When we look at email authentication, DKIM (DomainKeys Identified Mail) plays a crucial role. It acts like a digital seal on your emails, allowing receiving servers to verify that the message genuinely came from your domain and hasn't been tampered with. This verification process relies on a cryptographic signature added to the email's headers. A critical piece of information within this signature is the specific algorithm used to create it, and that's where DKIM tags come in.
The specific DKIM tag that indicates the algorithm used for signing is the a= tag. This tag is a mandatory part of any DKIM signature and explicitly declares the method used to generate the digital seal on the email.
The value of the a= tag specifies a pair of algorithms: one for the public-key cryptography (like RSA) and one for the secure hash function (like SHA-256). While older configurations might use rsa-sha1, the widely accepted and recommended standard today is rsa-sha256. This is because SHA-256 is significantly more secure than its predecessor, SHA-1, which is now considered vulnerable.
Using a strong algorithm like rsa-sha256 is vital for ensuring the integrity and security of your email authentication, which in turn helps protect your domain's reputation and improves email deliverability.
The a= tag is just one component of the full DKIM-Signature header. It works in concert with several other tags to form a complete, verifiable signature. According to RFC 6376, the DKIM specification, the receiving server uses the algorithm named in the a= tag both to compute the message hashes and to validate the signature itself. Some of the other key tags you will see include:
In short, the a= tag is the linchpin that defines the strength of your DKIM signature. By ensuring you're using a=rsa-sha256, you are following modern security best practices and giving your emails the best chance of being trusted by receiving mail servers.
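As an added example (not code from the original page), the following Python parses a DKIM-Signature tag list, classifies its a= tag against the recommendation above, and recomputes the bh= body hash under the "simple" body canonicalization using the hash that the a= tag names. The policy table, the domain example.com, the selector s1 and the sample body are constructed placeholders, and the b= value is a dummy because no signing key is involved.

```python
import base64
import hashlib
import re

# Policy table for the a= tag (our own choice, following the page: rsa-sha256 ok, rsa-sha1 weak).
STRONG_ALGS = {"rsa-sha256"}
WEAK_ALGS = {"rsa-sha1"}

def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag-list ('name=value' pairs split on ';'), dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue  # tolerate the optional trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DKIM tag: {part.strip()!r}")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def classify_algorithm(tags):
    """Return 'strong', 'weak', 'unknown' or 'missing' for the a= tag."""
    alg = tags.get("a")
    if alg is None:
        return "missing"
    alg = alg.lower()
    if alg in STRONG_ALGS:
        return "strong"
    return "weak" if alg in WEAK_ALGS else "unknown"

def simple_body_hash(body, alg):
    """bh= under 'simple' body canonicalization: CRLF endings, trailing empty lines dropped, one final CRLF."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n") + "\r\n"
    digest = hashlib.new(alg.split("-")[1], canon.encode()).digest()  # 'sha256' from 'rsa-sha256'
    return base64.b64encode(digest).decode()

def verify_body_hash(tags, body):
    """True if bh= matches the body under the hash named in the a= tag."""
    alg = tags.get("a", "").lower()
    if "bh" not in tags or "-" not in alg:
        return False
    try:
        return simple_body_hash(body, alg) == tags["bh"]
    except ValueError:  # hashlib does not know the named hash
        return False

def build_header(body, alg="rsa-sha256"):
    """Constructed DKIM-Signature value (placeholder domain/selector, dummy b=) with a real bh= for body."""
    return ("v=1; a=%s; c=simple/simple; d=example.com; s=s1;\r\n\t"
            "h=from:to:subject; bh=%s;\r\n\tb=PLACEHOLDER" % (alg, simple_body_hash(body, alg)))
```

A full verifier would additionally fetch the selector's public key from DNS and check b= over the canonicalized headers; this block only covers the tag parsing, the a= policy check and the body hash.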