When DKIM (DomainKeys Identified Mail) authentication passes for email providers like Gmail but fails specifically for Microsoft (Outlook.com, Hotmail.com, Office 365), it often indicates nuances in how Microsoft processes email headers and authentication. This discrepancy can be frustrating for senders, especially when DMARC (Domain-based Message Authentication, Reporting, and Conformance) reports indicate a pass, which usually relies on either SPF (Sender Policy Framework) or DKIM alignment. The primary reason for this failure often revolves around the DKIM signature not aligning with the sending domain, an outdated hashing algorithm, or internal forwarding practices within Microsoft's infrastructure that inadvertently break the signature.
Key findings
DKIM domain mismatch: If a third-party sending service (ESP) signs the email with its domain, while your header.from domain is different, Microsoft might flag this as a DKIM failure even if the signature itself is valid. This is often an alignment issue.
Outdated algorithms: Microsoft may be deprecating support for older hashing algorithms like SHA-1. If your ESP is still using SHA-1 for DKIM signing, upgrading to SHA-256 can resolve these failures.
Microsoft's internal processing: Microsoft's email servers often perform multiple internal forwarding and re-authentication steps, which can sometimes break the DKIM signature during transit. This is a known quirk of Microsoft's systems.
Header interpretation: Microsoft's Authentication-Results headers can be verbose and include diagnostic information that might initially confuse senders about the true status of DKIM. Understanding where to look for the d= tag (domain used for DKIM signature verification) is key.
Content modifications: Subtle changes to email content, such as a new line starting with a period, can invalidate the DKIM signature by changing the body hash.
Key considerations
Review email headers: Carefully examine the Authentication-Results headers received by Microsoft properties. Look for the dkim= entry and the header.d= value to understand which domain is being evaluated for DKIM and why it might be failing.
Engage your ESP: If a third-party service is handling your DKIM signing, open a support ticket with them. Inquire about their DKIM signing domain, the cryptographic algorithm used, and any known issues with Microsoft recipients. Request custom DKIM signing with your domain if possible, or ensure they are using rsa-sha256 or a more secure algorithm.
Ensure DKIM alignment: For DMARC to pass via DKIM, the domain in the d= tag of the DKIM signature must match or be a subdomain of your header.from domain. Microsoft can be stricter about this. Mailgun's blog highlights the importance of checking this alignment.
Monitor DMARC reports: Even if DMARC passes due to SPF alignment, persistent DKIM failures on Microsoft merit investigation. Regularly check DMARC aggregate reports to identify trends and specific issues.
Email marketers often face a puzzling scenario where their DKIM signatures pass seamlessly with major inbox providers like Gmail, yet consistently fail when sending to Microsoft-hosted inboxes (Outlook.com, Hotmail.com, Office 365). This discrepancy leads to confusion and potential deliverability issues, despite DMARC reports indicating an overall pass. The discussion among marketers frequently points to the complexities of third-party email service providers (ESPs) handling DKIM, the technical specifics of email authentication, and the unique, sometimes unpredictable, validation processes employed by Microsoft.
Key opinions
ESP control: Many marketers use ESPs like Postmark, and when DKIM fails, they realize it's the ESP's domain (d=espsdomain.net) that's being evaluated, not their own. This means the ESP is responsible for the DKIM signature's integrity.
DMARC passing due to SPF: Marketers often see DMARC passing even with DKIM failures at Microsoft because SPF is still aligning and authenticating the email. This can mask the underlying DKIM issue. Understanding DMARC alignment is crucial here.
Microsoft's quirks: There's a general consensus that Microsoft's email authentication processing can be unique and sometimes challenging, leading to seemingly inconsistent results compared to other providers like Gmail. This is often due to their internal processing of email traffic.
Shared IP challenges: When using shared IPs through an ESP, marketers question whether proper alignment is even possible or if the issue is on their end due to the ESP's DKIM signing practices. This directly impacts email deliverability to the inbox.
Key considerations
Custom DKIM signatures: Marketers should explore if their ESP allows for a customized DKIM signature that uses their own domain, rather than the ESP's. This directly impacts DKIM alignment for DMARC.
Algorithm upgrades: It's important to verify that the ESP uses modern hashing algorithms, specifically rsa-sha256. Outdated algorithms like SHA-1 might cause rejection or failure specifically with Microsoft. Configuring DKIM for Microsoft 365 with current standards is vital.
Provider communication: If DKIM failures persist, direct communication with the ESP's customer service or deliverability team is necessary. They can confirm their DKIM setup and investigate any specific issues with Microsoft.
Header review for diagnostics: Even though Microsoft's headers can be complex, marketers are advised to examine the raw message headers for clues, especially the dkim=fail and header.d= values, to inform their discussions with ESPs.
Marketer view
Email Marketer from Email Geeks inquires how Microsoft can show DKIM failing when Gmail and DMARC monitors indicate perfect passing, and if there's a specific setup for Microsoft to properly check DKIM.
13 Sep 2021 - Email Geeks
Marketer view
Email Marketer from Spiceworks Community reports that DKIM signing fails in Office 2021 Outlook, despite passing in other email clients like Thunderbird, indicating a Microsoft-specific issue.
22 Mar 2024 - Spiceworks Community
What the experts say
Email experts frequently delve into the intricacies of DKIM authentication, especially when it comes to the unique challenges posed by Microsoft’s email platforms. While core DKIM principles apply universally, Microsoft's implementation (including its internal processing, header interpretation, and evolving algorithm support) often introduces additional layers of complexity. Experts highlight the critical need to identify the true signer of the DKIM signature, the hashing algorithm in use, and potential conflicts arising from Microsoft's specific validation methods, offering insights beyond standard authentication troubleshooting.
Key opinions
External signing: Experts emphasize that if a third-party ESP (like Postmark) signs the DKIM, the DKIM signature's domain (d= tag) will be the ESP's domain, not the sender's. This means the sender has no control over that specific DKIM signature and must escalate issues to the ESP.
SHA-1 deprecation: There's a strong suspicion that Microsoft may be deprecating support for the older, less secure SHA-1 hashing algorithm. Senders are advised to urge their ESPs to use rsa-sha256 for DKIM signing.
Microsoft's unique header data: Microsoft's email headers often contain extensive diagnostic information, which can be confusing but sometimes reveals their specific analysis, like identifying the receiving domain as part of the header.d= value for DKIM evaluation.
Internal forwarding: Experts frequently point out that Microsoft's internal email forwarding, where messages pass through multiple internal servers, is a common cause for DKIM signatures breaking. This internal re-authentication process can inadvertently invalidate the signature.
Inaccuracies and inconsistencies: There's a consensus among experts that Microsoft's authentication mechanisms can sometimes produce inaccurate or inconsistent results, as evidenced by past issues where their SPF algorithm incorrectly identified internal IPs.
Key considerations
Header analysis: Thoroughly examining the Authentication-Results header in emails received by Microsoft is critical to pinpoint the exact reason for DKIM failure, specifically the dkim= and header.d= values. This is crucial for troubleshooting Office 365 authentication failures.
Algorithm updates: If SHA-1 is in use, push your ESP to transition to rsa-sha256. While newer algorithms like ed25519 exist (per RFC 8463), they lack widespread support, so rsa-sha256 remains the current best practice for broad compatibility, including with Microsoft. This can help with diagnosing and reducing DKIM temporary error rates with Microsoft.
Content formatting: Be mindful of obscure message formatting issues, such as starting a new line with a period, which can cause subtle changes to the message body and lead to DKIM signature invalidation. Refer to resources from Word to the Wise for more on these technical nuances.
Expect Microsoft-specific behavior: Anticipate that Microsoft's authentication checks might behave differently than other mail providers. While frustrating, understanding these differences helps in troubleshooting and setting realistic expectations.
Expert view
Deliverability Expert from Email Geeks asks for clarification on where the DKIM failure is observed, specifically whether it's in the Authentication-Results headers or ARC-Authentication-Results.
13 Sep 2021 - Email Geeks
Expert view
Deliverability Expert from Word to the Wise reminds that at the SMTP level, email is fundamentally a simple line-by-line text-based protocol, which makes message integrity highly sensitive to any alterations.
14 Nov 2018 - Word to the Wise
What the documentation says
Official documentation and technical analyses provide a foundational understanding of DKIM, its implementation, and potential failure points. These resources clarify the roles of various headers (like d= for signing domain), canonicalization methods, and hashing algorithms. They also shed light on how receiving mail servers, particularly Microsoft, interpret and validate these signatures, including specific error codes like temperror, and the implications of identifier alignment for DMARC. Understanding these technical specifications is key to resolving complex DKIM failures.
Key findings
DKIM signature components: DKIM signatures include parameters such as the version (v=), algorithm (a=), canonicalization method (c=), signing domain (d=), and selector (s=), all of which are critical for proper validation. For a deeper dive into these, refer to a simple guide to DMARC, SPF, and DKIM.
Alignment failure: A common cause of DKIM failure, particularly concerning DMARC, is identifier alignment issues where the d= domain in the DKIM signature does not align with the header.from domain, as detailed by Skysnag.
Microsoft-specific error codes: Microsoft can report specific DKIM statuses, such as temperror in DMARC reports, indicating a temporary issue with DNS lookup during signature validation, as explained by URIports Blog. For more info, see decoding DKIM temperror.
Hash algorithm importance: The choice of hashing algorithm, such as rsa-sha256, is crucial for DKIM signature security and acceptance. While newer, more secure options like ed25519 (RFC 8463) exist, their adoption is not yet universal.
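As an added illustration (not code from this page or from any of the sources it cites) of the signature tags and identifier alignment described above, and of the dkim= and header.d= fields the earlier sections tell you to inspect, the following Python snippet parses a constructed DKIM-Signature and Authentication-Results pair and reports whether the signing domain aligns with the From domain in relaxed and strict mode, and whether the signature uses SHA-1. All header values and domains are constructed, and the organizational-domain logic is a simplified stand-in for a Public Suffix List lookup.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (not a real message): the ESP signs with d=espsdomain.net,
# while the visible From: is the customer's domain example.com.
FROM_HEADER = "Example Sender <news@example.com>"
DKIM_SIGNATURE = ("v=1; a=rsa-sha1; c=relaxed/relaxed; d=espsdomain.net; s=pm; "
                  "h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZXNpZw==")
AUTH_RESULTS = ("mx.example.net; dkim=pass header.d=espsdomain.net header.s=pm; "
                "spf=pass smtp.mailfrom=example.com")

def parse_tags(value):
    """Split a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def parse_auth_results(value):
    """Pull the dkim= verdict and header.d= domain out of Authentication-Results."""
    verdict = re.search(r"\bdkim=(\w+)", value)
    domain = re.search(r"\bheader\.d=([\w.-]+)", value)
    return (verdict.group(1) if verdict else None,
            domain.group(1).lower() if domain else None)

def org_domain(domain):
    """Simplified organizational domain (last two labels; real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def dkim_aligned(signing_domain, from_domain, mode="relaxed"):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "strict":
        return signing_domain.lower() == from_domain.lower()
    return org_domain(signing_domain) == org_domain(from_domain)

def diagnose(from_header, dkim_sig, auth_results):
    """Summarize why a dkim=pass may still not satisfy DMARC for this message."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    tags = parse_tags(dkim_sig)
    verdict, ar_domain = parse_auth_results(auth_results)
    return {
        "dkim_result": verdict,
        "signing_domain": ar_domain or tags.get("d"),
        "aligned_relaxed": dkim_aligned(tags["d"], from_domain),
        "aligned_strict": dkim_aligned(tags["d"], from_domain, "strict"),
        "sha1_signature": tags.get("a", "").lower().endswith("sha1"),
    }

print(diagnose(FROM_HEADER, DKIM_SIGNATURE, AUTH_RESULTS))
```

For the constructed message the signature verifies (dkim=pass) yet aligns in neither mode and uses rsa-sha1, which is exactly the pattern the page describes: DMARC can only pass via SPF, and the fix belongs with the ESP (custom signing domain and rsa-sha256).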
Key considerations
DNS records configuration: Properly configuring your DKIM DNS record for Microsoft 365, as detailed by O365Info, is essential to prevent spam and phishing, ensuring the public key is correctly published and accessible.
Strict alignment enforcement: Microsoft may enforce stricter DKIM alignment than DMARC's relaxed mode allows. This implies that even if your DKIM passes, a failure in alignment between the signing domain and the From header domain can lead to rejection or lower deliverability.
Body hash integrity: The DKIM signature's body hash must remain unchanged. Any modification to the email body, even a minor one, after signing will cause the DKIM signature to fail verification.
Forwarding impact: Email forwarding can break DKIM signatures if the forwarding server modifies the message content or headers, affecting the calculated hash. This is a common challenge with email list servers.
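The body-hash and forwarding points above, together with the leading-period example from the experts section, as an added example (not code from this page or from the cited sources): this Python snippet recomputes the DKIM body hash under the simple and relaxed canonicalization rules of RFC 6376 for a constructed message body and shows which in-transit changes relaxed mode tolerates and which break verification. The bodies are constructed; the DKIM-Signature header itself is not parsed, so the signed hash and canonicalization mode are passed in directly.

```python
import base64
import hashlib
import re

def canonicalize_body(body, mode="relaxed"):
    """Body canonicalization as in RFC 6376 section 3.4: 'simple' only drops
    trailing empty lines; 'relaxed' also strips trailing whitespace on each
    line and collapses runs of whitespace to a single space."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:  # empty body: a single CRLF under simple, nothing under relaxed
        return "" if mode == "relaxed" else "\r\n"
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body, mode="relaxed", algo="sha256"):
    """Recompute the bh= value: base64 of the digest of the canonical body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

def verify_body(body, signed_bh, mode="relaxed"):
    """True when the body as received still matches the bh= value that was signed."""
    return body_hash(body, mode) == signed_bh

# Constructed sample body (not a real message) as it was at signing time ...
ORIGINAL = "Hello,\r\nYour invoice is attached.\r\n.\r\nThanks\r\n"
# ... after a relay added trailing whitespace (harmless under relaxed) ...
WHITESPACE_CHANGE = "Hello,  \r\nYour invoice is attached.\t\r\n.\r\nThanks\r\n"
# ... and after a relay mishandled the line consisting of a single period
# (SMTP dot-stuffing), leaving ".." in the body, which changes the hash.
DOT_CHANGE = "Hello,\r\nYour invoice is attached.\r\n..\r\nThanks\r\n"

if __name__ == "__main__":
    relaxed_bh = body_hash(ORIGINAL, "relaxed")
    simple_bh = body_hash(ORIGINAL, "simple")
    for name, body in [("original", ORIGINAL), ("whitespace", WHITESPACE_CHANGE),
                       ("dot", DOT_CHANGE)]:
        print(name, "relaxed:", verify_body(body, relaxed_bh, "relaxed"),
              "simple:", verify_body(body, simple_bh, "simple"))
```

When a message that verified at Gmail fails at a Microsoft property, comparing the recomputed hash against the signed value on a copy of the message retrieved from each mailbox is the quickest way to tell a body modification in transit from an alignment or algorithm problem.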
Technical article
Documentation from Skysnag Blog explains that DKIM failure can result from identifier alignment issues or problems with the DKIM record setup for messages originating from your domain.
22 Oct 2022 - Skysnag
Technical article
Microsoft 365 configuration instructions from O365Info outline how to set up DKIM (DomainKeys Identified Mail) for Microsoft 365 to enhance protection against spam and phishing attacks.