Structure of the DKIM-Signature header
search cancel

Structure of the DKIM-Signature header


Article ID: 152351


Updated On:


Messaging Gateway


You need to analyze the contents of a DKIM-Signature header in order to investigate an issue with Messaging Gateway DKIM signatures


DKIM Authentication operates by decrypting a cryptographic signature of the email message using a key stored in the DNS and comparing it to a hash of the message headers and body. In order for this to work the sender needs to not only include the signature with the message but details on how to find the correct public key, how it computed the hash and what information needs to be included when checking the signature. All that is wrapped up in the DKIM-Signature message header.

DKIM-Signature: v=1; a=rsa-sha256;; s=selector1;
   c=relaxed/simple;q=dns/txt; [email protected]; t=1255993973;      
   List-Archive; bh=+7qxGePcmmrtZAIVQAtkSSGHfQ/ftNuvUTWJ3vXC9Zc=;

Separators: The DKIM signature header isn’t immediately clear but with a little slicing and dicing will tell us everything we need to know about how to validate the message but it’s important to know where to make the cuts. The header is composed of multiple “tag=value” pairs separated by the semicolon. When taking apart the header, always cut at the semicolon.


  • Version. This is always 1


  • This is the hashing algorithm used to generate the message digest. It will usually be either rsa-sha or rsa-sha256. Other algorithms are possible but not always supported.

  • The DNS domain of the signer.


  • This defines which value is used in the DNS lookup to determine which public key was used to sign the message. In this case public key would be stored in


  • Message canonicalization identifies the scheme used to prepare the headers and body prior to running it through the hashing algorithm. Some MTAs make small changes to the headers and occasionally the body when relaying messages and message canonicalization can help ensure that this doesn’t negatively impact the DKIM signature. If you’re interested in the gory details please see RFC 4871 or the SBG Admin Guide.


  • The q field defines the query method(s) used to retrieve the DKIM public key. It doesn’t have to be present and defaults to “dns/txt”. Currently dns/txt is the only supported method but other methods may be added at a later date.

[email protected]

  • This is the identity of the user or program for which the message has been signed. This can be omitted but if present the domain must match `d` although the username before the `@` may be dropped.


  • The epoch timestamp marking when the message was signed.


  • The `h` tag contains a colon separated list of the headers included when signing the message headers. Significant modification to these headers while the message is in transit will cause DKIM authentication to fail.


  • This is the base64 encoded hash of the message body after it has been canonicalized via the method in `c` and then run through the hash function in `a`.


  • Finally, this is the heart of the DKIM signature itself. Everything else up to this point has been meta information on how this value was calculated.


Additional Information