When we talk about email authentication, protocols like SPF, DKIM, and DMARC are the cornerstones of a secure setup. DKIM (DomainKeys Identified Mail) is particularly interesting because it attaches a cryptographic signature, made with a private key whose public half is published in the signing domain's DNS, so a receiver can check that the signed parts of a message have not changed in transit and that the signing domain vouches for it. A key part of that signature is the h= tag, but its function isn't always obvious. Let's break down what it does and why it's so important.
At its core, the h= tag in a DKIM-Signature header is a list: a colon-separated set of header field names (for example h=from:to:subject:date) in the order the signer fed them into the hash. It specifies exactly which email headers the sending server covered when it created the digital signature. When a receiving mail server gets the email, it reads the h= tag to know which headers, and in which order, it must canonicalize and hash to recalculate the signed data and check the signature. The DKIM-Signature header itself is always included last, with its own b= value emptied, so the tag list is protected too.
Think of it as a table of contents for the signature. Without it, the receiving server would have no idea which parts of the email's header were originally signed. Any header named in the list is locked in: altering or removing it changes the hash and the DKIM check fails. The flip side matters just as much: headers that are not listed are not protected at all and can be added, changed, or stripped without affecting verification, which is why the choice of what goes into h= is a security decision rather than a formality.
The primary job of the h= tag is to protect the integrity of the most important email headers. If a malicious actor intercepted an email and changed the 'Subject' line or added a new 'Reply-To' address, the DKIM signature would become invalid, provided those headers were included in the h= list. One caveat a verifier's behaviour introduces: when a header is listed once in h= but an attacker adds a second copy at the top of the message, the verifier (per RFC 6376) takes the bottom-most instance, so the original still hashes correctly while many mail clients display the added one. The fix is oversigning, listing the header name one more time than it actually appears (h=from:from:...), which signs the absence of any further copy. Combined with DMARC, which requires the signing domain to align with the From address, this makes DKIM a powerful tool against phishing and email spoofing.
By explicitly listing which headers are signed, the h= tag creates a clear, verifiable record of the message's key components at the time of sending. The receiving server doesn't have to guess; it simply follows the instructions laid out in the tag.
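To make the selection rule and the tampering scenarios above concrete, here is an added example (not code from the original page) that implements the h= handling a DKIM verifier performs: relaxed header canonicalization, the RFC 6376 bottom-up selection of the headers named in h=, the body hash, and the signed data block. It stands in an HMAC for the real RSA or Ed25519 signature so it runs offline with only the standard library; the key, domain, selector and sample message are all constructed for the demo. It then signs one message twice, once with From listed once and once oversigned, and replays an edited Subject and a prepended second From against both.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the signer's private key and the selector's public key
# in DNS. Real DKIM uses RSA-SHA256 or Ed25519-SHA256; the h= selection and
# canonicalization shown here are identical, and an HMAC keeps the example offline.
SIGNING_KEY = b"example-selector-key"
SIGNATURE_TAGS = "v=1; c=relaxed/simple; d=example.com; s=sel1"  # hypothetical domain/selector


def split_message(raw):
    """Split a CRLF-delimited message into [(name, value), ...] headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:        # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, value = line.split(":", 1)
            headers.append((name, value))
    return headers, body


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n[ \t]+", " ", value)       # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()   # compress and trim whitespace
    return name.strip().lower() + ":" + value + "\r\n"


def simple_body_hash(body):
    """RFC 6376 section 3.4.3 'simple' body canonicalization, then SHA-256 (the bh= tag)."""
    while body.endswith("\r\n\r\n"):                 # drop trailing empty lines
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def select_signed_headers(headers, h_tag):
    """RFC 6376 section 5.4.2: for each name in h= (left to right) take the bottom-most
    instance not already used; extra entries beyond what exists contribute nothing."""
    remaining = list(headers)
    selected = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == name:
                selected.append(relaxed_header(*remaining.pop(i)))
                break
    return selected


def signed_data(headers, h_tag, sig_without_b):
    """Bytes the signature covers: selected headers, then DKIM-Signature with empty b=."""
    block = "".join(select_signed_headers(headers, h_tag))
    block += relaxed_header("DKIM-Signature", sig_without_b + " b=")
    return block.rstrip("\r\n").encode()            # no trailing CRLF (RFC 6376 3.7)


def sign(raw, h_tag):
    """Return the DKIM-Signature header value that signs the headers named in h_tag."""
    headers, body = split_message(raw)
    sig = f"{SIGNATURE_TAGS}; h={h_tag}; bh={simple_body_hash(body)};"
    tag = hmac.new(SIGNING_KEY, signed_data(headers, h_tag, sig), hashlib.sha256).digest()
    return sig + " b=" + base64.b64encode(tag).decode()


def verify(raw):
    """Verify the DKIM-Signature header of a CRLF-delimited message."""
    headers, body = split_message(raw)
    sig = next((v for n, v in reversed(headers) if n.strip().lower() == "dkim-signature"), None)
    if sig is None:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    before_b, sep, _ = sig.rpartition(" b=")       # base64 has no spaces, so this is the b= tag
    if not sep or "h" not in tags or tags.get("bh") != simple_body_hash(body):
        return False
    expected = base64.b64decode(tags["b"])
    actual = hmac.new(SIGNING_KEY, signed_data(headers, tags["h"], before_b), hashlib.sha256).digest()
    return hmac.compare_digest(actual, expected)


def demo():
    """Sign a constructed message two ways and replay the tampering described in the text."""
    message = (                                      # constructed sample, not real mail
        "From: alerts@example.com\r\n"
        "To: user@example.org\r\n"
        "Subject: Your invoice\r\n"
        "Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
        "\r\n"
        "Please see the attached invoice.\r\n"
    )
    results = {}
    for label, h_tag in (("single", "from:to:subject:date"),
                         ("oversigned", "from:from:to:subject:date")):
        signed = "DKIM-Signature: " + sign(message, h_tag) + "\r\n" + message
        edited_subject = signed.replace("Subject: Your invoice", "Subject: Urgent: wire funds")
        second_from = "From: ceo@example.com\r\n" + signed   # prepended by an attacker
        results[label] = (verify(signed), verify(edited_subject), verify(second_from))
    return results
```

Calling demo() returns {'single': (True, False, True), 'oversigned': (True, False, False)}: both signatures verify on the untouched message and both fail when Subject is edited, but only the oversigned h= catches the prepended second From, because the verifier hashes the bottom-most From and the single-listed signature never covered the slot above it.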
While you can technically sign any header, some are more important than others for ensuring authenticity and deliverability. The selection of headers is critical: a DKIM signature is only as strong as the headers it protects. RFC 6376 makes one choice for you, since From must always be signed; beyond that, the headers a recipient actually sees and acts on (To, Subject, Date, Reply-To, Message-ID) are the usual picks, and a header you never send can still be listed so that nobody else can add one. Be aware that signing a header some intermediary rewrites, such as a mailing list that prefixes Subject, will break verification for mail that passes through it, so the list is a trade-off between coverage and robustness.
The h= tag is a mandatory (RFC 6376 requires it) and foundational component of the DKIM signature. It provides a clear manifest of the headers protected by the digital signature, and because that manifest is itself covered by the signature it cannot be edited without breaking verification. By carefully selecting which headers to include, and listing the sensitive ones one extra time to block later additions, you ensure the integrity of your emails, protect your brand from spoofing, and improve your overall email deliverability. It's a small piece of text that does a very big job in the world of email security.