
What DKIM tag indicates the algorithm used for signing?

Michael Ko
Co-founder & CEO, Suped
Published 7 Jul 2025
Updated 5 Nov 2025
6 min read
When an email is sent, receiving mail servers run a series of checks to verify where it came from and whether it was altered in transit. DomainKeys Identified Mail (DKIM) is a core part of this process: the sending domain attaches a digital signature that lets the receiver confirm the message was signed by a holder of that domain's private key and that the signed headers and body have not changed since. Those signatures are built from cryptographic algorithms, a public-key signature scheme combined with a hash function.
Every DKIM signature lives in the DKIM-Signature header field and is made up of tags, key-value pairs (much like the tags in a DKIM DNS record) that tell the verifier everything it needs to check the signature. One of those tags names the cryptographic algorithm used to create it.
Understanding these tags matters both for email deliverability and for protecting your domain from spoofing and phishing. Properly configured DKIM, together with SPF and DMARC, forms an email authentication framework that helps legitimate mail reach the inbox instead of being flagged as spam or rejected by receiving servers.

The a= tag: specifying the signing algorithm

The DKIM tag that indicates the algorithm used for signing is the a= tag. It names the signature algorithm and the hash function the sending domain used to generate the signature, written as key-type-hash, for example rsa-sha256. When a receiving server verifies the signature, it reads a= to know which hash to compute over the canonicalized body (compared with the bh= tag) and the signed headers, and which signature algorithm to apply with the public key published in the sender's DNS record. Verification does not decrypt anything: the verifier recomputes the hash and checks the b= signature value against it using the public key.
The a= tag is a required component of a DKIM-Signature header field (RFC 6376, section 3.5), so it must always be present for a valid signature. Without it the receiving server cannot process the signature, and the result is a DKIM permerror rather than a pass. The message is then treated as unsigned, which affects DMARC alignment, domain reputation and future deliverability.
For the full details of DKIM and its tags, refer to the official specifications: RFC 6376 defines DKIM itself, RFC 8301 updates the algorithm requirements (deprecating SHA-1 and setting minimum RSA key sizes), and RFC 8463 adds the ed25519-sha256 algorithm. Together they set the technical requirements that keep DKIM implementations interoperable and secure.

Understanding rsa-sha256 and rsa-sha1

RFC 6376 defines two values for the a= tag, rsa-sha256 and rsa-sha1, and RFC 8463 later added ed25519-sha256. The two RSA variants combine RSA (Rivest-Shamir-Adleman) public-key signatures with a SHA (Secure Hash Algorithm) hash function; ed25519-sha256 uses the Ed25519 elliptic-curve signature scheme with SHA-256. In practice rsa-sha256 is by far the most common value, and this section compares it with the legacy rsa-sha1.

rsa-sha256

  1. Required: RFC 8301 makes rsa-sha256 the algorithm signers must use, and it is the value every modern verifier accepts.
  2. Stronger Hash: Uses SHA-256 for hashing, a 256-bit digest with no known practical collision attack, compared with SHA-1's 160-bit digest.
  3. Future-proof: Not susceptible to the collision attacks that broke SHA-1, making it the safe choice for long-term email authentication.

rsa-sha1

  1. Deprecated Standard: RFC 8301 (2018) states that signers must not use rsa-sha1 and that verifiers must not treat rsa-sha1 signatures as valid.
  2. Vulnerabilities: SHA-1 is broken in practice, not just in theory. A full collision was demonstrated in 2017 (SHAttered) and a chosen-prefix collision in 2020, so the hash no longer provides the collision resistance a signature scheme relies on.
  3. Provider Support: Many email providers, including Google and Yahoo, have been phasing out support for SHA-1, so an rsa-sha1 signature may simply fail to verify.
If you still see rsa-sha1 in outgoing mail, it is coming from an older signing implementation, and you should migrate to rsa-sha256 to maintain email security and deliverability. Mail providers are tightening their requirements, and an outdated algorithm can turn a signed message into one that verifies as unsigned. If you are unsure which algorithm your sending platform uses, inspect the DKIM-Signature header of a sent message, consult your email service provider, or refer to the latest DKIM guidelines.

Where to find the a= tag in a DKIM record

The a= tag is found within the DKIM-Signature header field of an email, which the sending mail server adds after signing. It is not part of the DNS record. The DNS TXT record at selector._domainkey.domain carries the public key (p=) and can carry its own related tags: k= states the key type (rsa by default, or ed25519) and h= optionally restricts which hash algorithms the key may be used with. A verifier checks that the a= tag in the header is consistent with both.
Example DKIM-Signature header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=s1; h=from:to:subject:date; bh=HASH_VALUE; b=SIGNATURE_VALUE
In this example, a=rsa-sha256 clearly indicates that the RSA algorithm with SHA-256 hashing was used to generate the signature. Other tags, such as s= specify the selector used, while d= specifies the signing domain. If you ever need to inspect these details, you can view the raw headers of an email in most email clients.
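The verification steps described above (reading a= to choose the hash, checking it against the DNS record, and recomputing the body hash) can be shown end to end. The following Python is an added example for this article, not code from Suped or from any DKIM library: it parses a DKIM-Signature header and a DKIM DNS record into tags, enforces the a= policy from RFC 8301 and RFC 8463, checks that a= agrees with the record's k= and h= tags, and recomputes bh= with the hash that a= names. It does not verify the b= signature itself, which needs the real public key. The header, body and DNS record are constructed for the demo; example.com, selector s1, and the SIGNATURE_VALUE and PUBLIC_KEY_BASE64 placeholders are not real values.

```python
# Added example for this article (not Suped's code or any DKIM library):
# parse DKIM tags, enforce the a= policy, and recompute the bh= body hash.
# It does not verify the b= signature itself (that needs the real public key).
import base64
import hashlib
import re

# a= value -> (key type expected in the DNS k= tag, hash for bh=/b=, acceptable to a verifier).
# RFC 6376 defines the rsa-* values, RFC 8463 adds ed25519-sha256, and
# RFC 8301 says verifiers MUST NOT treat rsa-sha1 signatures as valid.
SIGNING_ALGORITHMS = {
    "rsa-sha256": ("rsa", "sha256", True),
    "ed25519-sha256": ("ed25519", "sha256", True),
    "rsa-sha1": ("rsa", "sha1", False),
}

def parse_dkim_tags(tag_list: str) -> dict:
    """Split a tag=value list (DKIM-Signature header or DKIM DNS TXT record) into a dict."""
    tags = {}
    for item in tag_list.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"permerror: malformed tag {item.strip()!r}")
        # Folding whitespace inside a value (common in b= and h=) is not significant.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_algorithm(tags: dict) -> tuple:
    """Return (key_type, hash_name) named by a=, or raise if the signature must be rejected."""
    alg = tags.get("a")
    if alg is None:
        raise ValueError("permerror: a= is a required tag in every DKIM-Signature")
    if alg not in SIGNING_ALGORITHMS:
        raise ValueError(f"permerror: unsupported signing algorithm {alg!r}")
    key_type, hash_name, acceptable = SIGNING_ALGORITHMS[alg]
    if not acceptable:
        raise ValueError(f"permerror: {alg} is deprecated by RFC 8301; refusing to verify")
    return key_type, hash_name

def check_key_record(tags: dict, key_record: dict) -> None:
    """Confirm the DNS key record (k= and h= tags) permits the algorithm named in a=."""
    key_type, hash_name = check_algorithm(tags)
    record_key_type = key_record.get("k", "rsa")  # k= defaults to rsa when absent
    if record_key_type != key_type:
        raise ValueError(f"permerror: a={tags['a']} but the DNS record has k={record_key_type}")
    allowed = key_record.get("h")  # h= absent means any hash is acceptable
    if allowed and hash_name not in allowed.split(":"):
        raise ValueError(f"permerror: DNS record h={allowed} does not allow {hash_name}")

def canonicalize_body(body: bytes, method: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 and 3.4.4 (the l= tag is not handled)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")  # force CRLF line endings
    if method == "relaxed":
        # Collapse runs of whitespace to one space and drop trailing whitespace on each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    elif method != "simple":
        raise ValueError(f"permerror: unknown body canonicalization {method!r}")
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    while body.endswith(b"\r\n\r\n"):  # both methods ignore trailing empty lines
        body = body[:-2]
    return body

def body_hash(body: bytes, hash_name: str, method: str) -> str:
    """The bh= value: base64 of the hash chosen by a= over the canonicalized body."""
    digest = hashlib.new(hash_name, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()

def verify_body_hash(signature_header: str, body: bytes) -> bool:
    """True when bh= matches the body under the hash and canonicalization the header declares."""
    tags = parse_dkim_tags(signature_header)
    _, hash_name = check_algorithm(tags)
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/", 1)[1] if "/" in canon else "simple"  # "c=relaxed" alone means simple body
    return body_hash(body, hash_name, body_method) == tags.get("bh")

# Constructed sample: the header a signer would emit for this body with a=rsa-sha256.
# example.com, selector s1 and the SIGNATURE_VALUE / PUBLIC_KEY_BASE64 placeholders are not real.
SAMPLE_BODY = b"Your invoice is attached.\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=s1; h=from:to:subject:date;"
    " bh=" + body_hash(SAMPLE_BODY, "sha256", "simple") + "; b=SIGNATURE_VALUE"
)
# Constructed TXT record for s1._domainkey.example.com that only permits SHA-256 with this key.
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; h=sha256; p=PUBLIC_KEY_BASE64"

if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_HEADER)
    check_key_record(tags, parse_dkim_tags(SAMPLE_KEY_RECORD))
    print("a=" + tags["a"], "body hash verifies:", verify_body_hash(SAMPLE_HEADER, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"invoice", b"refund")
    print("tampered body verifies:", verify_body_hash(SAMPLE_HEADER, tampered))
```

Two points the code makes concrete: changing a= to rsa-sha1 in the sample header makes check_algorithm raise before any hash is computed, which is exactly the RFC 8301 verifier behaviour, and because the hash half of a= also drives bh=, a signer that switches algorithms must regenerate the body hash, not just the b= value.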
Monitoring your DKIM authentication results, along with SPF and DMARC, is essential for identifying potential issues. Tools like Suped's DMARC monitoring provide a unified platform to track all these metrics, offering AI-powered recommendations to fix problems such as misconfigured algorithms, DKIM permerror results (for example an unsupported or deprecated a= value, or a mismatch between a= and the key record's k= or h= tags) and DKIM temperror results (typically a DNS lookup failure for the key record).

Importance of algorithm choice for email security

Choosing the right DKIM algorithm is more than a technical detail: it is part of your email security posture and of your deliverability. Signing with a weak or outdated algorithm such as rsa-sha1 means modern verifiers may reject the signature outright, leaving your mail in the same position as unsigned mail even though you implemented DKIM. The same applies to weak keys: RFC 8301 requires RSA keys of at least 1024 bits, and shorter keys can be factored cheaply enough for an attacker to forge signatures.

The risks of outdated algorithms

  1. Reduced Trust: Receiving mail servers that follow RFC 8301 treat rsa-sha1 signatures as invalid, and others may flag them as suspicious.
  2. Deliverability Issues: A signature that fails to verify contributes nothing to DMARC, increasing the likelihood of emails landing in spam folders or being rejected.
  3. Security Weaknesses: A hash with practical collision attacks undermines the integrity guarantee a signature is supposed to provide; combined with short keys, that can lead to forged signatures, successful phishing and brand impersonation.
By consistently using rsa-sha256 for your DKIM signatures, you reinforce the authenticity of your emails, improve deliverability, and bolster your domain's reputation. This commitment to modern cryptographic standards is essential for all senders, from small businesses to large enterprises. Always ensure your email infrastructure is up-to-date with the latest security protocols to prevent issues like emails failing DMARC verification.

Key takeaway

The a= tag in a DKIM signature is a small but mighty component that explicitly declares the cryptographic algorithm used for signing your emails. By specifying rsa-sha256, you ensure your email authentication aligns with modern security standards, significantly reducing the risk of your emails being rejected or marked as spam. It's a fundamental part of maintaining a trustworthy email presence.
For ongoing email security and deliverability, continuously monitor your DKIM performance and DMARC reports. Tools like Suped offer detailed insights and actionable guidance to help you keep your email infrastructure healthy and secure, ensuring your messages always reach the inbox.
