What You Need To Know About DKIM Fail

In the digitized world, email authentication is crucial in safeguarding sensitive information. DomainKeys Identified Mail (DKIM) is one of three protocols leading to full DMARC record compliance. Thus, a DKIM fail can result in phishing, spoofing, and man-in-the-middle attacks.

DKIM verifies email integrity. It uses cryptographic signatures to verify that an email message comes from the claimed sender domain. This protocol blocks any attempts at email spoofing and forgery. Examples include inserting malicious links, compromising sensitive information, and infecting systems with malware.

This article explores the implications of DKIM fail and offers steps to resolve any DKIM issues.

Why DKIM Fails

Occasionally, DKIM verification can fail, leaving emails vulnerable to potential threats. This section dives into seven reasons this DMARC fails to happen.

Syntax Errors

DKIM record is a string of text, and one error could lead to misconfiguration. The easiest way to avoid this issue is to use a trusted DKIM record generator.

DKIM Signature Alignment Failure

This issue occurs when the alignment between the “From” header domain and the domain specified in the DKIM signature fails. There are three alignment options: strict, relaxed, and no alignment.

DKIM alignment failures can happen for several reasons:

• Incorrect configuration of DKIM settings or DNS records
• The “From” header modification during email forwarding
• Email header changes by some mailing list services
• Email header changes by some email gateways or security systems

In these cases, the domain owner must ensure that no interference can disrupt DKIM authentication.

No DKIM Configured for Third-Party Services

Each email vendor has their own instructions to configure DKIM on outbound emails. As DKIM configuration combines a private and public key, each ESP maintains a unique private key and shares a public key you can use.

Mail Server Communication Issues

Whether it’s DNS resolution timeouts or failures, network connectivity problems, or port blocking, some server issues can cause a DKIM fail. It’s crucial to ensure stable communication between servers at all times. This approach will help you avoid DKIM verification failures.

Message Body Modifications by MTAs

Mail Transfer Agents (MTAs) can alter the original email while adding the compliance footer text to the received email before auto-forwarding. Sometimes, this interferes with DKIM verification. This might result in the DKIM verification result “dkim=neutral (DKIM signature body hash not verified).”

We’ll talk more in-depth about this error and how to fix it later in the article.

DNS Outage or Downtime

If your DKIM authentication failed, there’s a chance that it’s because of a DNS outage or downtime. DNS outage reasons vary, but DDoS attacks, DNS misconfiguration, and connectivity occur most often.

Regardless of the reason, a DNS downtime can cause a DKIM fail.

Why Do I See DKIM=Fail (“Body Hash Did Not Verify)?

The “DKIM body hash not verified” status means the computed hash of the message body doesn’t correspond to the body hash value stored in the “bh=” tag of the DKIM signature.

There are several reasons DKIM fails, and the “body hash did not verify” error pops up:

• Email Content Changes: As mentioned above, some corporate email servers attach inline text to the bottom of incoming emails. If the change happens after applying the DKIM check, the DKIM signature can not be verified. A DKIM check would return invalid results.
• Email Gateway Interference: Sometimes, a DKIM fail happens because of an email gateway or a security system. As they scan for spam or malware, they might change the email content, causing the discrepancy.
• Transport Layer Security (TLS) Issues: The main point of TLS is to secure email in transit. If it fails, content alteration in transit becomes possible, resulting in DKIM failure.

Several other reasons may cause DKIM=neutral (“body hash did not verify”)

• The signer calculated the signature value incorrectly
• Someone spoofed the email and signed it without having the correct private key
• The public key specified in the DKIM-Signature header is incorrect
• The public key published by the email sender in their DNS is incorrect

If the DKIM alignment failed, the chances of passing DMARC get smaller. If SPF alignment also failed, DMARC alignment will not work as well. You need at least one protocol to pass for the DMARC to pass.

It’s crucial to investigate all sources appearing in the failed section to identify them as valid or malicious. If you recognize the source, we recommend you configure SPF and DKIM. If the source under question is illegitimate, investigate this – the source might try to send malicious emails using your domain.

Here are some steps to investigate the source:

• Ask yourself if you recognize the source
• Try to find information about the source on the internet
• Find out if the source appears on RBL blacklist websites
• Use forensic reports to see what kind of emails the source sends
• If the source is valid, you can configure DKIM for it using vendor documentation or using our Source Configuration blog category.
• If all else fails, contact the ESP for more information

How to Resolve DKIM Failures?

Resolving DKIM failures needs a systematic approach to identifying and addressing underlying issues. Here are some steps to resolve DKIM failures:

• Identify the Cause of DKIM Failure: Getting to the bottom of DKIM failure starts by reviewing the notification or error message. Recipient servers usually include valuable insight in these messages. You can also check the DKIM signature itself and see if it has a proper configuration. This process doesn’t need to be manual – EasyDMARC has a DKIM checker that can identify any issues and discrepancies.

• Verify DNS Records: Ensure that the DKIM public key (a DNS TXT record) is published and accessible. The DKIM selector specified in the email header should match the corresponding DNS record.
• Check Email Content Integrity: Even minor changes in the email content after DKIM signing can cause DKIM verification failure.
• Review Email Gateway Configurations: Some security systems might change the email content in a way that affects DKIM authentication.
• Use Transport Layer Security (TLS): All emails should go through TLS. Ensuring that it works correctly and is up-to-date prevents content alteration during transit.
• Track DKIM Performance in Aggregate Reports: This helps detect and address any issues as they occur. EasyDMARC’s Aggregate Reports Analyzer can help you follow up with DKIM failures and resolve them at once.
• Consult with Email Service Providers (ESPs): Each ESP is unique when it comes to DKIM. Thus, asking support teams for advice can help with specific cases.
• Follow DKIM Best Practices: Use solid cryptographic algorithms, rotate DKIM keys periodically, and maintain consistent email configurations across your infrastructure.
• In-app Email Source Identification: Our system can recognize 1,000+ sources in our DB and provides directions on how to setup DKIM (and SPF) for the given source.

Resolving DKIM failures may need collaboration with email administrators, DNS administrators, and email service providers. Regular monitoring and proactive maintenance tools like EasyDMARC help maintain email security and ensure successful DKIM verification.