The short answer is the t= tag. This tag specifies the signature creation time within a DKIM signature header.
When an email is sent, a DKIM signature is added as a header. This signature is essentially a long string of characters that contains several tag-value pairs, each providing a piece of information about the signature itself. As defined in RFC 4871, these tags create a verifiable link between an email and the domain it claims to come from, ensuring the message hasn't been altered in transit.
The t= tag is the signature timestamp. It marks the time at which the message was signed. The value is an integer in Unix time format, that is, the number of seconds elapsed since 00:00:00 UTC on January 1, 1970.
While including the t= tag is technically optional, it is highly recommended for creating a robust DKIM signature. Not all senders include it, but its presence adds another layer of security and information for receiving mail servers to evaluate.
The timestamp is crucial because it helps prevent a specific type of abuse known as a replay attack, in which a malicious actor captures a legitimately signed email and resends it much later. Without a timestamp, the signature would remain cryptographically valid no matter how old the message is. With a timestamp, a receiving server can see the age of the signature and flag the message as suspicious if it is too old.
The primary benefits of including the t= tag are:
Working alongside the timestamp tag is the x= tag, which specifies an expiration time for the signature. This tag is also optional, but when used, it provides a definitive end to the signature's validity period.
When a receiving mail server sees both a t= (start time) and an x= (end time) tag, it can check whether the current time falls within that window. If the message is received after the expiration time, the DKIM signature will fail validation, even if it is cryptographically correct. This creates a clear and enforceable lifetime for the signature, further strengthening the security provided by DKIM.
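The age and window checks described above, as an added example that is not part of the original article and not code from any DKIM library: it splits a DKIM-Signature header value into its tag=value pairs, reads t= and x= as Unix timestamps, and reports whether a verifier should treat the signature as current, stale (older than a local maximum age), expired (past x=), or malformed. The header, the maximum age of seven days, the five-minute clock-skew allowance and the function names are constructed for this example; the cryptographic verification of b= is out of scope here and is not performed.

```python
import re
from typing import Dict, Optional

# Constructed sample DKIM-Signature header value (not from a real message).
# bh= and b= are placeholders; only the tag layout and the t=/x= values matter.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; "
    "t=1700000000; x=1700604800; b=PLACEHOLDERSIGNATURE="
)

# Local policy values (assumptions, not DKIM constants).
MAX_AGE_SECONDS = 7 * 86400   # treat signatures older than a week as stale
CLOCK_SKEW_SECONDS = 300      # tolerate a few minutes of sender clock drift


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into a dict of tag -> value.

    Tags are separated by ';'. Folding whitespace around tags and inside
    values is not significant, so it is stripped before storing.
    """
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _unix_int(tags: Dict[str, str], name: str) -> Optional[int]:
    """Return tag `name` as a Unix timestamp, None if absent."""
    raw = tags.get(name)
    if raw is None:
        return None
    if not raw.isdigit():
        raise ValueError(f"{name}= must be an unsigned integer, got {raw!r}")
    return int(raw)


def check_signature_times(tags: Dict[str, str], now: int,
                          max_age: int = MAX_AGE_SECONDS,
                          skew: int = CLOCK_SKEW_SECONDS) -> str:
    """Classify a signature by its t= and x= tags relative to `now`.

    Returns one of:
      "invalid-window" : both tags present but x= is not later than t=
      "expired"        : now is past the x= expiration time
      "no-timestamp"   : t= absent, so age cannot be judged
      "future"         : t= lies beyond now plus the skew allowance
      "stale"          : signature older than the local maximum age
      "ok"             : within the acceptable window
    """
    t = _unix_int(tags, "t")
    x = _unix_int(tags, "x")
    if t is not None and x is not None and x <= t:
        return "invalid-window"
    if x is not None and now > x:
        return "expired"
    if t is None:
        return "no-timestamp"
    if t > now + skew:
        return "future"
    if now - t > max_age:
        return "stale"
    return "ok"


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_HEADER)
    for label, when in [("one hour after signing", 1700003600),
                        ("one second past x=", 1700604801)]:
        print(f"{label}: {check_signature_times(tags, now=when)}")
```

A verifier that enforces x= strictly, as the article describes, rejects on "expired" regardless of whether the cryptographic check of b= would have passed; the "stale" outcome is local policy for signatures that carry t= but no x=, which is where the replay concern from the earlier section applies.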