What are DKIM Tags?
If you’re reading this, you want to learn about DKIM tags but first: What is DKIM? It’s an email verification standard that uses an encrypted digital signature. It’s also a critical component of any DMARC authentication policy.
A properly configured DKIM signature helps email service providers verify your domain. Companies like Google and Yahoo use DKIM! And others to check whether messages are authentic.
Recipient servers use data in the header of an email and a domain’s DKIM record to ascertain the legitimacy of a message.
A DKIM signature header goes at the top of the message. Thanks to several DKIM tags containing information about the sender, receiving servers know where to look to verify an email.
The tags are informational elements representing specific values. Each value indicates bits of information detailing everything there is to know about the body of the message.
All DomainKeys included in DKIM have a private key to encrypt the digital DKIM signature and a public key published in a domain’s DNS.
When a message is sent from your domain, the private key in your emails must match the public key for delivery to the recipient’s inbox.. This process doesn’t take more than a few seconds, but it only works if you create a DKIM record with the correct DKIM signature tags.
What is a Tag in the DKIM Record?
DKIM signature tags are single letters used as commands, followed by an equal sign. Each letter included in a DKIM tag has a designated value denoting different pieces of intel about an email sender. These tags also offer details about the message contained in the email and the location of the public key used to authenticate the message.
DKIM Tag Types
As you learn more about how DKIM records work and DKIM DNS record tags, you’ll find there are many informal elements. The best way to classify them is by required tags and optional tags.
The value of each determines its usefulness in your DKIM record. There are also a few tags that can be categorized as ‘not required’ or ‘not recommended.’ They get these denominations depending on the instances of their use or the requirements of your domain.
When you add a DKIM record to your DNS, you’ll need the correct DKIM DNS tags. Below you’ll find what each one means and how it’s used.
Required DKIM signature tags are essential to any DKIM signature header. If you don’t include these tags, your messages will fail verification and be discarded.
- v= is the DKIM version tag indicating the DKIM standard being used. The value should always be set to 1.
- a= is a DKIM tag representing the cryptographic algorithm used to generate the signature. The usual value is rsa-sha256. If you’re using equipment with reduced CPU capabilities, you can opt to use rsa-sha1, although it’s not recommended due to security concerns.
- s= is a DKIM tag indicating the selector record name used to locate the public key in a domain’s DNS. The value is usually a name or a number chosen by the sender.
- d= defines the domain used with the selector record to locate public keys. The value for this tag is the domain name used by the sender.
- b= is used for the hash data of the headers. It’s usually combined with the h= tag to create the DKIM signature and should be encoded in Base64.
- bh= contains the computed hash of the message’s body. Its value is defined by a series of characters representing a hash determined by an algorithm.
- h= lists the headers used in the signing algorithm to create the hash in the b= tag. The value of this tag can’t be removed or altered. The placement order of each header in the h=tag is the same order presented in a DKIM signature, so the same order should be presented during verification.
Besides the main DKIM signature tags, there’s a series of optional tags. If you have a DKIM signature missing any of these tags, no errors will occur during verification. Still, it’s best to use these tags as they can help weed out spam.
Remember, spammers don’t typically set time values on their messages, unlike regular corporate email. If your inbox notices incorrect time values for a sender, it’s more likely to reject the message.
- g= is a DKIM tag that works as the granularity of your public key. The value should always match the local part of the i=tag in your DKIM signature field. You can also add an asterisk (*) as a wildcard. This tag constrains the signing addresses from using the selector records. An email with a signing address that doesn’t match this tag fails verification.
- h= indicates acceptable hash algorithms. It has a set of default values set to “sha1” and “sha256,” which are required by both signers and verifiers.
- k= indicates the key type. It has a default value at “rsa” that must be supported by signers and verifiers as well.
- n= is used by administrators. The default value is empty since the administrator uses it to place human-readable notes.
- t= is one of the most useful DKIM signature tags. It works as a signature timestamp indicating the time the message is sent. The format of this tag is in numbered seconds from 00:00:00 on January 1st, 1970 (UTC).
- x= is used as an expiration date for the signature; it complements the t= tag by imposing a due date for delivery. The value is also presented in numbered seconds, but it must be greater than the value of the timestamp if they’re used in the same DKIM signature.
- t=y is used to indicate a domain testing DKIM signatures. It’s used by senders when DKIM is configured for the first time to ensure the verification goes swiftly. It’s recommended because some mailbox providers ignore DKIM signatures in test mode. Remove the tag before full deployment.
- t=s is the replacement of t=y. It indicates that any DKIM signature using the i= tag needs to have the same domain value as the main domain. (example: [email protected]). This tag doesn’t work with subdomains.
If you’re creating a DKIM header for the first time, you don’t need these tags. They can prove too technical and make your DKIM signature more complex than it should be.
- c= is a DKIM tag that works as the canonicalization algorithm. It defines the modification levels included in an email mid-transit to another mailbox provider. It’s placed because some email servers do minor modifications to emails in transit, which can result in a failed verification. Changes include white spaces or line wrappings.
The setting for this tag is presented at two values: value1/value2. Value1 is for the message’s header, while value2 is for the body. You can set both values to “simple” or “relaxed” to indicate tolerance to modifications in the email. Simple tends to be stricter, while the relaxed setting allows more changes.
- i= is a DKIM tag indicating the identity of the user or agent sending the message. The value is an email address that contains the domain or subdomain to your website, as defined in the d=tag.
The following DKIM signature tags are unnecessary in any DKIM header. You don’t have to use them unless you need to control any of the specs indicated in the description of these tags.
- l= indicates the number of characters from the message used to compute the body hash. The lack of this value leads to the assumption that the whole body of the message is used. It’s tricky to control and almost always leads to verification errors.
- z= is a DKIM tag listing the original headers of any message. z= is used by mailbox providers to process diagnosis verifications errors. It usually differs from the headers listed in the h=tag. Since the tag’s value is not defined, it is best to keep it out of your DKIM signature.
If your DKIM signature has unrecognized tags, you’ll likely get errors in the verification process. All the DKIM signature tags we listed are specified and detailed in RFC 6376.
Any dangling letter you see included in a DKIM signature doesn’t add anything to the header and should be ignored. Most email service providers hardly detect unrecognized tags, but some are pretty strict.
Your DKIM signature must be accurate by design. These digital signatures are a big part of DMARC protocols and enforce the authentication of all email messages on the internet.
Poor DKIM configuration can lead to deliverability failures and constant error messages. Ensure your IT team understands the meaning behind all DKIM signature tags for successful verification.
If you want to learn more about email security like DKIM vs. SPF, check out our blog posts. You can also find out about DMARC deployment, DNS records, DKIM vs. DMARC, and much more.
We have the most comprehensive guides on how to use DKIM to your advantage. Make sure you have a DKIM record with our DKIM lookup tool. If you don’t have one, you can always use our DKIM generator and improve the security of your website.