Is it common for Proofpoint to cause DKIM failures on Gmail?

Yes, it is very common. Email security solutions often alter the email's content or headers, which can break the DKIM signature. This is usually due to features like URL rewriting, adding disclaimers, or inserting tracking pixels. Gmail then detects this alteration, resulting in a 'body hash did not verify' error.

What does 'DKIM neutral (body hash did not verify)' mean?

A 'body hash did not verify' error means that the content of the email (the body) was modified after the DKIM signature was applied by the original sending server. The hash (a unique digital fingerprint) calculated by the receiving server (Gmail) no longer matches the hash recorded in the DKIM signature, indicating tampering or modification.

How can I verify if Proofpoint is causing my DKIM failures?

You can inspect the 'Authentication-Results' header of the email. In Gmail , open the email, click the three dots next to 'Reply,' and select 'Show original.' Look for a DKIM status of 'neutral' or 'fail' with the reason 'body hash did not verify'.

What are the common solutions to fix DKIM failures caused by Proofpoint?

Disabling URL rewriting (TAP) for specific trusted domains, configuring Proofpoint to bypass scanning for internal or already DKIM-signed messages, or adjusting policies that add corporate banners or disclaimers are common solutions. These adjustments prevent Proofpoint from modifying the email in a way that breaks its DKIM signature.

Why is DKIM failing on Gmail, and is Proofpoint causing it? - Troubleshooting - Email deliverability - Knowledge base

Many email senders experience frustrations when their perfectly configured DomainKeys Identified Mail (DKIM) signatures suddenly fail upon reaching Gmail inboxes. This issue often manifests as a 'body hash did not verify' error in the email headers, indicating that the message content was altered after it was signed. A common culprit behind this kind of alteration, particularly in corporate environments, is an email security gateway or a Secure Email Gateway (SEG) like Proofpoint.

While these security solutions are vital for protecting organizations from threats like phishing and malware, their methods of scanning and modifying emails can inadvertently invalidate email authentication protocols such as DKIM. Understanding why this happens and how to mitigate it is crucial for maintaining optimal email deliverability and ensuring your legitimate messages reach their intended recipients without being flagged as suspicious or spam.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Understanding DKIM

DKIM is an email authentication method that uses cryptographic signatures to verify that an email message has not been tampered with during transit and that it originates from a legitimate sender. When an email server sends a message, it generates a unique digital signature based on certain parts of the email, including headers and the body. This signature is then attached to the email's header.

The receiving server, in this case, Gmail, retrieves the sender's public key from their Domain Name System (DNS) records. It then uses this public key to decrypt the signature and re-calculate the hash of the email's headers and body. If the re-calculated hash matches the one in the signature, the email passes DKIM authentication, confirming its authenticity and integrity. This process helps prevent email spoofing and phishing attacks.

DKIM is a foundational component of modern email security, often working in conjunction with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Together, these protocols create a robust defense against unauthorized email use and are crucial for maintaining a healthy sender reputation, which directly impacts your email deliverability.

How Proofpoint causes DKIM failures

Proofpoint, like other Secure Email Gateways (SEGs), acts as an intermediary for email traffic, inspecting messages for malicious content before they reach the recipient's inbox. This inspection process often involves modifying the email, which can inadvertently invalidate the DKIM signature. The most common reasons for DKIM failures related to Proofpoint include:

URL rewriting (TAP): Proofpoint's Targeted Attack Protection (TAP) feature rewrites URLs in email bodies to scan them for threats when clicked. This alteration changes the email body, causing the DKIM body hash to mismatch at the receiving end, resulting in a 'body hash did not verify' error. This is a very common cause of DKIM failure when an SEG is in use.
Header modification: Proofpoint may add or modify certain email headers for internal tracking or security purposes. If these headers are included in the DKIM signature's canonicalization process, any change will invalidate the signature.
Content insertion: Corporate banners, disclaimers, or security warnings added to the email body by Proofpoint will also alter the message content, leading to a DKIM failure. Even minor additions can have this effect.

When an email passes through Proofpoint before reaching Gmail, the latter sees the modified email, not the original signed version. Since DKIM is designed to detect any alteration, even beneficial ones made by a security gateway, it correctly flags the email as having a failed or neutral signature. This is a common challenge when integrating third-party email security solutions with services like Gmail or Microsoft Office 365.

Diagnosing the DKIM body hash did not verify error

The first step in diagnosing a DKIM failure is to inspect the email headers. For emails received in Gmail, you can do this by opening the email, clicking the three dots next to the reply icon, and selecting 'Show original'. Look for the 'Authentication-Results' header, which provides a summary of all authentication checks performed by Gmail.

Example Gmail Authentication-Results Headerplaintext

Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@example.com header.s=selector1 header.b=signature;
       spf=pass (google.com: domain of sender@example.com designates 1.2.3.4 as permitted sender) smtp.mailfrom="sender@example.com"

In the example above, a 'dkim=neutral (body hash did not verify)' result clearly indicates that the email body was altered after it was DKIM signed. This is the smoking gun that points towards an intermediate system, like Proofpoint, modifying the message. If the DKIM status shows 'pass' from

Proofpoint's own authentication results, but then 'neutral' or 'fail' from

Gmail's, it strongly suggests Proofpoint is the intermediary modifying the message content.

It's also important to differentiate between internal and external email recipients. Often, internal emails routed through a company's SEG are subject to more aggressive scanning and modification than external emails. Test sending to a personal Gmail address or a recipient outside your organization's network can help determine if the issue is specific to internal routing or affects all outbound mail.

Solutions and best practices

Addressing DKIM failures caused by Proofpoint requires careful configuration of your email flow and security policies. The goal is to allow Proofpoint to perform its necessary security checks without invalidating the DKIM signature.

The problem: Content modification breaks DKIM

By default, email security gateways like

Proofpoint may alter email headers or body content for security purposes, such as URL rewriting, adding banners, or inserting disclaimers. These modifications change the email after the original DKIM signature has been applied by the sending server. When Gmail receives the altered message, it performs a DKIM check, calculates a new hash, and finds it doesn't match the original signature, leading to a DKIM failure (often 'body hash did not verify').

The solution: Configure trusted senders and modify policies

Bypass internal scanning: Configure Proofpoint to bypass scanning for internal or trusted domains that are already DKIM signed. This ensures messages from your domain are not altered before reaching Gmail.
Disable URL rewriting: If possible, disable URL rewriting (TAP) for specific internal or outbound email flows, especially for messages that are DKIM signed. This might require creating exceptions or specific routing rules within Proofpoint.
Adjust header/content modification rules: Review any policies that add footers, disclaimers, or modify headers, and adjust them to exclude DKIM-signed messages or ensure modifications occur after the email has been authenticated by the receiving server, if possible.

In some advanced configurations, you might consider having Proofpoint re-sign the email with its own DKIM signature after it has processed the message. This requires careful setup and may affect the alignment of your original domain's DKIM with DMARC. Most organizations find it more straightforward to prevent the initial DKIM signature from being broken.

Important configuration tips

When configuring Proofpoint, or any email security gateway, to prevent DKIM failures, keep the following in mind:

Co-ordination: Work closely with your IT security team responsible for Proofpoint to implement these changes. Misconfigurations can lead to significant deliverability issues or security vulnerabilities.
Testing: After any configuration changes, send test emails to various external recipients, especially Gmail addresses, and inspect the headers carefully to ensure DKIM passes successfully.
Review policies: Regularly review your Proofpoint policies to ensure they remain compatible with your email authentication setup, especially after any software updates or changes to your email infrastructure.

Views from the trenches

Best practices

Ensure Proofpoint is configured to trust your internal mail servers and domains, allowing their DKIM signatures to pass through untouched.

If possible, disable URL rewriting for internal emails or specific outbound flows where DKIM integrity is paramount.

Work with your IT security team to implement mail flow rules that exempt DKIM-signed messages from content modification where feasible.

Common pitfalls

Forgetting that internal emails often go through different processing paths that can break DKIM, even if external emails pass.

Overlooking subtle content modifications like added disclaimers or footers that can invalidate the DKIM body hash.

Assuming that a 'pass' on Proofpoint's internal checks means DKIM will also pass at the final destination (like Gmail).

Expert tips

Always inspect the 'Authentication-Results' header in Gmail's 'Show original' view to pinpoint the exact reason for a DKIM failure.

Consider creating exceptions for critical sending systems to prevent their DKIM signatures from being broken by security gateways.

Regularly monitor your DMARC reports to catch DKIM failures early, identifying whether the issues are consistent or isolated incidents.

Expert view

Expert from Email Geeks says: Work email boxes often rewrite or modify emails, which can cause DKIM to fail. This commonly occurs if corporate IT implements security solutions such as Proofpoint in front of services like G Suite or Microsoft 365, as these tools often add banners, modify subjects, or rewrite URLs by design.

2024-01-26 - Email Geeks

Expert view

Expert from Email Geeks says: Proofpoint's Targeted Attack Protection (TAP) feature is a likely cause of DKIM breakage due to its URL rewriting capabilities. This modification ensures that the email content no longer matches the original DKIM signature.

2024-01-26 - Email Geeks

Maintaining email authentication and deliverability

DKIM failures on

Gmail, particularly those indicating a 'body hash did not verify' error, are frequently a result of email security gateways like Proofpoint modifying message content in transit. While these solutions are essential for security, their default configurations can disrupt email authentication.

By understanding how DKIM works and how security solutions can interfere, you can implement targeted configurations within Proofpoint to preserve your DKIM signatures. Proactive monitoring of email headers and collaboration with your IT security team are key steps to ensuring your emails maintain their authenticity and reach the inbox successfully, reinforcing your domain's reputation.