Suped

Summary

A DKIM body hash failing means that the recipient's mail server calculated a hash of the email body that does not match the hash provided in the DKIM signature by the sender. This mismatch indicates that the email body has been altered in some way after it was signed by the sending domain, compromising its integrity. When this occurs, the DKIM authentication for the email fails, which can significantly impact email deliverability and lead to messages being marked as spam or rejected. Understanding how DKIM, SPF, and DMARC work together is crucial for diagnosing and resolving such issues.

Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

What email marketers say

Email marketers frequently encounter the perplexing issue of a failing DKIM body hash, even when other authentication checks seem to pass. This problem is particularly frustrating because it can severely impact inbox placement and overall email deliverability. The core concern often revolves around unintended alterations to the email body during transit, often by intermediate services that modify content for various reasons like tracking or security. These subtle changes, like an extra space or a modified line break, are enough to invalidate the cryptographic hash.

Marketer view

An Email Marketer from Email Geeks indicates that the 'Body Hash did not verify' message is a significant concern, even if other DKIM headers appear to pass, highlighting a deeper issue with email integrity.

22 Jul 2020 - Email Geeks

Marketer view

A Community Member from Spiceworks Community observes that for received emails, even if 'DKIM Alignment' passes, 'DKIM Authentication' can still fail due to 'DKIM Signature Body Hash' issues.

15 Mar 2023 - Spiceworks Community

What the experts say

Email deliverability experts highlight that a failing DKIM body hash is a clear signal that the integrity of an email message has been compromised post-signing. They emphasize that while DKIM's header signature can pass validation, the 'bh' tag (body hash) verification is paramount for ensuring the email's content remains unaltered. Common causes often involve intermediate mail transfer agents (MTAs) or security solutions that modify the email body, even subtly. This issue is particularly critical because it directly impacts DMARC authentication, leading to significant deliverability problems like messages being blocked or sent to junk folders. Understanding canonicalization algorithms and the entire mail flow path is essential for diagnosing and resolving these failures.

Expert view

A Deliverability Expert from Spamresource.com emphasizes that any alteration to the email body, even seemingly minor ones like whitespace changes, will inevitably invalidate the DKIM body hash, leading to authentication failure.

10 Apr 2024 - Spamresource.com

Expert view

A Consultant from Wordtothewise.com highlights that transparent email forwarding services or mailing lists frequently modify messages in transit, which is a common reason for DKIM body hash failures.

22 Jun 2023 - Wordtothewise.com

What the documentation says

Official documentation and technical specifications provide the foundational understanding of why a DKIM body hash might fail. The 'bh' tag, as defined in the DKIM standard (RFC 6376), is central to verifying the message body's integrity. These documents detail the canonicalization algorithms (simple and relaxed) that dictate how the message body is prepared for hashing, influencing its sensitivity to modifications. Furthermore, platform-specific documentation from major email service providers (ESPs) often explains how their systems might modify email content for security, compliance, or tracking purposes, which can inadvertently break DKIM signatures if not accounted for during the signing process.

Technical article

RFC 6376, the DKIM Signatures specification, states that the 'bh' (body hash) tag contains the hash of the message body, calculated by the signer and subsequently used by the verifier to ensure the integrity of the body has been maintained during transmission.

2011 - RFC 6376

Technical article

The DKIM specification outlines the critical role of canonicalization algorithms, specifically 'simple' and 'relaxed,' for the message body, which determine how whitespace and other modifications are handled when calculating the body hash.

2011 - DKIM Specification

7 resources

Start improving your email deliverability today

Get started