Emails failing DKIM validation on Gmail, particularly those showing a "body hash did not verify" error, are a common challenge for many senders. This issue often points to modifications made to the email's content after it has been signed by DKIM but before it reaches the final recipient. A frequent culprit in corporate environments is an email security gateway or a spam filter, such as Proofpoint, which may alter the email body for various security or compliance reasons, thus invalidating the original DKIM signature. Understanding the flow of your emails through such systems is crucial for diagnosing and resolving these authentication failures.
Key findings
Content modification: DKIM failures, specifically "body hash did not verify" errors, commonly occur when an intermediary system modifies the email content after the original DKIM signature is applied. Checking authentication results in email headers can pinpoint this issue.
Proofpoint's role: Proofpoint (especially its Targeted Attack Protection, or TAP) is a frequent cause of DKIM failures. Its features, like URL rewriting, adding corporate banners, or disclaimers, alter the email body, breaking the DKIM signature.
Internal email impact: These issues are particularly noticeable with internal emails within an organization where security solutions are actively scanning and modifying messages.
SPF susceptibility: DKIM breaks on content changes; SPF (Sender Policy Framework) breaks instead when a gateway relays the message onward from IP ranges that are not listed in the sender's SPF record. In practice most organizations configure the mailbox provider to treat the gateway's IP ranges as trusted inbound relays, so mail arriving from them is not subjected to a fresh SPF check at that hop.
Importance of DMARC: DKIM failures can lead to DMARC failures, affecting email deliverability. DMARC relies on either SPF or DKIM aligning with the "From" domain. If DKIM is consistently failing due to modifications, it may impact your DMARC compliance. Learn more about the basics of DMARC, SPF, and DKIM.
Key considerations
Check email headers: Always examine the "Authentication-Results" header in the raw email to identify the exact reason for DKIM failure, such as "body hash did not verify" or "neutral."
Understand your email flow: Map out all intermediate servers, security gateways, and services (like Proofpoint) that handle your outbound and inbound emails. These systems are often configured to perform actions that invalidate DKIM signatures.
External testing: Send test emails to external, non-corporate addresses (e.g., personal Gmail accounts) to verify if the DKIM failures persist outside of your internal network, as internal security measures might be the cause.
Configure security gateways: Work with your IT department to properly configure email security solutions (like Proofpoint) to avoid content modification for specific trusted senders or to ensure that they re-sign emails appropriately (e.g., using ARC) if modifications are necessary. Proofpoint itself has been associated with routing flaws that impact deliverability.
Implement ARC: Authenticated Received Chain (ARC) is a protocol that allows intermediate mail servers to attest to the original email authentication results, even after modifications. Implementing ARC can help maintain DMARC validation through such systems.
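To make the "body hash did not verify" mechanics concrete, here is an added example (written for this page, not code from Gmail, Proofpoint or any project named above) that implements the RFC 6376 body canonicalization and bh= computation in Python, then checks a signed body against three constructed in-transit changes: a whitespace-only reflow, a rewritten URL, and an appended banner. The body text, the rewrite gateway URL and the banner wording are made up for the example.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body(body: bytes, algorithm: str = "relaxed") -> bytes:
    """Apply RFC 6376 body canonicalization ("simple" or "relaxed").

    Bare LF line endings are normalized to CRLF first so sample input can be
    written without explicit CRLF everywhere.
    """
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if algorithm == "relaxed":
        # relaxed: collapse runs of WSP to one space and drop trailing WSP on each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    elif algorithm != "simple":
        raise ValueError(f"unknown canonicalization: {algorithm}")
    # both algorithms: ignore every empty line at the end of the body
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # an empty body hashes as a single CRLF under "simple" and as nothing under "relaxed"
        return b"\r\n" if algorithm == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, algorithm: str = "relaxed") -> str:
    """Return the base64 SHA-256 body hash, i.e. the value a signer writes into the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, algorithm)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(body: bytes, bh_tag: str, algorithm: str = "relaxed") -> bool:
    """Recompute bh over the body as received and compare it with the signed bh= tag.

    A False result is what a verifier reports as "body hash did not verify".
    """
    return hmac.compare_digest(body_hash(body, algorithm), bh_tag)


# Constructed sample body; the URL and banner text are placeholders, not real gateway output.
SIGNED_BODY = (
    b"Hello,\r\n"
    b"\r\n"
    b"Your report is ready: https://example.com/report/42\r\n"
    b"\r\n"
    b"Thanks\r\n"
)


def demonstrate() -> dict:
    """Show which kinds of in-transit change survive the signed bh= tag and which break it."""
    bh_relaxed = body_hash(SIGNED_BODY, "relaxed")
    bh_simple = body_hash(SIGNED_BODY, "simple")

    # 1. Whitespace-only change: trailing spaces plus extra blank lines at the end.
    reflowed = SIGNED_BODY.replace(b"Thanks\r\n", b"Thanks   \r\n\r\n\r\n")
    # 2. URL rewritten to point at a hypothetical click-protection gateway.
    url_rewritten = SIGNED_BODY.replace(
        b"https://example.com/report/42",
        b"https://gateway.example/rewrite?u=https%3A%2F%2Fexample.com%2Freport%2F42",
    )
    # 3. Banner appended after the body.
    footer_added = SIGNED_BODY + b"\r\n[EXTERNAL] This message originated outside the organization.\r\n"

    return {
        "unchanged": verify_body_hash(SIGNED_BODY, bh_relaxed),
        "whitespace_only_relaxed": verify_body_hash(reflowed, bh_relaxed, "relaxed"),
        "whitespace_only_simple": verify_body_hash(reflowed, bh_simple, "simple"),
        "url_rewritten": verify_body_hash(url_rewritten, bh_relaxed),
        "footer_added": verify_body_hash(footer_added, bh_relaxed),
    }


if __name__ == "__main__":
    for change, ok in demonstrate().items():
        print(f"{change:25s} {'bh verifies' if ok else 'body hash did not verify'}")
```

Relaxed canonicalization absorbs the trailing whitespace and extra blank lines (simple does not), but a rewritten URL or an appended banner yields a different bh= under either mode, which is the mismatch Gmail reports. The example ignores the optional l= body-length tag and does not cover the header hash or the RSA signature over it; an intermediary that only touched signed headers would not show up as a body-hash mismatch.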
Email marketers often face challenges with DKIM failing on Gmail, especially when corporate security solutions are in play. The primary concern revolves around email content being altered post-DKIM signing, leading to validation failures. Many marketers report encountering the "body hash did not verify" error, indicating that something in the email's content (such as URLs or added footers) has been changed, invalidating the cryptographic signature.
Key opinions
Internal email modifications: Many marketers observe that internal email addresses or corporate networks are more prone to DKIM failures because internal IT systems frequently rewrite or modify emails.
Security gateway interference: It is widely believed that security solutions like Proofpoint (or Mimecast, etc.) placed in front of email services like G Suite often cause DKIM to fail due to their interception and modification of email content.
URL rewriting is a major factor: Specifically, URL rewriting by systems like Proofpoint's TAP (Targeted Attack Protection) is a guaranteed way to break DKIM signatures because it alters the body of the email.
False positives in troubleshooting: Marketers sometimes go down a "rabbit hole" of troubleshooting their DKIM setup only to find the issue lies with their internal email security configuration.
Key considerations
Test with external recipients: To accurately diagnose, always send test emails to non-corporate, external Gmail accounts that are not behind your organization's email security filters. This helps distinguish internal configuration issues from broader deliverability problems. Need a tool? Try a free email testing tool.
Collaborate with IT: Marketers should work closely with their IT teams to understand how corporate email security solutions process outgoing and incoming messages and explore options for whitelisting or re-signing. This is critical for preventing Proofpoint Essentials emails from going to junk.
Check email headers carefully: Don't just rely on a simple pass/fail indicator. Dive into the "Authentication-Results" header to see specific details like the DKIM selector used and the exact error message (e.g., DKIM body hash mismatch failures).
Understand DMARC implications: Consistent DKIM failures, even if SPF passes, can impact DMARC alignment, potentially leading to deliverability issues to major ISPs like Gmail. Marketers need to understand why their emails are getting DMARC verification failed errors.
Marketer view
Email marketer from Email Geeks indicates they are experiencing widespread DKIM failures on Gmail for nearly all messages, except those originating directly from Google. This issue manifests as a "body hash did not verify" error when inspecting email originals, suggesting a consistent problem with content integrity after signing.
26 Jan 2024 - Email Geeks
Marketer view
Email marketer from Spiceworks Community shared an issue where emails receive an SPF hard fail, even though DKIM is set up and the sending server is included in the SPF record. This suggests complex interactions between authentication protocols and security configurations that can lead to unexpected failures.
15 Mar 2023 - Spiceworks Community
What the experts say
Email deliverability experts consistently point to email security gateways as a primary cause of DKIM validation failures, especially the common "body hash did not verify" error. Their consensus is that these systems, designed to protect users from threats, often inadvertently modify email content (e.g., rewriting URLs, adding disclaimers) after the original DKIM signature has been applied. This modification breaks the cryptographic link between the email content and its signature, leading to authentication failures at the receiving end, such as Gmail.
Key opinions
Body hash verification errors: Experts confirm that persistent "body hash did not verify" errors indicate that the email content was altered after DKIM signing. This is the most direct sign of tampering by an intermediary.
Intermediary modifications: Mailbox providers, anti-spam filters, and corporate security solutions (like Proofpoint) can and do modify emails, leading to DKIM authentication failures. These modifications are often done for security, compliance, or archival purposes.
Proofpoint's specific impact: Proofpoint's Targeted Attack Protection (TAP) is frequently cited as a component that breaks DKIM by rewriting URLs within email bodies, a common feature of advanced threat protection systems.
SPF and DKIM fragility: Both SPF and DKIM are inherently susceptible to breakage when emails pass through systems that modify or relay them. This is by design: DKIM binds the signature to the signed content, and SPF binds the envelope sender to the IP address of the connecting host, so a hop that rewrites the body or relays from an unlisted address defeats the corresponding check.
Exemptions and whitelisting: While SPF is also susceptible, most organizations configure their spam filters to exempt their filters' IP ranges from further scanning by the mailbox provider, mitigating SPF issues compared to DKIM. This is part of boosting email deliverability rates.
Key considerations
Analyze full authentication results: The "Authentication-Results" header provides critical clues. It reveals which DKIM selector was used, the signing domain, and the specific failure reason, helping to identify where the signature was broken. This is key to fixing DKIM failures at different ISPs.
Distinguish internal vs. external impact: Recognize that DKIM failures observed within a corporate network might be due to internal security measures and may not reflect broader deliverability issues to external recipients.
Consider ARC implementation: For environments with necessary intermediate modifications, implementing Authenticated Received Chain (ARC) can help preserve authentication legitimacy by providing a chain of custody for email authentication results. This allows receivers like Gmail to trust modified messages. AutoSPF provides more detail on ARC's role in email security.
Review security gateway configurations: Regularly audit and optimize the settings of email security solutions. Work with vendors or IT to ensure that necessary content modifications are handled in a way that minimizes impact on email authentication, or that messages are properly re-signed. This is essential for preventing emails from being blocked by Proofpoint.
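The header checks recommended above (read the Authentication-Results header, note the DKIM selector, the signing identity and the exact failure reason) are easier to do consistently with a small parser. The following is an added example for this page, not code from Gmail or from any source quoted here: it parses an RFC 8601 Authentication-Results header, splitting on semicolons only outside parenthesized comments, and reduces it to the facts a troubleshooter needs. The sample header is constructed; mx.google.com is the authserv-id Gmail uses, while the domain, selector, IP and signature fragment are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample (not copied from a real message). mx.google.com is the authserv-id
# Gmail uses; the domain, selector, IP and header.b fragment are placeholders.
SAMPLE_HEADER = """Authentication-Results: mx.google.com;
       dkim=fail (body hash did not verify) header.i=@example.com header.s=selector1 header.b=Abc12345;
       spf=pass (google.com: domain of bounce@example.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=bounce@example.com;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com"""

# method=result, optional (comment), then ptype.property=value pairs
RESINFO_RE = re.compile(
    r"^(?P<method>[\w-]+)=(?P<result>[\w-]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<props>.*)$", re.S
)
PROP_RE = re.compile(r"([\w-]+\.[\w-]+)=(\S+)")


def _split_outside_parens(text: str, sep: str = ";") -> List[str]:
    """Split on sep only at parenthesis depth 0, so comments may contain the separator."""
    parts, buf, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        if ch == sep and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_authentication_results(header: str) -> Dict:
    """Parse an RFC 8601 Authentication-Results header into its authserv-id and result entries."""
    value = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    value = re.sub(r"\r?\n[ \t]+", " ", value).strip()        # unfold continuation lines
    segments = _split_outside_parens(value)
    authserv_id = segments[0].split()[0] if segments else ""  # drop an optional version number
    results = []
    for seg in segments[1:]:
        m = RESINFO_RE.match(seg)
        if not m:
            continue  # unrecognized clause (e.g. a bare "none"); skip rather than fail the header
        results.append({
            "method": m["method"].lower(),
            "result": m["result"].lower(),
            "comment": (m["comment"] or "").strip(),
            "props": dict(PROP_RE.findall(m["props"])),
        })
    return {"authserv_id": authserv_id, "results": results}


def summarize(parsed: Dict) -> Dict:
    """Extract per-method results, the DKIM selector and signing identity, and whether the
    DKIM failure reason says the body was changed after signing."""
    first: Dict[str, Dict] = {}
    for r in parsed["results"]:
        first.setdefault(r["method"], r)  # first entry per method wins
    empty = {"result": "none", "comment": "", "props": {}}
    dkim, spf, dmarc = first.get("dkim", empty), first.get("spf", empty), first.get("dmarc", empty)
    return {
        "authserv_id": parsed["authserv_id"],
        "dkim": {
            "result": dkim["result"],
            "selector": dkim["props"].get("header.s"),
            "signing_identity": dkim["props"].get("header.i") or dkim["props"].get("header.d"),
            "reason": dkim["comment"],
        },
        "spf": {"result": spf["result"], "mailfrom": spf["props"].get("smtp.mailfrom")},
        "dmarc": {"result": dmarc["result"], "header_from": dmarc["props"].get("header.from")},
        # "body hash did not verify" means the canonicalized body no longer matches bh=,
        # i.e. something between signer and verifier altered the content.
        "body_modified": "body hash" in dkim["comment"].lower(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_authentication_results(SAMPLE_HEADER)), indent=2))
```

Run against a message's raw headers, the summary tells you at a glance whether DKIM failed because of a body change (body_modified), which selector and signing domain were involved, and whether SPF still carried DMARC. In the sample it did not, because the dmarc= clause records a fail, so the next step would be to look at the Received chain for the gateway that sat between signer and Gmail.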
Expert view
Email expert from Email Geeks explains that the DKIM signing domain and public key exist, but the issue lies elsewhere. They clarify that while the public key for the specific selector scph0520._domainkey.really.reallygoodemails.com is properly published in DNS, the "body hash did not verify" error indicates a post-signing modification.
26 Jan 2024 - Email Geeks
Expert view
Email expert from Spam Resource notes that email security gateways, especially those that perform URL rewriting or content modification, are common culprits for breaking DKIM signatures. These tools are designed to protect, but their actions can inadvertently invalidate the email's integrity stamp.
10 Apr 2023 - Spam Resource
What the documentation says
Official documentation and technical guides emphasize that DKIM validation hinges on the integrity of the email content from the point of signing to reception. Any modification to the signed parts of an email, including the body, headers, or attachments, will cause the DKIM signature to fail. This is precisely why security solutions that alter email content, such as URL rewriting or adding disclaimers, must be carefully configured to either re-sign the email (using technologies like ARC) or be exempted from modifying signed elements to preserve DKIM authenticity.
Key findings
DKIM's core principle: DKIM is designed to detect any alteration of an email's content or headers after it leaves the signing domain. A "body hash did not verify" error directly indicates a breach of this integrity.
Impact of security gateways: Email security gateways, including Proofpoint, frequently perform actions like URL encapsulation, footer insertion, or header modification that inherently break DKIM signatures by altering the signed content.
ARC as a solution: Authenticated Received Chain (ARC) is a standard designed to allow legitimate intermediaries to pass on authentication results even after modifying an email, ensuring DMARC continues to pass. Learn more in our guide on advanced email authentication.
Configuration importance: Proper configuration of email security solutions is paramount. This often involves either disabling content modification for specific traffic, or ensuring the security solution re-signs the email using its own DKIM keys or ARC.
Key considerations
Review vendor-specific guides: Consult the documentation provided by your email security gateway vendor (e.g., Proofpoint, Mimecast) for best practices on configuring their services to work harmoniously with DKIM and DMARC. For example, configuring Google Workspace for Proofpoint Essentials requires specific steps.
Leverage DMARC reports: DMARC aggregate and forensic reports provide detailed insights into which authentication methods (SPF or DKIM) are failing and where (which recipient ISPs). This data is invaluable for identifying systemic issues. Refer to troubleshooting DMARC reports from Google and Yahoo.
Implement DMARC policy gradually: Start with a p=none policy to monitor authentication results without impacting deliverability, then transition to quarantine or reject as issues are resolved.
Ensure proper SPF and DKIM setup: Verify that your SPF and DKIM records are correctly published and configured for all sending sources, as misconfigurations here can also lead to failures before any intermediaries are even involved.
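As an added example of the DMARC-report step above (written for this page, not code from Google, Yahoo or any vendor named here), the following Python tallies a DMARC aggregate (RUA) report per sending IP and separates the aligned results the receiver used for DMARC from the raw DKIM check that carries the selector. The XML is constructed and trimmed to the elements the summary reads; the organization name, report id, IPs, domain and selector are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict

# Constructed aggregate report: three sources, one of which is a forwarder that passes
# SPF for its own domain but is not aligned with the From: domain.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(el, path: str, default: str = "") -> str:
    found = el.find(path)
    return (found.text or "").strip() if found is not None else default


def summarize_report(xml_text: str) -> Dict:
    """Tally a DMARC aggregate report per source IP.

    row/policy_evaluated/dkim and /spf are the *aligned* results the receiver used for the
    DMARC verdict; auth_results holds the raw checks, which is where the DKIM selector lives.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    summary = {
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "total": 0, "dmarc_pass": 0, "dmarc_fail": 0,
        "by_source": {}, "dkim_failing_sources": [],
    }
    for rec in root.findall("record"):
        ip = _text(rec, "row/source_ip")
        count = int(_text(rec, "row/count", "0"))
        dkim_aligned = _text(rec, "row/policy_evaluated/dkim", "fail")
        spf_aligned = _text(rec, "row/policy_evaluated/spf", "fail")
        dmarc = "pass" if "pass" in (dkim_aligned, spf_aligned) else "fail"  # DMARC needs one aligned pass
        # the first record seen for an IP sets its aligned results; later records add to its count
        entry = summary["by_source"].setdefault(ip, {
            "count": 0, "dkim": dkim_aligned, "spf": spf_aligned, "dmarc": dmarc,
            "dkim_selector": None, "raw_dkim": "none",
        })
        entry["count"] += count
        raw_dkim = rec.find("auth_results/dkim")
        if raw_dkim is not None:
            entry["dkim_selector"] = _text(raw_dkim, "selector") or None
            entry["raw_dkim"] = _text(raw_dkim, "result")
        summary["total"] += count
        summary["dmarc_pass" if dmarc == "pass" else "dmarc_fail"] += count
        if dkim_aligned != "pass" and ip not in summary["dkim_failing_sources"]:
            summary["dkim_failing_sources"].append(ip)
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```

In the constructed report the first source is the pattern this page is about: the raw DKIM check fails for selector1 while aligned SPF still passes, so DMARC survives at p=none but would be one SPF hiccup away from failing. The third source is a forwarder whose SPF passes for its own domain yet is not aligned, so those five messages fail DMARC outright. Sorting real reports this way, by source IP and by which method carried the verdict, is how to tell a gateway that rewrites content apart from a sender that is simply missing from SPF.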
Technical article
Documentation from Vircom Support clarifies that Proofpoint Essentials has already scanned incoming emails for SPF and/or DKIM issues, and emails with issues are scored accordingly. This indicates that Proofpoint is an active participant in the authentication process and can influence results before messages reach their final destination like Gmail.
08 Sep 2023 - Vircom Support
Technical article
Documentation from AutoSPF explains that if an email fails SPF and/or DKIM, it will also fail the DMARC check. This is where ARC (Authenticated Received Chain) becomes useful, as it allows intermediary systems to modify emails while preserving their authentication history, which is critical for maintaining DMARC validity.