The short answer is: yes, DKIM can sign the 'Subject' header. However, the more accurate answer is that it doesn't always, and whether it does or not is a choice made by the sending mail server.
DKIM, which stands for DomainKeys Identified Mail, acts as a digital seal for your emails. As Mailmodo puts it, "DKIM acts like a digital signature for your emails." It adds a special header carrying a cryptographic signature to your message, which allows the recipient's mail server to verify that the email truly came from the domain it claims to and that certain parts of it haven't been altered in transit. The key part of that sentence is "certain parts."
DKIM doesn't just sign the entire email in one go. Instead, it's configured to sign specific header fields. The choice of which headers to include in this signature is crucial. The list of signed headers is specified in the DKIM-Signature header itself, under the h= tag.
When I'm debugging an email, I can look at its raw source and find the DKIM signature. A typical h= tag might look something like this:
h=From:To:Subject:Date:From:Reply-To:To:List-Unsubscribe
In this example, you can see that Subject is included in the list. This means the DKIM signature for this specific email does cover the subject line. If the subject were to be changed after the email was sent, the DKIM check would fail. Note that From and To appear twice: listing a header name in h= more often than it occurs in the message also signs the (absent) extra instance, so a second From or To header cannot be added later without invalidating the signature.
This is a classic email deliverability question, and the answer involves a trade-off between security and compatibility. Mailing lists and some forwarders rewrite the subject line, typically by prepending a tag such as "[list-name]", and any such change breaks a signature that covers Subject, so the message then fails DKIM verification at the final recipient.
Because of this trade-off, some email sending platforms and server configurations choose not to sign the 'Subject' by default. For example, some default configurations of mail servers like Zimbra OpenDKIM need to be manually configured to sign the subject. Other providers, especially large ones like Google and Microsoft, generally do sign the 'Subject' header.
The only way to know for sure whether a specific email has its subject line signed is to inspect the email's headers. In most email clients, you can find an option like "Show Original," "View Source," or "View Message Details." This will show you the raw content of the email.
Once you have the source, look for the DKIM-Signature header. Within that block of text, find the h= tag. Read through the list of colon-separated headers. If you see Subject in that list, then the subject for that email was signed.
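As an added example (not from the original article), here is a Python helper that automates the check just described on a raw message source: it parses the h= tag of the DKIM-Signature header, reports whether Subject is among the signed fields, and flags header names listed more than once. The message text is constructed for the example, and its bh= and b= values are placeholders rather than real hashes or signatures.

```python
import email
from email import policy

# Constructed sample of a raw message source, as a mail client's "Show Original"
# would display it. The bh= and b= values are placeholders, not real values.
RAW_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel2024; h=From:To:Subject:Date:From:Reply-To:To:List-Unsubscribe;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: Quarterly report
Date: Mon, 01 Jan 2024 10:00:00 +0000

Body text.
"""


def parse_dkim_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folding whitespace inside values is removed so the h= list splits cleanly on ':'."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)  # b= and bh= values contain '=' padding
        tags[name.strip()] = "".join(value.split())
    return tags


def signed_headers(raw_message: str) -> list:
    """Return the lowercased header names listed in h= of the first DKIM-Signature.
    Header names are compared case-insensitively, as the DKIM spec requires."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return []  # unsigned message: nothing is covered
    h_tag = parse_dkim_tags(str(sig)).get("h", "")
    return [name.lower() for name in h_tag.split(":") if name]


def subject_is_signed(raw_message: str) -> bool:
    """True when the Subject header is covered by the signature."""
    return "subject" in signed_headers(raw_message)


def oversigned_headers(raw_message: str) -> list:
    """Names listed more than once in h=: the signer also covered an absent extra
    instance, so adding a second such header later would break the signature."""
    names = signed_headers(raw_message)
    return sorted({n for n in names if names.count(n) > 1})
```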
So, while DKIM is capable of signing the 'Subject' header, it's not a mandatory part of the specification. The decision rests with the administrator of the sending domain. Generally, I recommend signing the 'Subject' header for enhanced security, as long as you understand the potential for issues with archaic mail forwarders or mailing lists. For most modern email sending, the security benefits outweigh the compatibility risks.