DKIM Body Hash (bh=)
Learn what the DKIM Body Hash (bh=) tag is, how it ensures message integrity, and how DMARCeye detects body hash mismatches across email authentications.
What is DKIM Body Hash (bh=)?
The DKIM Body Hash (bh=) is a component of a DomainKeys Identified Mail (DKIM) signature that represents a cryptographic digest of the email’s body content. It ensures that the message has not been altered after it was signed by the sending server. When a receiving mail server validates DKIM, it recalculates the body hash and compares it to the value in the “bh=” tag of the DKIM-Signature header.
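If the calculated and stored hashes match, the message body is verified as intact and authentic. The “bh=” comparison covers only the body; the signature in the “b=” tag, which covers the signed headers and the DKIM-Signature header itself (including “bh=”), must also verify for DKIM to pass. If the hashes differ, the message fails DKIM validation, signaling that the content may have been modified in transit or tampered with by an intermediary.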
How the DKIM Body Hash Works
When an outgoing mail server signs a message using DKIM, it performs the following steps:
- Normalizes the message body using a chosen canonicalization method (such as “simple” or “relaxed”)
- Computes a cryptographic hash (usually SHA-256) of the normalized body
- Encodes the hash value in Base64 format and stores it in the DKIM header’s “bh=” field
Example DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    b=G9k0...
Why the Body Hash Matters
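The body hash provides message integrity by detecting unauthorized changes. Even minor edits (like added spaces or hidden characters) can cause DKIM verification to fail, depending on the canonicalization method: “simple” tolerates almost no change to the body, while “relaxed” ignores whitespace at the end of lines and collapses runs of whitespace within a line. It protects against: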
- Injection of malicious links or attachments
- Unauthorized content modification by relays
- Corruption during forwarding or encoding
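The signing steps and the sensitivity to small edits described above, as an added Python example (not DMARCeye code). It implements the RFC 6376 "simple" and "relaxed" body canonicalizations and recomputes bh= the way a receiver would. The sample bodies are constructed, and the bh= value in the example signature above turns out to be the SHA-256 hash of an empty body under "relaxed".

```python
import base64
import hashlib
import re

# bh= value from the example signature on this page
PAGE_BH = "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="

def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 section 3.4; expects CRLF line endings."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown canonicalization: {method!r}")
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Collapse runs of space/tab to one space, then drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both methods ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    canon = b"".join(ln + b"\r\n" for ln in lines)
    # "simple" turns an empty body into a single CRLF; "relaxed" leaves it empty.
    return canon if canon or method == "relaxed" else b"\r\n"

def body_hash(body: bytes, method: str = "relaxed") -> str:
    """Base64 SHA-256 digest of the canonicalized body, as stored in bh=."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_bh(body: bytes, bh_tag: str, method: str = "relaxed") -> bool:
    """Recompute the hash as a receiver would and compare with the bh= tag."""
    # Folding whitespace inside the tag value is not significant.
    return body_hash(body, method) == "".join(bh_tag.split())

# Constructed sample bodies (not real mail).
SIGNED = b"Your invoice is attached.\r\nRegards,\r\nBilling\r\n"
# A relay re-wrapped whitespace and appended a blank line.
REFLOWED = b"Your  invoice is attached. \r\nRegards,\r\nBilling\r\n\r\n"
# A gateway appended a footer after signing.
FOOTER = SIGNED + b"--\r\nScanned by mail gateway\r\n"

if __name__ == "__main__":
    print("empty body, relaxed:", body_hash(b"") == PAGE_BH)
    for name, body in (("reflowed", REFLOWED), ("footer", FOOTER)):
        for method in ("simple", "relaxed"):
            ok = verify_bh(body, body_hash(SIGNED, method), method)
            print(f"{name:9} c={method:8} bh match: {ok}")
```

Whitespace-only changes survive "relaxed" but break "simple", while the appended footer breaks both, which is why gateways that rewrite bodies after signing show up as bh= mismatches.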
DKIM Body Hash and DMARCeye
DMARCeye analyzes DKIM signatures in authentication reports to verify body hash integrity across all messages. It identifies cases where “bh=” mismatches occur and correlates them with sending systems, gateways, or relays responsible for the modification.
By visualizing DKIM body hash validation results, DMARCeye helps administrators pinpoint which messages were altered and by which intermediary. This insight improves message reliability, compliance, and delivery performance while preventing subtle integrity attacks that could compromise trust.
With DMARCeye’s advanced DKIM analytics, organizations can monitor how their signing domains perform across global mail flows and ensure that every authenticated message remains unmodified from origin to inbox.