Summary
A DKIM body hash failing means that the recipient's mail server calculated a hash of the email body that does not match the hash provided in the DKIM signature by the sender. This mismatch indicates that the email body has been altered in some way after it was signed by the sending domain, compromising its integrity. When this occurs, the DKIM authentication for the email fails, which can significantly impact email deliverability and lead to messages being marked as spam or rejected. Understanding how DKIM, SPF, and DMARC work together is crucial for diagnosing and resolving such issues.
Key findings
- Integrity Compromised: A failing body hash signifies that the email content was modified after the DKIM signature was applied, meaning the message delivered is not identical to the one signed.
- Authentication Failure: Despite other DKIM header checks sometimes appearing to pass, the body hash failure causes the overall DKIM authentication to fail, diminishing sender trust.
- Deliverability Impact: This issue is very serious for email deliverability, often leading to messages being quarantined or sent to the spam folder, particularly when DMARC policies are enforced.
- Modification Causes: Common causes include changes to line breaks, URL rewriting, or the addition/removal of spaces within the email body by intermediate servers or security services.
Key considerations
- Identify Modification Source: Pinpoint where modifications occur in the email's journey. This often involves checking email security services, gateways, or ESPs that might alter content.
- Review DKIM Canonicalization: Ensure your DKIM setup uses a canonicalization method that tolerates minor, harmless changes, such as 'relaxed' canonicalization, if needed.
- Consistent Content: Strive for consistency in email content from signing to delivery, minimizing any unintended alterations.
- Diagnostic Tools: Utilize header analysis tools to get precise feedback on where the DKIM authentication is failing.
What email marketers say
Email marketers frequently encounter the perplexing issue of a failing DKIM body hash, even when other authentication checks seem to pass. This problem is particularly frustrating because it can severely impact inbox placement and overall email deliverability. The core concern often revolves around unintended alterations to the email body during transit, often by intermediate services that modify content for various reasons like tracking or security. These subtle changes, like an extra space or a modified line break, are enough to invalidate the cryptographic hash.
Key opinions
- Transit Modifications: Many marketers find that email content is altered en-route by various systems, leading directly to body hash failures. Common culprits include email security services, gateways, or even mailing list software that adds footers or rewrites URLs.
- Subtle Changes are Critical: Even seemingly minor modifications, such as changes in line breaking or the insertion/removal of a single space, are enough to cause the DKIM body hash to fail validation.
- Misleading Passes: It's common for headers to show 'DKIM Alignment' or other green tickmarks, yet the 'DKIM Authentication' fails specifically due to the 'DKIM Signature Body Hash' not verifying, indicating a deceptive superficial pass.
- Diagnostic Trust: When tools like MXToolbox report a body hash failure, it is generally considered reliable; if the body hash doesn't verify, DKIM will ultimately fail, regardless of other indicators.
- Impact on Deliverability: A failing body hash means the email is effectively not DKIM signed, which is a serious issue if DKIM is relied upon for inbox placement and avoiding the spam folder.
Key considerations
- Scrutinize Mail Flow: Investigate every step an email takes after signing to identify any intermediate services that could be modifying the message body.
- Check Security Services: Determine if email security services (e.g., Proofpoint, Mimecast) are performing any changes like URL rewriting or inserting disclaimers, as these will invalidate the hash. This is a common cause for DKIM body hash errors on Outlook.com.
- Debugging Effort: For intermittent body hash failures, the time and effort required for debugging might outweigh the actual benefit, depending on the volume and criticality of affected messages. However, for consistent failures, it is a priority.
- Signature Generation: Verify the tool or routine used to create the DKIM signature, as incorrect hash generation itself can be the root cause of the problem.
An Email Marketer from Email Geeks indicates that the 'Body Hash did not verify' message is a significant concern, even if other DKIM headers appear to pass, highlighting a deeper issue with email integrity.
A Community Member from Spiceworks Community observes that for received emails, even if 'DKIM Alignment' passes, 'DKIM Authentication' can still fail due to 'DKIM Signature Body Hash' issues.
What the experts say
Email deliverability experts highlight that a failing DKIM body hash is a clear signal that the integrity of an email message has been compromised post-signing. They emphasize that while DKIM's header signature can pass validation, the 'bh' tag (body hash) verification is paramount for ensuring the email's content remains unaltered. Common causes often involve intermediate mail transfer agents (MTAs) or security solutions that modify the email body, even subtly. This issue is particularly critical because it directly impacts DMARC authentication, leading to significant deliverability problems like messages being blocked or sent to junk folders. Understanding canonicalization algorithms and the entire mail flow path is essential for diagnosing and resolving these failures.
Key opinions
- Any Alteration is Critical: Experts emphasize that any change to the email body, including whitespace modifications or hidden characters, will invalidate the DKIM body hash, causing authentication failure.
- Intermediate Proxies: Transparent email forwarding services, mailing lists, or email gateways are frequent culprits for modifying messages and subsequently breaking DKIM body hashes.
- Canonicalization's Role: The choice of DKIM canonicalization (simple or relaxed) significantly affects tolerance for body modifications. 'Simple' is very strict, while 'relaxed' allows minor whitespace changes without breaking the hash.
- Sending Server or Proxy Issues: Persistent body hash failures often point to a problem with the sending mail server's DKIM signing process or an intermediate proxy introducing changes before final delivery.
- Content Modification is Common: Beyond line breaks, common content modifications by intermediate servers, such as link rewriting or disclaimer insertion, are very frequent causes of body hash failures. This also relates to why DKIM signatures may not validate.
- Impact on DMARC: If a DMARC policy is in place, a DKIM body hash failure will likely result in the email being rejected or quarantined, even if SPF passes, because DMARC requires either SPF or DKIM to align.
Key considerations
- Review Mail Flow Path: Thoroughly map out the email's journey from your mail server to the recipient, identifying any services or software that could touch and modify the message body.
- Adjust Canonicalization: Consider switching to 'relaxed' canonicalization for both header and body within your DKIM signature configuration if you suspect minor, unavoidable modifications are occurring.
- Proactive Testing: Regularly send test emails through your full mail stream to various mailbox providers to detect when and where DKIM body hash failures start to occur.
- Security Solutions: Examine the settings of your anti-spam and email security solutions. Some may insert footers, disclaimers, or rewrite URLs, which must be configured not to interfere with DKIM. This is part of boosting deliverability rates.
A Deliverability Expert from Spamresource.com emphasizes that any alteration to the email body, even seemingly minor ones like whitespace changes, will inevitably invalidate the DKIM body hash, leading to authentication failure.
A Consultant from Wordtothewise.com highlights that transparent email forwarding services or mailing lists frequently modify messages in transit, which is a common reason for DKIM body hash failures.
What the documentation says
Official documentation and technical specifications provide the foundational understanding of why a DKIM body hash might fail. The 'bh' tag, as defined in the DKIM standard (RFC 6376), is central to verifying the message body's integrity. These documents detail the canonicalization algorithms (simple and relaxed) that dictate how the message body is prepared for hashing, influencing its sensitivity to modifications. Furthermore, platform-specific documentation from major email service providers (ESPs) often explains how their systems might modify email content for security, compliance, or tracking purposes, which can inadvertently break DKIM signatures if not accounted for during the signing process.
Key findings
- 'bh' Tag Purpose: RFC 6376 defines the 'bh' (body hash) tag as containing a hash of the message body, which is calculated by the signer and used by the verifier to ensure the body's integrity during transmission.
- Canonicalization Algorithms: The DKIM specification outlines 'simple' and 'relaxed' canonicalization algorithms for the message body. These determine how whitespace and minor structural changes impact the hash calculation, directly affecting whether the hash verifies.
- Platform Modifications: Documentation from providers like Microsoft or AWS often explains that their services (e.g., Office 365, Exchange Online Protection, SES) might modify email content for various reasons, potentially leading to DKIM body hash failures if signatures are applied before these modifications occur.
- Header Integrity: While this discussion focuses on the body hash, the entire DKIM signature process involves hashing selected headers as well, highlighting the comprehensive nature of DKIM for message integrity.
Key considerations
- Adherence to RFCs: Ensure your DKIM signing implementation strictly adheres to RFC 6376 concerning body hash calculation and canonicalization to avoid discrepancies.
- Understand Platform Behaviors: Familiarize yourself with the specific behaviors of any ESPs, security gateways, or other services in your mail flow that might modify email content, and adjust your DKIM signing accordingly.
- Secure Configuration: Properly configure your DKIM setup, including canonicalization settings, to accommodate anticipated modifications without breaking the signature. This helps prevent both temporary and permanent DKIM errors.
- Monitor Reports: Utilize DMARC reports to monitor DKIM authentication outcomes, including specific failures like body hash mismatches, providing data-driven insights into issues.
RFC 6376, the DKIM Signatures specification, states that the 'bh' (body hash) tag contains the hash of the message body, calculated by the signer and subsequently used by the verifier to ensure the integrity of the body has been maintained during transmission.
The DKIM specification outlines the critical role of canonicalization algorithms, specifically 'simple' and 'relaxed,' for the message body, which determine how whitespace and other modifications are handled when calculating the body hash.
