DKIM is short for DomainKeys Identified Mail, an email authentication protocol that works by using an encrypted digital signature. It’s also a complementary protocol that can be paired with your DMARC policy.

The DKIM protocol can be implemented by setting a record in your DNS, made from a combination of DKIM tags and their corresponding values. In this blog, we are diving into detailed explanations of required, optional, recommended, and discouraged DKIM signature tags with examples.

What are DKIM Tags?

DKIM tags are instructions in the DKIM record specifying details about the sender for digital signature verification.

A properly configured DKIM signature tags allow email service providers to authenticate your email messages. Tech giants like Google and Yahoo have mandated this protocol for email senders to prevent spam, phishing and spoofing.

How DKIM Signature Tags Work

The receiver’s server uses data in the email header and the domain’s official DKIM record to verify the authenticity of email messages. A DKIM signature header is appended to the outgoing email. Multiple DKIM signature tags carry information about the sender so that the recipient’s server knows where to look to verify an email.

These DKIM signature tags are the informational component that displays specific values, each representing details about the body of the email. All the DomainKeys have a private key used for encrypting digital DKIM signatures. Apart from this, they also have a public key published in the domain’s DNS.

So, whenever emails are sent from your domain, the private key in the emails should match the public key. Otherwise, the message won’t reach the recipients’ mailboxes. This is a very quick process and doesn’t consume more than a few seconds. However, it only operates if you generate a DKIM record and add the correct DKIM DNS tags.

DKIM Record Tags Explained

DKIM DNS record tags are single letters used as commands and followed by an equal sign. All the letters have a DKIM tag that designated specific values representing pieces of information about the sender. Each DKIM signature tag includes details about the location of the public key used to encrypt the messages.

DKIM Tag Types

You can classify DKIM signature tags by ‘required tags’ and ‘optional tags’ and the value of each is important in generating a DKIM record. There are some other DKIM signature tags that are classified as ‘not required’ or ‘not recommended’. You can set them depending upon the instances of their utility or requirements of each domain. You require the right DKIM authentication tags while adding a DKIM record to your DNS. Let’s know about these tags in detail.

Mandatory DKIM Tags

The Required DKIM tags are so important for the DKIM signature header that your message won’t pass the verification test without them. The recipient’s mailbox will discard emails without these tags.

v= It is the DKIM version tag that denotes the DKIM standard being used. Its value is always set to 1.
a= This DKIM tag indicates the cryptographic algorithm used for creating the signature. The value used is rsa-sha256. If your computer has reduced CPU capabilities, you can use rsa-sha1. However, it isn’t recommended due to security reasons.
s= It indicates the DKIM selector tag used for finding the public key in a domain’s DNS. You’ll enter a name or a number in this field.
d= The DKIM domain tag displays the domain used with the selector record to locate public keys. Its value is the same as the domain name used by the sender.
b= The DKIM body tag is used for the header’s hash data. It’s usually paired with the h= tag for drafting the DKIM signature. It’s always encoded in Base64.
bh= The DKIM body hash tag has the computed hash of emails. Its value is a string of characters denoting a hash determined by an algorithm.
h= This tag enlists the headers seen in the signing algorithm to generate the hash in the b=tag. Its value can neither be removed nor changed.

Optional DKIM Tags

Apart from DKIM signature tags, there are several optional tags. This means if your DKIM signature misses these tags, no error will occur at the time of verification. However, experts recommend using them to avoid email spoofing.

Spoofers don’t assign time values, unlike genuine corporate emails. So, if your inbox notices incorrect time values for a sender, it’s more likely to reject the email completely.

Optional Yet Recommended DKIM Tags

It’s encouraged to use these recommended DKIM record tags as they assist the recipient’s server in the verification process.

g= It works as the granularity of your public key and its value is the same as the local part of the i=tag. You can also enter an asterisk (*) as a wildcard. This DKIM tag blocks the signing addresses from using the selector records. Any email having a signing address not matching this tag fails verification.
h= It denotes an acceptable hash algorithm and has specific values set to ‘sha1’ and ‘sha256’. Signers and verifiers need these.
k= It’s the key type. Its default value is set to ‘rsa’, which should be supported by signers and verifiers.
n= Administrators use this tag to add human-readable notes.
t= This is an important tag as it works as a signature timestamp showing the time the email is sent. The format of this tag is in numbered seconds from 00:00:00 on January 1st, 1970 (UTC).
x= This tag tells the signature’s expiry date. It complements the t=tag by assigning a delivery date.
t=y It’s used to specify a domain testing signature and is used by senders when DKIM is set for the first time. It’s suggested since some mailbox providers overlook DKIM signatures in test mode. You must remove the tag before the complete deployment.
t=s is the replacement of the t=y tag. It says that any DKIM signature using the i=tag must have the same domain value as the primary domain.

Not Required

You don’t need these DKIM signature tags if you’re creating a DKIM header for the first time. They tend to make your DKIM signature technical and complex.

c= is a DKIM record tag that works as the canonicalization algorithm and describes the modification levels of an email mid-transit to another mailbox provider. It’s used to avoid minor modifications to emails in transit. This can otherwise cause a failed verification. Changes include white space or line wrappings.

Its value is set to either value1 or value2. Value1 is meant for the header while Value2 is for the message body. These can be set to ‘simple’ or ‘relaxed’ to specify the tolerance to modifications in the email.

i= represents the user’s or agent’s identity. Its value is the email address having a domain and subdomain to your website, which is the same as the d=tag.

Not Recommended

These DKIM DNS tags aren’t necessary for any DKIM header. These are used only when you’ve to control any of the specs mentioned below;

l= The DKIM length tag facilitates partial signing of the message body denoted by the number of bits to be signed. This tag is not recommended as it leaves your message vulnerable to tampering.
z= It enlists the original headers of messages and is used by mailbox providers to operate diagnosis verification errors.

Final Takeaways

Implementing and Managing your DKIM protocol may require expertise, time, and effort, which is often times far beyond your bandwidth. That is why organizations choose our hosted DKIM solution. We help generate DKIM records, set up your DKIM signature tags, and manage your DKIM selectors and keys on a single platform!

Furthermore, we provide expert assistance in configuring complementary protocols like DMARC and SPF to strengthen your defenses against email-based attacks.

To learn more, and get a customized domain security strategy for organizations that are tried and tested to improve your deliverability – contact us today!

About
Latest Posts

Ahona Rudra

Domain & Email Security Expert at PowerDMARC

Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.

DKIM Tags: Required & Optional Tags