Sent to Gmail will dkim failed.

Locked
akong77
KeyHelp Translator
Posts: 44
Joined: Mon 2. Aug 2021, 07:39

Sent to Gmail will dkim failed.

Post by akong77 »

Hello,
I use keyhelp and use it dns with dkim recorder.I has check dkim is done.But it's will failed when I send to gmail.
The log like below.

dkim=neutral (body hash did not verify) header.i=@aspa.idv.tw header.s=default header.b=BqzuLuAr;

What's problem?
User avatar
Fezzi
Posts: 126
Joined: Wed 12. Dec 2018, 04:04

Re: Sent to Gmail will dkim failed.

Post by Fezzi »

Did you Google the problem?

That came up on a quick search: https://easydmarc.com/blog/what-you-nee ... dkim-fail/


Why do I see DKIM= neutral (body hash did not verify)?

When the body hash verification fails, that means the computed hash of the message body does not agree with the body hash value stored in the “bh=” tag of the DKIM signature.

Some corporate email servers append inline text to the bottom of incoming emails before anti-spam agents parse them. In situations like that, the body hash would be invalidated.

The email(s) from this source failed the DMARC check. This means that the email was not DMARC compliant, therefore SPF and DKIM are both invalid. This can mean two things:

The source failed the DMARC checks because DKIM and/or SPF were not set up correctly;

The source failed the DMARC checks because someone has sent malicious emails on behalf of your domain.

It is important to investigate all sources that appear in the failed section to identify the sources as valid or as malicious. If you recognize a source as legitimate, you can dig in the data and make sure to set up and align SPF or DKIM correctly. If you don’t recognize a source you will have to investigate this, because this source might try to send malicious emails on behalf of your domain.

Several reasons that may cause DKIM= neutral (body hash did not verify)

A forwarder, a smart-host, or another filtering agent modified the body of the email;
The signer calculated the signature value incorrectly;
Someone spoofed the email and signed it without having the correct private key.
The public key specified in the DKIM-Signature header is wrong;
The public key published by the sender in their DNS is wrong;

The steps that you can take to investigate the source:

Do I recognize the source as a partner of my company?
Search on Google what kind of source this is.
Does the source appear on RBL blacklist websites?
Check the forensic reports to see what kind of emails the source sends.
If the source is valid, search for documentation to set up DMARC correctly.
Contact the source.


Hope that helps to solve your problem...
Gruss

Fezzi

Everyone can do something, no one can do everything.
Locked