The short answer is yes, absolutely. For a DKIM signature to be valid and serve its purpose, the 'From' header field must be included in the set of signed headers. It's not just a recommendation; it's a fundamental requirement of the DKIM standard.
DKIM, or DomainKeys Identified Mail, works by adding a digital signature to email messages. This signature acts as a tamper-proof seal, allowing the receiving mail server to verify that the email was actually sent from the domain it claims to be from and that its content hasn't been altered in transit. As TechTarget explains, this signature is attached to the email's header.
Without signing the 'From' header, the entire authentication process would be compromised.
When an email is signed with DKIM, a DKIM-Signature header is added to the message. This header contains several tags, each providing a piece of information for the verification process. One of the most important tags is the h= tag, which is a colon-separated list of the header fields that have been included in the cryptographic signature.
According to the official standard, RFC 6376, the 'From' field is mandatory and must be present in this list. While many other headers can also be signed to enhance security, the 'From' header is the non-negotiable foundation. Some other headers that are typically signed include:
The entire point of DKIM is to prevent email spoofing by verifying the sender's domain. The 'From' header is what the recipient sees as the sender of the email. If this header were not signed, an attacker could take a message carrying a valid DKIM signature, rewrite the 'From' header to impersonate a legitimate sender, and the signature would still verify. Signing it locks it in, ensuring its integrity.
This becomes even more important when you consider DMARC (Domain-based Message Authentication, Reporting, and Conformance). For DMARC to pass, it requires something called "identifier alignment." For DKIM alignment, this means the domain in the d= tag of the DKIM signature (the signing domain) must match the domain in the 'From' header. If the 'From' header wasn't part of the signature, its contents couldn't be trusted, making the alignment check impossible and rendering DMARC ineffective.
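As an added example (not code from the original page), the following Python checks the two points discussed above on constructed sample messages: whether the h= tag of a DKIM-Signature header lists From, and whether the d= signing domain aligns with the 'From' domain in DMARC's strict and relaxed senses. The bh= and b= values are placeholders; the code inspects the signature's structure and alignment only and does not verify the cryptographic signature itself.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the original page). The bh= and b=
# values are placeholders: this example checks the h= tag and DKIM/DMARC
# alignment only; it does not verify the cryptographic signature.
GOOD_MSG = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; h=From:To:Subject:Date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Alice <alice@news.example.com>
To: bob@example.net
Subject: hello
Date: Mon, 1 Jan 2024 00:00:00 +0000

body
"""

# Same signing domain, but the signer left From out of h=.
BAD_MSG = GOOD_MSG.replace("h=From:To:Subject:Date", "h=To:Subject:Date")


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2).
    Folding whitespace inside a value is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = "".join(val.split())
    return tags


def signed_headers(tags: dict) -> list:
    """Header names listed in h=, lower-cased (RFC 6376 compares them case-insensitively)."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def check_signature(raw: str, relaxed: bool = True) -> dict:
    """Report whether From is covered by h= and whether d= aligns with the From
    domain. Relaxed alignment is approximated here as one domain equalling or
    being a subdomain of the other; real DMARC compares organizational domains
    derived from the Public Suffix List."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    from_signed = "from" in signed_headers(tags)
    d = tags.get("d", "").lower()
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    same = from_dom == d
    aligned = same or (relaxed and (from_dom.endswith("." + d) or d.endswith("." + from_dom)))
    # An unsigned From cannot be trusted, so alignment fails regardless of d=.
    return {"from_signed": from_signed, "d": d, "from_domain": from_dom,
            "dkim_aligned": from_signed and aligned}
```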
In summary, the inclusion of the 'From' header is not an optional feature of DKIM; it is the core component that enables it to function as a reliable email authentication standard. Every valid DKIM signature is built upon the promise that the 'From' field, among other headers and the message body, has been verified and secured.