Understanding DKIM: syntax, tags, and email
DKIM is a cryptography-based email authentication protocol that lets a receiving server check whether an email claiming to come from a specific domain was actually authorized by that domain. If your domain has DKIM, then whenever you send an email, your server attaches a digital signature to the message headers. This signature is produced using a private key that is known only to you.
The counterpart of the private key is a public key that is published in your domain’s DNS so that any server on the internet can retrieve it for confirmation.
Once the receiving server receives your email, it retrieves the public key to verify its legitimacy and ensure no alterations were made to the message in transit.
Is DKIM useful?
DKIM is indeed a useful email authentication protocol that verifies an email’s legitimacy. It protects against phishing and spoofing, which could otherwise leave negative financial and reputational footprints.
You know what’s an added advantage over and above email authentication? Well, DKIM helps enhance your sender reputation, which means mailbox providers regard you as a genuine sender. Thus, most of your emails will land in the desired recipients’ inboxes instead of spam folders.
Deploying DKIM also helps your company comply with email security policies and standards, keeping you away from litigation.
DKIM syntax
DKIM publishes the public key and related information using a DNS TXT record. The syntax of a DKIM record includes several tags, each specifying a particular piece of information. Here are the most common tags used in DKIM records:
- v – It stands for the version tag, which specifies the DKIM version you are using. As of now, there is only one DKIM version, so its value is always v=DKIM1.
- a – This tells which algorithm you used to produce the DKIM signature. Common values are ‘rsa-sha256’ and ‘rsa-sha1’.
- b – It’s the actual digital signature of the email headers and body. This is a base64-encoded string generated using the private key.
- bh – It’s short for body hash, which is basically the hash of the canonicalized body part of the email. This is a base64-encoded hash value.
- c – This tag specifies the canonicalization algorithms used for the header and body. Common values are ‘simple/simple’, ‘relaxed/simple’, and ‘relaxed/relaxed’.
- d – This is the domain name of the signing entity. So, if you are the one creating the DKIM record, mention your domain name here. Please ensure the domain name exactly matches or is a subdomain of the domain used in the ‘From’ header of outgoing emails.
- h – It’s the list of signed header fields, separated by colons. Example: h=from:to:subject:date
- i – It’s an optional identity of the user or agent on behalf of whom the email is signed. A typical example: i=user@eng.example.com
- l – It’s called the body length count tag, which specifies the number of bytes of the body included in the hash.
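As an added example (not code from the original article), the Python below parses the tag=value list syntax that both a DKIM DNS TXT record and a DKIM-Signature header use, and runs the checks a receiving side performs on them before it spends a DNS lookup and a signature verification: required tags, the algorithm, whether From is among the signed headers, whether d= lines up with the From domain, the l= caveat, and a recomputation of bh= from the message body with the canonicalization named in c=. It also keeps the two places straight: v=DKIM1, k= and p= live in the DNS record, while v=1, a, b, bh, c, d, h, i, l and s are tags of the DKIM-Signature header added to each message. The DNS record, signature value, body, key and selector below are constructed placeholders; the signature itself is not checked here, since that needs a real key pair.

```python
import base64
import hashlib
import re

# Constructed sample values: placeholder key material and signature, not real ones.
SAMPLE_DNS_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64PUBLICKEY"
BODY = "Hello, world!\r\n"  # constructed message body covered by the sample signature


def parse_tag_list(text: str) -> dict:
    """tag=value list (RFC 6376): ';'-separated, folding whitespace ignored,
    duplicate tags rejected, whitespace inside b=/bh= base64 discarded."""
    tags = {}
    for spec in text.split(";"):
        if not spec.strip():
            continue  # a trailing ';' is allowed
        if "=" not in spec:
            raise ValueError(f"malformed tag-spec: {spec.strip()!r}")
        name, value = spec.split("=", 1)  # first '=' only: base64 padding also uses '='
        name, value = name.strip(), value.strip()
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"invalid tag name: {name!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        if name in ("b", "bh"):
            value = re.sub(r"\s+", "", value)
        tags[name] = value
    return tags


def canonicalize_body(body: str, method: str) -> bytes:
    """Body canonicalization named by the second half of the c= tag."""
    lines = body.split("\r\n")
    if method == "relaxed":  # collapse whitespace runs, drop trailing whitespace per line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization: {method}")
    while lines and lines[-1] == "":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()


def compute_body_hash(body: str, hash_name: str, method: str) -> str:
    """The bh= value: base64 of the digest of the canonicalized body."""
    digest = hashlib.new(hash_name, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()


# Constructed DKIM-Signature header value (the part after "DKIM-Signature:"), folded over lines.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;\r\n"
    " h=from:to:subject:date; bh=" + compute_body_hash(BODY, "sha256", "simple") + ";\r\n"
    " b=PLACEHOLDERSIGNATURE"
)


def check_dns_record(rec: dict) -> list:
    issues = []
    if rec.get("v") != "DKIM1":
        issues.append("DNS record must start with v=DKIM1")
    if "p" not in rec:
        issues.append("missing p= public key")
    elif rec["p"] == "":
        issues.append("empty p= means the key has been revoked")
    if rec.get("k", "rsa") not in ("rsa", "ed25519"):
        issues.append(f"unknown key type k={rec['k']}")
    return issues


REQUIRED_SIGNATURE_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def check_signature(sig: dict, from_domain: str) -> list:
    issues = [f"missing required tag {t}=" for t in REQUIRED_SIGNATURE_TAGS if t not in sig]
    if sig.get("v") != "1":
        issues.append("v= in a DKIM-Signature header is 1 (v=DKIM1 belongs to the DNS record)")
    algo = sig.get("a", "")
    if algo == "rsa-sha1":
        issues.append("rsa-sha1 is obsolete (RFC 8301); use rsa-sha256 or ed25519-sha256")
    elif algo not in ("rsa-sha256", "ed25519-sha256"):
        issues.append(f"unrecognized algorithm a={algo}")
    if "from" not in [h.strip().lower() for h in sig.get("h", "").split(":")]:
        issues.append("h= must include the From header")
    d, fd = sig.get("d", "").lower(), from_domain.lower()
    # exact match or a subdomain relation in either direction (approximates DMARC relaxed alignment)
    if d and not (d == fd or d.endswith("." + fd) or fd.endswith("." + d)):
        issues.append(f"d={d} does not align with the From domain {fd}")
    if "l" in sig:
        issues.append("l= limits the body hash to a prefix; anything appended past it is unsigned")
    return issues


def verify_body_hash(sig: dict, body: str) -> bool:
    """Recompute bh= from the received body with the a= hash and c= body canonicalization."""
    algo = sig.get("a", "")
    hash_name = algo.split("-", 1)[1] if "-" in algo else ""
    canon = sig.get("c", "simple/simple")
    body_method = canon.split("/", 1)[1] if "/" in canon else "simple"
    try:
        return compute_body_hash(body, hash_name, body_method) == sig.get("bh")
    except ValueError:  # unknown hash or canonicalization name
        return False


if __name__ == "__main__":
    print("DNS record issues:", check_dns_record(parse_tag_list(SAMPLE_DNS_RECORD)))
    sig = parse_tag_list(SAMPLE_SIGNATURE)
    print("signature issues:", check_signature(sig, "example.com"))
    print("body hash matches:", verify_body_hash(sig, BODY))
    print("after appending text:", verify_body_hash(sig, BODY + "P.S. added in transit\r\n"))
```

Running it prints empty issue lists for the constructed record and signature, True for the untouched body and False once a line is appended, which is exactly the in-transit alteration the bh= tag exists to expose. Swapping `c=relaxed/simple` for `relaxed/relaxed` in the sample shows the other side of the c= tag: under relaxed body canonicalization, extra spaces a relay inserts inside a line no longer break the hash.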
All these DKIM tags help you mention important information that allows the receiving server to verify if the emails sent from your domain are genuine. So, ensure you carefully create a DKIM record. If you need any assistance related to email authentication, please contact us.