When you're digging into the technical details of email authentication, you'll find that DKIM (DomainKeys Identified Mail) uses a series of tags to construct its signature. Each tag serves a specific purpose, from identifying the signing algorithm to listing the headers included in the signature. A common question that comes up is how to specify an expiration time for a signature.
The short answer is that the x= tag is used in a DKIM signature to indicate its expiration time. This tag is optional and isn't always present in every DKIM signature you'll encounter.
The x= tag, as defined in the DKIM specification (RFC 6376), sets a definitive expiration date and time for the signature. Its value is an integer in Unix time format (seconds since the epoch of January 1, 1970, UTC).
When a receiving mail server verifies a DKIM signature that includes this tag, it compares the value of the x= tag with the current time. If the current time is past the expiration time, the signature is considered invalid, and the DKIM check will fail. This is an important security feature to prevent old, signed messages from being maliciously resent or replayed long after they were originally sent.
While useful, it's worth noting that this tag is not universally used. Many email service providers do not set an expiration time on their DKIM signatures by default.
It's easy to confuse the expiration tag (x=) with the timestamp tag (t=). The t= tag indicates when the signature was created, not when it expires. When both tags are present, the x= value must always be greater than the t= value.
Both tags work together. The t= tag provides a starting point (the signing time), and the x= tag provides an endpoint (the expiration time), creating a validity window for the signature.
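As an added example that is not part of this page or any DKIM library, the following Python snippet parses the tag=value pairs of a DKIM-Signature header and applies the t=/x= validity window described above. The header value, including its b= and bh= contents, is a constructed placeholder, and the `skew` tolerance parameter is an assumption for illustration, not something the text specifies.

```python
import re

# Constructed sample DKIM-Signature header value (not from a real message).
# t= is the signing time and x= the expiration; b= and bh= are placeholders.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
    "h=from:to:subject:date; t=1700000000; x=1700604800; "
    "bh=ZmFrZS1ib2R5LWhhc2g=; b=ZmFrZS1zaWduYXR1cmU="
)


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into a dict of tag -> value.
    Whitespace inside values (header folding) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_expiration(tags: dict, now: int, skew: int = 0) -> str:
    """Apply the t=/x= window at time `now` (Unix seconds).
    Returns 'no-expiration' when x= is absent, 'invalid' when x= or t=
    is malformed or x= is not greater than t=, 'expired' when `now` is
    past x= (plus an assumed clock-skew allowance), otherwise 'ok'."""
    x_raw = tags.get("x")
    if x_raw is None:
        return "no-expiration"
    if not x_raw.isdigit():
        return "invalid"
    x = int(x_raw)
    t_raw = tags.get("t")
    if t_raw is not None and (not t_raw.isdigit() or int(t_raw) >= x):
        return "invalid"
    if now > x + skew:
        return "expired"
    return "ok"


if __name__ == "__main__":
    parsed = parse_dkim_tags(SAMPLE_HEADER)
    print(parsed["t"], parsed["x"], check_expiration(parsed, 1700000100))
```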
To give you a better sense of where the x= tag fits, here are some of the other core components of a DKIM signature:
In summary, the x= tag is a specific, optional tool within the DKIM standard for setting a signature's lifespan. While not always implemented, it provides an additional layer of security by ensuring a signature cannot be validated indefinitely.