DKIM tags are mechanisms or commands used in the DKIM record denoting specific pieces of information about the sender’s configured DKIM protocol. DKIM is short for DomainKeys Identified Mail, an email authentication protocol that works by using an encrypted digital signature. It’s also crucial for implementing and properly working the DMARC policy

A properly aligned DKIM signature allows email service providers to verify your domain. Tech giants like Google and Yahoo use this protocol to prevent phishing and spoofing

How DKIM Works?

The receiver’s server uses data in the email header and the domain’s official DKIM record to verify the authenticity of email messages. A DKIM signature header is placed at the top of an email. There are multiple DKIM tags that carry information about the sender so that the recipient’s server knows where to look to verify an email.

These tags are the informational component that displays specific values, each representing details about the body of the email. All the DomainKeys have a private key used for encrypting digital DKIM signatures. Apart from this, they also have a public key published in the domain’s DNS.

So, whenever emails are sent from your domain, the private key in the emails should match the public key. Otherwise, the message won’t reach the recipients’ mailboxes. This is a very quick process and doesn’t consume more than a few seconds. However, it only operates if you generate a DKIM record and add the correct DKIM authentication tags.

What is a Tag in the DKIM Record?

DKIM record tags are single letters used as commands and followed by an equal sign. All the letters have a DKIM tag that designated specific values representing pieces of information about the sender. Each tag includes details about the location of the public key used to encrypt the messages.

DKIM Tag Types 

You can classify DKIM tags by ‘required tags’ and ‘optional tags’ and the value of each is important in generating a DKIM record. There are some other DKIM tags that are classified as ‘not required’ or ‘not recommended’. You can set them depending upon the instances of their utility or requirements of each domain. You require the right DKIM authentication tags while adding a DKIM record to your DNS. Let’s know about these tags in detail.

Required Tags 

The Required DKIM tags are so important for the DKIM signature header that your message won’t pass the verification test without them. The recipient’s mailbox will discard emails without these tags. 

  • v= It is the version tag that denotes the DKIM standard being used. Its value is always set to 1.
  • a= This DKIM tag indicates the cryptographic algorithm used for creating the signature. The value used is rsa-sha256. If your computer has reduced CPU capabilities, you can use rsa-sha1. However, it isn’t recommended due to security reasons. 
  • s= It indicates the selector record name used for finding the public key in a domain’s DNS. You’ll enter a name or a number in this field.
  • d= It displays the domain used with the selector record to locate public keys. Its value is the same as the domain name used by the sender.
  • b= This DKIM tag is used for the header’s hash data. It’s usually paired with the h= tag for drafting the DKIM signature. It’s always encoded in Base64. 
  • bh= It has the computed hash of emails. Its value is a string of characters denoting a hash determined by an algorithm.
  • h= This tag enlists the headers seen in the signing algorithm to generate the hash in the b=tag. Its value can neither be removed nor changed. 

Optional Tags

Apart from DKIM signature tags, there are several optional tags. This means if your DKIM signature misses these tags, no error will occur at the time of verification. However, experts recommend using them to avoid email spoofing. 

Spoofers don’t assign time values, unlike genuine corporate emails. So, if your inbox notices incorrect time values for a sender, it’s more likely to reject the email completely. 

Recommended Tags

It’s encouraged to use the Recommended DKIM record tags as they assist the recipient’s server in the process. 

  • g= It works as the granularity of your public key and its value is the same as the local part of the i=tag. You can also enter an asterisk (*) as a wildcard. This DKIM tag blocks the signing addresses from using the selector records. Any email having a signing address not matching this tag fails verification. 
  • h= It denotes an acceptable hash algorithm and has specific values set to ‘sha1’ and ‘sha256’. These are needed by signers and verifiers.
  • k= It’s the key type. Its default value is set to ‘rsa’, which should be supported by signers and verifiers.
  • n= Administrators use this tag to add human-readable notes.
  • t= This is an important tag as it works as a signature timestamp showing the time the email is sent. The format of this tag is in numbered seconds from 00:00:00 on January 1st, 1970 (UTC).
  • x= This tag tells the signature’s expiry date. It complements the t=tag by assigning a delivery date. 
  • t=y It’s used to specify a domain testing signature and is used by senders when DKIM is set for the first time. It’s suggested as some mailbox providers overlook DKIM signatures in test mode. You must remove the tag before the complete deployment.
  • t=s is the replacement ofthe  t=y tag. It says that any DKIM signature using the i=tag must have the same domain value as the primary domain.

Not Required

You don’t need these DKIM tags if you’re creating a DKIM header for the first time. They tend to make your DKIM signature technical and complex. 

  • c= is a DKIM record tag that works as the canonicalization algorithm and describes the modification levels of an email mid-transit to another mailbox provider. It’s used to avoid minor modifications to emails in transit. This can otherwise cause a failed verification. Changes include white space or line wrappings.

Its value is set to either value1 or value2. Value1 is meant for the header while Value2 is for the message body. These can be set to ‘simple’ or ‘relaxed’ to specify the tolerance to modifications in the email. 

  • i= represents the user’s or agent’s identity. Its value is the email address having a domain and subdomain to your website, which is the same as the d=tag.

Not Recommended

These DKIM tags aren’t necessary for any DKIM header. These are used only when you’ve to control any of the specs mentioned below;

  • I= It specifies the number of characters from the message used to count the body hash. Without this value, you’ll have to assume that the whole body of the message is used.
  • z= It enlists the original headers of messages and is used by mailbox providers to operate diagnosis verification errors.