This article lists some Frequently Asked Questions (FAQ) about our Outbound DKIM Signing service, specifically about the DNS TXT record and the DKIM Signature Header.
Email Security.Cloud
v= (Version); k= (Key type); t= (Flags); p= (Public-Key data)
v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgb3v9Ry217ttPTb12ETgic/jJymT9ihHJn5WutfKY+4vQmAlFUrqpILY6BjCMgIil7mwHZh4cY4FMYXFNBdRMFGbYix17TVr24efZp5srrZHUfOsZaDUFARvB+zP7tN4o0jY7upk1vBYgk6U+gK909LUA2seapfAPcA2KT1kACYAx1iVrJ4r+6T+F7fh0qrjr58LLvxRr7xqDwK6EdKKqwI/4GfDfh1sClrIBqTXXwQW4gs68eUj8rniP6uDKiNDjfcLq+x4uoItAgyotLW9cmAakTo3Yppo1W8InTUkoizx9FjkWFUUZNgBssZoS2DnRuFqYeqdS8ulzzjtSq6tkwIDAQAB
Any DKIM-Signature header fields using the "i=" tag MUST have
the same domain value on the right-hand side of the "@" in the
"i=" tag and the value of the "d=" tag. That is, the "i="
domain MUST NOT be a subdomain of "d=". Use of this flag is
RECOMMENDED unless subdomaining is required.
From: https://tools.ietf.org/html/rfc6376#section-3.6
Both the header and the body of the email are signed.
h=From:To:Subject:date:Message-ID:Content-Type:MIME-Version;
It is not possible to customize the DKIM signature header.
It is not possible to specify this tag or any other tag in the DKIM signature header.
It is set to c=relaxed/relaxed by default.
Yes, you may set it to t=y (for test mode) and then change to t=s once you are done testing.
The "t=s" tag indicates enforcing a domain match in the signature header between the "i=" and "d=" tags.
It is not necessary for the "i=" tag to be present in the DNS record. We do specify the "i=" tag when signing the mail, so it is present in the DKIM Signature Header by default.
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=example1;
 t=1564078259; i=@example.com;
 bh=fe9s1o5GOAujEajmhc/nEXj9ufcxnTe4o1bPY3zTcpo=;
 h=From:To:Subject:date:Message-ID:Content-Type:MIME-Version;
 b=hEfMOmb3+IcS66k9bGXIXYXpoEprlxoB+jnSngrOPOvhJq4O5M1YRkczUg7NhmxL7S7id2T1ulpfw4P53UEGmHSi/xupjw1j6s6JOgo1Y70skJhweh92pEv/JvdfoC2GGxPoFEQvTFsT/B3PovcqrV/SHiU7KAGwUgLgw+9wMA2U5fU93/PIlNVef59PUqdrZ2b/dT2FUZph6Za98TF5XcbLaxLTpk9oX1uidi+X3ZkVi2xyRBPRgnxx8TwF4nZQmtzecVADUjsAOT0uHA8YxOwzwu9osNjxVASTdqlUX6FTo87uzD2qIsZzz42IpWq/8rOKeKUptNI73AQvgJhyw==
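The "t=s" rule described above can be checked mechanically. The following Python is an added example, not code from the service or from the original article: it parses the DNS record and the signature header as tag lists and compares the "i=" domain with "d=". The function names, the shortened p= value and the second sample signature are constructed for illustration, and the cryptographic verification of b= is out of scope.

```python
def parse_tags(text):
    """Parse a DKIM tag list ("v=1; a=rsa-sha256; ...") into a dict."""
    tags = {}
    for part in text.split(";"):
        if "=" not in part:
            continue  # empty segment after a trailing ";"
        name, value = part.split("=", 1)
        # Drop folding whitespace left over from header line wrapping.
        tags[name.strip()] = "".join(value.split())
    return tags

def key_flags(record):
    """Return the flags in the key record's colon-separated t= tag."""
    return {f for f in record.get("t", "").split(":") if f}

def check_identity(sig, record):
    """Return (ok, reason) for the i=/d= relationship under the record's flags."""
    d = sig["d"].lower()
    # RFC 6376: an absent i= defaults to "@" followed by the d= value.
    i_domain = sig.get("i", "@" + d).rsplit("@", 1)[-1].lower()
    if i_domain == d:
        return True, "i= domain equals d="
    if not i_domain.endswith("." + d):
        return False, "i= domain is neither d= nor a subdomain of it"
    if "s" in key_flags(record):
        return False, "t=s is set: i= domain must not be a subdomain of d="
    return True, "subdomain accepted: key record does not set t=s"

# Constructed samples; the tag values mirror the article, p= is a placeholder.
RECORD = "v=DKIM1; k=rsa; t=s; p=AAAA"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=example1;\n"
       " t=1564078259; i=@example.com;")
SUB_SIG = "v=1; a=rsa-sha256; d=example.com; s=example1; i=@mail.example.com;"

if __name__ == "__main__":
    for label, sig in (("article header", SIG), ("subdomain i=", SUB_SIG)):
        ok, reason = check_identity(parse_tags(sig), parse_tags(RECORD))
        print(f"{label}: {'pass' if ok else 'FAIL'} ({reason})")
```

With the record set to t=s, the header from the article passes and the constructed subdomain signature is rejected; with t=y alone the subdomain signature is accepted.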
Yes, although the use of these optional tags is very limited.
Because there is no longer a 1:1 match between the record provided in ClientNet and the record added in the DNS, the check will continuously fail. You may still override this check and enable the setting anyway.