Suped

What DKIM tag indicates the signature itself?

DomainKeys Identified Mail, or DKIM, is a form of email authentication that allows an organization to claim responsibility for a message. It works by adding a digital signature to the header of an email. This signature acts like a tamper-proof seal, letting receiving mail servers verify that the email came from who it says it came from and that its content hasn't been altered in transit.

The specific tag within the DKIM-Signature header that contains the actual digital signature is the b= tag. This tag holds the computed signature data, which is the core component verified by the recipient's mail server.

Amazon Web Services says:
Finally, the “b” tag is the actual signature itself, applied to the body hash and headers. If that checks out, then both the message body and the message headers are verified as being unmodified since they were signed by the sending server.

Understanding the DKIM-Signature header

When an email is signed with DKIM, a special header called the DKIM-Signature is added to the message. This isn't something you typically see in your inbox; it's part of the email's underlying source code. According to an article on Metaspike, this header field contains the signature of the message and important information about how that signature was created. This header is made up of several tag-value pairs, each providing a piece of the puzzle for the receiving server.

Some of the most important tags you will find are:

  • v=: This is the version tag. The value is almost always 1.
  • a=: The signing algorithm used to create the signature. A common value is rsa-sha256.
  • d=: The signing domain, which is the domain that is taking responsibility for the email.
  • s=: The DKIM selector. This tells the receiving server where to look in the DNS for the public key.
  • h=: A list of the headers from the email that have been included in the cryptographic signature. For example, 'From', 'To', 'Subject', and 'Date'.
  • bh=: The body hash. This is a hash of the email's body content.
  • b=: The digital signature itself. This is a base64-encoded string representing the hash of the items in the h= tag, encrypted with the private key.
Hostinger says:
What Is a DKIM Signature? 'v=' is the version of the signature specification. 'a=' reflects the algorithm of the signature. 'd=' this is the signing domain name.

How the 'b=' tag enables verification

The b= tag is the linchpin of the entire DKIM process. Without it, there is no signature to verify. When a mail server receives an email with a DKIM signature, it performs a series of steps to authenticate it:

First, it extracts the domain from the d= tag and the selector from the s= tag. It combines these to query the DNS for a specific TXT record, which contains the public key for that domain and selector combination. The server then takes the headers listed in the h= tag and computes its own hash using the algorithm specified in the a= tag. Finally, it uses the public key from the DNS to decrypt the signature found in the b= tag. If the decrypted value matches the hash it just computed, the DKIM check passes.

This successful verification proves that the email was sent by an authorized server for the domain and that the signed parts of the email, like the 'From' address and 'Subject', were not altered after the signature was applied. In short, the b= tag carries the cryptographic proof that underpins DKIM's value in fighting email spoofing and phishing.
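
The first steps of the verification described above, as an added Python example (not code from this article or from any DKIM library): it parses the DKIM-Signature tags, unfolds the b= value, derives the DNS name for the public key, empties b= the way a verifier does before hashing the header, and rechecks bh= under relaxed body canonicalization. The sample message, the example.com and sel1 values and the placeholder b= bytes are constructed; the public-key check of b= itself needs a crypto library and is not performed here.

```python
import base64
import hashlib
import re

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    for name in tags.keys() & {"b", "bh"}:  # whitespace in base64 is folding, not data
        tags[name] = re.sub(r"\s+", "", tags[name])
    return tags

def dns_query_name(tags: dict) -> str:
    """TXT record that holds the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def header_for_hashing(header_value: str) -> str:
    """The header as it enters the header hash: b= kept, its value emptied."""
    return re.sub(r"(^|;)(\s*b\s*=)[^;]*", r"\1\2", header_value)

def relaxed_body_hash(body: bytes) -> str:
    """bh= for relaxed body canonicalization with SHA-256 (RFC 6376)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":  # drop empty lines at the end of the body
        lines.pop()
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def precheck(header_value: str, body: bytes) -> dict:
    """What a verifier can establish before the public-key check of b=."""
    tags = parse_tags(header_value)
    return {"query": dns_query_name(tags),
            "signature_bytes": len(base64.b64decode(tags["b"])),
            "body_hash_ok": relaxed_body_hash(body) == tags["bh"]}

# Constructed sample: made-up d=/s= values, placeholder b= bytes (not a real signature).
BODY = b"Hi team,\r\n\r\nInvoice attached.  \r\n\r\n"
SIG = base64.b64encode(bytes(range(256))).decode()
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
          " h=from:to:subject:date;\r\n"
          f" bh={relaxed_body_hash(BODY)};\r\n"
          f" b={SIG[:60]}\r\n {SIG[60:]}")

if __name__ == "__main__":
    print(precheck(HEADER, BODY))
```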
