This article will list some of the Frequently Asked Questions ( FAQ ) on our Outbound DKIM Signing service, specifically about the DNS TXT record and the DKIM Signature Header.

Email Security.Cloud

1. The DNS TXT record generated by ClientNet consists of four tags. 

v=  ( Version ) ; k=  ( Key type ); t=   ( Flags ); p=  ( Public-Key data )

Sample DNS TXT record generated in ClientNet.

v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgb3v9Ry217ttPTb12ETgic/jJymT9ihHJn5WutfKY+4vQmAlFUrqpILY6BjCMgIil7mwHZh4cY4FMYXFNBdRMFGbYix17TVr24efZp5srrZHUfOsZaDUFARvB+zP7tN4o0jY7upk1vBYgk6U+gK909LUA2seapfAPcA2KT1kACYAx1iVrJ4r+6T+F7fh0qrjr58LLvxRr7xqDwK6EdKKqwI/4GfDfh1sClrIBqTXXwQW4gs68eUj8rniP6uDKiNDjfcLq+x4uoItAgyotLW9cmAakTo3Yppo1W8InTUkoizx9FjkWFUUZNgBssZoS2DnRuFqYeqdS8ulzzjtSq6tkwIDAQAB

2. What does "t=s"  ( flag ) signify ?

         Any DKIM-Signature header fields using the "i=" tag MUST have
         the same domain value on the right-hand side of the "@" in the
         "i=" tag and the value of the "d=" tag.  That is, the "i="
         domain MUST NOT be a subdomain of "d=".  Use of this flag is
         RECOMMENDED unless subdomaining is required.

From: https://tools.ietf.org/html/rfc6376#section-3.6

3.  Do we sign header only or header and body of the email?

Both, the header and body of the email are signed.

4. Which header fields are signed?

h=From:To:Subject:date:Message-ID:Content-Type:MIME-Version;

5. Can a customer decide which parts of the email header will be signed? Is it possible to specify "h=" tag fields? For instance,  h=from:to:date:subject:message-id

It is not possible to customize the DKIM signature header.

6. Can a customer decide what number of characters from the message body will be used to compute body hash? For instance l=50?

It is not possible to specify this tag or any other tag in the DKIM signature header.

7. Can a customer decide if validation will be relaxed or simple by specifying the c= tag?

It is set to c=relaxed/relaxed by default.

8. Is it possible to remove the  "t=s" tag or modify to "t=y" (as for testing purposes)?

Yes, you may set it to t=y ( for test mode ) and then change to t=s once you are done testing.

9. Why do we have t=s in the DNS record generated by ClientNet without the i= tag?

The "t=s" tag indicates enforcing a domain match in the signature header between the "i=" and "d=" tags.

It is not necessary for the "i=" tag to be present in the DNS record. We do specify the  "i=" tag when signing the mail, so it is present in the DKIM Signature Header by default.

Example of DKIM Signature Header:

Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=example1;
t=1564078259; i=@example.com; bh=fe9s1o5GOAujEajmhc/nEXj9ufcxnTe4o1bPY3zTcpo=; h=From:To:Subject:date:Message-ID:Content-Type:MIME-Version; b=hEfMOmb3+IcS66k9bGXIXYXpoEprlxoB+jnSngrOPOvhJq4O5M1YRkczUg7NhmxL7S7id2T1ulpfw4P53UEGmHSi/xupjw1j6s6JOgo1Y70skJhweh92pEv/JvdfoC2GGxPoFEQvTFsT/B3PovcqrV/SHiU7KAGwUgLgw+9wMA2U5fU93/PIlNVef59PUqdrZ2b/dT2FUZph6Za98TF5XcbLaxLTpk9oX1uidi+X3ZkVi2xyRBPRgnxx8TwF4nZQmtzecVADUjsAOT0uHA8YxOwzwu9osNjxVASTdqlUX6FTo87uzD2qIsZzz42IpWq/8rOKeKUptNI73AQvgJhyw==

10. Is it possible to add other optional tags to the DKIM DNS record such as:  "s=" "n=" "k=" "h=" "g="  without affecting email delivery ?

Yes, although the use of these optional tags is very limited.

11. Why does the DNS verification check does not successfully complete after adding optional tags?

Because there is no longer a 1:1 match between the record provided in ClientNet and the record added in the DNS, it will continuously fail. You may still override this check and enable the setting anyway.