When you look into the technical details of email authentication, you'll find a lot of different components working together. DKIM, or DomainKeys Identified Mail, is one of the foundational standards that protects against email spoofing. It works by adding a digital signature to your outgoing emails. This signature is contained in a special email header, and it’s made up of several parts called 'tags'.
As Hostinger explains, a tag is a single letter followed by an equals sign, and its value provides specific details about the email sender, the message, and the public key used for verification.
While some tags are required for a DKIM signature to be valid, others are optional. The i= tag is one of these optional, and less common, components. Let's explore what it does.
What is the DKIM 'i' tag?
The i= tag in a DKIM signature stands for 'Identity'. It's an optional tag that asserts the identity of the user or agent on whose behalf the email was signed. The value is typically an email address, like i=user@example.com.
According to the official DKIM specification (RFC 6376), the domain part of the identity in the i= tag must be the same as, or a subdomain of, the domain specified in the required d= (domain) tag. This links the specific sender identity back to the signing domain, adding a potential layer of granularity to the signature.
How is the 'i' tag used?
The main purpose of the i= tag is to specify who signed the message. While the d= tag tells receiving servers which domain's DNS to check for the public key, the i= tag can provide more specific information. For example, if a third-party service sends email on your behalf, they might use d=yourdomain.com but specify i=user@yourdomain.com in the signature.
In practice, the i= tag is not widely used or enforced by many mailbox providers today. Most systems rely on the d= tag for domain-level authentication, which is the primary goal of DKIM. The complexity of managing user-level identities can outweigh the benefits for most sending infrastructures.
Comparison with other DKIM tags
To understand the i= tag's role, it helps to see it alongside the core required tags in a DKIM signature:
- v= (Version): Specifies the DKIM version being used. The value is almost always 1.
- a= (Algorithm): The algorithm used to generate the signature, such as rsa-sha256.
- d= (Domain): The signing domain, which is responsible for the message.
- s= (Selector): A string that helps locate the public key in the domain's DNS records.
- h= (Signed Headers): A list of the email headers included in the signature hash.
- bh= (Body Hash): A hash of the email's body content.
- b= (Signature Data): The actual digital signature itself.
The i= tag, when present, provides an extra layer of identity information but is not essential for the core function of DKIM, which is domain-level authentication.
Final thoughts
In summary, the i= tag in a DKIM signature is an optional field for declaring the identity of the user or agent signing the email. While it offers a way to be more specific about the sender's identity, its use is uncommon, and most email systems focus on the mandatory d= tag for validation. For most senders, a standard DKIM setup without the i= tag is perfectly sufficient for achieving robust email authentication.
