What is the difference between d=, s=, bh= and b= tags?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
These are the core tags inside the DKIM-Signature: header that gets attached to every email you send with DKIM. They identify who signed the message, where to find the verification key, and carry the actual signature data.
Here's what each one does:
d= (signing domain) : The domain that vouches for this email. For example, d=deepcurrent.io means the entity controlling deepcurrent.io signed this message. This is the domain that DMARC checks for alignment: does the signing domain match the visible "From" domain? If not, DMARC alignment fails.
s= (selector) : A label that tells the receiving server where in DNS to find the public key for verification. If s=s1 and d=deepcurrent.io, the server looks up s1._domainkey.deepcurrent.io. The selector is how multiple DKIM keys can coexist under the same domain.
bh= (body hash) : A hash of the canonicalized message body. When the receiving server gets your message, it computes its own body hash and compares it to this value. If the message body was modified after signing, the hashes won't match and DKIM fails. This is the tamper-detection part of DKIM.
b= (signature) : The actual cryptographic signature. It's an encrypted hash of the signed headers (including the DKIM-Signature header itself, minus this field). The receiving server decrypts it using your public key and compares the result to its own computation. If it matches, the signature is valid.
You'll also see other tags in a DKIM-Signature header: v= (always 1), a= (the algorithm, like rsa-sha256), c= (canonicalization mode), h= (which headers were signed), and t= (timestamp). But d=, s=, bh=, and b= are the four that carry the essential identity and verification data.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.