A DKIM body hash mismatch means the email body was modified after DKIM signing. The bh= tag in the DKIM-Signature header contains a hash of the original body. If the body changes in transit — from content filters, mailing list footers, antivirus scanners, or encoding changes — the hash won't match and DKIM fails.
DKIM Body Hash Mismatch: Causes and Fixes
What the Body Hash Does
When your email server signs a message with DKIM, it computes a hash of the message body and stores it in the bh= tag of the DKIM-Signature header:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector;
bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
h=From:To:Subject:Date;
b=...
The receiving server recomputes the hash over the body it actually received and compares it with bh=. If the two differ, the verifier stops there: RFC 6376 (section 6.1.3) tells it to ignore the signature and return PERMFAIL with the reason "body hash did not verify", without even checking the b= signature. Note that b= covers the headers listed in h= plus the DKIM-Signature header itself (and therefore the bh= value), not the body directly, which is why a body change shows up as a body hash error rather than as a bad signature.
Common Causes
Mailing list software that adds a footer or unsubscribe link to the body. This is the most common cause. (A list that only tags the Subject line breaks the header part of the signature, b=, not the body hash; a footer breaks bh=.)
Content filters and security gateways that rewrite URLs, strip attachments, or modify HTML will break the body hash.
Email forwarding services that add banners or modify content (as opposed to pure envelope forwarding) will cause mismatches.
Encoding changes during transit: a 7-bit hop re-encoding an 8-bit body as quoted-printable or base64, or a character set conversion, alters the raw body octets. Note that c=relaxed body canonicalization only tolerates whitespace differences (trailing whitespace, runs of spaces and tabs, extra empty lines at the end of the body); it does not survive a transfer-encoding change or any added text.
Practitioner note: I see body hash mismatches most often with mailing list software (Listserv, Mailman, Google Groups). The list adds a footer and the hash breaks. This is the problem ARC (RFC 8617) was designed to address: the list seals the Authentication-Results it saw on arrival, so a receiver that trusts the list can learn that DKIM passed before the footer was added.
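As an added example (not code from this article), the following Python computes bh= for both RFC 6376 body canonicalizations and replays the kinds of change listed above against a constructed body, reporting for each whether the receiver's recomputed hash still matches. The sample bodies and the footer text are constructed, and the canonicalization functions are a plain transcription of RFC 6376 section 3.4, not the code of any particular signer.

```python
import base64
import hashlib
import re

# Added example (not code from the original article): compute the DKIM bh= value
# for the two body canonicalizations of RFC 6376 section 3.4 and show which
# in-transit changes each one survives.  All bodies below are constructed data.


def _lines(body: bytes) -> list:
    """Split into lines. Mail on the wire is CRLF-terminated; bare LF from local files is accepted."""
    return body.replace(b"\r\n", b"\n").split(b"\n")


def _drop_trailing_empty(lines: list) -> list:
    """RFC 6376 3.4.3 / 3.4.4: ignore all empty lines at the end of the body."""
    while lines and lines[-1] == b"":
        lines.pop()
    return lines


def canon_body_simple(body: bytes) -> bytes:
    """'simple': only trailing empty lines are removed; an empty body becomes a lone CRLF."""
    lines = _drop_trailing_empty(_lines(body))
    return b"".join(line + b"\r\n" for line in lines) or b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed': runs of WSP collapsed to one SP, trailing WSP removed, trailing empty lines removed."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in _lines(body)]
    lines = _drop_trailing_empty(lines)
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Return the base64 SHA-256 that belongs in bh= (a=rsa-sha256) for the given canonicalization."""
    canon_fn = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}[canon]
    return base64.b64encode(hashlib.sha256(canon_fn(body)).digest()).decode("ascii")


# Body exactly as the signer saw it (constructed).
SIGNED_BODY = b"Hello team,\r\n\r\nThe deploy window is 22:00 UTC.\r\n"

# (case name, body the signer hashed, body the receiver got) for one intermediary each.
CASES = [
    ("list footer appended",
     SIGNED_BODY,
     SIGNED_BODY + b"--\r\nYou received this because you are subscribed to ops-list.\r\n"),
    ("trailing/inner whitespace changed",
     SIGNED_BODY,
     b"Hello team,  \r\n\r\nThe deploy window is   22:00 UTC.\r\n"),
    ("extra blank lines at end",
     SIGNED_BODY,
     SIGNED_BODY + b"\r\n\r\n"),
    ("8bit body downgraded to quoted-printable by a 7-bit hop",
     b"Caf\xc3\xa9 at 10:00.\r\n",
     b"Caf=C3=A9 at 10:00.\r\n"),
]


def survival_report() -> dict:
    """For each case and canonicalization, True if the receiver's recomputed bh= still matches."""
    report = {}
    for name, signed, delivered in CASES:
        for canon in ("simple", "relaxed"):
            report[(name, canon)] = body_hash(signed, canon) == body_hash(delivered, canon)
    return report


if __name__ == "__main__":
    print("bh= (relaxed) of the signed body:", body_hash(SIGNED_BODY))
    for (name, canon), ok in survival_report().items():
        print(f"{name:58} c={canon:8} {'bh still matches' if ok else 'BODY HASH MISMATCH'}")
```

Running it shows the practical boundary: relaxed canonicalization absorbs re-wrapped whitespace and trailing blank lines, but a footer or a transfer-encoding change breaks the hash under both canonicalizations.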
How to Diagnose
- Check your DMARC aggregate (rua) reports for dkim=fail results: they show the sending IP and the volume, but not why DKIM failed
- Look at the Authentication-Results header on a failing message (ask a recipient for a copy, or send to a mailbox you control): a body hash error carries a reason such as dkim=neutral (body hash did not verify), which is Gmail's wording and also the reason string RFC 6376 prescribes; a bad b= signature is reported with a different reason
- Identify the intermediary — what system sits between your sending server and the recipient?
The intermediary that modifies the body is your culprit. The Received headers list every hop the message took, and if a hop added an ARC-Authentication-Results header it records what DKIM looked like when that hop received the message, which tells you whether the body was still intact at that point.
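The procedure above, worked through in code as an added example (not from this article): the script parses a constructed message that failed at the final receiver with a body hash error, lists the hops from its Received headers, and uses the ARC-Authentication-Results set that the list added to narrow down which host changed the body. Hostnames, queue IDs and the DKIM/ARC signature values are placeholders; the Authentication-Results wording follows Gmail's "body hash did not verify" comment.

```python
import email
import re

# Added example (not code from the original article): read the trace headers of a
# message that failed DKIM with a body hash error and narrow down which hop changed
# the body.  The message is constructed; hosts, IDs and signature values are placeholders.

RAW_MESSAGE = b"""\
Received: from lists.example.org (lists.example.org [192.0.2.10])
 by mx.receiver.example (Postfix) with ESMTPS id 4X7k; Mon, 6 Apr 2026 10:00:05 +0000
Authentication-Results: mx.receiver.example;
 dkim=neutral (body hash did not verify) header.d=yourdomain.com header.s=selector;
 spf=pass smtp.mailfrom=ops-list-bounces@lists.example.org;
 dmarc=fail header.from=yourdomain.com;
 arc=pass (i=1 spf=pass dkim=pass dmarc=pass)
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; t=1775469602; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org; s=arc;
 h=From:To:Subject:Date:Message-ID; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example.org;
 dkim=pass header.d=yourdomain.com header.s=selector;
 spf=pass smtp.mailfrom=alice@yourdomain.com
Received: from gw.yourdomain.com (gw.yourdomain.com [198.51.100.7])
 by lists.example.org with ESMTPS id 9Qz; Mon, 6 Apr 2026 10:00:02 +0000
Received: from mail.yourdomain.com (mail.yourdomain.com [198.51.100.5])
 by gw.yourdomain.com (Postfix) with ESMTP id 7Ab; Mon, 6 Apr 2026 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=selector;
 h=From:To:Subject:Date:Message-ID;
 bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=; b=PLACEHOLDER
From: Alice <alice@yourdomain.com>
To: ops-list@lists.example.org
Subject: [ops-list] Deploy window
Date: Mon, 6 Apr 2026 09:59:58 +0000
Message-ID: <20260406095958.1@mail.yourdomain.com>

Hello team,

The deploy window is 22:00 UTC.
"""


def _flat(value: str) -> str:
    """Unfold a header value (RFC 5322 folding leaves newline+WSP inside it)."""
    return re.sub(r"\s+", " ", value).strip()


def parse_auth_results(value: str) -> dict:
    """{method: (result, comment)} from an Authentication-Results style value.  The
    parenthesised comment after a result is captured with it, so 'dkim=pass' inside
    an arc=pass (...) comment is not mistaken for the top-level DKIM result."""
    out = {}
    for m in re.finditer(r"\b(dkim|spf|dmarc|arc)=(\w+)(?:\s*\(([^)]*)\))?", _flat(value)):
        out[m.group(1)] = (m.group(2), (m.group(3) or "").strip())
    return out


def received_hops(msg) -> list:
    """(from_host, by_host) per Received header, oldest hop first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", []) or []):
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", _flat(hdr))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def diagnose(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    verdict, comment = parse_auth_results(msg.get("Authentication-Results", "")).get("dkim", ("none", ""))
    hops = received_hops(msg)
    result = {"final_dkim": (verdict, comment), "hops": hops, "body_hash_mismatch": False, "suspects": []}
    if not (verdict in ("fail", "neutral", "permerror") and "body hash" in comment.lower()):
        return result
    result["body_hash_mismatch"] = True
    # Without other evidence, every host that received and re-sent the message is a
    # suspect: the "by" host of each hop except the final receiver.
    lo, hi = 0, len(hops) - 1
    # ARC narrows that: a sealer whose ARC-Authentication-Results still saw dkim=pass
    # received an intact body, so the damage is there or later; one that already saw
    # a failure bounds it from the other side.
    for hdr in msg.get_all("ARC-Authentication-Results", []) or []:
        m = re.match(r"i=(\d+);\s*(\S+);\s*(.*)", _flat(hdr))
        if not m:
            continue
        sealer, seen = m.group(2), parse_auth_results(m.group(3))
        idx = next((n for n, (_, by) in enumerate(hops) if by == sealer), None)
        if idx is None:
            continue
        if seen.get("dkim", ("", ""))[0] == "pass":
            lo = max(lo, idx)
        else:
            hi = min(hi, idx)
    result["suspects"] = [by for _, by in hops[lo:hi]]
    return result


if __name__ == "__main__":
    r = diagnose(RAW_MESSAGE)
    print("final DKIM result:", r["final_dkim"])
    print("hops, oldest first:", r["hops"])
    print("hosts that could have changed the body:", r["suspects"])
```

With the ARC set present the list is the only suspect, because it attested that DKIM passed on arrival. Without it (delete the ARC-Authentication-Results header and rerun), your own outbound gateway and the list are both candidates, which is exactly the situation the "sign last" advice in the Fixes section is meant to avoid.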
Fixes
If a mailing list is modifying the body: You can't prevent this from your side, and SPF does not rescue DMARC here either: the list re-sends the message with its own envelope sender, so SPF is evaluated against the list's domain and is not aligned with your From domain. Rely on ARC (RFC 8617) for receivers that trust the list's seal; at everyone else the message fails DMARC, which is why many lists rewrite the From header (or stop modifying the body) for senders with a p=quarantine or p=reject policy.
If your own gateway modifies the body: Move DKIM signing to after the gateway processes the message. DKIM should be the last thing that touches the email before it leaves your infrastructure.
If a security appliance rewrites URLs: Configure DKIM signing after the URL rewriting step, or exempt your own outbound mail from URL rewriting (rewriting is meant for inbound mail anyway).
Practitioner note: The fix is almost always architectural: sign the message after all modifications are complete. If you're running a content filter that rewrites links before DKIM signing, switch the order. If a third-party service modifies the body, you can't control it. SPF can cover DMARC only when that service sends with your domain in MAIL FROM (a hosted outbound filter you route through and list in your SPF record); mailing lists and forwarders use their own envelope sender, so there SPF alignment fails too.
Don't use the l= (body length) tag to work around this. It tells receivers to hash only the first l= octets of the canonicalized body, so anything after that point is unsigned: an attacker can take a legitimately signed message, append their own text (or, in a multipart message, a new part), and the signature still verifies. RFC 6376 section 8.2 itself warns about this misuse, and the security community considers l= harmful.
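To make the hole concrete, here is an added example (not from this article) of the signer and verifier sides of the body hash with and without l=, using a simplified simple canonicalization and constructed bodies: the appended text passes verification when l= is present and fails without it.

```python
import base64
import hashlib

# Added example (not code from the original article): why the l= tag is unsafe.
# Only a simplified 'simple' body canonicalization is modelled, and both bodies
# are constructed sample data.


def canon_simple(body: bytes) -> bytes:
    """Simplified RFC 6376 'simple' body canonicalization: no trailing empty lines, one final CRLF."""
    return body.rstrip(b"\r\n") + b"\r\n"


def _bh(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def sign_body(body: bytes, use_length_tag: bool) -> dict:
    """Signer side: bh= over the body it saw and, if it chose to emit l=, the length it covered.
    In a real message both values sit in DKIM-Signature and are protected by b=, so the
    attacker cannot change them; they do not need to."""
    canon = canon_simple(body)
    length = len(canon) if use_length_tag else None
    return {"bh": _bh(canon[:length]), "l": length}


def verify_body(body: bytes, sig: dict) -> bool:
    """Verifier side (RFC 6376 3.7): hash the canonicalized body, or only its first l= octets."""
    canon = canon_simple(body)
    return _bh(canon[:sig["l"]]) == sig["bh"]


# Body as signed by the legitimate sender (constructed).
ORIGINAL = b"Hi,\r\n\r\nYour invoice for March is attached.\r\n"
# Text a compromised relay or on-path attacker appends.  With l= it lies outside the
# signed region, so DKIM (and hence DMARC) still passes on the tampered message.
APPENDED = b"\r\nUpdate: please pay this invoice to the new account at https://pay.example.invalid/\r\n"


def demo() -> dict:
    tampered = ORIGINAL + APPENDED
    with_l = sign_body(ORIGINAL, use_length_tag=True)
    without_l = sign_body(ORIGINAL, use_length_tag=False)
    return {
        "original_passes_with_l": verify_body(ORIGINAL, with_l),
        "tampered_passes_with_l": verify_body(tampered, with_l),        # the hole
        "tampered_passes_without_l": verify_body(tampered, without_l),  # body hash mismatch
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:28} {'verifies' if passed else 'body hash did not verify'}")
```

The recipient sees the appended text rendered as part of a message whose signature verified; the only defence is on the verifier side (ignoring or penalising signatures that carry l=), which you do not control, so do not emit l= in the first place.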
If your DKIM is failing due to body hash mismatches and you can't identify the cause, I can trace the email path and find the modification point.
Sources
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures, Section 3.7
- RFC 6377: DKIM and Mailing Lists
- M3AAWG: DKIM Best Practices
- dmarcian: Understanding DKIM Failures
v1.0 · April 2026
Frequently Asked Questions
What is a DKIM body hash?
The bh= tag in the DKIM-Signature header contains a Base64-encoded hash of the email body at the time of signing. Receivers recompute this hash and compare it to verify body integrity.
What causes DKIM body hash mismatch?
Anything that modifies the email body after signing: mailing list footers, content filters, antivirus scanners, email forwarding services, or encoding conversions.
Can I fix a DKIM body hash mismatch?
You can't fix it after the fact — the message was already altered. You need to identify what's modifying the body and either stop it or ensure DKIM signing happens after the modification.
Does body length limit (l= tag) help?
The l= tag limits how much of the body is hashed, which does prevent mismatches from appended footers. But it is a security hole: anything after the signed length is unsigned, so an attacker can append their own content to a signed message and the signature still verifies. Don't use it.
How do I tell if my emails have body hash mismatches?
Check DMARC aggregate reports for dkim=fail, or examine the Authentication-Results header on a received copy of the message. Look for a DKIM result (fail or neutral, depending on the verifier) whose reason says the body hash did not verify, for example dkim=neutral (body hash did not verify) at Gmail.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.