May 27, 2026

DNS Africa Resource Center


How to Fix the “DKIM Signature is Not Valid” Error? – Security Boulevard


If you received the “DKIM signature is not valid” error, there are problems with your DKIM configuration and you need to fix them now! Invalid DKIM signature errors may occur due to: 
This blog will focus on some common reasons for the “DKIM signature is not valid” error and some recommendations to get you back on track! 
DKIM, or DomainKeys Identified Mail, is an email authentication protocol. DKIM helps maintain the legitimacy of email messages by ensuring no changes are made during transfer. This prevents threat actors and man-in-the-middle attackers from altering email content. 
A DKIM signature is a header added to email messages so that the recipient’s mail server can authenticate the emails by checking the sender’s DKIM key. This process relies on public-key cryptography. 
Some common tags in a DKIM signature header are as follows: 
An erroneous DKIM record or missing DKIM header fields can result in the “DKIM signature is not valid” error. 
You will see the ‘Your DKIM signature is not valid’ message when the DKIM authentication check fails. Here are the common reasons for this failure:
All of these cases except the last are technical issues that an expert can resolve. The last one, however, can’t realistically be avoided, because you can’t stop recipients from appending compliance footers. So, what happens when these auto-forwarded messages fail both SPF and DKIM and you’ve set the DMARC policy to ‘reject’?
Earlier, it was quite challenging for recipient servers to manage such unauthenticated but legitimate emails. These days, all the major email service providers (ESPs) use the Authenticated Received Chain (ARC) protocol.
This protocol lets a mail server identify the mail servers that previously handled a message and see the authentication assessment made at each step. 
Even with aligned DKIM records, you may still see an invalid DKIM signature error. Let’s see what the possible causes for “DKIM signature is not valid” are and how to fix them. 
If you come across the “DKIM signature is not valid” error after creating the DKIM TXT record and adding it to the DNS configuration file, you can resolve it by following these steps:
You may still see errors after changing the settings in the DNS configuration file. This typically occurs because it takes up to 24 to 48 hours for DNS propagation after you make changes in DNS settings. This varies depending on the TTL value mentioned in the DNS record.
In such scenarios, it’s suggested to wait for 3 to 4 days so that the DNS propagates fully. Meanwhile, you can check the DNS propagation status of the domain using DNS propagation tools or analyzers. 
If you see a DKIM signature’s status as ‘DKIM-signature body hash not verified’, it simply means the hash calculated from the email body doesn’t match the body hash value in the “bh=” tag. 
Many business email servers append inline text to the bottom of incoming emails before the components are broken down. This leads to an invalid body hash, triggering the DKIM-signature body hash not verified error. This eventually causes a failed DKIM and subsequently a failed DMARC check.
In some situations, sources may fail DKIM and DMARC checks because a hacker has tampered with your email’s content. This can also lead to the DKIM-signature body hash not verified error. 
Some possible reasons why you see DKIM=neutral (body hash did not verify) are:
These are some common reasons that can lead to the DKIM-signature body hash not verified error. 
When you come across the DKIM-signature body hash not verified error, it may be useful to investigate your email source. 
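One way to investigate the email source is to recompute the body hash yourself and compare it with the “bh=” tag. The following is an added example, not code from the original post: it implements the simple and relaxed body canonicalization from RFC 6376 and shows that whitespace changes survive relaxed mode while an appended footer does not. The domain, selector, message bodies and signature header are constructed sample values, the body is assumed to use CRLF line endings, and the optional “l=” body-length tag is not handled.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Canonicalize a CRLF-delimited body (RFC 6376, 3.4.3 simple / 3.4.4 relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed", algo: str = "sha256") -> str:
    """Base64 digest that a verifier compares with the bh= tag."""
    digest = hashlib.new(algo, canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is ignored
    return tags

def check_body(header_value: str, body: bytes) -> bool:
    """True when the recomputed body hash equals bh= (headers/b= are not checked)."""
    tags = parse_tags(header_value)
    # c= is header/body; body canonicalization defaults to simple when omitted.
    canon = tags.get("c", "simple/simple").split("/")
    mode = canon[1] if len(canon) > 1 else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    return body_hash(body, mode, algo) == tags["bh"]

# Constructed sample data: as sent, re-spaced in transit, and with a gateway footer.
ORIGINAL = b"Hello team,\r\n\r\nThe invoice is attached.\r\n"
REFLOWED = b"Hello  team, \r\n\r\nThe invoice\tis attached.\r\n\r\n\r\n"
FOOTERED = ORIGINAL + b"-- \r\nThis message was scanned by the gateway.\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
       f" h=from:to:subject; bh={body_hash(ORIGINAL)}; b=CONSTRUCTEDPLACEHOLDER")

if __name__ == "__main__":
    for name, body in (("original", ORIGINAL), ("reflowed", REFLOWED), ("footered", FOOTERED)):
        print(name, "body hash verified" if check_body(SIG, body) else "body hash did not verify")
```

A match here only confirms the body; the “b=” signature over the headers still has to be verified against the public key published in DNS.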
DKIM doesn’t filter email itself, but the details it provides help the filters used by the receiver’s domain. So, if an email comes from a trusted domain and passes DKIM checks, its spam score may be reduced. If it fails the DKIM check, it’s marked as spam, or it can be quarantined or have a spam tag added to the subject line. 
The next steps you can follow to strengthen your DKIM compliance are: 
If the DKIM signature not valid error still persists, get in touch with your email service provider for guidance, or contact us for expert advice on everything email authentication!
*** This is a Security Bloggers Network syndicated blog from PowerDMARC authored by Yunes Tarada. Read the original post at: https://powerdmarc.com/fix-dkim-signature-is-not-valid/