The short answer is: the d= tag. This tag is a mandatory component of a DKIM signature and explicitly states the domain that is taking responsibility for the message.
When a receiving mail server processes an incoming email, it looks for the DKIM-Signature header. Within this header, it finds the d= tag to identify the Signing Domain Identifier (SDID). This tells the server which domain's DNS it needs to query to retrieve the public key required for verification. Without this tag, the entire DKIM authentication process would fail, as the verifier wouldn't know where to look for the key.
The d= tag doesn't work alone. It's part of a collection of tags within the DKIM signature that provide instructions to the receiving server. As DMARC Director explains, these tags specify all the details needed for verification. Some of the most crucial tags that work alongside d= include:
The d= tag is especially critical for DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC checks whether the domain in the d= tag aligns with the domain in the From: header, the address the recipient actually sees.
If they don't align, DMARC treats the DKIM result as a failure, even if the signature itself verifies cryptographically. This alignment requirement is a key security feature against spoofing, where a malicious actor signs a message with a valid DKIM key for a domain they control and puts your domain in the From: header. Correctly configuring the domain in your DKIM setup ensures that your legitimate emails pass DMARC, protecting your domain against spoofing and improving your overall deliverability.
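To make the two steps above concrete (locating the public key from d= and s=, then checking DMARC alignment against the From: header), here is a small added example. It is not code from the original article or from DMARC Director; the DKIM-Signature value and From: addresses are constructed samples, and no DNS lookup is performed, it only builds the query name a verifier would use. The organizational-domain logic for relaxed alignment is a simplification (last two labels) of what real implementations do with the Public Suffix List.

```python
import re
from email.utils import parseaddr

# Constructed sample DKIM-Signature value (not a real signature; b= and bh= are dummies).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;"
    " h=from:to:subject:date; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZ25hdHVyZQ=="
)


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list syntax)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Folding whitespace inside a value is not significant, so strip it.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def public_key_query_name(tags: dict) -> str:
    """Build the DNS TXT name the verifier queries for the key: <s>._domainkey.<d>."""
    if "d" not in tags or "s" not in tags:
        raise ValueError("DKIM-Signature is missing the mandatory d= or s= tag")
    return f"{tags['s']}._domainkey.{tags['d']}"


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC implementations use the Public Suffix List instead (assumption for this example)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def dkim_aligned(from_header: str, tags: dict, mode: str = "relaxed") -> bool:
    """DMARC DKIM alignment: does the d= domain align with the RFC5322.From domain?
    'strict' requires an exact match; 'relaxed' requires the same organizational domain."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    signing_domain = tags.get("d", "").lower()
    if not from_domain or not signing_domain:
        return False
    if mode == "strict":
        return from_domain == signing_domain
    if mode != "relaxed":
        raise ValueError(f"unknown alignment mode: {mode}")
    return organizational_domain(from_domain) == organizational_domain(signing_domain)


def evaluate(from_header: str, dkim_header: str, mode: str = "relaxed") -> dict:
    """Summarize what a verifier derives from the d= tag for one message."""
    tags = parse_dkim_tags(dkim_header)
    return {
        "signing_domain": tags.get("d"),
        "key_record": public_key_query_name(tags),
        "dmarc_dkim_aligned": dkim_aligned(from_header, tags, mode),
    }


if __name__ == "__main__":
    # Legitimate mail: From: domain matches d=.
    print(evaluate("Alice <alice@example.com>", SAMPLE_DKIM_SIGNATURE))
    # Spoofing pattern from the text: valid signature for a domain the sender
    # controls, but a different domain in the From: header.
    spoofed = SAMPLE_DKIM_SIGNATURE.replace("d=example.com", "d=attacker.example")
    print(evaluate("Alice <alice@example.com>", spoofed))
```

Running the script shows the first message aligned and the second one, which carries a perfectly valid-looking signature for attacker.example, failing alignment; that second case is exactly what DMARC rejects even though DKIM verification of the signature itself would succeed.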
In summary, while a DKIM signature contains many parts, the d= tag is the anchor. It directly names the domain signing the email, enabling the entire verification process and forming the foundation for DMARC alignment.