Is header.i (or the 'i=' tag) always optional in email headers?

No, header.i (or the i= tag in a DKIM signature) is not optional for all emails. It is generally optional within the DKIM standard (RFC 6376), but some email service providers or mail systems may add it automatically. Its presence provides a more granular identity for the signing domain. Even if optional, its correct use is important for DKIM alignment with DMARC .

How do DKIM selectors relate to header.i and sender reputation?

DKIM selectors are used in the DNS record name (e.g., s1._domainkey.example.com ) to locate the public key for verification. While the selector itself doesn't directly affect sender reputation , its correct configuration is crucial for DKIM authentication to pass. Failed DKIM authentication due to incorrect selectors can negatively impact reputation.

What does it mean if my email header shows DKIM as 'none'?

When your Authentication-Results header shows DKIM as 'none', it means the receiving server did not find a valid DKIM signature or could not verify it. This can be caused by various issues, such as incorrect DNS records, a mismatched header.i or d= domain, or a modified message body after signing. You can troubleshoot DKIM issues by checking your DNS records, reviewing your sending platform's DKIM settings, and analyzing DMARC reports.

What is header.i in email headers, how does it relate to DKIM, and does it affect sender reputation? - Technical - Email deliverability - Knowledge base

When delving into email headers, you might encounter various fields and tags that seem complex at first glance. One such element is header.i, which often appears within the Authentication-Results header. Understanding what this tag signifies, how it relates to DKIM, and its potential impact on your sender reputation is crucial for optimal email deliverability. Let's unravel these intricacies.

Email headers contain a wealth of information about a message's journey and authentication status. Being able to interpret these headers is a key skill for diagnosing deliverability issues and ensuring your emails reach their intended recipients. The header.i tag provides insight into the specific identity asserted by the sending domain for DKIM authentication, which plays a significant role in how mailbox providers trust your messages.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Understanding DKIM and the 'i=' tag

DKIM, or DomainKeys Identified Mail, is an email authentication method that uses a digital signature to verify the sender's identity and ensure that the email content has not been tampered with in transit. This signature is added to the email headers and is validated by the receiving mail server using a public key published in the sender’s DNS records. It’s a critical component for email authentication, alongside SPF and DMARC, helping mailbox providers determine if an email is legitimate or potential spam.

Within a DKIM signature, two important tags are d= and i=. The d= tag specifies the domain responsible for signing the email, often the organizational domain. The i= tag, or header.i as seen in Authentication-Results, indicates the Agent or User Responsible (AUR) for the message, which can be an email address or a subdomain of the d= domain. For a more detailed look at the purpose of the i= and d= tags, you can refer to this explanation of DKIM tags.

Example DKIM signature with 'i=' tagplaintext

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1024; h=From:To:Subject:MIME-Version:Content-Type:Message-ID:Date;
 bh=xxxxxxxxxxxxxxxxxxxxxx;
 b=xxxxxxxxxxxxxxxxxxxxxx;
 i=@sub.example.com;

The i= tag is often optional, but it provides a more granular level of identity within the DKIM signature. For instance, if your organizational domain is example.com and emails are sent from info.example.com, the i= tag might reflect @info.example.com. This level of detail helps receiving servers understand exactly which part of your domain hierarchy is responsible for sending the email, contributing to the overall authentication verdict.

Header.i, header.from, and DKIM alignment

The header.i tag is distinct from the header.from field (RFC 5322.From), which is the human-readable 'From' address displayed in email clients. While header.i pertains to the signing domain in DKIM, header.from is what your recipients actually see. For proper DMARC alignment, the domain in your header.from must align with either the SPF MailFrom domain or the DKIM d= domain.

The 'i=' tag can become dynamic, changing based on prefixes of the friendly 'From' address, such as karen@info.example.com or john@info.example.com. This flexibility allows different sub-entities within an organization to be identified as the signer. However, it's important that this dynamic 'i=' value remains aligned with the 'd=' domain for successful DKIM validation. If the header.from is the organizational domain (e.g., example.com) while the email is sent from a subdomain (e.g., info.example.com), and header.i refers to the sending subdomain, this setup is typically fine as long as alignment is maintained. What is key is that the i= domain is a subdomain or the same as the d= domain.

DKIM d= tag

This specifies the domain that holds the public key used to verify the DKIM signature. It represents the organizational domain responsible for the email. This is typically the primary domain for your email sending, like

example.com.

DKIM i= tag

This identifies the agent or user responsible for sending the email, often a subdomain of the d= domain, or even a specific user's email address. For example, @marketing.example.com or @john.example.com.

Maintaining a consistent approach to your DKIM configuration is vital. While using different prefixes in the display name or friendly 'From' address is common, ensure that the underlying DKIM i= domain consistently aligns with the d= domain to prevent authentication failures. This consistency helps to improve your email reputation.

Impact on sender reputation

Every element within an email, including the header.i tag, can indirectly influence your sender reputation. Reputation is a cumulative score based on how recipients interact with your emails and how well your sending practices adhere to established standards. When emails consistently pass DKIM (and SPF/DMARC) authentication, it builds trust with mailbox providers, leading to better inbox placement. Conversely, authentication failures can negatively impact your sender reputation, making it more likely for your emails to land in the spam folder or be rejected. You can read more about this on EmailLabs' explanation of sender reputation and deliverability.

Mailbox providers assess reputation by observing user interactions. If emails with specific header.i values consistently generate negative user feedback (e.g., spam complaints, low open rates), those specific identifiers, and by extension the entire sending domain, may face a negative impact on their reputation. This is why consistent, positive engagement and proper authentication are paramount.

Best practices for DKIM and reputation

Align domains: Ensure your header.from domain aligns with your DKIM d= and i= domains to pass DMARC checks.
Monitor reports: Regularly review Google Postmaster Tools and DMARC reports for authentication failures or issues with DKIM temporary errors.
Manage sender reputation: A proactive approach to email domain reputation includes managing recipient engagement and avoiding spam traps.

Keeping your email authentication in order is a fundamental part of successful email deliverability. Neglecting these standards can lead to your emails being filtered as spam or even getting your domain (or IP) placed on a blocklist (or blacklist).

While header.i itself doesn't directly 'ding' your sender reputation, its proper configuration within DKIM contributes to the overall trust signals that mailbox providers use. Any element in your email headers, including the subtle details of your DKIM signature, can become a factor in how your messages are perceived. Therefore, understanding and correctly implementing these technical aspects is essential for maintaining a strong sender reputation and ensuring your emails consistently reach the inbox.

Views from the trenches

Best practices

Ensure your DKIM 'i=' tag is consistently a subdomain of your 'd=' domain for proper alignment.

Regularly review your DMARC reports to identify any DKIM authentication failures.

Use a dedicated email sending domain or subdomain for marketing emails to isolate its reputation.

Maintain high engagement rates to positively influence your sender reputation with mailbox providers.

Common pitfalls

Mismatching the 'i=' and 'd=' domains can lead to DKIM authentication failures and impact deliverability.

Ignoring DMARC reports means you miss critical insights into authentication issues.

Not monitoring for blocklist (or blacklist) listings can lead to widespread email rejection.

Sending to unengaged or old email lists can generate spam complaints and damage reputation.

Expert tips

The 'i=' tag is primarily an internal identifier and usually doesn't need external scrutiny for reputation.

Focus on the overarching DKIM and DMARC alignment, rather than hyper-focusing on 'i=' in isolation.

Sender reputation is complex; it's influenced by many factors beyond just email headers.

Consistent email practices and positive user interaction are the best ways to build and maintain reputation.

Expert view

Expert from Email Geeks says the 'i=' tag allows a more specific identity to take responsibility for the DKIM signature and can be an email address or a subdomain of the 'd=' domain. It is optional and often appears due to the specific setup of the filter doing the authenticating.

2019-08-13 - Email Geeks

Expert view

Expert from Email Geeks says the 'i=' tag is set by the sending server when creating the DKIM signature.

2019-08-14 - Email Geeks

Key takeaways

The header.i tag within email headers provides a specific identity for a DKIM signature, often indicating a subdomain or specific sending agent. While distinct from the visible header.from address, its proper alignment with the DKIM d= domain is vital for successful email authentication.

Ultimately, every component of an email, including the subtle details in its headers, contributes to your sender reputation. Ensuring all authentication mechanisms are correctly configured and consistent is paramount. Continuous monitoring and adherence to best practices will help guarantee your emails are not only authenticated but also successfully delivered to the inbox, avoiding blocklists (or blacklists) and maintaining trust with mailbox providers.