DKIM Signature Tags, A Primer

DKIM is a form of email authentication that allows an organization to claim responsibility for a message by signing it in a way that can be validated by the recipient. DKIM Authentication is an important part of DMARC compliance and obtaining the best email deliverability possible for your domain.

DKIM tags are located within the actual DKIM-Signature header data. A tag is typically a single letter followed by an equal sign (=). The value of each DKIM tag denotes a specific piece of intel about the email sender, the message itself, and its public key location.

There are several tags available to an email sender using DKIM, with some being required and some being optional. If a required tag is omitted in the DKIM signature, a verification error with the mailbox provider will occur. Of note, tags included in the DKIM signature that do not have a value assessed are treated as having an empty value. However, tags not included in the DKIM signature are treated as having the default value.

Required DKIM Tags

Below are the required tags of a DKIM-Signature header. Any DKIM signatures missing these tags will produce an error during the verification process.

  • v= version of DKIM standard being used. The value should always be set to 1.  
  • a= cryptographic algorithm used to generate the signature. The value should be rsa-sha256.
  • d= domain used with the selector record (s=) to locate the public key. The value is a domain name owned by the sender.
  • s= selector record name used with the domain to locate the public key in DNS. The value is a name or number created by the sender.
  • h= list of headers that will be used in the signing algorithm to create the hash found in the b= tag. The order of the headers in the h= tag is the order in which they were presented during DKIM signing; therefore, it is also the order in which they should be presented during verification. The value is a list of header fields that will not change or be removed.
  • bh= computed hash of the message body. The value is a string of characters representing the hash determined by the hash algorithm.
  • b= cryptographic signature of the headers listed in the h= tag. This hash is also called the DKIM signature.

Optional DKIM Tags


Below are the optional tags that are typically recommended in a DKIM-Signature header. DKIM signatures missing these tags will not produce an error during verification, but they are recommended as a means to help identify spam.

Note: Spammers do not normally set time values. Empty or incorrect time values, such as an expiration time dated before the email timestamp, will cause some mailbox providers to reject the message.

  • t= DKIM signature timestamp. It is meant to indicate the time the message is sent. The format is the number of seconds from 00:00:00 on January 1, 1970 (UTC).
  • x= DKIM signature expiration time in the same format as above. The value of this tag must be greater than the value of the timestamp tag if both are used in the DKIM signature. DKIM signatures could be considered invalid if the verification time at the verifier is past the expiration date, so be sure not to set the expiration date too soon.

Not Required

Below are the optional tags that are not required in the DKIM signature.

  • c= canonicalization algorithm that defines to a mailbox provider what level of modifications may be present as the email is in transit to the mailbox provider. Modifications can include whitespace or line wrapping. Some email servers make minor modifications to the email during transit, which can invalidate the signature.
  • i= identity of the user or agent. The value is an email address containing the domain or subdomain as defined in the d= tag.

Not Recommended

Below are the optional tags that are not recommended in any DKIM signature.

  • l= number of characters from the message body that were used to compute the body hash (bh=). If this value is not present, it is assumed the entire message body was used. This tag can be difficult to control and could lead to verification errors.
  • z= list of the message’s original headers and may differ from the headers listed in the h= tag. This tag may be used by some mailbox providers in the process of diagnosing a verification error. Its value is not well defined.

MxToolbox Delivery Center helps you with DKIM Compliance

To maintain the highest levels of email deliverability using DKIM, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability