Suped

What DKIM tag specifies the time the signature was created?

The short answer is the t= tag. This tag specifies the signature creation time within a DKIM signature header.

When an email is sent, a DKIM signature is added as a header. This signature is essentially a long string of characters that contains several tag-value pairs, each providing a piece of information about the signature itself. As defined in RFC 4871, these tags create a verifiable link between an email and the domain it claims to come from, ensuring the message hasn't been altered in transit.

Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

The `t=` tag explained

The t= tag is the signature timestamp. It marks the exact time the email was signed. The value of this tag is presented as an integer, specifically in the Unix time format. This format represents the number of seconds that have elapsed since January 1, 1970 (UTC).

www.dmarcdirector.com logo
DMARC Director says:
Visit website
t= This is an important Tag as it works as a signature timestamp showing the time the email is sent. The format of this tag is in numbered…

While including the t= tag is technically optional, it is highly recommended for creating a robust DKIM signature. Not all senders include it, but its presence adds another layer of security and information for receiving mail servers to evaluate.

www.techtarget.com logo
TechTarget says:
Visit website
Signature timestamp. This optional but recommended tag contains the time the signature was created, in the form of an integer that represents…

Why is the signature timestamp important?

The timestamp is crucial because it helps prevent a specific type of abuse known as a replay attack. This is where a malicious actor could capture a legitimately signed email and resend it much later. Without a timestamp, the signature would still be valid. However, with a timestamp, a receiving server can see the age of the signature and flag it as suspicious if it's too old.

blog.kickbox.com logo
Kickbox Blog says:
Visit website
What we have today is a signature that is intended to take a snapshot of a message at a given point in time. As the message passes through the…

The primary benefits of including the t= tag are:

  • Temporal Context: It provides a clear timestamp for when the message was authenticated, which can be useful for logging and debugging.
  • Replay Attack Mitigation: It makes it harder for old, signed messages to be maliciously reused, as a receiving server can set policies based on signature age.
  • Enhanced Trust: A more complete DKIM signature, including optional tags like the timestamp, can be seen as a signal of a more diligent and secure sender.

Working alongside the timestamp tag is the x= tag, which specifies an expiration time for the signature. This tag is also optional, but when used, it provides a definitive end to the signature's validity period.

www.duocircle.com logo
DuoCircle says:
Visit website
'x' tag (optional). It stands for the 'expiry' tag and specifies the expiration time for the signature in Unix time format.

When a receiving mail server sees both a t= (start time) and an x= (end time) tag, it can check if the current time falls within that window. If the message is received after the expiration time, the DKIM signature will fail validation, even if it is cryptographically correct. This creates a clear and enforceable lifetime for the signature, further strengthening the security provided by DKIM.

Start improving your email deliverability today

Get started