How to fix “dkim=fail (body hash did not verify)” from all receivers

Message headers show “dkim=fail (body hash did not verify)” — your mail is DKIM-signed, but the receiver rejects the signature.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

The bh= tag in a DKIM-Signature is a hash of the message body at send time; the receiver recomputes it and, on mismatch, returns “body hash did not verify”. That means the body was changed in transit — it does not mean your key is wrong. The usual culprits are mailing-list software and forwarders that append footers or unsubscribe links, and relays that re-encode HTML. RFC 6376 notes that “simple” canonicalization breaks on any modification, so c=simple/simple signers fail where relaxed/relaxed would survive trivial whitespace changes. Source: RFC 6376 §3.7 · verified 2026-07-15

How to fix it

Step 1. Confirm this is the only error: if the selector resolves and the key is present, the signature is fine and the body is the problem.
Step 2. Switch canonicalization to relaxed/relaxed in your sending service so trivial whitespace/format changes don't break the hash.
Step 3. If a mailing list or forwarder adds footers, expect DMARC to pass only via untouched DKIM — see the forwarding guide.
Step 4. Remove the l= (body-length) tag if present — RFC 6376 §8.2 warns it lets attackers append content; drop it and re-test.

Frequently asked

How long until fixes take effect?

DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.

Does this apply if I send fewer than 5,000 emails a day?

Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.

Can I just ask my hosting provider to fix it?

Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →