DKIM Signature Tags

DKIM is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient.

DKIM tags are located within the actual DKIM-Signature header data. A tag is typically a single letter followed by an equal sign (=). The value of each DKIM tag carries a specific piece of information about the email sender, the message itself, or the location of the public key.

There are several tags available to an email sender using DKIM, with some being required and some being optional. If a required tag is omitted from the DKIM signature, a verification error will occur at the mailbox provider. Of note, tags included in the DKIM signature that do not have a value assigned are treated as having an empty value. However, tags not included in the DKIM signature are treated as having their default value.

Required DKIM Tags

Below are the required tags of a DKIM-Signature header. Any DKIM signatures missing these tags will produce an error during the verification process.

v=

version of DKIM standard being used. The value should always be set to 1.

a=

cryptographic algorithm used to generate the signature. The value should be rsa-sha256.

d=

domain used with the selector record (s=) to locate the public key. The value is a domain name owned by the sender.

s=

selector record name used with the domain to locate the public key in DNS. The value is a name or number created by the sender.

h=

list of headers that will be used in the signing algorithm to create the hash found in the b= tag. The order of the headers in the h= tag is the order in which they were presented during DKIM signing; therefore, it is also the order in which they should be presented during verification. The value should list header fields that will not be changed or removed in transit.

bh=

computed hash of the message body. The value is a string of characters representing the hash determined by the hash algorithm.

b=

cryptographic signature of the headers listed in the h= tag. This value is also called the DKIM signature.

Optional DKIM Tags

Recommended

Below are the optional tags that are typically recommended in a DKIM-Signature header. DKIM signatures missing these tags will not produce an error during verification, but they are recommended as a means to help identify spam.

Note: Spammers do not normally set time values. Empty or incorrect time values, such as an expiration time dated before the email timestamp, will cause some mailbox providers to reject the message.

t=

DKIM signature timestamp. It indicates the time the message was sent. The format is the number of seconds since 00:00:00 on January 1, 1970 (UTC).

x=

DKIM signature expiration time in the same format as above. The value of this tag must be greater than the value of the timestamp tag if both are used in the DKIM signature. DKIM signatures could be considered invalid if the verification time at the verifier is past the expiration date, so be sure not to set the expiration date too soon.

Not Required

Below are the optional tags that are not required in the DKIM signature.

c=

canonicalization algorithm, which tells the mailbox provider how much modification of the message in transit (such as whitespace changes or line wrapping) the signature tolerates. Some email servers make minor modifications to the email during transit, which can invalidate the signature.

i=

identity of the user or agent. The value is an email address containing the domain or subdomain as defined in the d= tag.

Not Recommended

Below are the optional tags that are not recommended in any DKIM signature.

l=

number of characters from the message body that were used to compute the body hash (bh=). If this value is not present, it is assumed the entire message body was used. This tag can be difficult to control and could lead to verification errors.

z=

list of the message’s original headers; it may differ from the headers listed in the h= tag. This tag may be used by some mailbox providers when diagnosing a verification error. Its value is not well defined.
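As an added example (not code from the original page), a small Python parser and pre-verification checker for the tag=value syntax described above: it splits a DKIM-Signature value into tags, applies defaults only for absent tags, keeps present-but-empty tags as empty, and checks the required tags and the t=/x= ordering. The sample header value, including its bh= and b= strings, is a constructed placeholder.

```python
import re

# Tags RFC 6376 requires in every DKIM-Signature header (the list above).
REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")
# Defaults for absent optional tags (c= default per RFC 6376); a tag written
# as "x=" with nothing after it stays "", which is distinct from absent.
DEFAULTS = {"c": "simple/simple", "l": None, "i": None, "t": None, "x": None}

# Constructed sample header value (folded); bh= and b= are placeholders.
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024;\r\n"
    "\tt=1700000000; x=1700604800; h=From:To:Subject:Date;\r\n"
    "\tbh=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=;\r\n"
    "\tb=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into {tag: value}, stripping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing semicolon or empty segment
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag-spec: {part!r}")
        tags[name] = re.sub(r"\s+", "", value)  # tag values never contain whitespace
    return tags

def effective_tags(tags: dict) -> dict:
    """Apply defaults for absent optional tags; present-but-empty values stay empty."""
    return {**DEFAULTS, **tags}

def check_dkim_tags(tags: dict, now: int) -> list:
    """Return the structural problems a verifier reports before any crypto."""
    problems = []
    for name in REQUIRED_TAGS:
        if name not in tags:
            problems.append(f"missing required tag {name}=")
        elif tags[name] == "":
            problems.append(f"required tag {name}= present but empty")
    if tags.get("v", "1") != "1":
        problems.append(f"unsupported version v={tags['v']}")
    t, x = tags.get("t"), tags.get("x")
    if t and x and t.isdigit() and x.isdigit() and int(x) <= int(t):
        problems.append("x= is not later than t=")
    if x and x.isdigit() and int(x) < now:
        problems.append("signature expired")
    return problems
```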
