Some emails sent through CDS in reflect mode are not being delivered. The receiving side’s antispam solution rejects these emails with an SMTP 550 5.7.x error, a class of codes used when the recipient rejects a message for policy reasons (e.g., antispam or failed authentication).
When this occurs, a Non-Delivery Report (NDR) is typically generated and sent to the sender. The NDR contains details about the rejection, including the SMTP error code and sometimes a diagnostic message from the recipient’s antispam system.
Often, the error received is generic, and further clarification may be required from the recipient’s email administrator or antispam solution provider.
In this specific scenario, further investigation shows that the emails are being rejected due to a DKIM body hash mismatch, which causes the authentication check to fail.
Microsoft 365 with CDS in reflect mode
DKIM body hash mismatches occur when the email body is modified after the DKIM signature has been applied. The hash that the receiver calculates over the received body then no longer matches the body hash recorded in the signature (the bh= tag).
Common causes include:
Automatic additions such as email footers, disclaimers, or signatures.
Transport rules that modify the message body after it has been signed.
In CDS reflect mode, the message body is not modified; only headers are adjusted. Since the DKIM body hash is based solely on the message body, CDS itself should not cause a body hash mismatch.
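The following added example (not part of the original article and not CDS or Microsoft code) recomputes the DKIM body hash as a receiver would under RFC 6376 and compares it with bh=, showing that an added header leaves the hash intact while an appended footer breaks it. The message, domain, selector, X-Relay header and b= value are constructed placeholders; only the body hash is checked, not the signature itself.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """DKIM body canonicalization (RFC 6376, 3.4.3 simple / 3.4.4 relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space, drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def body_hash_ok(raw: bytes) -> bool:
    """True if the received body still matches bh= in DKIM-Signature.
    Checks the body hash only; b= and the l= tag are not evaluated."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode()
    sig = re.search(r"(?im)^DKIM-Signature:(.*)$", unfolded).group(1)
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, mode) == re.sub(r"\s+", "", tags["bh"])

BODY = b"Hi team,\r\n\r\nInvoice attached.\r\n"  # constructed sample body

def build(body: bytes, extra_header: bytes = b"") -> bytes:
    # bh= is fixed at signing time over BODY; b= is a placeholder value.
    sig = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
           b" d=example.com; s=sel1; bh=" + body_hash(BODY).encode()
           + b"; b=PLACEHOLDER\r\n")
    return extra_header + sig + b"From: a@example.com\r\n\r\n" + body

def demo() -> dict:
    ws_only = b"Hi team,  \r\n\r\nInvoice attached.\r\n\r\n"
    return {
        "unchanged": body_hash_ok(build(BODY)),
        "header added in transit": body_hash_ok(build(BODY, b"X-Relay: hop1\r\n")),
        "trailing whitespace only": body_hash_ok(build(ws_only)),
        "footer appended": body_hash_ok(build(BODY + b"-- \r\nScanned\r\n")),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26} body hash {'match' if ok else 'MISMATCH'}")
```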
To resolve this issue: