What is the difference between d=, s=, bh= and b= tags?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

These are the core tags inside the DKIM-Signature: header that gets attached to every email you send with DKIM. They identify who signed the message, where to find the verification key, and carry the actual signature data.

Here's what each one does:

d= (signing domain) : The domain that vouches for this email. For example, d=deepcurrent.io means the entity controlling deepcurrent.io signed this message. This is the domain that DMARC checks for alignment: does the signing domain match the visible "From" domain? If not, DMARC alignment fails.

s= (selector) : A label that tells the receiving server where in DNS to find the public key for verification. If s=s1 and d=deepcurrent.io, the server looks up s1._domainkey.deepcurrent.io. The selector is how multiple DKIM keys can coexist under the same domain.

bh= (body hash) : A hash of the canonicalized message body. When the receiving server gets your message, it computes its own body hash and compares it to this value. If the message body was modified after signing, the hashes won't match and DKIM fails. This is the tamper-detection part of DKIM.

b= (signature) : The actual cryptographic signature. It's an encrypted hash of the signed headers (including the DKIM-Signature header itself, minus this field). The receiving server decrypts it using your public key and compares the result to its own computation. If it matches, the signature is valid.

You'll also see other tags in a DKIM-Signature header: v= (always 1), a= (the algorithm, like rsa-sha256), c= (canonicalization mode), h= (which headers were signed), and t= (timestamp). But d=, s=, bh=, and b= are the four that carry the essential identity and verification data.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a walkthrough of your specific DKIM header and what it means.

I read this on the Email Almanac about DKIM signature tags. I'm looking at a DKIM-Signature header that contains [paste the relevant part if you have it, or describe what you're trying to understand]. I want to understand [describe e.g., "why my d= domain doesn't match my From address and whether that's causing DMARC failures" or "what the b= value means and whether it's correct" or "how to read a DKIM header to verify it's valid"].

Edit the yellow boxes, then send to the AI of your choice.