• Log In
  • Sign Up
  • Contact Us
PowerDMARC
  • Features
    • PowerDMARC
    • Hosted DKIM
    • PowerSPF
    • PowerBIMI
    • PowerMTA-STS
    • PowerTLS-RPT
    • PowerAlerts
  • Services
    • Deployment Services
    • Managed Services
    • Support Services
    • Service Benefits
  • Pricing
  • Power Toolbox
  • Partners
    • Reseller Program
    • MSSP Program
    • Technology Partners
    • Industry Partners
    • Find a partner
    • Become a Partner
  • Resources
    • DMARC: What is it and How does it Work?
    • Datasheets
    • Case Studies
    • DMARC in Your Country
    • DMARC by Industry
    • Support
    • Blog
    • DMARC Training
  • About
    • Our company
    • Clients
    • Contact us
    • Book a demo
    • Events
  • Menu Menu

What are DKIM Tags?

Blogs
What are DKIM Tags

DKIM tags are mechanisms or commands used in the DKIM record denoting specific pieces of information about the sender’s configured DKIM protocol. DKIM is short for DomainKeys Identified Mail, an email authentication protocol that works by using an encrypted digital signature. It’s also crucial for implementing and properly working the DMARC policy. 

A properly aligned DKIM signature allows email service providers to verify your domain. Tech giants like Google and Yahoo use this protocol to prevent phishing and spoofing. 

How DKIM Works?

The receiver’s server uses data in the email header and the domain’s official DKIM record to verify the authenticity of email messages. A DKIM signature header is placed at the top of an email. There are multiple DKIM tags that carry information about the sender so that the recipient’s server knows where to look to verify an email.

These tags are the informational component that displays specific values, each representing details about the body of the email. All the DomainKeys have a private key used for encrypting digital DKIM signatures. Apart from this, they also have a public key published in the domain’s DNS.

So, whenever emails are sent from your domain, the private key in the emails should match the public key. Otherwise, the message won’t reach the recipients’ mailboxes. This is a very quick process and doesn’t consume more than a few seconds. However, it only operates if you generate a DKIM record and add the correct DKIM authentication tags.

What is a Tag in the DKIM Record?

DKIM record tags are single letters used as commands and followed by an equal sign. All the letters have a DKIM tag that designated specific values representing pieces of information about the sender. Each tag includes details about the location of the public key used to encrypt the messages.

DKIM Tag Types 

You can classify DKIM tags by ‘required tags’ and ‘optional tags’ and the value of each is important in generating a DKIM record. There are some other DKIM tags that are classified as ‘not required’ or ‘not recommended’. You can set them depending upon the instances of their utility or requirements of each domain. You require the right DKIM authentication tags while adding a DKIM record to your DNS. Let’s know about these tags in detail.

Required Tags 

The Required DKIM tags are so important for the DKIM signature header that your message won’t pass the verification test without them. The recipient’s mailbox will discard emails without these tags. 

  • v= It is the version tag that denotes the DKIM standard being used. Its value is always set to 1.
  • a= This DKIM tag indicates the cryptographic algorithm used for creating the signature. The value used is rsa-sha256. If your computer has reduced CPU capabilities, you can use rsa-sha1. However, it isn’t recommended due to security reasons. 
  • s= It indicates the selector record name used for finding the public key in a domain’s DNS. You’ll enter a name or a number in this field.
  • d= It displays the domain used with the selector record to locate public keys. Its value is the same as the domain name used by the sender.
  • b= This DKIM tag is used for the header’s hash data. It’s usually paired with the h= tag for drafting the DKIM signature. It’s always encoded in Base64. 
  • bh= It has the computed hash of emails. Its value is a string of characters denoting a hash determined by an algorithm.
  • h= This tag enlists the headers seen in the signing algorithm to generate the hash in the b=tag. Its value can neither be removed nor changed. 

Optional Tags

Apart from DKIM signature tags, there are several optional tags. This means if your DKIM signature misses these tags, no error will occur at the time of verification. However, experts recommend using them to avoid email spoofing. 

Spoofers don’t assign time values, unlike genuine corporate emails. So, if your inbox notices incorrect time values for a sender, it’s more likely to reject the email completely. 

Recommended Tags

It’s encouraged to use the Recommended DKIM record tags as they assist the recipient’s server in the process. 

  • g= It works as the granularity of your public key and its value is the same as the local part of the i=tag. You can also enter an asterisk (*) as a wildcard. This DKIM tag blocks the signing addresses from using the selector records. Any email having a signing address not matching this tag fails verification. 
  • h= It denotes an acceptable hash algorithm and has specific values set to ‘sha1’ and ‘sha256’. These are needed by signers and verifiers.
  • k= It’s the key type. Its default value is set to ‘rsa’, which should be supported by signers and verifiers.
  • n= Administrators use this tag to add human-readable notes.
  • t= This is an important tag as it works as a signature timestamp showing the time the email is sent. The format of this tag is in numbered seconds from 00:00:00 on January 1st, 1970 (UTC).
  • x= This tag tells the signature’s expiry date. It complements the t=tag by assigning a delivery date. 
  • t=y It’s used to specify a domain testing signature and is used by senders when DKIM is set for the first time. It’s suggested as some mailbox providers overlook DKIM signatures in test mode. You must remove the tag before the complete deployment.
  • t=s is the replacement ofthe  t=y tag. It says that any DKIM signature using the i=tag must have the same domain value as the primary domain.

Not Required

You don’t need these DKIM tags if you’re creating a DKIM header for the first time. They tend to make your DKIM signature technical and complex. 

  • c= is a DKIM record tag that works as the canonicalization algorithm and describes the modification levels of an email mid-transit to another mailbox provider. It’s used to avoid minor modifications to emails in transit. This can otherwise cause a failed verification. Changes include white space or line wrappings.

Its value is set to either value1 or value2. Value1 is meant for the header while Value2 is for the message body. These can be set to ‘simple’ or ‘relaxed’ to specify the tolerance to modifications in the email. 

  • i= represents the user’s or agent’s identity. Its value is the email address having a domain and subdomain to your website, which is the same as the d=tag.

Not Recommended

These DKIM tags aren’t necessary for any DKIM header. These are used only when you’ve to control any of the specs mentioned below;

  • I= It specifies the number of characters from the message used to count the body hash. Without this value, you’ll have to assume that the whole body of the message is used.
  • z= It enlists the original headers of messages and is used by mailbox providers to operate diagnosis verification errors.

DKIM tags

  • About
  • Latest Posts
Ahona Rudra
Digital Marketing & Content Writer Manager at PowerDMARC
Ahona works as a Digital Marketing and Content Writer Manager at PowerDMARC. She is a passionate writer, blogger, and marketing specialist in cybersecurity and information technology.
Latest posts by Ahona Rudra (see all)
  • Methods To Protect Yourself From Identity Theft - September 29, 2023
  • The Role of DNS in Email Security - September 29, 2023
  • New Age Phishing Threats and How to Plan Ahead - September 29, 2023
January 2, 2023/by Ahona Rudra
Tags: DKIM authentication tags, DKIM record tags, DKIM tags
Share this entry
  • Share on Facebook
  • Share on Twitter
  • Share on WhatsApp
  • Share on LinkedIn
  • Share by Mail

Secure Your Email

Stop Email Spoofing and Improve Email Deliverability

15-day Free trial!


Categories

  • Blogs
  • News
  • Press Releases

Latest Blogs

  • Methods To Protect Yourself From Identity Theft
    Methods To Protect Yourself From Identity TheftSeptember 29, 2023 - 12:11 pm
  • The Role of DNS in Email Security
    The Role of DNS in Email SecuritySeptember 29, 2023 - 12:08 pm
  • New Age Phishing Threats and How To Plan Ahead
    New Age Phishing Threats and How to Plan AheadSeptember 29, 2023 - 12:06 pm
  • How to View and Analyze Message Headers Online
    How to View and Analyze Message Headers Online?September 26, 2023 - 12:59 pm
logo footer powerdmarc
SOC2 GDPR PowerDMARC GDPR comliant crown commercial service
global cyber alliance certified powerdmarc csa

Knowledge

What is Email Authentication?
What is DMARC?
What is DMARC Policy?
What is SPF?
What is DKIM?
What is BIMI?
What is MTA-STS?
What is TLS-RPT?
What is RUA?
What is RUF?
AntiSpam vs DMARC
DMARC Alignment
DMARC Compliance
DMARC Enforcement
BIMI Implementation Guide
Permerror
MTA-STS & TLS-RPT Implementation Guide

Tools

Free DMARC Record Generator
Free DMARC Record Checker
Free SPF Record Generator
Free SPF Record Lookup
Free DKIM Record Generator
Free DKIM Record Lookup
Free BIMI Record Generator
Free BIMI Record Lookup
Free FCrDNS Record Lookup
Free TLS-RPT Record Checker
Free MTA-STS Record Checker
Free TLS-RPT Record Generator

Product

Product Tour
Features
PowerSPF
PowerBIMI
PowerMTA-STS
PowerTLS-RPT
PowerAlerts
API Documentation
Managed Services
Email Spoofing Protection
Brand Protection
Anti Phishing
DMARC for Office365
DMARC for Google Mail GSuite
DMARC for Zimbra
Free DMARC Training

Try Us

Contact Us
Free Trial
Book Demo
Partnership
Pricing
FAQ
Support
Blog
Events
Feature Request
Change Log
System Status

  • Français
  • Dansk
  • Nederlands
  • Deutsch
  • Русский
  • Polski
  • Español
  • Italiano
  • 日本語
  • 中文 (简体)
  • Português
  • Norsk
  • Svenska
  • 한국어
© PowerDMARC is a registered trademark.
  • Twitter
  • Youtube
  • LinkedIn
  • Facebook
  • Instagram
  • Contact us
  • Terms & Conditions
  • Privacy Policy
  • Cookie Policy
  • Security Policy
  • Compliance
  • GDPR Notice
  • Sitemap
How To Export DNS Records?How to export DNS recordsWhat is a TLS HandshakeWhat is a TLS Handshake?
Scroll to top