Why Using the DKIM l= Tag is Always a Bad Idea

Appropriate email authentication plays a critical role in the success of any email marketing program. Email authentication allows receiving email servers to verify the legitimacy of an email message.

In 2024, major mailbox providers like Gmail and Yahoo began to enforce authentication standards as a requirement for successful deliverability.

One of the foundational email authentication protocols is DomainKeys Identified Mail (DKIM).

DKIM allows an organization to transmit a message in a way that their identity can be verified by mailbox providers (MBPs) using cryptographic authentication.

Understanding the DKIM record

Think of a DKIM record as a one-of-a-kind signature assigned to your domain that sits within a message’s header. Receiving email servers look for this digital signature as proof the content is coming from the domain claiming ownership of the message.

Senders implement DKIM, as well as Sender Policy Framework (SPF), to create a safe and secure email transmission. These protocols work together to protect email programs from spoofing, phishing, and other malicious attempts to impersonate a brand.

The DKIM-Signature header is made up of different informational elements that are represented as tag=value pairs. A tag is usually a single letter followed by an equals sign (=). Each tag carries a specific piece of information about the sender, the message, or the location of the public key. There are numerous tags available for a DKIM record.

Some tags are required, and others are optional.

Problems with the DKIM tag: l=

The remainder of this article details one specific optional DKIM tag: l= (that’s a lowercase L). Who knew a few little characters could potentially cause so much trouble!

No sender should include the l= tag in their emails (promotional or transactional). The risks are just too great. Let’s dive into how this DKIM tag can expose your email program to abuse:

The l= tag specifies the length of the message body that is signed by DKIM. Its value is a number: the count of bytes in the message body that are covered by the DKIM signature. For example, l=1000 means that the first 1000 bytes of the message body are signed by DKIM. Any additional bytes are not signed.

Because the l= tag means that only a portion of the message body is signed, including it allows malicious actors to send phishing emails, alter content, or otherwise exploit emails, and still pass DKIM!
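To make the tag=value structure and the partial-coverage problem concrete, here is an added audit script (it is not code from the original post or from any vendor). It parses a DKIM-Signature header into its tags, applies "simple" body canonicalization, and reports how many body bytes fall outside the signed prefix when an l= tag is present. The header values, the body text and the PLACEHOLDER strings for bh= and b= are constructed for illustration; the check only needs the tag list and the body, not a real signing key.

```python
import base64
import hashlib
import re

# Constructed sample values (not from any real message); bh= and b= are placeholders
# because the audit below only needs the tag list and the body, not a real key.
SAMPLE_HEADER_WITH_L = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1; "
    "h=from:to:subject:date; l=10; bh=PLACEHOLDER; b=PLACEHOLDER"
)
SAMPLE_HEADER_NO_L = SAMPLE_HEADER_WITH_L.replace("l=10; ", "")
SAMPLE_BODY = b"Hi Alex,\r\nYour order has shipped.\r\nThanks!\r\n"


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' or empty element
        if "=" not in part:
            raise ValueError(f"malformed tag element: {part!r}")
        name, value = part.split("=", 1)
        # Folding whitespace inside a value is not significant, so drop it.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body_simple(body: bytes) -> bytes:
    """'simple' body canonicalization (the body half of c=relaxed/simple):
    drop trailing empty lines and make sure the body ends with one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")  # normalize to CRLF
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def signed_body_prefix(tags: dict, body: bytes) -> bytes:
    """Return the part of the canonicalized body that the signature actually covers."""
    canon = canonicalize_body_simple(body)
    if "l" not in tags:
        return canon  # no l= tag: the whole body is signed
    limit = int(tags["l"])
    if limit > len(canon):
        # RFC 6376 tells verifiers to fail a signature whose l= exceeds the body.
        raise ValueError("l= exceeds canonicalized body length")
    return canon[:limit]


def body_hash(tags: dict, body: bytes) -> str:
    """Compute the bh= value a verifier would derive for this body and tag set."""
    algo = hashlib.sha1 if tags.get("a", "").endswith("sha1") else hashlib.sha256
    return base64.b64encode(algo(signed_body_prefix(tags, body)).digest()).decode()


def audit_dkim_signature(header_value: str, body: bytes) -> dict:
    """Report how much of the body is outside the signature and flag any l= tag."""
    tags = parse_dkim_tags(header_value)
    canon_len = len(canonicalize_body_simple(body))
    signed_len = len(signed_body_prefix(tags, body))
    findings = []
    if "l" in tags:
        findings.append(
            f"l={tags['l']} present: {canon_len - signed_len} of {canon_len} "
            "body bytes are not covered by the signature; remove the l= tag"
        )
    return {
        "tags": tags,
        "signed_bytes": signed_len,
        "unsigned_bytes": canon_len - signed_len,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, header in (("with l=", SAMPLE_HEADER_WITH_L), ("without l=", SAMPLE_HEADER_NO_L)):
        report = audit_dkim_signature(header, SAMPLE_BODY)
        print(label, report["signed_bytes"], "signed,", report["unsigned_bytes"], "unsigned")
        for finding in report["findings"]:
            print("  ", finding)
```

With the sample header, l=10 covers exactly the first line of the 44-byte body, so the audit reports 34 unsigned bytes, and the bh= value stays the same whether or not text is appended after that prefix. Without the l= tag the whole body is hashed, and any appended text changes bh= and fails verification. Running the same audit over the DKIM-Signature headers of your own outbound mail is a quick way to confirm whether an ESP is adding the tag.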

And if the message still passes DKIM, it can pass DMARC (Domain-based Message Authentication, Reporting & Conformance), too. For senders that have implemented Brand Indicators for Message Identification (BIMI), this means that both their emails and their brand's logo can be impersonated if the l= tag is included in their DKIM records.

How does the l= tag impact BIMI?

As a quick recap, BIMI allows a small logo to appear next to the sender's name in the recipient's inbox. BIMI logos display only if the email is authenticated and passes SPF, DKIM and DMARC. BIMI should help to legitimize a sender in the eyes of mailbox providers and subscribers, but an l= tag allows these logos to be forged.

There is a lengthy and well-documented history of email experts cautioning senders against using the l= tag. Analysts have recently published further research on the potential for exploitation that comes with using the l= tag.

Gmail has similarly cautioned against using this tag:

Next steps

Given the increased scrutiny of authentication standards by MBPs in recent years, it’s entirely possible that emails using the l= tag in their DKIM records could be considered unsigned (and therefore unauthenticated) in the near future.

Security vendors and mailbox providers alike agree the l= tag exposes a brand to exploitation, but some sending platforms continue to use it. Senders should be aware of their own DKIM records and confirm with their Email Service Provider (ESP) whether the l= tag is being used for their campaigns. The simplest way to avoid this vulnerability is to ensure there is no l= tag in your DKIM record.

For more tips to navigate the evolving email security landscape, watch this on-demand webinar, featuring Forrester: Deliverability Secured: Forrester on Protecting Your Email Campaigns From Security Threats.