Message headers show “dkim=fail (body hash did not verify)” — your mail is DKIM-signed, but the receiver rejects the signature.
The bh= tag in a DKIM-Signature is a hash of the message body at send time; the receiver recomputes it and, on mismatch, returns “body hash did not verify”. That means the body was changed in transit — it does not mean your key is wrong. The usual culprits are mailing-list software and forwarders that append footers or unsubscribe links, and relays that re-encode HTML. RFC 6376 notes that “simple” canonicalization breaks on any modification, so c=simple/simple signers fail where relaxed/relaxed would survive trivial whitespace changes. Source: RFC 6376 §3.7 · verified 2026-07-15
relaxed/relaxed in your sending service so trivial whitespace/format changes don't break the hash.l= (body-length) tag if present — RFC 6376 §8.2 warns it lets attackers append content; drop it and re-test.DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.