Why is Microsoft DKIM failing when Gmail passes, and how to fix it?
Summary
What email marketers say (10 marketer opinions)
Email marketer from Mailhardener explains that a common cause of deliverability problems is shared IP addresses; dedicated IP addresses are a good fix if you have deliverability issues and want control over your sending reputation. URL: https://www.mailhardener.com/blog/shared-vs-dedicated-ip-addresses
Email marketer from Reddit shares that sometimes Microsoft's servers are very sensitive to the slightest DKIM misconfiguration. They recommend double-checking the selector used in the DKIM record and ensuring it matches the one used in the signing process. URL: https://www.reddit.com/r/emailmarketing/comments/xyz123/dkim_failing_on_microsoft_but_passing_on_gmail/
Email marketer from EasyDMARC recommends using online tools to check the DKIM record to confirm it's valid and propagates correctly. Tools like EasyDMARC's DKIM Record Lookup can identify issues such as typos, incorrect syntax, or propagation problems. URL: https://easydmarc.com/tools/dkim-record-lookup/
Email marketer from MXToolbox explains that with their DKIM record lookup tool you can check whether the correct public key is published in DNS and whether it validates the messages being sent. A mismatch here would lead to Microsoft rejecting the DKIM signature, even if Gmail accepts it. URL: https://mxtoolbox.com/dkim.aspx
Marketer from Email Geeks notes the DKIM hashing algorithm is sha-1, an old, insecure, deprecated algorithm, and suggests asking Postmark to use sha-256.
Marketer from Email Geeks suggests Microsoft might have deprecated support for sha-1 and recommends talking to Postmark.
Email marketer from Email on Acid shares that issues may arise due to incorrect DNS configuration. To fix this, check that the DKIM TXT record is published correctly, that there are no typos, and that the DNS record has fully propagated. DNS record lookup tools are useful for this. URL: https://www.emailonacid.com/blog/article/email-authentication-spf-dkim-dmarc/
Email marketer from Email Marketing Tips suggests checking the DKIM key length, as Microsoft and some other providers now require a minimum key length (e.g., 1024 bits). If your DKIM key is shorter, upgrade the key length to prevent failures. URL: https://www.emailmarketingtips.com/troubleshooting-dkim-failures/
Email marketer from Super User explains to look carefully at the authentication-results header that Microsoft is providing. It may offer specific diagnostic information about why the DKIM check failed. Often this is more informative than a simple pass/fail result. URL: https://superuser.com/questions/480137/dkim-spf-check-failed
Email marketer from Stack Overflow explains that Outlook might be more strict with DKIM validation than Gmail. They suggest ensuring the DKIM record is published correctly, the signing is valid by using tools like DKIMValidator, and that the body hash is calculated correctly, particularly with line endings. URL: https://stackoverflow.com/questions/26004445/dkim-works-for-gmail-but-not-outlook
What the experts say (5 expert opinions)
Expert from Email Geeks explains that Postmark is signing with DKIM, not the user, and the domain being evaluated by Outlook for DKIM is ab.mtasv.net which is Postmark's domain, so the user needs to escalate to Postmark.
Expert from Email Geeks explains that sha-1 is the encryption algorithm used to generate the hash for signing and that DMARC is passing because of the custom SPF domain, and it may not be sha-1, Microsoft could just be breaking something.
Expert from Word to the Wise explains Microsoft often forwards messages internally, and this can break DKIM signatures if the message content is altered during the forwarding process. Verifying the DKIM signature before and after forwarding can help identify if this is the issue. They also advise checking the authentication results header to pinpoint the exact reason for the failure. URL: https://wordtothewise.com/2015/01/dmarc-failures-internal-forwarding/
Expert from Email Geeks explains when one provider like Microsoft is failing DKIM, it’s often a text-encoding or folding issue and asks if relaxed/relaxed is being used, and what encryption type.
Expert from Email Geeks states that Microsoft does a lot of internal forwarding and that breaking DKIM happens, suggesting that having Postmark stop using sha1 and use a current algorithm could help with the breakage.
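The advice above (read the Authentication-Results header, check which domain d= actually names, and check the a= and c= tags of the signature) can be turned into a small triage script. The following is an added example, not code from the original page or from Postmark or Microsoft; the message headers, domains and selector are constructed placeholders, and the organizational-domain check is a deliberate simplification (last two labels, no Public Suffix List).

```python
import re

# Constructed sample headers (not from the page): a provider-signed message showing the
# symptoms discussed above. Domains, selector and signature values are placeholders.
SAMPLE_HEADERS = (
    "From: Newsletter <news@example.com>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=esp.example.net;\r\n"
    " s=sel2023; h=from:to:subject:date; bh=ZmFrZS1ib2R5LWhhc2g=;\r\n"
    " b=ZmFrZS1zaWduYXR1cmU=\r\n"
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce.example.com;\r\n"
    " dkim=fail (body hash did not verify) header.d=esp.example.net header.s=sel2023;\r\n"
    " dmarc=pass action=none header.from=example.com\r\n"
)


def unfold_headers(raw):
    """Return {lowercased name: value} with RFC 5322 folded continuation lines joined."""
    headers = {}
    current = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current:
            headers[current] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            current = name.strip().lower()
            headers[current] = value.strip()
    return headers


def parse_tags(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # folding whitespace inside values is ignored
    return tags


def parse_auth_results(value):
    """Parse an Authentication-Results header (RFC 8601) into {method: {...}}."""
    parts = [p.strip() for p in value.split(";")]
    results = {"authserv_id": parts[0]}
    for clause in parts[1:]:
        m = re.match(r"(\w+)=(\w+)(?:\s*\(([^)]*)\))?(.*)", clause)
        if not m:
            continue
        method, result, comment, rest = m.groups()
        entry = {"result": result, "comment": comment or ""}
        for prop, val in re.findall(r"([\w.]+)=(\S+)", rest):
            entry[prop] = val  # e.g. header.d, header.s, smtp.mailfrom
        results[method] = entry
    return results


def org_domain(domain):
    """Simplified organizational domain: last two labels (ignores the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def audit(raw):
    """Return the findings a deliverability engineer would act on for one message."""
    h = unfold_headers(raw)
    sig = parse_tags(h.get("dkim-signature", ""))
    ar = parse_auth_results(h.get("authentication-results", ""))
    findings = []

    algo = sig.get("a", "")
    if algo not in ("rsa-sha256", "ed25519-sha256"):
        findings.append(f"signature algorithm {algo!r} is obsolete (RFC 8301); ask the signer to use rsa-sha256")

    canon = sig.get("c", "simple/simple")  # RFC 6376 default when c= is absent
    parts = canon.split("/")
    body_canon = parts[1] if len(parts) > 1 else "simple"  # 'relaxed' alone means relaxed/simple
    if body_canon == "simple":
        findings.append(f"body canonicalization {canon!r} breaks on any whitespace change in transit; prefer relaxed/relaxed")

    m = re.search(r"@([\w.-]+)", h.get("from", ""))
    from_dom = m.group(1) if m else ""
    if org_domain(sig.get("d", "")) != org_domain(from_dom):
        findings.append(f"d={sig.get('d')} is not aligned with From domain {from_dom}; "
                        "DMARC cannot rely on this DKIM signature, so the signer must fix it")

    dkim = ar.get("dkim")
    if dkim and dkim["result"] != "pass":
        findings.append(f"{ar['authserv_id']} reports dkim={dkim['result']}: "
                        f"{dkim['comment'] or 'no reason given'} "
                        f"(header.d={dkim.get('header.d')}, header.s={dkim.get('header.s')})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print("-", finding)
```

Run it against the raw headers of a failing message copied from the receiving mailbox; the d= finding tells you which party owns the key (here the sending provider, not the sender), and the Authentication-Results finding gives the verifier's own reason, which is usually more useful than the bare fail.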
What the documentation says (5 technical articles)
Documentation from Microsoft Learn explains that DKIM failures can occur if the message is modified in transit, invalidating the signature. This could be due to email forwarding or list servers that alter the message content. They recommend checking the message headers for any indication of tampering. URL: https://learn.microsoft.com/en-us/Exchange/mail-flow-best-practices/email-authentication
Documentation from AuthSMTP explains that an incorrect selector is one of the common reasons for DKIM failing; check that your selector is set correctly with your provider or sending server. URL: https://www.authsmtp.com/dkim/
Documentation from RFC Editor explains that the DKIM specification (RFC 6376) requires proper handling of whitespace and line endings during signature generation. Discrepancies in how different mail servers handle these aspects can lead to validation failures. URL: https://www.rfc-editor.org/rfc/rfc6376
Documentation from DMARC.org explains that DKIM alignment is crucial for DMARC compliance. If the DKIM-signing domain doesn't match the domain in the 'From' header, DMARC may fail even if DKIM passes. This could be why Gmail passes (which may not be enforcing DMARC as strictly), but Microsoft fails. URL: https://dmarc.org/overview/
Documentation from OpenDKIM explains that the DKIM specification allows for different canonicalization methods for headers and the body. Using different canonicalization methods in senders and receivers will break DKIM even though both parties are standards compliant. URL: https://www.opendkim.org/
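The RFC 6376 and OpenDKIM points above (whitespace and line-ending handling, and the choice of body canonicalization) decide whether a message that was touched in transit, as in the forwarding cases described by Microsoft and Word to the Wise, still verifies. The following added example (not code from the page or from any of the cited projects) implements the two body canonicalizations from RFC 6376 sections 3.4.3 and 3.4.4, recomputes the bh= value, and compares what the signer hashed against two constructed versions of the body a relay might deliver: one with only whitespace changes and one with a footer appended.

```python
import base64
import hashlib
import re


def simple_body(body):
    """RFC 6376 section 3.4.3: drop trailing empty lines, end with exactly one CRLF.

    An empty body canonicalizes to a single CRLF.
    """
    return re.sub(r"(\r\n)+\Z", "", body) + "\r\n"


def relaxed_body(body):
    """RFC 6376 section 3.4.4: collapse runs of WSP to one SP, strip trailing WSP per line,
    drop trailing empty lines, and add a final CRLF to a non-empty body."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    text = re.sub(r"(\r\n)+\Z", "", "\r\n".join(lines))
    return text + "\r\n" if text else ""


def body_hash(body, canon="relaxed", algo="sha256"):
    """Compute bh= as a verifier would: base64 of the digest over the canonical body.

    algo="sha1" reproduces what a legacy rsa-sha1 signer would have emitted.
    """
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    digest = hashlib.new(algo, canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample bodies (not from the page): the body the signer hashed, and two
# versions a relaying or forwarding MTA might hand to the verifier.
ORIGINAL = "Hello,  world\r\nThanks for reading.\r\n"
WHITESPACE_CHANGED = "Hello, world \r\nThanks for reading.   \r\n\r\n"
FOOTER_ADDED = ORIGINAL + "-- forwarded by gateway --\r\n"


def still_verifies(original, received):
    """Return {canonicalization: bool}: does the signer's bh= still match the received body?"""
    return {c: body_hash(original, c) == body_hash(received, c) for c in ("simple", "relaxed")}


if __name__ == "__main__":
    print("whitespace only changed:", still_verifies(ORIGINAL, WHITESPACE_CHANGED))
    print("footer appended:        ", still_verifies(ORIGINAL, FOOTER_ADDED))
```

The whitespace-only change survives under relaxed but not under simple canonicalization, which is why relaxed/relaxed is the usual recommendation when one receiver in a chain re-wraps or re-encodes the message; an appended footer changes the content itself and breaks the body hash under both, and no canonicalization setting on the signer's side can fix that.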