Blacklisted by the DKIM Test (Body hash did not verify, Result: "fail") - ORF Forums

Blacklisted by the DKIM Test (Body hash did not verify, Result: "fail") RSS Back to forum



I have received this message several times from several senders. I haven't found a good explanation on what it means and what to do about it. Can you shed some light on what it means?
"Blacklisted by the DKIM Test (Body hash did not verify, Result: "fail")"

Thanks, - Robert

by We do IT 1 year ago

Hi Robert,

Usually it means that the Mail has been altered and the DKIM Hash doesn't match. You may verify, that the ORF transport agents are on priority 1 and 2 so that no other agent might be the culprit. But even than it could be caused because of other systems that you might not have under your control.


by NorbertFe 1 year ago

@We do IT: When the body hash verification fails, that means the computed hash of the message body does not agree with the body hash value stored in the "bh=" tag of the DKIM signature. This can be caused by several things:

>> The body of the email was modified by a forwarder, a smart-host or another filtering agent that runs before ORF.

>> The signature value was calculated incorrectly by the signer.

>> The public key specified in the DKIM-Signature header is wrong.

>> The public key published by the sender in their DNS is wrong.

>> Someone spoofed the email and signed it without having the correct private key.

To increase the chance of successful DKIM signature verification, adhere to the three rules below:

1. Only enable the DKIM Test on ORF servers that directly receive emails from the internet (i.e. the ones external mail servers connect to).

2. If you have multiple ORF servers, disable the DKIM Test on the "back-end" servers that receive incoming emails from other ORF servers or via other mail servers in your network.

3. Assign the highest priority to the "Vamsoft ORF SMTP Receive Agent" on your Exchange transport agent list - this way other agents will not be able to modify the email before the DKIM signature verification. Transport agents with a priority closest to 0 process email messages first. See the related help page at

When in doubt, you can always cross-check the DKIM signature using third-party DKIM verifier tools, such as the one available at:

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)


When I analyze headers using the Google tool, it always spits out a clean report.

Whenever I use the MX records tool, I almost always see an issue, such as, the DKIM doesn't check out or today, the body hash doesn't check out.

Does that always imply an issue with the EMAIL?

Also, whenever I sign into my Gmail using a browser, it always shows that I am signed in on another account. Why is that? Thanks

by gemini2 9 months ago

@gemini2: Hello gemini2,

In case you have issues with the DKIM Test in ORF, please send the following to for analysis:

- The email that should have passed DKIM signature verification (please save in .eml or .msg format);
- The corresponding log file (e.g. orfee-2020-02-21.log) from the day of the incident (you may find it on the configured logging path);
- Your ORF configuration file (located in [ORF v6.2+]: C:\ProgramData\ORF Fusion\ , or [ORF v5.x-v6.1.1]: C:\Program Files (x86)\ORF Fusion) ;
- And a short description of your system setup (e.g. front-end /back-end mail servers, non-transparent firewalls, other filtering agents running before ORF, etc.);

As for your Gmail-related question, its probably best if you contact Gmail support (

by Daniel Novak (Vamsoft) 9 months ago
(in reply to this post)


I have seen these same results from MXtoolbox on every header I have analyzed, including several fortune 500 tech companies. I assume the tool has a flaw.

by sphbecker 2 weeks ago

@sphbecker: Well even fortune 500 tech companies have their problems with DKIM and DMARC. Cisco is one of them. ;)

by NorbertFe 2 weeks ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2