What You Need To Know About DKIM Fail | EasyDMARC

What You Need To Know About DKIM Fail


In the digitized world, email authentication is crucial in safeguarding sensitive information. DomainKeys Identified Mail (DKIM) is one of three protocols leading to full DMARC record compliance. Thus, a DKIM fail can result in phishing, spoofing, and man-in-the-middle attacks.

DKIM verifies email integrity. It uses cryptographic signatures to verify that an email message was sent by the claimed sender domain and was not altered in transit. This helps block email spoofing and forgery attempts, such as inserting malicious links, stealing sensitive information, or infecting systems with malware.

This article explores the implications of DKIM fail and offers steps to resolve any DKIM issues.

Why DKIM Fails

Occasionally, DKIM verification can fail, leaving emails vulnerable to potential threats. This section covers seven reasons a DKIM failure can happen.

Syntax Errors

A DKIM record is a string of text, and a single error in it can lead to misconfiguration. The easiest way to avoid this issue is to use a trusted DKIM record generator.

DKIM Signature Alignment Failure

This issue occurs when the alignment between the “From” header domain and the domain specified in the DKIM signature fails. There are three alignment options: strict, relaxed, and no alignment.

DKIM alignment failures can happen for several reasons:

  • Incorrect configuration of DKIM settings or DNS records
  • The “From” header modification during email forwarding
  • Email header changes by some mailing list services
  • Email header changes by some email gateways or security systems

In these cases, the domain owner must ensure that no interference can disrupt DKIM authentication.

No DKIM Configured for Third-Party Services

Each email vendor has its own instructions for configuring DKIM on outbound emails. Because DKIM relies on a private/public key pair, each ESP keeps its own unique private key and gives you the matching public key to publish in your DNS.

Mail Server Communication Issues

Whether it’s DNS resolution timeouts or failures, network connectivity problems, or port blocking, some server issues can cause a DKIM fail. It’s crucial to ensure stable communication between servers at all times. This approach will help you avoid DKIM verification failures.

Message Body Modifications by MTAs

Mail Transfer Agents (MTAs) can alter the original email, for example by adding a compliance footer to a received message before auto-forwarding it. This can interfere with DKIM verification and may produce the verification result “dkim=neutral (DKIM signature body hash not verified).”

We’ll talk more in-depth about this error and how to fix it later in the article.

DNS Outage or Downtime

If your DKIM authentication failed, there’s a chance it was caused by a DNS outage or downtime. The reasons for DNS outages vary, but DDoS attacks, DNS misconfiguration, and connectivity problems are the most common.

Regardless of the reason, a DNS downtime can cause a DKIM fail.


Why Do I See DKIM=Fail (“Body Hash Did Not Verify”)?

The “DKIM body hash not verified” status means the computed hash of the message body doesn’t correspond to the body hash value stored in the “bh=” tag of the DKIM signature.

There are several reasons DKIM fails, and the “body hash did not verify” error pops up:

  • Email Content Changes: As mentioned above, some corporate email servers attach inline text to the bottom of incoming emails. If the change happens after the DKIM signature has been applied, the signature cannot be verified, and a DKIM check returns an invalid result.
  • Email Gateway Interference: Sometimes, a DKIM fail happens because of an email gateway or a security system. As they scan for spam or malware, they might change the email content, causing the discrepancy.
  • Transport Layer Security (TLS) Issues: The main point of TLS is to secure email in transit. If it fails, content alteration in transit becomes possible, resulting in DKIM failure.

Several other reasons may cause DKIM=neutral (“body hash did not verify”):

  • The signer calculated the signature value incorrectly
  • Someone spoofed the email and signed it without having the correct private key
  • The public key specified in the DKIM-Signature header is incorrect
  • The public key published by the email sender in their DNS is incorrect
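To make the bh= check concrete, here is an added example (not code from the article or from EasyDMARC) that canonicalizes a message body as RFC 6376 requires, recomputes the body hash and compares it with the bh= tag of a constructed DKIM-Signature header. The sample body, footer and signature values are constructed for illustration; the b= value is a placeholder, since only bh= is checked here.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, mode: str = "simple") -> bytes:
    """RFC 6376 body canonicalization: 'simple' or 'relaxed'."""
    if mode == "relaxed":
        lines = body.split(b"\r\n")
        # collapse runs of whitespace to one SP, then drop whitespace at the end of each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
        body = b"\r\n".join(lines)
    # both modes: remove empty lines at the end of the body, then end with exactly one CRLF
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def compute_body_hash(body: bytes, mode: str = "simple", algo=hashlib.sha256) -> str:
    """The value that belongs in the bh= tag: base64(hash(canonicalized body))."""
    return base64.b64encode(algo(canonicalize_body(body, mode)).digest()).decode()

def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs (folding whitespace is ignored)."""
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            name, val = field.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def body_hash_verifies(signature: str, body: bytes) -> bool:
    """Recompute bh= over the body as received and compare it with the signed value."""
    tags = parse_dkim_signature(signature)
    _, _, body_canon = tags.get("c", "simple/simple").partition("/")
    algo = hashlib.sha1 if tags.get("a", "rsa-sha256").endswith("sha1") else hashlib.sha256
    return compute_body_hash(body, body_canon or "simple", algo) == tags.get("bh")

# Constructed sample: the body exactly as the signer hashed it (relaxed canonicalization)
ORIGINAL_BODY = b"Hello  Alice,\r\n\r\nYour invoice is attached.\t\r\n\r\n\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sig1;\r\n"
             " h=from:to:subject; bh=" + compute_body_hash(ORIGINAL_BODY, "relaxed") +
             ";\r\n b=PLACEHOLDER")  # b= (the RSA signature) is not needed for the bh= check
# What a gateway that appends a compliance footer hands to the next hop
FORWARDED_BODY = ORIGINAL_BODY + b"--\r\nThis email was scanned by CorpGateway.\r\n"

if __name__ == "__main__":
    print("original body:   bh verifies =", body_hash_verifies(SIGNATURE, ORIGINAL_BODY))   # True
    print("footer appended: bh verifies =", body_hash_verifies(SIGNATURE, FORWARDED_BODY))  # False
```

Relaxed canonicalization tolerates whitespace changes (extra spaces, trailing tabs) but not appended text, which is exactly why a footer added by a forwarding gateway turns a passing signature into “body hash did not verify”.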

If DKIM alignment fails, the chances of passing DMARC get smaller: DMARC can then pass only if SPF passes with alignment. If SPF alignment also fails, DMARC fails. At least one of the two protocols must pass with alignment for DMARC to pass.

It’s crucial to investigate all sources appearing in the failed section to determine whether they are valid or malicious. If you recognize the source, we recommend you configure SPF and DKIM for it. If the source in question is illegitimate, investigate it – the source might be trying to send malicious emails using your domain.

Here are some steps to investigate the source:

  • Ask yourself if you recognize the source
  • Try to find information about the source on the internet
  • Find out if the source appears on RBL blacklist websites
  • Use forensic reports to see what kind of emails the source sends
  • If the source is valid, you can configure DKIM for it using vendor documentation or using our Source Configuration blog category.
  • If all else fails, contact the ESP for more information

How to Resolve DKIM Failures?

Resolving DKIM failures needs a systematic approach to identifying and addressing underlying issues. Here are some steps to resolve DKIM failures:

  • Identify the Cause of DKIM Failure: Getting to the bottom of DKIM failure starts by reviewing the notification or error message. Recipient servers usually include valuable insight in these messages. You can also check the DKIM signature itself and see if it has a proper configuration. This process doesn’t need to be manual – EasyDMARC has a DKIM checker that can identify any issues and discrepancies.
  • Verify DNS Records: Ensure that the DKIM public key (a DNS TXT record) is published and accessible. The DKIM selector specified in the email header should match the corresponding DNS record.
  • Check Email Content Integrity: Even minor changes in the email content after DKIM signing can cause DKIM verification failure.
  • Review Email Gateway Configurations: Some security systems might change the email content in a way that affects DKIM authentication.
  • Use Transport Layer Security (TLS): All emails should go through TLS. Ensuring that it works correctly and is up-to-date prevents content alteration during transit.
  • Track DKIM Performance in Aggregate Reports: This helps detect and address any issues as they occur. EasyDMARC’s Aggregate Reports Analyzer can help you follow up with DKIM failures and resolve them at once.
  • Consult with Email Service Providers (ESPs): Each ESP is unique when it comes to DKIM. Thus, asking support teams for advice can help with specific cases.
  • Follow DKIM Best Practices: Use strong cryptographic algorithms, rotate DKIM keys periodically, and maintain consistent email configurations across your infrastructure.
  • In-app Email Source Identification: Our system can recognize 1,000+ sources in our DB and provides directions on how to set up DKIM (and SPF) for the given source.
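The syntax errors mentioned earlier and the “Verify DNS Records” step above can be checked against the tag rules for key records in RFC 6376 section 3.6.1. The following checker is an added example, not EasyDMARC’s tool; feed it the TXT value returned for selector._domainkey.yourdomain. The records it inspects here are constructed, and the p= value is base64 of a dummy string, not a real key.

```python
import base64
import re

VALID_TAGS = {"v", "h", "k", "n", "p", "s", "t"}   # tags defined for key records in RFC 6376 3.6.1

def check_dkim_record(record: str) -> list:
    """Return the problems found in a DKIM public-key TXT record; an empty list means it looks valid."""
    problems = []
    rec = re.sub(r"\s+", "", record.strip().strip('"'))   # folding whitespace is ignored; drop stray quotes
    tags, order = {}, []
    for field in filter(None, rec.split(";")):
        if "=" not in field:
            problems.append(f"malformed field without '=': {field!r}")
            continue
        name, value = field.split("=", 1)
        if name in tags:
            problems.append(f"duplicate tag {name}=")
        elif name not in VALID_TAGS:
            problems.append(f"unknown tag {name}=")
        tags[name] = value
        order.append(name)
    if "v" in tags and (tags["v"] != "DKIM1" or order[0] != "v"):
        problems.append("v= must be 'DKIM1' and, when present, the first tag")
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif tags["p"] == "":
        problems.append("p= is empty: key is revoked, signatures will not verify")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:   # binascii.Error is a ValueError: bad alphabet or padding
            problems.append("p= is not valid base64 (typo, truncated copy or stray quote?)")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type k={tags['k']}")
    for alg in filter(None, tags.get("h", "").split(":")):
        if alg not in ("sha1", "sha256"):
            problems.append(f"unknown hash algorithm in h=: {alg}")
    for flag in filter(None, tags.get("t", "").split(":")):
        if flag not in ("y", "s"):
            problems.append(f"unknown flag in t=: {flag}")
    return problems

# Constructed records: the p= value is base64 of a dummy string, not a real RSA key
GOOD_P = base64.b64encode(b"constructed key bytes, not a real public key").decode()
GOOD_RECORD = f"v=DKIM1; k=rsa; h=sha256; p={GOOD_P}"
BAD_RECORD = f'"k=rsa; v=DKIM1; p={GOOD_P}!"'   # v= not first, stray character inside p=

if __name__ == "__main__":
    print(check_dkim_record(GOOD_RECORD) or "OK", check_dkim_record(BAD_RECORD))
```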

Resolving DKIM failures may need collaboration with email administrators, DNS administrators, and email service providers. Regular monitoring and proactive maintenance tools like EasyDMARC help maintain email security and ensure successful DKIM verification.

Comments
Geoffrey Brown
Apr 23, 2024

Why is it that, when looking at aggregate reports, the DKIM information sometimes misses the name of the DKIM signature (sig1 in my case). This is taken from the DKIM AUTHENTICATION RESULTS of the aggregate report:

DKIM authentication results Reporter
—————————————————–
· Pass with mrgizmo.nz (s=sig1) google.com
· Pass with mrgizmo.nz (s=sig1) google.com
· Pass with mrgizmo.nz amazon-ses
· Pass with mrgizmo.nz amazon-ses
· Pass with mrgizmo.nz (s=sig1) google.com
· Pass with mrgizmo.nz amazon-ses

Presumably, because it is flagging a pass, this can only occur in all cases if the sig1 DKIM signature was used for DKIM checking. Is this correct?

It appears that amazon-ses does not mention the signature used in their aggregate reports. It would seem that aggregate reports do not need to have this information (DKIM signature name used). This seems a bit silly as it is possible to have more than one signature for DKIM – e.g. a sig1._domainkey.mrgizmo.nz and a sig2._domainkey.mrgizmo.nz. Are some aggregate reports “sloppy” in their reporting of detail or does the standard not require this information to be reported?

Hagop K. (EasyDMARC Admin)
Apr 23, 2024
Reply to Geoffrey Brown

Indeed, you’re correct. Aggregate reports rely entirely on how the MBPs deliver them, and occasionally we encounter instances of missing or inaccurate data. As you pointed out, Amazon SES is one such service that omits the DKIM selector (s=) from its reports.

Geoffrey Brown
Apr 23, 2024

The mention in the DKIM commentary above states:
—————————————————————————————————–
Email Content Changes: As mentioned above, some corporate email servers attach inline text to the bottom of incoming emails
—————————————————————————————————–

Should this not say …attach inline text to the bottom of outgoing emails…

Geoffrey, New Zealand.

Hagop K. (EasyDMARC Admin)
Apr 23, 2024
Reply to Geoffrey Brown

This discussion focuses on incoming emails from the receiver’s end, which have the capacity to compromise the integrity of the originally sent email. When receivers add inline text to the message, it can alter its integrity, thereby increasing the probability of DKIM failure.

Geoffrey Brown
Apr 24, 2024

Not being an expert on these new email features, it makes more logical sense for the issue to occur on outgoing emails (i.e. at the sender end). This is because adding signatures or disclaimers is a fairly common thing.

On the other hand, at the receiving end, you first need to receive the email before changing anything about it. The receiving process will need to deal with the DKIM side of things and only once this is done can changes to email occur (like putting warnings into email about links etc).

I wonder how much of an issue either of these are these days however as in both cases making sure that you only process DKIM with the content sent by the sender avoids any receiving errors. Likewise, on the sending end, making sure you only calculate the DKIM check code once the final email is complete (with disclaimers etc) also avoids the issue completely I would have thought.
