When we talk about email authentication, DomainKeys Identified Mail (DKIM) is a critical standard. It gives receiving mail servers a way to check that an email was indeed sent and authorized by the owner of the signing domain. This is achieved through a cryptographic signature added to the email headers. A key part of this signature is identifying who the signer is. While it might seem straightforward, there are actually two tags in a DKIM signature that relate to identity: one is required, and one is optional.
Let's break down which DKIM tag denotes the signer's identity and explore the nuance between them.
The primary and mandatory tag that specifies the signer's identity is the d= tag.
This tag indicates the domain of the signing entity, often referred to as the Signing Domain Identifier (SDID). When a receiving server validates a DKIM signature, it uses the domain specified in the d= tag, along with the selector from the s= tag, to perform a DNS lookup for the public key. This public key is then used to verify the signature's authenticity.
The d= tag is non-negotiable for a valid DKIM signature. It directly ties the email to a specific domain, allowing that domain to take responsibility for the message content. This is the core of how DKIM works to build a domain's reputation.
While the d= tag identifies the signing domain, there is another, optional tag that can specify the identity of the user or agent on whose behalf the message is signed: the i= tag.
The value of the i= tag is typically an email address. According to the DKIM specification, if the i= tag is present, its domain part must match the domain in the d= tag, or be a subdomain of it. If this tag isn't included, the identity is assumed to be "@" followed by the d= domain (that is, an unspecified user at the signing domain).
For example, if you send an email from newsletter@marketing.example.com, your DKIM signature might look something like this:
To summarize, both the d= and i= tags in a DKIM signature relate to the sender's identity, but they serve different functions:
In most modern email sending scenarios, the d= tag is the most important one for deliverability. Mailbox providers focus heavily on the domain's reputation, which is directly tied to the d= tag. While the i= tag adds a layer of specificity, its use is less common and its absence does not impact DKIM validation.
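The d= and i= rules described above can be checked mechanically. The following is an added example, not code from the original page: the function names, the selector sel1 and the sample header (with placeholder bh= and b= values) are constructed for illustration, and the check compares the i= domain as plain text without decoding any quoted-printable local-part.

```python
import re

# Constructed sample header value (bh=/b= are placeholders, not real data).
SAMPLE = ("v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
          "\ti=newsletter@marketing.example.com; h=from:to:subject;\r\n"
          "\tbh=PLACEHOLDER; b=PLACEHOLDER")

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value ("tag=value; tag=value") into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # a trailing ";" is allowed
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {item!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}=")
        tags[name] = value.strip()
    return tags

def signer_identity(header_value):
    """Return the signing domain (d=), the identity (i=) and the key's DNS name."""
    tags = parse_dkim_tags(header_value)
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"missing required tag {required}=")
    sdid = tags["d"].lower()
    auid = tags.get("i", "@" + sdid)  # i= absent: unspecified user at d=
    if "@" not in auid:
        raise ValueError("i= must contain '@'")
    i_domain = auid.rpartition("@")[2].lower()
    # i= must be d= itself or a subdomain of it; the leading dot in the
    # suffix check stops "notexample.com" from passing for "example.com".
    if i_domain != sdid and not i_domain.endswith("." + sdid):
        raise ValueError(f"i= domain {i_domain!r} is not under d={sdid!r}")
    # The public key is published as a TXT record at <s=>._domainkey.<d=>.
    return {"sdid": sdid, "auid": auid,
            "key_record": f"{tags['s']}._domainkey.{sdid}"}

if __name__ == "__main__":
    print(signer_identity(SAMPLE))
```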