DKIM, which stands for DomainKeys Identified Mail, is an email authentication standard (RFC 6376) that lets a receiving server check that a message was signed by the domain claiming responsibility for it and that the signed parts were not altered afterwards, which makes spoofing that domain much harder. It works by adding a digital signature to outgoing email. This signature is carried in a special header, DKIM-Signature, which is composed of several tag-value pairs, each denoted by a short tag name such as v=, d= or bh=. While tags like d= (domain) and s= (selector) tell the verifier where to fetch the public key (the DNS TXT record at selector._domainkey.domain), the b= tag contains the signature itself.
Let's dive into the specific purpose of this mandatory and crucial tag.
The b= tag in a DKIM-Signature header contains the actual digital signature of the email. It is a base64-encoded signature value computed with the domain's private key over a hash of the signed headers (those listed in h=, plus the DKIM-Signature header itself) and, through the bh= tag, the body. It is a signature, not encryption: the message remains readable by anyone, but the value cannot be produced without the private key, which only the signing server should possess.
Essentially, this tag carries the verifiable proof that the signed headers and the body have not been altered since signing and that the signature was produced by a holder of the private key matching the public key the domain publishes in DNS. Note what it does not cover: headers that are not listed in h= can be added or changed without affecting the signature, and a valid signature from some domain does not by itself mean that domain matches the visible From address.
Creating the value for the b= tag is a multi-step cryptographic process performed by the sending mail server. In outline: the server canonicalizes the body (per the c= tag) and hashes it, storing that hash in bh=; it assembles the DKIM-Signature header with every tag filled in except b=, which is left empty; it canonicalizes the headers named in h=, in that order, appends the DKIM-Signature header itself with the empty b=, and hashes the result; finally it signs that hash with the private key and base64-encodes the signature into b=.
When a receiving mail server gets the email, it uses the b= tag to verify the message's integrity. As described in this guide on manually verifying signatures, the server repeats the sender's hashing steps and then checks the signature against them.
The receiving server uses the domain (d=) and selector (s=) from the DKIM-Signature header to look up the public key in DNS (the TXT record at s._domainkey.d). It then uses this public key to verify the value of the b= tag against the hash it computes itself. Strictly speaking the signature is verified, not "decrypted": with Ed25519 keys (a=ed25519-sha256) there is nothing to decrypt, and even with RSA the verifier never needs to recover the sender's hash, only to check that the signature is valid for its own.
Next, the server independently computes the body hash and compares it with bh=; then it canonicalizes the received headers listed in h= (in that order, taking the last instance first when a name is repeated) together with the DKIM-Signature header with its b= value removed, hashes them, and checks the b= signature over that hash with the public key. If the body hash matches and the signature verifies, the DKIM check passes. This confirms that the signed parts of the email have not been altered since they were signed and that the signer held the domain's private key. If either check fails, the message is treated as if it carried no signature at all.
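As an added, end-to-end example (not code from the original page), the following Go program implements both sides of the process described above with only the standard library: the sender side assembles the DKIM-Signature header with b= empty, hashes the canonicalized h= headers plus the header itself, signs the hash with an RSA key and fills in b=; the receiver side parses the tags, re-checks bh= against the body, rebuilds the same header input with the b= value stripped and verifies the signature with the public key. The key pair, the domain example.com, the selector sel2024 and the message are all constructed for the demonstration; the public key is passed in directly instead of being fetched from DNS, and only the relaxed/simple canonicalization pair with rsa-sha256 is implemented.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

type Header struct{ Name, Value string } // one message header field: raw name and raw value
var ws = regexp.MustCompile(`\s+`)
var bTag = regexp.MustCompile(`(^|;)\s*b=[^;]*`) // the b= tag with its value (does not match bh=)

// relaxedHeader: RFC 6376 "relaxed" header canonicalization (lowercase name, unfold, collapse whitespace).
func relaxedHeader(h Header) string {
	return strings.ToLower(h.Name) + ":" + strings.TrimSpace(ws.ReplaceAllString(h.Value, " ")) + "\r\n"
}

// simpleBody: "simple" body canonicalization (drop trailing empty lines, end with exactly one CRLF).
func simpleBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }

// bodyHash computes the bh= value: base64(SHA-256(canonicalized body)).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(simpleBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// parseTags splits a DKIM-Signature value into tag=value pairs, dropping folding whitespace inside values.
func parseTags(sig string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(sig, ";") {
		k, v, _ := strings.Cut(part, "=")
		tags[strings.TrimSpace(k)] = ws.ReplaceAllString(v, "")
	}
	return tags
}

// headerInput builds the bytes that get hashed and signed: each header named in h=, last instance first
// (a name with no instance left contributes nothing), then the DKIM-Signature header with b= emptied, no final CRLF.
func headerInput(headers []Header, hList []string, sig string) string {
	var buf strings.Builder
	used := make([]bool, len(headers))
	for _, name := range hList {
		for i := len(headers) - 1; i >= 0; i-- {
			if !used[i] && strings.EqualFold(headers[i].Name, name) {
				used[i] = true
				buf.WriteString(relaxedHeader(headers[i]))
				break
			}
		}
	}
	sig = bTag.ReplaceAllString(sig, "${1} b=")
	buf.WriteString(strings.TrimSuffix(relaxedHeader(Header{"DKIM-Signature", sig}), "\r\n"))
	return buf.String()
}

// Sign is the sender's side: build the header with b= empty, hash, sign with the private key, append base64.
func Sign(priv *rsa.PrivateKey, headers []Header, body, domain, selector string, hList []string) (string, error) {
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hList, ":"), bodyHash(body))
	digest := sha256.Sum256([]byte(headerInput(headers, hList, sig)))
	b, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return sig + base64.StdEncoding.EncodeToString(b), nil
}

// Verify is the receiver's side; pub stands in for the key fetched from the <s>._domainkey.<d> TXT record.
// Returns nil only if bh= matches the body and b= verifies over the h= headers plus this header.
func Verify(pub *rsa.PublicKey, headers []Header, body, sig string) error {
	tags := parseTags(sig)
	b, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || tags["v"] != "1" || tags["a"] != "rsa-sha256" || tags["c"] != "relaxed/simple" {
		return fmt.Errorf("unsupported version/algorithm/canonicalization, or malformed b=")
	}
	if tags["bh"] != bodyHash(body) {
		return fmt.Errorf("bh= mismatch: body altered")
	}
	digest := sha256.Sum256([]byte(headerInput(headers, strings.Split(tags["h"], ":"), sig)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], b) // rsa.ErrVerification: headers altered or wrong key
}

// Demo signs a constructed message, verifies it, then alters a signed header and the body in turn.
// Key, domain, selector and message content are all made up for this example.
func Demo() (validOK, headerTamperRejected, bodyTamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	headers := []Header{{"From", "Alice <alice@example.com>"}, {"To", "bob@example.net"}, {"Subject", "Quarterly  report"}}
	body := "Please find the report attached.\r\n\r\n\r\n"
	sig, err := Sign(priv, headers, body, "example.com", "sel2024", []string{"from", "to", "subject"})
	if err != nil {
		return
	}
	validOK = Verify(&priv.PublicKey, headers, body, sig) == nil
	tampered := append(headers[:2:2], Header{"Subject", "Quarterly report: wire the funds today"}) // copy, Subject rewritten
	headerTamperRejected = Verify(&priv.PublicKey, tampered, body, sig) != nil
	bodyTamperRejected = Verify(&priv.PublicKey, headers, body+"Pay the attached invoice now.\r\n", sig) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Running it, Demo() reports true for the untouched message and a rejection for each alteration: the rewritten Subject changes the header hash so the b= signature no longer verifies, and the appended body line changes the body hash so bh= no longer matches. Two details are worth noticing: the h= list is consumed from the bottom of the message up, so listing a name more times than it occurs (oversigning) makes a copy injected later break the signature, while a header that is not in h= at all can be changed freely without affecting the result.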
In short, the b= tag is the linchpin of the entire DKIM system. It holds the cryptographic proof that connects the message content to the sending domain, making it a fundamental component of modern email security.