Valid DKIM but "body hash did not verify" error on Outlook / Hotmail / Live?

Why do I get dkim=fail (body hash did not verify) on Outlook / Hotmail / Live when I have a valid DKIM setup in place?

I've made sure that my SPF, DKIM, DMARC records are set up correctly and the DKIM record on my domain matches my server's DKIM key.

When sending emails from my domain to Google etc, I get SPF = Pass, DKIM = Pass, DMARC = Pass and it's over a secure connection. All good.

When sending to Outlook.com with the same config I get the error: dkim=fail (body hash did not verify). Why?

Does anyone have an idea why that is?

I'm using Postfix on Debian 9 with SpamAssassin.
My DNS records are old; it's not because of DNS propagation.
I'm using Thunderbird as a client to send emails.


Solution 1:

This was an issue with special characters for us. Compare source code or the 'original' email in Gmail vs. source code of the same email in Hotmail and you will find the ones causing DKIM to fail. It was the -- and ' characters for us (encoded with words, not numbers). It was okay if they were encoded in HTML, but not if they were added as text and then pasted inside the HTML.

Microsoft is not recognizing them, applying canonicalization, and removing them, which is causing the body hash to not verify.

Solution 2:

I am using PHPMailer and I had the same issue where my DKIM keys were functional in testing and then started failing in production. It turned out that my production code was inserting a space at the end of the $body variable that was being fed into $mail->Body = $body and this was causing my body hash did not verify error.