace accounts. If Proofpoint rewrites URLs in emails for security, DKIM will show as failed in Google, but this is expected and not an actual issue with the sender's configuration.
September 30, 2024 - Email Geeks
Marketer view
Marketer from Email Geeks suggests reaching out to the administrators of the setup where the issue is happening. It might not be a problem Proofpoint can address, but rather an expected outcome of the recipient's mail flow.
September 30, 2024 - Email Geeks
The path to reliable email delivery
Dealing with DKIM failures, especially those related to body hash values and the involvement of services like Proofpoint, highlights the complexities of modern email deliverability. While it can be concerning to see authentication failures, it's essential to diagnose the root cause accurately. Often, these are not signs of a problem with your own setup, but rather an expected consequence of robust email security measures employed by recipients.
Implementing and monitoring DMARC is the most reliable way to gain clarity over your email's authentication status and identify potential issues. By understanding the full authentication picture, you can ensure your legitimate emails are delivered reliably, while also maintaining the highest standards of email security. Suped provides comprehensive DMARC monitoring to help you navigate these challenges effectively.