DKIM Tags

DKIM Tags are commands which are used in the DKIM record. These commands are in the form of letters followed by an equal sign. Each letter or group of letters in a DKIM tag has a designated value which denotes different pieces of information about the sender's configured DKIM protocol.

There are different types of tags, according to their importance. These listed below.

Required Tags

The Required DKIM tags are an obligatory part of the DKIM record. The absence of these tags will result in your emails failure to verify.

v= is the DKIM version tag indicating the DKIM standard being used. The value should always be set to 1.

a= is a DKIM tag representing the cryptographic algorithm used to generate the signature. The usual value is rsa-sha256. If you’re using equipment with reduced CPU capabilities, you can opt to use rsa-sha1, although it’s not recommended due to security concerns.

s= is a DKIM tag indicating the selector record name used to locate the public key in a domain’s DNS. The value is usually a name or a number chosen by the sender.

d= defines the domain used with the selector record to locate public keys. The value for this tag is the domain name used by the sender.

b= is used for the hash data of the headers. It’s usually combined with the h= tag to create the DKIM signature and should be encoded in Base64.

bh= contains the computed hash of the message’s body. Its value is defined by a series of characters representing a hash determined by an algorithm.

h= lists the headers used in the signing algorithm to create the hash in the b= tag. The value of this tag can’t be removed or altered. The placement order of each header in the h=tag is the same order presented in a DKIM signature, so the same order should be presented during verification.

Optional Tags

As the title suggests, these tags are just recommended, not required and their absence from a DKIM record will not cause the emails to fail verification.

g= is a DKIM tag that works as the granularity of your public key. The value should always match the local part of the i=tag in your DKIM signature field. You can also add an asterisk (*) as a wildcard. This tag constrains the signing addresses from using the selector records. An email with a signing address that doesn’t match this tag fails verification.

h= indicates acceptable hash algorithms. It has a set of default values set to “sha1” and “sha256,” which are required by both signers and verifiers.

k= indicates the key type. It has a default value at “rsa” that must be supported by signers and verifiers as well.

n= is used by administrators. The default value is empty since the administrator uses it to place human-readable notes.

t= is one of the most useful DKIM signature tags. It works as a signature timestamp indicating the time the message is sent. The format of this tag is in numbered seconds from 00:00:00 on January 1st, 1970 (UTC).

x= is used as an expiration date for the signature; it complements the t= tag by imposing a due date for delivery. The value is also presented in numbered seconds, but it must be greater than the value of the timestamp if they’re used in the same DKIM signature.

t=y is used to indicate a domain testing DKIM signatures. It’s used by senders when DKIM is configured for the first time to ensure the verification goes swiftly. It’s recommended because some mailbox providers ignore DKIM signatures in test mode. Remove the tag before full deployment.

t=s is the replacement of t=y. It indicates that any DKIM signature using the i= tag needs to have the same domain value as the main domain. This verification is also called exact domain match. This tag doesn’t work with subdomains.

Not Recommended Tags

The below DKIM tags are unnecessary in any DKIM header.

l= indicates the number of characters from the message used to compute the body hash. The lack of this value leads to the assumption that the whole body of the message is used. It’s tricky to control and almost always leads to verification errors.

z= is a DKIM tag listing the original headers of any message. z= is used by mailbox providers to process diagnosis verifications errors. It usually differs from the headers listed in the h=tag. Since the tag’s value is not defined, it is best to keep it out of your DKIM signature.

Unrecognized Tags

If your DKIM signature has unrecognized tags, you’ll likely get errors in the verification process.

All the DKIM tags listed above are specified and detailed in RFC 6376.