Why is Outlook breaking DKIM keys and how can I fix it?

Key findings

• Message alteration: Outlook (and other email providers) can break DKIM signatures if they modify the email message in any way after it has been signed by the sender, such as during forwarding, or due to their internal security processes.
• Character encoding: Issues often stem from non-ASCII characters or differences in how Outlook processes character encoding (e.g., expecting UTF-8) versus what the sender uses.
• Canonicalization: Subtle changes in header or body canonicalization (how the email is formatted for signing and verification) can lead to DKIM failures.
• Forwarding vs. direct send: While forwarding is a common cause of DKIM breakage, some users experience failures even when sending directly from their MTAs to Outlook, indicating pre-validation modifications.

Key considerations

• Monitor DMARC reports: Regularly check your DMARC reports for failure trends specific to Outlook recipients. This provides insight into why DKIM validation fails.
• Ensure proper encoding: Verify that your email content and headers are encoded correctly, preferably using UTF-8, and avoid out-of-spec characters that could be altered.
• Review canonicalization methods: If you control your DKIM signing, ensure you are using a relaxed canonicalization (e.g., relaxed/relaxed) for both header and body, as this is more tolerant to minor modifications.
• Test thoroughly: Send test emails to various Outlook accounts, including different versions or configurations, to replicate and diagnose the issue.
• Address forwarding challenges: Be aware that email forwarding often breaks DKIM due to modifications. This might be an acceptable trade-off for DMARC enforcement against spoofing if the volume of forwarded emails is low.

Key opinions

• Inconsistent breakage: Marketers frequently observe Outlook breaking DKIM keys for some customers but not others, or failing to replicate the issue with personal test accounts.
• Message modification suspicion: There's a strong belief that Outlook modifies messages prior to DKIM validation, introducing failures, even when emails are sent directly from MTAs.
• Impact of forwarding: Forwarded emails are a known pain point, often breaking DKIM and causing DMARC failures, which can complicate enforcement policies for senders concerned about spoofing.
• Encoding and character issues: Some speculate Outlook looks for specific encoding like UTF-8, and out-of-spec characters or conversions (e.g., tabs to spaces) can break signatures.
• Global service provider impact: Specific email service providers, like Postmark, are noted to experience widespread DKIM breakage with Outlook across multiple clients, suggesting a broader issue.

Key considerations

• Seek detailed failure reasons: Marketers need access to message headers and DMARC reports for clear reasons behind DKIM failures, which is not always readily available.
• Standardize character sets: Prioritize using a consistent and widely supported character set, such as UTF-8, for all email content to minimize parsing issues by recipient servers.
• Evaluate DMARC enforcement tolerance: For clients with strict DMARC policies, consider the trade-off of a few failed emails due to Outlook forwarders versus the strong anti-spoofing benefits of an enforcing policy.
• Implement DMARC: Microsoft's new requirements for high-volume senders, effective May 5, 2025, mandate SPF, DKIM, and DMARC compliance to avoid deliverability issues.

Key opinions

• Canonicalization is key: Differences in how sending and receiving servers (like Outlook) canonicalize (normalize) email headers or bodies can lead to DKIM signature mismatches.
• Encoding sensitivity: Outlook's systems are particularly sensitive to character encoding, and non-UTF-8 characters or subtle encoding shifts can cause DKIM validation to fail.
• Modification is the culprit: Any alteration to the email's content (headers or body) after it has been signed will invalidate the DKIM signature, regardless of who or what made the change.
• DMARC report insights: DMARC reports provide critical diagnostic information, including 'temperror' results, which can indicate DNS lookup issues during DKIM validation by Outlook.
• Key strength: Using weaker 1024-bit DKIM keys increases vulnerability and can lead to easier breakage or spoofing, prompting recommendations for 2048-bit keys.

Key considerations

• Use relaxed canonicalization: To increase tolerance for minor modifications, configure DKIM to use relaxed/relaxed canonicalization for both header and body.
• Ensure UTF-8 encoding: Confirm that all outgoing emails adhere to UTF-8 encoding standards to prevent character-related DKIM failures at Outlook.
• Upgrade DKIM keys: Transition from 1024-bit to 2048-bit DKIM keys where possible to enhance cryptographic strength and reduce vulnerability to breakage.
• Align with Microsoft requirements: Stay informed about Microsoft's evolving email authentication requirements, including mandatory SPF, DKIM, and DMARC policies for high-volume senders.
• Monitor DMARC and domain reputation: Proactive DMARC monitoring and tracking your sender reputation through tools like Google Postmaster Tools are essential for early detection of issues and maintaining trust.

Key findings

• Non-ASCII characters: Microsoft's email servers can break DKIM signatures if non-ASCII characters are present in the email body, leading to 'body hash did not verify' errors.
• Canonicalization differences: Variations in how email canonicalization is applied by different mail servers (sending vs. receiving) can cause DKIM failures.
• Forwarding modifications: Forwarding services, especially those that add footers or modify message structure, are prone to breaking DKIM signatures, even if SPF passes via SRS.
• Strict compliance requirements: Microsoft is increasingly enforcing SPF, DKIM, and DMARC authentication for high-volume senders, making proper configuration essential for deliverability.
• DNS lookup issues: A 'temperror' result in DMARC reports from Outlook.com often indicates a temporary issue during DNS lookup for DKIM validation.

Key considerations

• Adhere to standards: Ensure your email sending infrastructure strictly adheres to RFC standards for email formatting and DKIM signing, particularly regarding character sets.
• Implement DMARC properly: Utilize DMARC with a reporting policy to receive feedback on authentication failures, which can help diagnose DKIM issues with Outlook and other providers.
• Update DKIM keys: Consider upgrading to 2048-bit DKIM keys if currently using 1024-bit keys, as recommended for enhanced security.
• Understand DMARC alignment: Even if SPF passes, DKIM breakage can lead to DMARC failure if the DKIM signature is not aligned, highlighting the importance of both authentication methods.
• Split long DKIM records: If facing issues with TXT record length limitations from DNS providers, split your DKIM value into multiple 255-character chunks.