DKIM Body Hash Mismatch

A DKIM body hash mismatch occurs when the body of the email changes after the DKIM signature was created. DKIM signs the message body and stores a body hash in the DKIM-Signature header using the bh= parameter. When the receiving server recalculates the body hash, it must match the original value. If the content changes during delivery, the recalculated hash becomes different and DKIM verification fails.

One-Minute Fix

Ensure that no system modifies the email body after DKIM signing. Gateways, forwarding services, mailing lists, and security tools must not add footers or rewrite message content after signing.

Correct message delivery
Email message
DKIM-Signature: v=1;
   a=rsa-sha256;
   d=example.com;
   s=selector1;
   bh=abc123originalhash;
   b=signaturevalue
  
  Body sent by sender:
  Hello John,
  Your invoice is attached.
  
  Body received by mailbox provider:
  Hello John,
  Your invoice is attached.

The body received by the mailbox provider must match the body that was originally signed.


Wrong vs correct setup

Wrong setup

Email message
DKIM-Signature: v=1;
   a=rsa-sha256;
   d=example.com;
   s=selector1;
   bh=abc123originalhash;
   b=signaturevalue
  
  Body sent by sender:
  Hello John,
  Your invoice is attached.
  
  Body received by mailbox provider:
  Hello John,
  Your invoice is attached.
  
  --
  Scanned by SecureMail Gateway

The gateway added a footer after the message was signed. Because the body changed, the recalculated body hash no longer matches the bh value stored in the DKIM header.

Correct setup

Email message
DKIM-Signature: v=1;
   a=rsa-sha256;
   d=example.com;
   s=selector1;
   bh=abc123originalhash;
   b=signaturevalue
  
  Body sent by sender:
  Hello John,
  Your invoice is attached.
  
  Body received by mailbox provider:
  Hello John,
  Your invoice is attached.

The body delivered to the receiver is identical to the body that was signed. Because the content did not change, the recalculated body hash matches the bh value and DKIM verification succeeds.

Why this happens

DKIM body hash mismatches usually happen when downstream systems modify email content after the signature was created. Security gateways, mailing lists, forwarding services, and link rewriting tools frequently introduce these changes.

Why this is a problem

  • DKIM authentication fails.
  • DMARC may fail if DKIM was expected to provide aligned authentication.
  • Mailbox providers may distrust the message.
  • Legitimate email can land in spam.

How this affects deliverability

Mailbox providers rely on DKIM to verify that a message was not modified in transit. When the body hash fails verification, the receiver cannot confirm the integrity of the message content.

Common causes

  • Mail gateways adding legal disclaimers or security footers.
  • Mailing lists modifying the body of the message.
  • Security systems rewriting links inside the email.
  • Forwarding services reformatting the message content.

What we checked

We verified whether the DKIM body hash stored in the DKIM-Signature header matches the hash calculated from the received message body.
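The same check can be reproduced offline. The following is an added example, not this page's checker code: it applies the body canonicalization rules from RFC 6376, hashes the received body, and compares the result with the bh value. The sample signature is constructed for the demo, bare LF line endings are normalized to CRLF as an assumption, and the optional l= body-length tag is not handled.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376 sections 3.4.3 and 3.4.4."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: " + mode)
    lines = re.split(rb"\r?\n", body)
    if mode == "relaxed":
        # Collapse whitespace runs to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # both modes ignore empty lines at the end of the body
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "simple", algo: str = "sha256") -> str:
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tags, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(sig_value: str, received_body: bytes) -> bool:
    tags = parse_tags(sig_value)
    algo = tags["a"].split("-")[1]  # "rsa-sha256" -> "sha256"
    # c= is "header/body"; the body part defaults to simple when absent.
    mode = (tags.get("c", "simple").split("/") + ["simple"])[1]
    return body_hash(received_body, mode, algo) == tags["bh"]

# Constructed sample: the page's example body, signed with c=relaxed/relaxed.
SIGNED = b"Hello John,\r\nYour invoice is attached.\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;\r\n"
       "   bh=" + body_hash(SIGNED, "relaxed") + "; b=signaturevalue")
FOOTER = SIGNED + b"\r\n--\r\nScanned by SecureMail Gateway\r\n"

if __name__ == "__main__":
    print("unchanged body:", body_hash_matches(SIG, SIGNED))
    print("footer added:  ", body_hash_matches(SIG, FOOTER))
```

Running it on a saved message with both canonicalization modes shows whether a whitespace-only change or a real content change is responsible: relaxed canonicalization tolerates trailing and repeated whitespace, while an appended footer breaks the hash in either mode.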


FAQ

Can small formatting changes break DKIM?

Yes. Even small changes such as added footers, rewritten links, or altered whitespace can invalidate the DKIM body hash.

Does this mean the sender is malicious?

Not necessarily. Many legitimate messages fail DKIM because an intermediate system modified the message after signing.

How do I fix this safely?

Identify which system modifies the message after DKIM signing and disable those changes or move DKIM signing later in the mail flow.

Next steps

  • Send a test email and inspect the DKIM-Signature header.
  • Check whether the body changed during delivery.
  • Review gateways and mailing list software.
  • Ensure DKIM signing happens after all content modifications.
  • Send another test email and verify DKIM now passes.
  • Review the full troubleshooting guidance in the DKIM Hub.
  • Explore sender authorization issues in the SPF Hub.
  • Review alignment and policy issues in the DMARC Hub.
