
What DKIM tag specifies the signed header fields?

The short answer is the h= tag. Within a DKIM (DomainKeys Identified Mail) signature, this tag explicitly lists which header fields of the email have been included in the cryptographic signature.

Understanding how DKIM works requires a look at its various components, which are defined by tags in the DKIM-Signature header. These tags are simple, single-letter identifiers followed by an equals sign and a value. The h= tag is one of the most critical parts of this system, as it determines the scope of the signature's integrity check.


The role of the h= tag

The primary purpose of DKIM is to allow a receiving mail server to verify that an email claiming to come from a specific domain was indeed authorized by the owner of that domain. It also provides a way to check that key parts of the message, including certain headers and the body of the email, have not been altered in transit.

DuoCircle says:
It stands for the 'signed headers' tag and lists the headers that are included in the signing process. Common headers include From, To, Subject, ...

The h= tag carries these signed header fields as a colon-separated list. When a receiving server validates a DKIM signature, it takes the headers named in the h= tag, in the order listed, together with the email body, computes its own hash, and verifies the signature data in the b= tag against that hash using the public key published in the signing domain's DNS. If the verification succeeds, the email passes DKIM authentication.

What headers should be signed?

Not all email headers are stable. Some, like Received or Return-Path, are often added or modified by mail servers as the email travels to its destination. Signing these headers would cause DKIM to fail. Therefore, it's essential to only sign headers that are expected to remain unchanged.

The most commonly signed headers are:

  • From: This is the most crucial header to sign, as it identifies the sender.
  • To/Cc: Signing these helps prevent recipients from being maliciously added or removed.
  • Subject: This ensures the subject line isn't altered to trick the recipient.
  • Date: Verifies when the message was originally sent.
  • Message-ID: A unique identifier for the message.

An example h= tag might look like this inside a DKIM-Signature header:

h=From:To:Subject:Date:Message-ID:Content-Type;

IETF Datatracker says:
... tag. The DKIM-Signature header field MUST NOT be included in its own "h=" tag, although other DKIM-Signature header fields MAY be signed (see Section 4).

This shows a colon-separated list of the headers that contribute to the signature. According to the official RFC 6376 specification, the DKIM-Signature header itself must not be included in its own h= list, which prevents a self-referential loop.
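The following is an added example, not code from the original page or from Suped. It shows how a verifier reads the h= tag described above, selects the header instances it covers, and prepares them for hashing with relaxed canonicalization, and it checks the h= list for the problems the previous sections describe (a missing From, a signature listing itself, unstable headers such as Received). The message headers and the DKIM-Signature value are constructed for illustration; the bh= and b= values are placeholders, so no real signature is verified.

```python
"""Added example: parse a DKIM-Signature h= tag and pick the header instances it
covers, the way a verifier does before hashing (RFC 6376 sections 3.5, 3.4.2, 5.4.2).
Headers below are constructed for illustration, not taken from real mail."""
import re

# Constructed sample headers in wire order (top of message first).
SAMPLE_HEADERS = [
    ("Received", "from mx.example.net by mail.example.org; Mon, 1 Jan 2024 10:00:00 +0000"),
    ("DKIM-Signature",
     "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\r\n"
     "\th=From:To:Subject:Date:Message-ID:Content-Type;\r\n"
     "\tbh=<body-hash-placeholder>; b=<signature-placeholder>"),
    ("From", "Alice <alice@example.org>"),
    ("To", "bob@example.com"),
    ("Subject", "Quarterly  report"),
    ("Date", "Mon, 1 Jan 2024 09:59:00 +0000"),
    ("Message-ID", "<abc123@example.org>"),
]

# Headers that relays routinely add or rewrite; signing them invites failures.
UNSTABLE_HEADERS = {"received", "return-path", "delivered-to", "x-original-to"}


def parse_tags(signature_value):
    """Split a DKIM-Signature value into a tag -> value dict (folding whitespace removed)."""
    tags = {}
    for part in signature_value.split(";"):
        if "=" not in part:
            continue
        tag, value = part.split("=", 1)
        tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_header_names(tags):
    """Return the colon-separated h= list as an ordered list of header names."""
    return [name for name in tags.get("h", "").split(":") if name]


def check_h_tag(names):
    """Flag h= lists a defender would reject: missing From, self-reference, unstable headers."""
    lower = [n.lower() for n in names]
    problems = []
    if "from" not in lower:
        problems.append("From is not signed; RFC 6376 requires it")
    if "dkim-signature" in lower:
        problems.append("DKIM-Signature listed: may only refer to an earlier signature, never itself")
    for name in names:
        if name.lower() in UNSTABLE_HEADERS:
            problems.append(f"{name} is rewritten in transit; signing it will likely break verification")
    return problems


def select_signed_headers(headers, names):
    """For each name in h=, take the last not-yet-used instance counting from the bottom of
    the header block; a name with no instance left maps to an empty value (RFC 6376 5.4.2).
    Listing a name once more than it occurs ("oversigning") is what lets a verifier detect
    a second From or Subject prepended after signing, because the extra slot must stay empty."""
    remaining = list(headers)
    selected = []
    for name in names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                selected.append((name, remaining.pop(i)[1]))
                break
        else:
            selected.append((name, ""))
    return selected


def relaxed_canon_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, collapse WSP, trim."""
    value = value.replace("\r\n", "")                 # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse runs of WSP, trim ends
    return f"{name.lower()}:{value}\r\n"


def canonicalized_signed_block(headers, names):
    """The header text a verifier hashes (before appending the DKIM-Signature with b= emptied)."""
    return "".join(relaxed_canon_header(n, v) for n, v in select_signed_headers(headers, names))


if __name__ == "__main__":
    tags = parse_tags(SAMPLE_HEADERS[1][1])
    names = signed_header_names(tags)
    print("h= covers:", names)
    print("problems:", check_h_tag(names) or "none")
    print(canonicalized_signed_block(SAMPLE_HEADERS, names))
```

Note that Content-Type appears in the sample h= list but not in the message, so it canonicalizes to an empty `content-type:` line; that is the mechanism by which listing a header that is absent (or listing it one extra time) pins it so that nothing can be added later without breaking the signature.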

Conclusion

In summary, the h= tag is a fundamental component of the DKIM standard. It specifies exactly which parts of the email's header are cryptographically signed, ensuring their integrity and protecting against common forms of email spoofing and phishing. By correctly configuring which headers are signed, you strengthen your domain's email security posture and improve email deliverability.
