Summary
A DKIM body hash failure indicates that the email body has been altered between the signing process and verification. This can stem from incorrect signature generation or modifications by various sources, including line break changes, encoding issues, email security services, SMTP servers, or third-party tools. To resolve this, one must ensure correct DKIM implementation, prevent content modifications after signing, and review the email flow to identify altering intermediaries. Utilize debugging tools to validate the DKIM signature and key management. Proper configuration of outbound email settings, including signing after Exchange-related transport rules if applicable, is critical. If the changes are minor and infrequent, it might not be worth the debugging effort.
Key findings
- DKIM Failure Consequence: A failing DKIM body hash leads to overall DKIM validation failure, affecting email authentication and potentially deliverability.
- Signing Issues: Problems with hash generation or an invalid key can result in body hash failures.
- Content Modification Problems: Various email handling services, such as security filters, SMTP servers appending footers, and third-party integrations, are common causes of alterations.
- Encoding & Format: Character encoding problems or alterations to line breaks and spaces cause problems.
- Complexity and value: Minor and infrequent causes may not be worth debugging effort.
Key considerations
- Verify DKIM Key: Confirm that your DKIM record is correctly implemented and that your key is valid.
- Prevent Content Modification: Identify and prevent any services from altering the email body after the DKIM signature is applied.
- Email Flow Review: Review the email's path from sending to receiving to identify if any intermediaries modify its content.
- Examine Raw Email Messages: If possible, compare raw email data pre and post transport to help reveal alteration points.
- Debugging: If you encounter a consistent problem, it is worth using a DKIM debugging tool to examine the specific problems.
- Transport Rules: Ensure DKIM signing occurs AFTER any transport rules, in order to be valid.
What email marketers say
11 marketer opinions
A DKIM body hash failure indicates that the email body has been altered between the time it was signed and the time it was received. Common causes include line break changes, character encoding issues, email security services modifying content, SMTP servers adding tracking pixels or disclaimers, and third-party services like link trackers. To fix this, review the email flow, identify modifying intermediaries, ensure correct UTF-8 encoding, use DKIM validators, and implement DKIM correctly, checking the key and domain record.
Key opinions
- Content Alteration: Changes to the email body after DKIM signing, such as line breaks, spaces, or character encoding, cause hash mismatches.
- Intermediary Services: Email security services, SMTP servers, and third-party tools (link trackers, etc.) can modify email content, leading to DKIM failures.
- Encoding Issues: Incorrect character encoding, especially with special characters, can result in DKIM body hash failures.
- Key Configuration: An incorrect DKIM key, domain record, or selector can all lead to DKIM failing.
Key considerations
- Review Email Flow: Examine the entire email path from sender to recipient to identify any services or servers that may be altering the content.
- Validate DKIM Signature: Use DKIM validator tools to check the signature and identify where the signing process is breaking.
- Test Thoroughly: Send test emails and examine raw email data to pinpoint content changes and ensure proper DKIM implementation.
- Implement Correctly: Ensure that you are properly generating a DKIM key and ensure it is valid.
- Disable Services: Try temporarily disabling all services that may be editing your content to ensure your DKIM passes.
Marketer view
Email marketer from Valimail shares that common causes include: line ending changes, character encoding issues, or modifications by intermediaries like email security services. Also URL rewriting by security services. It is important to check for these issues in the sending process.
7 May 2024 - Valimail
Marketer view
Email marketer from Email Geeks shares that line breaking could be the issue as even adding or removing a single space between signing and delivery would cause the hash to fail. They ask if it's happening on every message because If it's only the odd one or too it could take you more time to try and debug than it's actually worth....
8 Mar 2022 - Email Geeks
What the experts say
6 expert opinions
A DKIM body hash failure means the DKIM check fails entirely. The problem arises either from incorrect signing or because the email content is altered after signing, especially by intermediate servers or content modification services. Addressing it requires correct hash generation, identifying and preventing post-signing content changes, and properly configuring mail relays.
Key opinions
- DKIM Failure: A failed body hash means the entire DKIM validation fails, undermining email authentication.
- Incorrect Signing: Problems in the hash generation process itself can cause the verification to fail.
- Content Modification: Any alteration of the email body after DKIM signing leads to hash mismatches and failure.
- Intermediate Servers: Mail relays that modify the email content before delivery invalidate the DKIM signature.
Key considerations
- Verify Hash Generation: Ensure the DKIM signature is created correctly with proper configuration.
- Prevent Content Changes: Identify and eliminate any services that might be altering the email body after signing.
- Check Mail Relays: Review all mail relays to prevent them from modifying the content before delivery.
Expert view
Expert from Email Geeks shares that if the DKIM body hash fails, nothing is passing and DKIM is failing.
13 Aug 2024 - Email Geeks
Expert view
Expert from Email Geeks explains If the body hash doesn’t verify, DKIM will fail.
5 May 2025 - Email Geeks
What the documentation says
6 technical articles
A DKIM body hash failure signifies that the email body has been modified after signing, due to content changes or encoding issues. Fixing it involves preventing content alteration, verifying DKIM configuration, debugging with tools like `opendkim-testkey`, examining raw messages to identify changes, and ensuring correct email settings, especially with Exchange servers where signing should occur post-transport rules.
Key findings
- Content Alteration: The primary cause is modifications to the email body between signing and verification, including encoding changes.
- Configuration Issues: Incorrect DKIM configuration, key management, or outbound email settings lead to signature failures.
- Exchange Server Impact: Exchange servers are known to alter messages, requiring DKIM signing after transport rules.
Key considerations
- Prevent Body Changes: Ensure that the email body remains unaltered after DKIM signing.
- Verify DKIM Configuration: Check DKIM selector, key, and overall setup for correctness.
- Use Debugging Tools: Employ tools like `opendkim-testkey` to diagnose signature and key issues.
- Examine Raw Messages: Compare raw email messages before and after sending to identify modifications.
- Correct signing order: Ensure DKIM signing occurs AFTER any Exchange-related transport rules, in order to be valid.
Technical article
Documentation from Oracle explains that it's important to configure outbound email settings to ensure correct DKIM signing. It's important to verify the selector, the key and make sure that the signing takes place before any modifications to the email can occur.
3 Sep 2023 - Oracle
Technical article
Documentation from Microsoft explains that Exchange servers are known to alter messages during transport. Therefore, the DKIM signing should occur AFTER any Exchange-related transport rules, in order to be valid.
1 Apr 2022 - Microsoft
How can a phishing email pass SPF and DKIM authentication checks?
How do I fix DKIM failing body hash verification?
How do I fix DMARC failures with OpenAir due to lack of DKIM signing?
How do I interpret SpamAssassin DKIM test results and troubleshoot DKIM signature issues?
Is DKIM signature case-sensitive and what causes DKIM tester errors?
