Why is Outlook breaking DKIM keys and how can I fix it?

Summary

Outlook's DKIM issues stem from several sources: modifications to email content (especially during forwarding), character encoding problems (particularly with non-ASCII characters), and canonicalization differences. Each of these can invalidate the original DKIM signature. Recommended fixes include implementing Sender Rewriting Scheme (SRS), ensuring UTF-8 encoding, correctly configuring SPF, DKIM, and DMARC, minimizing content modifications, using email validation tools, and employing dkimproxy for re-signing when needed.

Key findings

  • Content Modification: Outlook modifies email content (headers, format) during forwarding/transit, breaking DKIM.
  • Encoding Issues: Non-ASCII characters and inconsistent encoding invalidate DKIM signatures.
  • Forwarding Problems: Forwarding in Outlook often alters headers, causing DMARC failures.
  • Canonicalization: Differing interpretations of DKIM's canonicalization process lead to verification failures.
  • Global Impact: Outlook DKIM issues affect multiple clients and email providers (e.g., Postmark).

Key considerations

  • Implement SRS: Use Sender Rewriting Scheme to rewrite sender addresses, preserving DKIM/SPF during forwarding.
  • Ensure UTF-8: Encode all emails in UTF-8 to avoid encoding-related DKIM breaks.
  • Verify SPF/DKIM/DMARC: Correctly configure SPF, DKIM, and DMARC records for proper email authentication.
  • Minimize Modifications: Reduce or eliminate email content alterations in transit.
  • Use Validation Tools: Employ email validation tools to check DKIM signature integrity.
  • Resign with dkimproxy: Use dkimproxy to re-sign emails after content has been altered.
  • Understand Forwarding Rules: Administrators should be aware of forwarding rules and their effect on authentication.
  • Keep Lists Clean: Maintain clean email lists and avoid spam traps.

What email marketers say
12 marketer opinions

Outlook's DKIM issues stem primarily from its tendency to modify email content during forwarding or transit, invalidating the original DKIM signature. Common causes include character encoding issues, particularly with non-ASCII characters, and alterations to email headers. Implementing Sender Rewriting Scheme (SRS), ensuring UTF-8 encoding, verifying SPF and DKIM records, and avoiding content modifications are crucial steps to mitigate these problems.

Key opinions

  • Content Modification: Outlook often modifies email content, including headers, during forwarding or transit, which breaks DKIM signatures.
  • Character Encoding: Issues with character encoding, especially with non-ASCII characters, can lead to DKIM failures in Outlook.
  • Forwarding Problems: Email forwarding through Outlook can invalidate DKIM due to header alterations, affecting DMARC compliance.
  • Global Impact: The issue affects various email service providers, including Postmark, indicating a widespread problem with Outlook's DKIM handling.

Key considerations

  • Implement SRS: Use Sender Rewriting Scheme (SRS) to rewrite sender addresses when forwarding emails to preserve DKIM and SPF validation.
  • UTF-8 Encoding: Ensure that all emails are encoded using UTF-8 to avoid character encoding issues that can invalidate DKIM signatures.
  • Verify SPF/DKIM: Double-check and correct SPF and DKIM records to ensure proper email authentication.
  • Avoid Modifications: Minimize or eliminate any modifications to email content during transit to prevent DKIM signature breakage.
  • Test Email Validation: Utilize email validation tools to test and verify the integrity of DKIM signatures and overall email authentication.
  • Clean Email Lists: Maintain clean email lists and avoid being caught by spam filters.

Marketer view

Email marketer from EmailSecuritySPF notes that email forwarders, including those used by Outlook, often modify the email headers, leading to DKIM failures. They recommend using SRS (Sender Rewriting Scheme) to rewrite the sender address, preserving DKIM and SPF validation.

April 2022 - EmailSecuritySPF
Marketer view

Marketer from Email Geeks refers to this article about DKIM breaking when forwarding email: <https://techcommunity.microsoft.com/t5/networking-principles/microsoft-s-e-mailservers-break-dkim-on-non-ascii-characters/td-p/1774384>

March 2023 - Email Geeks
Marketer view

Email marketer from Reddit explains that DMARC failures in forwarded emails often occur because the forwarding process alters the email headers, invalidating the DKIM signature. They suggest that the receiving domain should implement SRS to correct the sender information.

April 2021 - Reddit
Marketer view

Email marketer from SMTP2GO suggests double-checking that your SPF and DKIM records are correct, as well as checking that your message isn't being modified in transit and that the encoding is correct. They also suggest using an email validation tool to test.

September 2023 - SMTP2GO
Marketer view

Marketer from Email Geeks reports that they are seeing Outlook breaking every piece of DKIM Signature from Postmark across multiple clients, indicating a global issue.

March 2025 - Email Geeks
Marketer view

Email marketer from Stack Overflow suggests that Outlook's DKIM issues might be related to the email's charset. Specifically, it recommends ensuring that the email is encoded using UTF-8 to avoid problems with character encoding that could invalidate the DKIM signature.

March 2025 - Stack Overflow
Marketer view

Email marketer from AuthSMTP says you should check that SPF and DKIM are set up correctly, use the correct DNS records, and always use UTF-8 encoding. They also suggest keeping your email lists clean to avoid spam filters.

July 2023 - AuthSMTP
Marketer view

Email marketer from Super User mentions that DKIM signatures can break when emails contain non-ASCII characters. This is due to encoding issues when the email is processed by different email systems. Converting to UTF-8 might help.

May 2022 - Super User
Marketer view

Email marketer from Word to the Wise explains that DKIM canonicalization issues with Microsoft can happen when Microsoft modifies the email content, causing the DKIM signature to fail. The article highlights that different systems have different interpretations of the DKIM RFC, leading to canonicalization problems.

May 2023 - Word to the Wise
Marketer view

Email marketer from Mailhardener explains that implementing SRS (Sender Rewriting Scheme) is crucial for handling email forwarding in a way that preserves DKIM and SPF authentication. SRS rewrites the sender address, ensuring that the forwarded email can still be authenticated.

December 2021 - Mailhardener
Marketer view

Email marketer from Microsoft Archive discusses the forwarding email problem in Office 365, noting that changes made during forwarding can cause DKIM failures. They advise administrators to understand how forwarding rules affect email authentication.

August 2021 - Microsoft Archive
Marketer view

Marketer from Email Geeks shares that DKIM will fail if an email is modified, as the receiving server cannot re-sign it to match the original encrypted signature. They believe Outlook is looking for UTF-8 encoding.

June 2022 - Email Geeks

What the experts say
3 expert opinions

Outlook is reportedly breaking DKIM keys due to modifying emails before DKIM validation, leading to failures. Root causes include content modifications, potential encoding issues, and differences in how systems interpret DKIM standards.

Key opinions

  • DKIM Breaking: Outlook is breaking DKIM keys for some customers.
  • Modification Suspected: Suspect Outlook modifies emails before DKIM validation.
  • Encoding Issues: Out-of-spec characters in encoding might be a contributing factor.
  • Canonicalization: DKIM canonicalization differences can lead to DKIM failures.

Key considerations

  • Investigate Modification: Determine how Outlook is modifying emails before DKIM validation.
  • Check Encoding: Look for and correct out-of-spec characters in email encoding.
  • Consider Canonicalization: Address potential DKIM canonicalization differences between systems.

Expert view

Expert from Word to the Wise explains that DKIM canonicalization issues can arise with Microsoft because they sometimes modify email content in transit. This modification invalidates the DKIM signature, as the hash of the message no longer matches the original. The article highlights how different systems have differing interpretations of the DKIM RFC, leading to canonicalization problems.

January 2024 - Word to the Wise
Expert view

Expert from Email Geeks states they are running into an issue where Outlook is breaking DKIM keys for some customers. They suspect Outlook is modifying the emails prior to DKIM validation, causing the failure, and refer to this article: <https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/>

May 2024 - Email Geeks
Expert view

Expert from Email Geeks shares they've seen similar issues recently. They suggest looking for out-of-spec characters in an encoding that Microsoft might be changing, or even tabs being converted to spaces.

August 2023 - Email Geeks

What the documentation says
5 technical articles

Documentation indicates that Outlook breaks DKIM primarily due to modifications made during the email handling process, especially when forwarding. These modifications, including changes to headers and message format, invalidate the DKIM signature. Correctly configuring SPF, DKIM, and DMARC, ensuring consistent message formatting, and using tools to re-sign altered emails are recommended to mitigate these issues.

Key findings

  • Forwarding Issues: Forwarding emails in Outlook can break DKIM due to modifications.
  • Message Alteration: Any alteration to the message body or headers invalidates DKIM signatures.
  • Format Changes: Outlook might change the message format during sending or forwarding, affecting DKIM.
  • Header Modifications: Modifications to email headers can invalidate DKIM signatures.

Key considerations

  • Configure SPF/DKIM: Correctly configure SPF and DKIM to ensure proper authentication.
  • Consistent Formatting: Ensure the sending server uses a consistent message format and character encoding.
  • Re-sign Emails: Use tools like dkimproxy to re-sign emails after they've been altered.
  • Implement DMARC: Correctly configure DMARC settings to properly manage emails.

Technical article

Documentation from RFC Editor, the official DKIM standard (RFC 6376), states that DKIM signatures are designed to be invalidated when the message body or headers are altered in transit. Any modification, including those by email clients like Outlook, can cause DKIM verification to fail.

November 2024 - RFC Editor
Technical article

Documentation from Microsoft Docs explains that forwarding emails in Outlook can break DKIM because of modifications made during the forwarding process. It recommends configuring SPF and DKIM correctly and educating users about the implications of forwarding.

September 2023 - Microsoft Docs
Technical article

Documentation from DMARC.org explains the importance of setting up email authentication (SPF, DKIM and DMARC), and explains how they work. Using these settings correctly will tell an email provider your email is valid.

June 2021 - DMARC.org
Technical article

Documentation from dkimproxy explains that modifications to email headers, including adding or removing fields, can invalidate DKIM signatures. It advises using tools like dkimproxy to re-sign emails after they've been altered.

January 2023 - dkimproxy
Technical article

Documentation from Microsoft Support details that Outlook might change the message format during sending or forwarding, affecting the DKIM signature. It recommends ensuring the sending server uses a consistent message format and character encoding.

October 2023 - Microsoft Support