Email authentication protocols like DKIM (DomainKeys Identified Mail) are crucial for verifying sender identity and protecting against phishing and spoofing. These protocols add a layer of trust to your emails, helping mailbox providers distinguish legitimate messages from malicious ones. Without proper authentication, your emails are at a higher risk of being flagged as spam or rejected outright.
A DKIM signature is a digital signature added to the email headers, allowing receiving servers to verify that the email was sent by an authorized sender and that its content hasn't been tampered with in transit. This verification process relies on a pair of cryptographic keys, one public (published in your DNS) and one private (used by your sending server).
Within a DKIM record, various tags convey specific information about the signature and the sending domain. These tags are essential for the proper functioning of DKIM, guiding receiving servers on how to validate the email. One such tag, though less common today, indicates the service type for which the DKIM selector is intended.
Understanding the 's=' tag
The DKIM tag that indicates the service type is the s= tag. This tag, specified in RFC 6376, Section 3.6.1, is designed to provide a list of service types to which a particular selector may apply. In essence, it tells a receiving server whether the DKIM record is relevant for a specific communication type.
While the s= tag exists within the DKIM specification, its practical usage has become quite limited. Most modern DKIM implementations either omit this tag entirely or set it to a general value. The primary purpose of DKIM is for email authentication, and thus, a specific service type declaration is often redundant.
The values permitted for the s= tag are typically * (representing all service types) or email (specifically for email). As SparkPost notes, "email" is currently the only defined service type for DKIM. Therefore, including s=email or s=* often amounts to the same thing in practice when dealing with email.
The 's=' (service type) tag in detail
Recommended 's=' tag values
While the s= tag exists, many DKIM setups, particularly those managed by email service providers, might not explicitly include it. If you need to specify a service type, using s=email is the most appropriate value for standard email traffic. Alternatively, s=* can be used as a wildcard, indicating that the selector applies to all services. Often, omitting the tag completely is also acceptable, as most receiving mail servers will assume email as the implied service type.
The primary role of the s= tag is tied to the DKIM selector, which is itself indicated by the s= tag within the DKIM-Signature header, not the DNS record. It is sometimes confused with the selector itself, which specifies which public key to retrieve from the DNS for verification. The service type tag, by contrast, provides additional context for that particular key. However, given that DKIM is almost exclusively used for email, this context is rarely critical.
Example DKIM DNS TXT Record with an 's=' tagDNS
selector1._domainkey.example.com. IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDg
+d...; s=email;"
If you encounter a DKIM validation failure with a message like "bad service type," it usually means the s= tag has been explicitly included with a value that the receiving server does not recognize or expects to be absent. In such cases, the simplest fix is often to remove the s= tag from your DKIM DNS record entirely, allowing mail servers to default to the 'email' service type.
Practical implications and best practices
For most organizations, the service type tag has minimal practical impact on email deliverability. Since DKIM is almost exclusively employed for email, receiving mail servers generally assume that any valid DKIM record is intended for the email service. Focusing on ensuring your DKIM record is correctly published and its other essential tags are accurate will yield greater benefits.
Legacy Usage
Explicitly defined s=email: Historically, some implementations might have included s=email to clarify the service type, especially in earlier days of DKIM adoption.
Specific service declarations: The idea was to support DKIM for other services beyond email, though this never gained traction.
Modern Practice
Omission of the tag: The s= tag is commonly omitted from DKIM DNS records today without any negative impact.
Implied email service: Mail servers automatically assume the 'email' service type if the tag is not present.
When configuring your DKIM records, it is generally recommended to focus on other critical tags like the version tag (v=), the public key (p=), and the signing algorithm (a=). These tags are far more instrumental in ensuring successful DKIM validation and improving your email deliverability. Incorrect configuration of these elements can lead to DKIM authentication failures, which can severely impact your sender reputation.
Monitoring DKIM and overall email health
Even with DKIM, SPF, and DMARC properly configured, consistent monitoring is key to maintaining optimal email deliverability. Email systems are dynamic, and changes in your sending infrastructure, third-party senders, or even recipient mail server policies can lead to authentication issues. Proactive monitoring helps you catch these problems before they impact your email campaigns and sender reputation.
Tools like Suped offer comprehensive DMARC monitoring and reporting, providing clear visibility into your email authentication status. We don't just show you data, our AI provides actionable recommendations to fix issues and strengthen your policy. This unified platform brings together DMARC, SPF, and DKIM monitoring with blocklist and deliverability insights, making it easy to keep track of all your email security protocols. Our free plan is one of the most generous in the market, making advanced email security accessible to everyone.
By actively monitoring your DKIM, SPF, and DMARC reports, you can identify and troubleshoot issues like DKIM temporary errors (temperrors) or alignment failures. This proactive approach ensures that your emails consistently reach their intended inboxes, protecting your brand reputation and improving communication effectiveness.
Key takeaways for DKIM service types
The s= tag in a DKIM record is designed to indicate the service type for which a selector is applicable. While its historical intent was to allow DKIM to be used for various services, in practice, it is almost exclusively associated with email. Therefore, most modern DKIM implementations either omit this tag or set it to s=email or s=*.
Focusing on the accurate configuration and ongoing monitoring of your core DKIM, SPF, and DMARC settings is paramount for robust email security and reliable deliverability. Utilizing comprehensive DMARC monitoring solutions can provide the insights and tools needed to proactively manage and optimize your email authentication, ensuring your messages always reach their intended recipients.
