DKIM, or DomainKeys Identified Mail, is a cornerstone of modern email authentication. It allows a receiving mail server to verify that an email was genuinely sent from the domain it claims to be from and that its content hasn't been tampered with in transit. It achieves this by adding a digital signature to the email's headers. This signature is made up of various components, known as tags, each serving a specific purpose. One of the lesser-known, and more dangerous, tags is the body length tag, or 'l' tag.
At its core, the 'l' tag is straightforward. It's a value within the DKIM signature that tells the receiving server how much of the email's body, in bytes, was used to create the signature. The official specification, RFC 6376, defines it as the "body length count", which allows a sender to sign only a portion of the message body.
The original intent was to handle cases where email content might be slightly modified in transit, for example, by mailing list servers that append footers to messages. By only signing the initial part of the email, the sender could ensure the core message passed DKIM validation even if a footer was added later. However, this flexibility introduces a significant security flaw.
The primary danger of using the 'l' tag is that it opens the door for content injection attacks. Because only a part of the email body is cryptographically signed, an attacker can intercept the email and append malicious content after the signed portion. When the receiving mail server checks the signature, it only validates the part of the body specified by the 'l' tag. The signature will appear perfectly valid, and the server may deliver the email, completely unaware of the harmful content tacked on at the end.
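The mechanism above, worked through in code as an added example (not from the original article or any DKIM library): the DKIM body hash is computed over the canonicalized body, and with an `l=` tag only the first `l` octets feed the hash, so octets appended after that point never change the `bh=` value. The `assess` policy function is a hypothetical verifier-side check that flags such uncovered bytes; the message bodies are constructed sample data.

```python
import base64
import hashlib
from typing import Optional

def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalise line endings to CRLF,
    drop empty lines at the end, and ensure exactly one CRLF terminates the body."""
    canon = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while canon.endswith(b"\r\n\r\n"):
        canon = canon[:-2]
    if not canon.endswith(b"\r\n"):
        canon += b"\r\n"
    return canon

def body_hash(body: bytes, l: Optional[int] = None) -> str:
    """Base64 SHA-256 of the canonical body (the DKIM 'bh=' value). With an l= tag
    only the first l octets are hashed, so anything after them is invisible."""
    canon = canonicalize_body_simple(body)
    if l is not None:
        canon = canon[:l]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def unsigned_tail(body: bytes, l: Optional[int]) -> bytes:
    """Octets of the canonical body that an l= signature leaves uncovered."""
    canon = canonicalize_body_simple(body)
    return b"" if l is None or l >= len(canon) else canon[l:]

def assess(body: bytes, bh_expected: str, l: Optional[int]) -> str:
    """Hypothetical verifier policy: 'pass' when the hash matches and the whole body
    is covered, 'unsigned-tail' when the hash matches but octets beyond l= exist,
    'fail' when the hash differs or l= claims more octets than the body has."""
    canon = canonicalize_body_simple(body)
    if l is not None and l > len(canon):
        return "fail"  # signer claims more signed octets than the body contains
    if body_hash(body, l) != bh_expected:
        return "fail"
    return "unsigned-tail" if unsigned_tail(body, l) else "pass"

# Constructed sample: the signer's body, then the same body with text added in transit.
ORIGINAL = b"Your transfer of 100 USD has completed.\r\n"
APPENDED = ORIGINAL + b"Text the signer never saw.\r\n"

if __name__ == "__main__":
    l = len(canonicalize_body_simple(ORIGINAL))  # signer sets l= to its own body length
    bh = body_hash(ORIGINAL, l)
    print("l= signature, original body:", assess(ORIGINAL, bh, l))   # pass
    print("l= signature, appended body:", assess(APPENDED, bh, l))   # unsigned-tail
    bh_full = body_hash(ORIGINAL)                 # no l= tag: the entire body is hashed
    print("full signature, appended body:", assess(APPENDED, bh_full, None))  # fail
```

A verifier that treats `unsigned-tail` as a failure (or strips the uncovered bytes before rendering) removes the benefit of appending to an `l=`-signed message; signing the whole body, as recommended below, makes the tag irrelevant.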
Imagine an email from a bank with a legitimate transaction notice. If the sender uses the 'l' tag to only sign the first few lines:
Absolutely not. The security risks associated with the 'l' tag far outweigh any perceived benefits. In today's email ecosystem, it's considered a dangerous and outdated practice. Major mailbox providers like Gmail and Outlook rely on the integrity of the entire message, and allowing parts of it to be unsigned undermines the trust that DKIM is designed to build.
For robust email security and deliverability, you should always ensure that the entire body of your email is signed. This means not including the 'l' tag in your DKIM signature at all. By default, most modern email sending platforms and libraries will sign the entire message body, which is the correct and secure approach. The role of the 'l' tag today is largely as a historical footnote and a cautionary tale in email security.