Why is my DKIM body hash failing and how do I fix it?

Key findings

• Integrity Compromised: A failing body hash signifies that the email content was modified after the DKIM signature was applied, meaning the message delivered is not identical to the one signed.
• Authentication Failure: Despite other DKIM header checks sometimes appearing to pass, the body hash failure causes the overall DKIM authentication to fail, diminishing sender trust.
• Deliverability Impact: This issue is very serious for email deliverability, often leading to messages being quarantined or sent to the spam folder, particularly when DMARC policies are enforced.
• Modification Causes: Common causes include changes to line breaks, URL rewriting, or the addition/removal of spaces within the email body by intermediate servers or security services.

Key considerations

• Identify Modification Source: Pinpoint where modifications occur in the email's journey. This often involves checking email security services, gateways, or ESPs that might alter content.
• Review DKIM Canonicalization: Ensure your DKIM setup uses a canonicalization method that tolerates minor, harmless changes, such as 'relaxed' canonicalization, if needed.
• Consistent Content: Strive for consistency in email content from signing to delivery, minimizing any unintended alterations.
• Diagnostic Tools: Utilize header analysis tools to get precise feedback on where the DKIM authentication is failing.

Key opinions

• Transit Modifications: Many marketers find that email content is altered en-route by various systems, leading directly to body hash failures. Common culprits include email security services, gateways, or even mailing list software that adds footers or rewrites URLs.
• Subtle Changes are Critical: Even seemingly minor modifications, such as changes in line breaking or the insertion/removal of a single space, are enough to cause the DKIM body hash to fail validation.
• Misleading Passes: It's common for headers to show 'DKIM Alignment' or other green tickmarks, yet the 'DKIM Authentication' fails specifically due to the 'DKIM Signature Body Hash' not verifying, indicating a deceptive superficial pass.
• Diagnostic Trust: When tools like MXToolbox report a body hash failure, it is generally considered reliable; if the body hash doesn't verify, DKIM will ultimately fail, regardless of other indicators.
• Impact on Deliverability: A failing body hash means the email is effectively not DKIM signed, which is a serious issue if DKIM is relied upon for inbox placement and avoiding the spam folder.

Key considerations

• Scrutinize Mail Flow: Investigate every step an email takes after signing to identify any intermediate services that could be modifying the message body.
• Check Security Services: Determine if email security services (e.g., Proofpoint, Mimecast) are performing any changes like URL rewriting or inserting disclaimers, as these will invalidate the hash. This is a common cause for DKIM body hash errors on Outlook.com.
• Debugging Effort: For intermittent body hash failures, the time and effort required for debugging might outweigh the actual benefit, depending on the volume and criticality of affected messages. However, for consistent failures, it is a priority.
• Signature Generation: Verify the tool or routine used to create the DKIM signature, as incorrect hash generation itself can be the root cause of the problem.

Key opinions

• Any Alteration is Critical: Experts emphasize that any change to the email body, including whitespace modifications or hidden characters, will invalidate the DKIM body hash, causing authentication failure.
• Intermediate Proxies: Transparent email forwarding services, mailing lists, or email gateways are frequent culprits for modifying messages and subsequently breaking DKIM body hashes.
• Canonicalization's Role: The choice of DKIM canonicalization (simple or relaxed) significantly affects tolerance for body modifications. 'Simple' is very strict, while 'relaxed' allows minor whitespace changes without breaking the hash.
• Sending Server or Proxy Issues: Persistent body hash failures often point to a problem with the sending mail server's DKIM signing process or an intermediate proxy introducing changes before final delivery.
• Content Modification is Common: Beyond line breaks, common content modifications by intermediate servers, such as link rewriting or disclaimer insertion, are very frequent causes of body hash failures. This also relates to why DKIM signatures may not validate.
• Impact on DMARC: If a DMARC policy is in place, a DKIM body hash failure will likely result in the email being rejected or quarantined, even if SPF passes, because DMARC requires either SPF or DKIM to align.

Key considerations

• Review Mail Flow Path: Thoroughly map out the email's journey from your mail server to the recipient, identifying any services or software that could touch and modify the message body.
• Adjust Canonicalization: Consider switching to 'relaxed' canonicalization for both header and body within your DKIM signature configuration if you suspect minor, unavoidable modifications are occurring.
• Proactive Testing: Regularly send test emails through your full mail stream to various mailbox providers to detect when and where DKIM body hash failures start to occur.
• Security Solutions: Examine the settings of your anti-spam and email security solutions. Some may insert footers, disclaimers, or rewrite URLs, which must be configured not to interfere with DKIM. This is part of boosting deliverability rates.

Key findings

• 'bh' Tag Purpose: RFC 6376 defines the 'bh' (body hash) tag as containing a hash of the message body, which is calculated by the signer and used by the verifier to ensure the body's integrity during transmission.
• Canonicalization Algorithms: The DKIM specification outlines 'simple' and 'relaxed' canonicalization algorithms for the message body. These determine how whitespace and minor structural changes impact the hash calculation, directly affecting whether the hash verifies.
• Platform Modifications: Documentation from providers like Microsoft or AWS often explains that their services (e.g., Office 365, Exchange Online Protection, SES) might modify email content for various reasons, potentially leading to DKIM body hash failures if signatures are applied before these modifications occur.
• Header Integrity: While this discussion focuses on the body hash, the entire DKIM signature process involves hashing selected headers as well, highlighting the comprehensive nature of DKIM for message integrity.

Key considerations

• Adherence to RFCs: Ensure your DKIM signing implementation strictly adheres to RFC 6376 concerning body hash calculation and canonicalization to avoid discrepancies.
• Understand Platform Behaviors: Familiarize yourself with the specific behaviors of any ESPs, security gateways, or other services in your mail flow that might modify email content, and adjust your DKIM signing accordingly.
• Secure Configuration: Properly configure your DKIM setup, including canonicalization settings, to accommodate anticipated modifications without breaking the signature. This helps prevent both temporary and permanent DKIM errors.
• Monitor Reports: Utilize DMARC reports to monitor DKIM authentication outcomes, including specific failures like body hash mismatches, providing data-driven insights into issues.