Understanding DKIM: syntax, tags, and email
Quick Answer
DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail.
“DKIM is the authentication protocol that survives email forwarding,” says Brad Slavin, General Manager of DuoCircle. “When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.”
DKIM is a cryptography-based email authentication protocol that allows the receiving server to check whether an email claiming to come from a specific domain was actually authorized by that domain. If your domain has DKIM, then whenever you send an email, your server will attach a digital signature to the header. This signature is produced using a private key that is known only to you.
The counterpart of the private key is a public key that is published in your domain’s DNS so that any server on the internet can retrieve it for confirmation.
Once the receiving server receives your email, it retrieves the public key to verify the signature, confirming that the message is legitimate and that no alterations were made to it in transit.
Is DKIM useful?
DKIM is indeed a useful email authentication protocol that verifies an email’s legitimacy. It protects against phishing and spoofing, which could otherwise cause financial and reputational damage.
You know what’s an added advantage over and above email authentication? Well, DKIM helps enhance your sender reputation, which means mailbox providers regard you as a genuine sender. Thus, most of your emails will land in the desired recipients’ inboxes instead of spam folders.
Deploying DKIM also helps your company comply with email security policies and standards, keeping you away from litigation.
DKIM syntax
DKIM publishes the public key and related information using a DNS TXT record. The syntax of a DKIM record includes several tags, each specifying a particular piece of information. Here are the most common tags used in DKIM records:
- v – The version tag, which specifies the DKIM version you are using. As of now, there is only one DKIM version, so its value is always v=DKIM1.
- a – The algorithm you used to produce the DKIM signature. Common values are ‘rsa-sha256’ and ‘rsa-sha1’.
- b – The actual digital signature of the email headers and body. This is a base64-encoded string generated using the private key.
- bh – Short for body hash, which is the hash of the canonicalized body part of the email. This is a base64-encoded hash value.
- c – The canonicalization algorithms used for the header and body. Common values are ‘simple/simple’, ‘relaxed/simple’, and ‘relaxed/relaxed’.
- d – The domain name of the signing entity. So, if you are the one creating the DKIM record, mention your domain name here. Please ensure the domain name exactly matches or is a subdomain of the domain used in the ‘From’ header of outgoing emails.
- h – The list of signed header fields, separated by colons. Example: h=from:to:subject:date
- i – An optional identity of the user or agent on behalf of whom the email is signed. A general example: i=user@eng.example.com
- l – The body length count tag, which specifies the number of bytes of the body included in the hash.
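The tags above can be checked mechanically. The following added example (not code from the original page or from DuoCircle) parses a DKIM-Signature header value, where RFC 6376 carries these tags with v=1 while v=DKIM1 appears in the DNS key record, and flags settings a receiver or auditor would question. Assumptions: the function names and sample values are constructed for illustration, the s= selector tag and the RFC 8301 deprecation of rsa-sha1 come from the RFCs rather than the page, and the d= check follows the page's match-or-subdomain rule.

```python
import re

def parse_tags(value):
    # Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict.
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Folding whitespace inside values (b=, bh=, h=) is not significant.
        tags[name] = re.sub(r"\s+", "", val)
    return tags

def same_or_subdomain(child, parent):
    child, parent = child.lower().rstrip("."), parent.lower().rstrip(".")
    return child == parent or child.endswith("." + parent)

def lint_signature(header_value, from_domain):
    # Return findings for one DKIM-Signature header value.
    t, findings = parse_tags(header_value), []
    for req in ("v", "a", "b", "bh", "d", "h", "s"):  # s= is the selector
        if req not in t:
            findings.append(f"missing required tag {req}=")
    if t.get("a") == "rsa-sha1":
        findings.append("a=rsa-sha1 is deprecated by RFC 8301; sign with rsa-sha256")
    if "l" in t:
        findings.append("l= set: body bytes past that count are not covered by bh=")
    if "from" not in t.get("h", "").lower().split(":"):
        findings.append("h= does not list the From header")
    d = t.get("d", "")
    if d and not same_or_subdomain(d, from_domain):
        findings.append(f"d={d} is neither {from_domain} nor a subdomain of it")
    i = t.get("i")
    if i and d and not same_or_subdomain(i.rpartition("@")[2], d):
        findings.append(f"i={i} is outside the signing domain d={d}")
    return findings

# Constructed sample values, not taken from real mail.
GOOD = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
        "h=from:to:subject:date; bh=AAAA; b=BBBB")
WEAK = ("v=1; a=rsa-sha1; d=mail.other.example; s=sel1; l=120; "
        "i=user@eng.example.com; h=to:subject; bh=AAAA; b=BBBB")
```

Calling lint_signature(WEAK, "example.com") returns one finding per problem in the constructed header, while GOOD returns an empty list.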
All these DKIM tags carry the information that allows the receiving server to verify whether the emails sent from your domain are genuine. So, ensure you create your DKIM record carefully. If you need any assistance related to email authentication, please contact us.