I sign my email using PHPMailer 5.2.16, setting the DKIM parameters. The DKIM test passes everywhere (Gmail, Port25, mail-tester) but fails on Hotmail and Outlook. See headers below. Any idea?
The DKIM email security standard was designed to make sure messages are not altered or compromised in transit between sender and receiver. It uses public-key cryptography to sign email with a private key before it is sent from the server. The recipient server can then use the public key published in the domain's DNS to verify the source of the message, and that the body of the message has not changed.
Once the hash is verified, the message passes the DKIM check and is considered authentic. DKIM (DomainKeys Identified Mail) is an email security standard/protocol that enables the signing of emails in such a way that it is possible to verify, through a cryptographic signature, who sent the mail.
Mar 23, 2017. Hello. We are an ESP company and we are seeing emails that say that DKIM is failing with Hotmail as dkim=fail (body hash did not verify). When I did a DKIM test with Port25 I am passing DKIM. Our client's emails display a Fraud Detection message on top of the email for his @hotmail.com email account. Below is the full source header. All of the errors are to do with the body hash. The header seems fine. Gmail complains that 'body hash did not verify', while Port25's verifier fails with 'wrong body hash'. It suggests something is getting added to the body after signing, but I can't see where that might be, nor can I spot anything in the email body in the received email.
A hash is created from an email segment and then encrypted with a private key held by the original sender. That encrypted DKIM signature is sent along with the original email to the receiver. The receiver (mailbox provider) looks up the domain's DNS to find the DKIM public key, which is used to decrypt the DKIM signature back into its original hash. The mail provider (receiver) also hashes the selected elements itself and compares the result with the decrypted hash.
Keypair: anything encrypted with one key from a keypair can ONLY be decrypted using the other key. If we make the public key public, anyone can decrypt and read the encrypted data, but nobody can modify it (in transit): they would need the private key to encrypt their own modified copy. The signature does not encrypt the data, just a hash sum of the data.
Steps:
- A = a hash sum of your copy of the data.
- B = decrypt the signature using the domain's DNS DKIM public key to reveal the hash sum (of the received email).
- If A = B, your copy is unmodified.
Hash sums are one-way: the original data cannot be recovered from them.
The process of setting up DKIM can be difficult. It requires generating a public and private key pair and correctly placing the public key in your DNS records, and the private key within the email exchange server.
DKIM Elements
For example, given the signature:

    DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
        c=relaxed/simple; q=dns/txt; l=1234; t=; x=;
        h=from:to:subject:date:keywords:keywords;
        bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

A verifier queries the TXT record of brisbane._domainkey.example.net:

    # dig -t TXT brisbane._domainkey.example.net +short

Some tags from the example above:
- v – version
- a – signing algorithm
- d – domain
- s – selector (which public key is used; a domain can have many)
- c – canonicalization algorithm(s) for header and body (how to handle header case sensitivity, whitespace, CRLF, etc.)
- q – default query method
- l – the length of the canonicalized part of the body that has been signed
- t – signature timestamp
- x – its expiry time
- h – list of signed header fields, repeated for fields that occur multiple times
- bh – hash sum of the canonicalized message body. It is used to quickly check whether a message fails DKIM (avoiding a DoS attack)
- b – signature of the data (includes headers and body)

Canonicalization
DKIM defines two canonicalization algorithms for the body of the message, simple and relaxed:
- simple – does very little: it just strips any blank lines at the end of the body.
- relaxed – strips those blank lines, and then replaces any run of whitespace or tabs with a single space.
DKIM also defines two canonicalization algorithms for the headers of the message.
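An added example (not code from the question, from PHPMailer, or from any mail provider) that reproduces the receiver's side of the bh= check: it canonicalizes a body with the simple and relaxed algorithms described above and shows which downstream changes (trailing blank lines, whitespace changes, a footer appended after signing) leave the body hash intact and which break it. The sample bodies are constructed; the `length` parameter is a stand-in for the l= tag.

```python
import base64
import hashlib
import re

def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Canonicalize a body per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    # Work line by line; bare LF is normalized to CRLF since the wire form is CRLF.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if method == "relaxed":
        # Drop whitespace at line ends and collapse runs of SP/HTAB to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalization: %s" % method)
    # Both algorithms ignore every empty line at the end of the body ...
    while lines and lines[-1] == b"":
        lines.pop()
    # ... and an empty body canonicalizes to a single CRLF.
    if not lines:
        return b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, method: str = "relaxed", length=None) -> str:
    """Base64 bh= over the canonical body; `length` mimics l= (hash only that many bytes)."""
    canon = canonicalize_body(body, method)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")

def body_unchanged(signed_body: bytes, received_body: bytes, method: str = "relaxed") -> bool:
    """What a verifier does: recompute bh= over what arrived and compare with the signed value."""
    return body_hash(signed_body, method) == body_hash(received_body, method)

if __name__ == "__main__":
    # Constructed sample body, as handed to the signer.
    signed = b"Hello,\r\n\r\nPlease  find the report attached.\r\n"
    # Constructed variants of what a receiver might actually get after relays touch the message.
    variants = {
        "extra trailing blank lines": signed + b"\r\n\r\n",
        "whitespace run collapsed": signed.replace(b"  ", b" "),
        "footer appended after signing": signed + b"--\r\nScanned by example gateway\r\n",
    }
    for name, received in variants.items():
        for method in ("simple", "relaxed"):
            verdict = "pass" if body_unchanged(signed, received, method) else "FAIL"
            print("%-32s %-8s %s" % (name, method, verdict))
```

Trailing blank lines survive both algorithms, the whitespace change passes only under relaxed, and the appended footer fails under both, which is the pattern behind a "body hash did not verify" result when a gateway rewrites the body after signing.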