Suped

What DKIM tag specifies the body hash?

The DKIM tag that carries the body hash is the bh= tag. It is a mandatory part of every DKIM-Signature header, and it is what lets a receiving server check that an email's body has not changed since it was signed.


Understanding the `bh=` tag in DKIM

The bh= tag stands for "body hash". It holds a cryptographic hash of the email's body: a fixed-length fingerprint that changes if even a single byte of the input changes. The signing mail server (normally the sender's outbound server) computes this hash over the message body and writes it into the DKIM-Signature header. The receiving server independently recomputes the hash over the body it actually received and compares it with the bh= value. If the two match, the body is, with overwhelming probability, the one that was signed; if they differ, the signature fails.

DMARC Director says:
bh= The DKIM body hash tag has the computed hash of the email. Its value is a string of characters denoting a hash determined by an algorithm.

It's important to note that this hash is calculated on the canonicalized version of the email body, using the hash algorithm named in the a= tag (sha256 for a=rsa-sha256). Canonicalization standardizes the body before hashing so that benign changes made by intermediate mail servers do not invalidate the signature. How tolerant it is depends on the method chosen: "simple" only ignores empty lines at the end of the body, while "relaxed" also collapses runs of spaces and tabs into a single space and strips trailing whitespace from each line. As DuoCircle explains, the bh= tag contains "the hash of the canonicalized email body, encoded as a base64 value."

Why is the body hash critical for email authentication?

The body hash is at the heart of what DKIM (DomainKeys Identified Mail) aims to achieve: content integrity. The rest of the signature ties the message to the signing domain (d=) and protects the headers listed in h=; the bh= tag specifically covers the message body, which includes every MIME part, so attachments are covered as well. It is the mechanism that lets a receiver confirm that the body it received is the body the signing domain signed.

Metaspike says:
The DKIM-Signature header field includes the body hash (the “bh=” tag). So, although we are not including the body itself in the sign/verify process, we are cryptographically binding the body to the signature.

Without the body hash, anyone able to modify an email in transit could change its content and pass it on: alter a link to point to a phishing site, say, or change the payment details in an invoice. Because the bh= tag is a verifiable fingerprint of the signed body, any such change makes the recomputed hash differ from bh= and the DKIM check fails (typically recorded as dkim=fail in the Authentication-Results header). What the receiver does with a failed signature depends on its own filtering and on the sender's DMARC policy, but the tampering is no longer invisible. One caveat worth knowing: if the signer uses the optional l= tag, only the first l octets of the canonicalized body are hashed, so text appended after that point is not covered by the signature at all.

How the `bh=` tag works with other DKIM components

The bh= tag doesn't work in isolation. It's one piece of the larger DKIM-Signature header. The body hash itself is included in the data that gets signed to create the final digital signature, which is stored in the b= tag.

Email on Acid says:
b = the actual digital signature of the contents (headers and body) of the mail message; bh = the body hash; d = the signing domain; s = the selector

Here’s a simplified breakdown of how it fits together:

  • First, the signing server takes the email body and applies the body canonicalization algorithm, which is the second half of the c= tag (c=header-method/body-method).
  • Next, it computes a hash of this canonicalized body with the algorithm named in the a= tag and base64-encodes the result. This becomes the value of the bh= tag.
  • Finally, the server canonicalizes the headers listed in the h= tag (which must include From) together with the DKIM-Signature header itself, with its b= value left empty, and signs that data with the domain's private key. The signature is placed in the b= tag. Because the DKIM-Signature header is part of the signed data, the bh= value is covered by the signature too.

This layered process, specified in RFC 6376, ensures that both the message content and the key header information are protected from tampering. The canonicalization step is vital because mail systems sometimes make small changes in transit, such as re-folding headers or converting tabs to spaces. The c= tag names the canonicalization used for the headers and for the body (for example c=relaxed/relaxed; a single value such as c=relaxed means relaxed headers and a simple body), so the verifier can normalize the message exactly as the signer did before hashing.
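The body-hash side of the procedure above, as an added example in Python (this is not code from the page or from Suped): both RFC 6376 body canonicalizations, the bh= computation including the optional l= length limit, and a verifier that re-derives bh= from a received message and compares it with the header. The domain, selector, header values and message bodies are constructed for illustration, and b= is a placeholder because signing the header set with a private key is a separate step not shown here.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

CRLF = b"\r\n"

def canonicalize_body(body: bytes, method: str = "simple") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {method}")
    body = re.sub(rb"(?<!\r)\n", CRLF, body)  # bare LF -> CRLF, as on the wire
    if method == "relaxed":
        # Collapse runs of SP/HTAB to one SP and strip whitespace at the end of each line.
        body = CRLF.join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF))
    while body.endswith(CRLF):  # both methods ignore all empty lines at the end of the body
        body = body[:-2]
    if method == "simple" or body:  # simple: always one CRLF (empty body -> CRLF); relaxed: only if non-empty
        body += CRLF
    return body

def body_hash(body: bytes, method: str = "simple", algo: str = "sha256",
              length: Optional[int] = None) -> str:
    """Base64 bh= value. `length` models the l= tag: only the first l octets are hashed."""
    canon = canonicalize_body(body, method)
    if length is not None:
        if length > len(canon):
            raise ValueError("l= is larger than the canonicalized body")
        canon = canon[:length]  # anything after l octets is NOT covered by the signature
    return base64.b64encode(hashlib.new(algo, canon).digest()).decode("ascii")

def parse_dkim_tags(header_value: str) -> dict:
    """Split 'k=v; k=v' into a dict, dropping folding whitespace inside values."""
    tags = {}
    for part in header_value.split(";"):
        key, eq, value = part.partition("=")
        if eq:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def extract_dkim_signature(head: bytes) -> str:
    """Return the (unfolded) value of the first DKIM-Signature header in a header block."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for line in unfolded.split(CRLF):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            return value.decode("ascii")
    raise ValueError("no DKIM-Signature header")

def verify_body_hash(raw_message: bytes) -> bool:
    """Recompute bh= over the received body and compare it with the header's value."""
    head, sep, body = raw_message.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("message has no header/body separator")
    tags = parse_dkim_tags(extract_dkim_signature(head))
    canon = tags.get("c", "simple/simple")  # c=header/body; a single value means body is simple
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]  # rsa-sha256 -> sha256
    length = int(tags["l"]) if "l" in tags else None
    try:
        expected = body_hash(body, body_method, algo, length)
    except ValueError:
        return False  # e.g. l= exceeds the body; RFC 6376 treats this as a failure
    return hmac.compare_digest(expected, tags.get("bh", ""))

# Constructed sample bodies (not real mail). The second differs from the first only in
# whitespace; the third changes the payment details.
ORIGINAL_BODY = b"Hello Alice,\r\n\r\nPlease pay invoice 1234 to account 12-3456-78.  \r\n\r\nThanks\r\n\r\n"
RESTYLED_BODY = b"Hello Alice,\r\n\r\nPlease pay invoice 1234 to account 12-3456-78.\r\n\r\nThanks\r\n"
TAMPERED_BODY = b"Hello Alice,\r\n\r\nPlease pay invoice 1234 to account 99-9999-99.\r\n\r\nThanks\r\n"

def build_message(body: bytes, body_method: str = "relaxed") -> bytes:
    """Assemble a constructed message with a correct bh=. d=, s= and b= are placeholders:
    signing the header set with the domain's private key is not performed here."""
    bh = body_hash(body, body_method).encode("ascii")
    head = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/" + body_method.encode() + b";\r\n"
            b"\td=example.com; s=sel2024; h=from:to:subject;\r\n"
            b"\tbh=" + bh + b";\r\n"
            b"\tb=PLACEHOLDER\r\n"
            b"From: billing@example.com\r\nTo: alice@example.net\r\nSubject: Invoice 1234\r\n")
    return head + CRLF + body

def demo() -> dict:
    """Verify the intact message, a whitespace-restyled copy, and a tampered copy."""
    msg = build_message(ORIGINAL_BODY, "relaxed")
    head = msg.split(CRLF + CRLF, 1)[0]
    return {
        "intact": verify_body_hash(msg),
        "whitespace_only_change": verify_body_hash(head + CRLF + CRLF + RESTYLED_BODY),
        "content_tampered": verify_body_hash(head + CRLF + CRLF + TAMPERED_BODY),
    }
```

Calling demo() returns {'intact': True, 'whitespace_only_change': True, 'content_tampered': False}: under relaxed body canonicalization the copy whose trailing spaces and blank line were dropped in transit still verifies, while the edited account number does not. The same restyled copy would fail under c=relaxed/simple, which is why most signers choose relaxed for the body. Two values worth recognising in the wild: an empty body gives bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY= under simple (SHA-256 of a single CRLF) and bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= under relaxed (SHA-256 of the empty string). Passing a length to body_hash shows the l= caveat: appending text beyond the first l octets leaves bh= unchanged.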

Is the `bh=` tag always required?

Yes. RFC 6376 lists bh= among the required tags of a DKIM-Signature header, alongside v=, a=, b=, d=, h= and s=. A signature without it is malformed and cannot be verified: the receiver would have nothing to compare its own body hash against, and because bh= is part of the signed header data, the b= signature could not be checked either.

In summary, the bh= tag is the specific part of a DKIM signature responsible for carrying the body hash. It is an essential element that allows receiving mail servers to confirm that an email's content has not been altered since it was sent, providing a critical layer of security and trust in email communication. Understanding its role is key to understanding how DKIM works to protect everyone's inboxes.
