Does a DKIM signature include the 'From' header by default?
Matthew Whittaker
Co-founder & CTO, Suped
Published 30 Nov 2024
Updated 5 Oct 2025
When delving into email authentication, one question that frequently arises concerns the exact scope of a DKIM signature. Specifically, whether the 'From' header, which is so crucial for how recipients perceive an email, is automatically included in the digital signature. It is a nuanced but incredibly important aspect of email security and deliverability.
DKIM, or DomainKeys Identified Mail, provides a way for senders to digitally sign emails, allowing receiving mail servers to verify that the email truly originated from the claimed domain and that it hasn't been tampered with in transit. This digital signature is embedded within the email's headers, and its integrity is verified using cryptographic keys.
The short answer is that a DKIM signature doesn't inherently include the 'From' header by default. Instead, the specific headers that are signed by DKIM are explicitly listed within the DKIM-Signature header itself. This control allows for flexibility but also introduces potential pitfalls if not configured correctly. For robust email security, especially in the context of DMARC, ensuring the 'From' header is signed is paramount.
The choice of which headers to sign significantly impacts an email's authenticity and how it is treated by receiving mail servers. Missing critical headers from the signature can undermine the entire authentication process, leading to delivery issues.
The mechanics of DKIM signatures
At its core, DKIM involves creating a cryptographic hash (a unique fingerprint) of selected email headers and a portion or all of the email body. This hash, along with a digital signature, is then appended to the email in a DKIM-Signature header. The public key, published in the sender's DNS records, allows receiving servers to decrypt this signature and verify the email's authenticity.
The key to understanding which headers are signed lies in the h= tag within the DKIM-Signature header. This tag contains a colon-separated list of all headers included in the digital signature. If a header is modified after the signature is applied, or if it's not listed in the h= tag, the DKIM validation will fail. This mechanism prevents unauthorized alterations to essential parts of the email.
For example, if the From header is not included in the h= list, an intermediary could theoretically change the sender's display name or even the email address in the From header without invalidating the DKIM signature. This would completely undermine the purpose of DKIM, which is to verify the sender's identity and message integrity. You can find more details on the structure of the DKIM-Signature header in this Broadcom knowledge article.
Example DKIM-Signature header with signed headers
The 'From' header, specifically the RFC5322.From header, is arguably the most visible and critical header for end-users. It's what people see in their inbox as the sender. Because of its prominence, email authentication protocols like DMARC place significant emphasis on its authenticity. DMARC's primary function is to check the alignment between the domain in the 'From' header and the domains used in SPF and DKIM authentication.
For DKIM, DMARC alignment means that the domain found in the d= tag of the DKIM signature (the signing domain) or the i= tag (the agent or user ID) must match the organizational domain in the email's From header. Without this alignment, even if DKIM passes authentication, the email can still fail DMARC, leading to potential rejection or quarantine. This is why DKIM alignment is crucial.
The i= tag, often referred to as header.i, specifies the Mail-From address from which the email was signed. If this tag is present, DMARC will typically use the domain within i= for alignment checking against the From header. If i= is absent, the d= tag is used. This distinction is vital for proper DMARC enforcement.
Therefore, to achieve DMARC compliance via DKIM, two things are non-negotiable: the 'From' header must be explicitly included in the DKIM signature's h= tag, and the domain specified by DKIM's d= or i= tag must align with the From header's organizational domain. Without this, your messages are at risk of failing authentication and not reaching their intended inboxes.
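An added example (not from the original article or from Suped): a Python check of the two conditions above, run against a constructed message with two DKIM-Signature headers. The sample message, the helper names and the two-label organizational-domain shortcut are assumptions; the code inspects tags only and does not verify the signature cryptographically.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; the bh= and b= values are placeholders, not real signatures.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;
 s=selector1; h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.net;
 s=s2; h=To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
To: bob@example.org
Subject: Quarterly report
Date: Mon, 06 Oct 2025 09:00:00 +0000

Body text.
"""

def parse_tags(value):
    """Split a DKIM-Signature value ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def org_domain(domain):
    """Assumption: last two labels; production code needs the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def audit(raw):
    """One finding per signature: is From listed in h=, is d= aligned (relaxed)?"""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
        # An i= domain must be d= or a subdomain of it, so comparing the
        # organizational domain of d= covers relaxed alignment for both tags.
        aligned = bool(from_domain) and org_domain(tags.get("d", "")) == org_domain(from_domain)
        findings.append({"d": tags.get("d", ""),
                         "from_signed": "from" in signed,
                         "aligned": aligned})
    return findings
```

Calling `audit(SAMPLE)` flags the second signature on both counts: its h= list omits From, and its d= domain belongs to a different organizational domain than the From address.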
Why signing the 'From' header matters for deliverability
The deliverability of your emails hinges significantly on proper email authentication. If the 'From' header isn't signed by DKIM or if the domains don't align as required by DMARC, your emails are much more likely to be flagged as suspicious. This can lead to them being sent to spam folders, quarantined, or even outright rejected by receiving mail servers.
Major Mailbox Providers (MBPs) like Google, Yahoo, and Microsoft are increasingly strict about DMARC compliance. They use DMARC authentication, which relies on both SPF and DKIM, to combat phishing and spoofing. Emails that fail these checks are often penalized, regardless of their content or sender reputation, so it's not enough for the DKIM signature to exist; it needs to be properly configured.
Best practice: essential headers
It is considered a best practice to always include critical headers like From, To, Subject, and Date in your DKIM signature. This prevents malicious actors from altering these visible elements. You can learn more about which DKIM tags specify signed fields.
| Scenario | DKIM Authentication | DMARC Alignment | Deliverability Impact |
| --- | --- | --- | --- |
| 'From' header signed and aligned | Pass | Pass | High chance of inbox delivery |
| 'From' header signed, but not aligned | Pass | Fail | Likely to be sent to spam or rejected |
| 'From' header not signed by DKIM | Pass (for other headers) | Fail | High risk of spoofing and deliverability issues |
How to ensure your 'From' header is signed and aligned
Ensuring your 'From' header is correctly signed and aligned typically involves configuring your Email Service Provider (ESP) or mail server. Most reputable ESPs will automatically include common headers like From, Subject, and Date in the DKIM signature by default. However, it's always wise to verify this yourself by inspecting the email headers of messages you send, or by using an email deliverability test tool.
If you're managing your own mail server, you'll need to explicitly configure your DKIM signing software (like OpenDKIM for Postfix) to include the 'From' header in the h= tag. Additionally, you must ensure that the domain signing the email (the DKIM d= or i= tag) aligns with the 'From' header domain. This often means setting up DKIM for your primary sending domain.
Simplify DKIM and DMARC with Suped
Manually verifying DKIM configurations can be complex and time-consuming. A dedicated DMARC monitoring tool like Suped provides comprehensive insights into your email authentication status. We offer:
AI-Powered Recommendations: Suped doesn't just show you data; it provides actionable steps to fix issues and strengthen your email authentication policies.
Real-Time Alerts: Get immediate notifications about DKIM failures, DMARC alignment issues, or potential spoofing attempts.
Unified Platform: Monitor DKIM, SPF, and DMARC together with blocklist and deliverability insights from a single dashboard.
SPF Flattening: Avoid the 10-lookup limit and keep your SPF records optimized.
MSP and Multi-Tenancy Dashboard: Easily manage multiple client domains with a centralized, scalable interface.
Common DKIM configuration issues
Missing 'From' header: The 'From' header is not specified in the h= tag of the DKIM-Signature.
Domain misalignment: The DKIM signing domain (d= or i=) does not match the 'From' header domain.
Third-party senders: When using an ESP, ensure they are correctly signing emails on your behalf, aligning with your domain.
Resolving DKIM and alignment issues
Update DKIM policy: Adjust your DKIM configuration to explicitly include the 'From' header in the h= tag.
Configure alignment: Ensure the domain in DKIM's d= or i= matches the organizational domain of your 'From' address. You can refer to Microsoft's DKIM setup guide.
Monitor DMARC reports: Regularly review your DMARC reports to identify authentication failures and sources of non-compliance. These reports are invaluable for diagnosing issues with DMARC authentication.
Consult ESP support: If you use an ESP, reach out to their support for assistance with DKIM setup and DMARC alignment.
Ensuring the integrity of your email's 'From' header
While a DKIM signature doesn't automatically include the 'From' header by default, its inclusion is absolutely critical for effective email authentication and DMARC compliance. The h= tag within the DKIM-Signature header explicitly lists the signed headers, and the 'From' header must be among them.
Proper DKIM configuration, ensuring both signing of the 'From' header and its alignment with the DKIM signing domain, is fundamental to maintaining a strong sender reputation and achieving optimal email deliverability. Leveraging tools like Suped for DMARC monitoring can significantly simplify this process, providing visibility and actionable insights to keep your emails secure and in the inbox.