Suped

What is the purpose of the DKIM 'b=' tag?

Michael Ko
Co-founder & CEO, Suped
Published 12 Aug 2025
Updated 25 Oct 2025
When you delve into the technical details of email authentication, you'll encounter various DKIM tags within the signature header. Among these, the 'b=' tag plays a central, often overlooked, role. It’s not just another piece of data; it's the heart of the DKIM signature, holding the cryptographic proof that an email hasn't been tampered with in transit.
Understanding what the 'b=' tag represents is fundamental to grasping how DomainKeys Identified Mail (DKIM) works to prevent email spoofing and phishing. Without this tag, the entire mechanism of cryptographic email signing would fall apart, leaving your communications vulnerable. Let's break down its purpose and how it fits into the broader email security landscape.

The core of DKIM: the digital signature

The 'b=' tag in a DKIM signature header carries the actual digital signature of the email. This signature is a cryptographic hash of selected email headers and the email body, encrypted using the sender's private key. When a receiving mail server gets an email, it extracts this 'b=' value and attempts to decrypt it using the sender's public key.
Its primary purpose is to provide assurance that the email has not been altered since it was signed by the sender and that it genuinely originates from the domain claiming to send it. This cryptographic integrity check is vital for email trust. If the 'b=' tag’s signature cannot be verified, it signals a potential spoofing attempt or tampering.
Example DKIM-Signature Header with 'b=' tag
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=selector1; h=from:to:subject:date; bh=bodyhashvalue; b=digital_signature_value
The value after 'b=' is a long string of characters, typically Base64 encoded, which represents the encrypted hash. This hash is generated by taking specific parts of the email, hashing them, and then encrypting that hash with the domain's private key. This is distinctly different from the body hash ('bh=') which is merely a hash of the email body used for verification, not an encrypted signature of the entire email content.

Creating the unique signature

The process of creating the digital signature in the 'b=' tag involves several steps. First, the sending mail server identifies the headers to include (specified by the 'h=' tag) and the email body that will be hashed. These parts are canonicalized according to the 'c=' (canonicalization) tag rules, which standardize whitespace and casing to prevent minor alterations from breaking the signature.
Next, a cryptographic hash function, indicated by the algorithm in the 'a=' tag, is applied to the canonicalized headers and body. This produces a fixed-size string, a hash, unique to that specific content. Any change, even a single character, in the hashed content would result in a completely different hash.

Finally, this hash is encrypted using the sending domain's private key. The encrypted result is what becomes the value of the 'b=' tag. This entire process ensures that only the legitimate sender, possessing the private key, can generate a valid 'b=' signature for their emails, making it a robust defense against email impersonation.

Private key security

The private key used to encrypt the hash for the 'b=' tag is extremely sensitive. It must be kept secure and private by the sending domain to prevent unauthorized email signing. Compromise of this key could allow attackers to forge emails appearing to be from your domain, passing DKIM checks.

Verifying email authenticity

Upon receiving an email with a DKIM signature, the recipient's mail server initiates a verification process. It first extracts key information from the DKIM-Signature header, including the 'd=' (signing domain) and 's=' (selector) tags. These tags tell the receiving server where to find the corresponding public key in the DNS.

Sender actions

  1. Hashes relevant email parts. Selects headers and body for hashing.
  2. Encrypts hash with private key. Uses a cryptographic private key to encrypt the resulting hash value.
  3. Inserts 'b=' tag. Adds the encrypted hash as the 'b=' tag in the DKIM-Signature header.

Receiver actions

  1. Retrieves public key. Uses the selector ('s=') and domain ('d=') to find the DNS public key.
  2. Decrypts 'b=' tag. Decrypts the 'b=' value using the retrieved public key.
  3. Re-hashes and compares. Computes its own hash of the email and compares it to the decrypted 'b=' value. A match means the email is authentic.
The receiving server then performs the same hashing algorithm on the received email's headers and body, using the same canonicalization rules. It then decrypts the 'b=' tag's value using the public key it fetched. If the decrypted value matches the newly computed hash, the DKIM signature is valid, confirming the email's integrity and origin. This complex handshake happens instantly for every DKIM-signed email.
Any mismatch indicates that either the email was tampered with after signing, the private key used for signing was incorrect, or the public key found in DNS is not the correct one for verification. Such failures can lead to the email being flagged as spam, quarantined, or outright rejected.
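
The sign-and-verify flow described above, as an added Python example (not code from the article or from Suped): it uses RSA signing for the step the article calls encrypting the hash, follows RFC 6376 in letting 'b=' cover the signed headers plus the DKIM-Signature header itself, whose 'bh=' tag carries the body hash, and reports whether a failure is a 'bh=' or a 'b=' mismatch. The key built from two Mersenne primes and all function names are constructed for illustration; the key is insecure and stands in for the public key a real verifier would fetch from DNS.

```python
import base64, hashlib, re

# Constructed, insecure demo key (two Mersenne primes); real public keys come from DNS.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def parse_tags(sig_value):
    # tag=value pairs separated by ';'; whitespace inside values is ignored.
    pairs = (t.split("=", 1) for t in sig_value.split(";") if "=" in t)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def relaxed_header(name, value):
    # Relaxed header canonicalization: lowercase name, unfold, collapse whitespace.
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def body_hash(body):
    # Simple body canonicalization (trailing empty lines become one CRLF), then bh=.
    return base64.b64encode(hashlib.sha256(body.rstrip(b"\r\n") + b"\r\n").digest()).decode()

def emsa(digest):
    # EMSA-PKCS1-v1_5 encoding of the SHA-256 digest, as an integer below N.
    t = SHA256_INFO + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def header_digest(headers, sig_value):
    # Hash the h= headers, then the DKIM-Signature itself with the b= value emptied.
    names = parse_tags(sig_value)["h"].split(":")
    data = b"".join(relaxed_header(n, headers[n.lower()]) for n in names)
    unsigned = re.sub(r"(^|;)(\s*b=)[^;]*", r"\1\2", sig_value)
    data += relaxed_header("DKIM-Signature", unsigned)[:-2]  # no trailing CRLF
    return hashlib.sha256(data).digest()

def sign(headers, body, domain, selector, signed):
    sig = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
           f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    b = pow(emsa(header_digest(headers, sig)), D, N).to_bytes(K, "big")
    return sig + base64.b64encode(b).decode()

def verify(headers, body, sig_value):
    tags = parse_tags(sig_value)
    if body_hash(body) != tags["bh"]:
        return "fail: body hash mismatch (bh=)"
    recovered = pow(int.from_bytes(base64.b64decode(tags["b"]), "big"), E, N)
    if recovered != emsa(header_digest(headers, sig_value)):
        return "fail: signature mismatch (b=)"
    return "pass"
```

Changing the body makes verify() report a 'bh=' mismatch, while changing a signed header, or rewriting 'bh=' to match a modified body, fails at 'b='.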

Impact on email deliverability and security

A correctly implemented and verified 'b=' tag is crucial for establishing and maintaining a strong email domain reputation. It tells receiving mail servers that your emails are trustworthy and haven't been modified by malicious actors. This directly impacts your email deliverability rates, helping your legitimate emails reach the inbox instead of the spam folder.

Benefit: Description
Anti-Spoofing: Prevents unauthorized senders from forging emails using your domain.
Data Integrity: Ensures email content remains unaltered from sender to receiver.
Improved Deliverability: Increases trust with Google and Yahoo and other mailbox providers, reducing spam flagging.
DMARC Alignment: Essential for DMARC compliance, allowing you to enforce policies against unauthenticated emails.

Beyond deliverability, a robust DKIM setup, driven by the 'b=' tag, is a cornerstone of a strong DMARC policy. DMARC relies on either SPF or DKIM to align the sending domain with the 'From' address. If your DKIM signature (and thus the 'b=' tag) is consistently valid and aligned, DMARC will pass, giving you control over how unauthenticated emails claiming to be from your domain are handled.

Ensuring your DKIM signatures are valid

Ensuring the validity of your DKIM 'b=' tag requires careful monitoring and setup. Common issues include DKIM body hash mismatches and DNS issues where the public key isn't accessible. DMARC reports provide invaluable insight into DKIM authentication results, showing you exactly when and why signatures are failing.

Monitor your DKIM health

To ensure your 'b=' tag is consistently passing authentication, robust DMARC monitoring is essential. Platforms like Suped provide AI-powered recommendations to help you fix issues and strengthen your policy. We offer a unified platform for DKIM, SPF, and DMARC monitoring, along with real-time alerts to keep your email secure.
In summary, the DKIM 'b=' tag is not merely a string of characters; it's the cryptographic seal that authenticates your emails. Its proper generation and successful verification are paramount for safeguarding your domain from impersonation and ensuring your messages reliably reach their intended recipients.
