
Frequently Asked Question (FAQ) on Outbound DKIM Signing


Article ID: 175581


Products

Email Security.cloud

Issue/Introduction

This article lists frequently asked questions (FAQ) about our Outbound DKIM Signing service, specifically about the DNS TXT record and the DKIM-Signature header.

Environment

Email Security.Cloud

Resolution

1. The DNS TXT record generated by ClientNet consists of four tags.

v= (Version); k= (Key type); t= (Flags); p= (Public-Key data)

Sample DNS TXT record generated in ClientNet.

v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgb3v9Ry217ttPTb12ETgic/jJymT9ihHJn5WutfKY+4vQmAlFUrqpILY6BjCMgIil7mwHZh4cY4FMYXFNBdRMFGbYix17TVr24efZp5srrZHUfOsZaDUFARvB+zP7tN4o0jY7upk1vBYgk6U+gK909LUA2seapfAPcA2KT1kACYAx1iVrJ4r+6T+F7fh0qrjr58LLvxRr7xqDwK6EdKKqwI/4GfDfh1sClrIBqTXXwQW4gs68eUj8rniP6uDKiNDjfcLq+x4uoItAgyotLW9cmAakTo3Yppo1W8InTUkoizx9FjkWFUUZNgBssZoS2DnRuFqYeqdS8ulzzjtSq6tkwIDAQAB

2. What does the "t=s" flag signify?

         Any DKIM-Signature header fields using the "i=" tag MUST have
         the same domain value on the right-hand side of the "@" in the
         "i=" tag and the value of the "d=" tag.  That is, the "i="
         domain MUST NOT be a subdomain of "d=".  Use of this flag is
         RECOMMENDED unless subdomaining is required.

From: https://tools.ietf.org/html/rfc6376#section-3.6

3. Do we sign the header only, or both the header and the body of the email?

Both the header and the body of the email are signed.

4. Which header fields are signed?

h=From:To:Subject:date:Message-ID:Content-Type:MIME-Version;

5. Can a customer decide which parts of the email header will be signed? Is it possible to specify the "h=" tag fields? For instance, h=from:to:date:subject:message-id

It is not possible to customize the DKIM signature header.

6. Can a customer decide how many characters of the message body will be used to compute the body hash? For instance, l=50?

It is not possible to specify this tag or any other tag in the DKIM signature header.

7. Can a customer decide if validation will be relaxed or simple by specifying the c= tag?

It is set to c=relaxed/relaxed by default.

8. Is it possible to remove the "t=s" tag or change it to "t=y" (for testing purposes)?

Yes, you may set it to t=y (test mode) and then change it to t=s once you are done testing.

9. Why do we have t=s in the DNS record generated by ClientNet without the i= tag?

The "t=s" flag enforces a domain match in the signature header between the "i=" and "d=" tags.

The "i=" tag does not need to be present in the DNS record. We specify the "i=" tag when signing the mail, so it is present in the DKIM-Signature header by default.

Example of DKIM Signature Header:

Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esstrain7.cloud; s=atester;
t=1564078259; [email protected]; bh=fe9s1o5GOAujEajmhc/nEXj9ufcxnTe4o1bPY3zTcpo=;
h=From:To:Subject:date:Message-ID:Content-Type:MIME-Version;
b=hEfMOmb3+IcS66k9bGXIXYXpoEprlxoB+jnSngrOPOvhJq4O5M1YRkczUg7NhmxL7S7id2T1ulpfw4P53UEGmHSi/xupjw1j6s6JOgo1Y70skJhweh92pEv/JvdfoC2GGxPoFEQvTFsT/B3PovcqrV/SHiU7KAGwUgLgw+9wMA2U5fU93/PIlNVef59PUqdrZ2b/dT2FUZph6Za98TF5XcbLaxLTpk9oX1uidi+X3ZkVi2xyRBPRgnxx8TwF4nZQmtzecVADUjsAOT0uHA8YxOwzwu9osNjxVASTdqlUX6FTo87uzD2qIsZzz42IpWq/8rOKeKUptNI73AQvgJhyw==

10. Is it possible to add other optional tags to the DKIM DNS record, such as "s=", "n=", "k=", "h=" or "g=", without affecting email delivery?

Yes, although the use of these optional tags is very limited.

11. Why does the DNS verification check not complete successfully after adding optional tags?

Because there is no longer a 1:1 match between the record provided in ClientNet and the record added in DNS, the check will continue to fail. You may still override this check and enable the setting anyway.
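The "t=s" rule from questions 2 and 9, written out as the check a verifying receiver applies to the "i=" and "d=" tags. This is an added example, not code from ClientNet or Email Security.cloud; the function names, the example.com domain, the sel1 selector and the placeholder key data are all constructed for illustration.

```python
# Added example: the i=/d= check that the "t=s" key flag turns on (RFC 6376).
# All records and header values below are constructed samples.

def parse_tags(value):
    """Parse a DKIM tag=value list (key record or DKIM-Signature value)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:  # skip the empty element after a trailing ';'
            tags[name.strip()] = val.strip()
    return tags

def identity_allowed(key_record, signature_value):
    """Return (ok, reason) for the signature's i= domain under the key's t= flags."""
    key = parse_tags(key_record)
    sig = parse_tags(signature_value)
    d = sig["d"].lower()
    # When i= is absent, RFC 6376 defaults it to "@" followed by the d= value.
    i_domain = sig.get("i", "@" + d).rpartition("@")[2].lower()
    # t= is a colon-separated flag list, for example "y:s".
    flags = {f.strip() for f in key.get("t", "").split(":") if f.strip()}
    if i_domain == d:
        return True, "i= domain equals d="
    if not i_domain.endswith("." + d):
        return False, "i= domain is neither d= nor a subdomain of d="
    if "s" in flags:
        return False, "key record has t=s, so a subdomain in i= is rejected"
    return True, "subdomain in i= is allowed because t=s is not set"

# Constructed key records; the p= value is a placeholder, not a real key.
KEY_STRICT = "v=DKIM1; k=rsa; t=s; p=CONSTRUCTEDKEY"
KEY_TEST_STRICT = "v=DKIM1; k=rsa; t=y:s; p=CONSTRUCTEDKEY"
KEY_NO_FLAGS = "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"

def sig_value(i_tag=None):
    """Build a constructed DKIM-Signature value for d=example.com."""
    base = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
    return base + (f" i={i_tag};" if i_tag else "")

if __name__ == "__main__":
    identities = (None, "user@example.com", "user@mail.example.com",
                  "user@notexample.com")
    for key in (KEY_STRICT, KEY_TEST_STRICT, KEY_NO_FLAGS):
        for i_tag in identities:
            print(key[:22], i_tag, identity_allowed(key, sig_value(i_tag)))
```

The check reads only the "t=", "d=" and "i=" tags, so it says nothing about whether the signature itself verifies.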