When you look at the source of an email, the DKIM signature can seem like a jumble of random characters. It's actually a highly structured set of tags and values that receiving mail servers use to verify an email's authenticity. DKIM, which stands for DomainKeys Identified Mail, uses these tags to create a cryptographic signature. Each tag provides a piece of information, like the signing domain (d=), the selector (s=), and the algorithm used (a=). One tag that often causes confusion is the t= tag, primarily because it can have different meanings depending on where you find it.
The t= tag can appear in two places: within the DKIM-Signature header of an email, or within the DKIM record published in your domain's DNS. Let's break down both.
The 't' tag in the DKIM-Signature header
Most commonly, you'll see the t= tag inside the actual DKIM signature added to an email's headers. In this context, t stands for timestamp.
This optional tag specifies the time the email was signed. As Hostinger explains, the value is a number representing the seconds that have passed since 00:00:00 UTC on January 1, 1970, also known as Unix time. For example, a tag might look like t=1731545600.
Here are the key things to know about the timestamp tag:
- It's optional. According to the official DKIM specification (RFC 6376), the t= tag is not required for a DKIM signature to be valid.
- It marks the signing time. It indicates precisely when the signature was created by the sending mail server.
- It has a companion tag. There's also an x= tag for expiration time, but according to Kickbox, it is not widely used.
The 't' tag in the DKIM DNS record
Less frequently, you might encounter a t= tag within the public key record for DKIM, which is stored in your domain's DNS as a TXT record. Here, the tag serves a completely different purpose. It's used to set flags that tell receiving mail servers how to interpret the DKIM setup for your domain.
The two primary flags you can set with this tag are y (testing) and s (same domain).
Testing mode (t=y): Setting t=y in your DKIM DNS record signals that your domain is currently in a testing phase for DKIM. The intention is that receivers might not treat DKIM failures as strictly for a domain in testing mode. This is useful when you are first setting up DKIM and want to ensure everything is configured correctly without risking deliverability.
Strict mode (t=s): The t=s flag is a security enhancement. It dictates that the domain specified in the identity tag (i=) of the DKIM signature must be the same as, or a subdomain of, the signing domain (d=). This prevents certain types of abuse where a third-party service might sign an email with your domain while using a different identity. By default, this check is not enforced, making t=s a valuable, though rarely used, setting.
Conclusion
In summary, the t= tag in DKIM is all about context. If you see it in an email header's DKIM-Signature, it's a timestamp. If you see it in a DNS record, it's a flag for testing or strict domain matching. Understanding this distinction is key to correctly interpreting DKIM records and troubleshooting email authentication issues.
