I have a hosted VPS that is fully managed by the hosting company. For weeks they have been unable to figure out how to get DKIM working for my emails, even though cPanel's Email Authentication section says DKIM is enabled. However, testing shows that DKIM is failing for emails. I test this by sending an email to [email protected] and I get this:
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: fail (wrong body hash: expected 47DEQpj8HB***)
ID(s) verified:
Canonicalized Headers:
from:***
content-type:text/plain'0D''0A'
content-transfer-encoding:7bit'0D''0A'
subject:'0D''0A'
date:Sat,'20'10'20'Mar'20'2012'20'14:03:41'20'-0500'0D''0A'
to:[email protected]'0D''0A'
mime-version:1.0'20'(Apple'20'Message'20'framework'20'v1257)'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=***.com;'20's=mail;'20'h=From:Content-Type:'20'Content-Transfer-Encoding:Subject:Date:Message-Id:To:'20'Mime-Version;'20'bh=frcCV1k9oG9oKj3dp***;'20'b=
The hosting support said they generated the key and then updated my DNS, and I verified this in my Advanced DNS section in cPanel, but it still fails with the above error. I think I have shell access and know a thing or two about managing servers, so how can I try to resolve this myself or at least help the hosting support to fix it? I appreciate any help or advice.
Something is modifying the body of the email after it is signed.
Notice the error "Result: fail (wrong body hash: expected 47DEQpj8HB***)"?
That tells you a few things off the bat.
Part of how a DKIM signature is generated involves taking cryptographic one-way hashes of both the headers and the body, and then digitally signing those hashes with the RSA key.
The error tells you that the hash of the body is inconsistent with the body that the verifier is seeing. I.e., your DKIM-signing software saw a (probably only very slightly) different email body than the verifier saw. Find out why* and fix it. That will be your solution.
*You might want to compare the verifier's report of the body with what you think you sent. Something, likely filtering software on your hosting provider's end, made some change to the body content.
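The comparison suggested above can be done by recomputing the body hash locally. This is an added example, not part of the original answer: it implements RFC 6376 body canonicalization (simple and relaxed) and reports which mode reproduces a signature's bh= value; the function names and the sample signature are constructed for illustration. For reference, the two truncated prefixes in the report above are consistent with the empty-body hashes listed in RFC 6376: `47DEQpj8HB` begins the relaxed one and `frcCV1k9oG9oKj3dp` the simple one.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    body = re.sub(rb"\r\n|\r|\n", b"\r\n", body)   # accept files saved with bare LF
    if mode == "relaxed":
        # Collapse WSP runs to one space and drop WSP at the end of each line.
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                            for ln in body.split(b"\r\n"))
    while body.endswith(b"\r\n"):                  # ignore trailing empty lines
        body = body[:-2]
    # simple: an empty body becomes one CRLF; relaxed: an empty body stays empty.
    return body + b"\r\n" if (body or mode == "simple") else b""

def body_hash(body: bytes, mode: str, algo: str = "sha256") -> str:
    """Value a signer writes to, or a verifier compares against, the bh= tag."""
    return base64.b64encode(hashlib.new(algo, canon_body(body, mode)).digest()).decode()

def sig_tags(value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header value."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def diagnose(body: bytes, sig_value: str) -> dict:
    """Report which canonicalization (if any) reproduces the signature's bh=."""
    tags = sig_tags(sig_value)
    c = tags.get("c", "simple/simple")
    declared = c.split("/")[1] if "/" in c else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    hashes = {m: body_hash(body, m, algo) for m in ("simple", "relaxed")}
    return {"declared": declared, "bh": tags.get("bh"), "hashes": hashes,
            "matches": [m for m, h in hashes.items() if h == tags.get("bh")]}

# Constructed sample: a signature that declares relaxed body canonicalization but
# whose bh= was computed the "simple" way over an empty body.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; bh="
              + body_hash(b"", "simple"))

if __name__ == "__main__":
    report = diagnose(b"", SAMPLE_SIG)
    print("declared:", report["declared"], "| reproduces bh:", report["matches"])
    for mode, value in report["hashes"].items():
        print(f"  {mode:8s} {value}")
```

Feed `diagnose` the raw body of the message as sent and again as received, together with the DKIM-Signature value from the received copy; if neither body reproduces bh= under the declared mode, the signer and the verifier are not hashing the same bytes.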