
Does DKIM sign the 'Subject' header?

Michael Ko
Co-founder & CEO, Suped
Published 12 Jan 2025
Updated 2 Oct 2025
When delving into email authentication, a common question arises regarding what parts of an email are actually protected by DKIM (DomainKeys Identified Mail). Specifically, does DKIM sign the 'Subject' header? The short answer is yes, DKIM can and often does sign the 'Subject' header, which plays a crucial role in maintaining email integrity and preventing malicious tampering.
Signing the 'Subject' header is not universally mandated, but it is a widely adopted best practice among legitimate email senders. By including the subject line in the DKIM signature, email receivers can verify that this critical part of your message has not been altered since it left your sending infrastructure. This greatly enhances trust and contributes significantly to your overall email deliverability.

The role of DKIM in email authentication

DKIM is an email authentication standard designed to let the receiver of an email verify that a message was authorized by the owner of that sending domain. It achieves this by attaching a digital signature to the email header. This signature is created using a private key unique to the sender's domain. The corresponding public key is published in the sender's DNS records, allowing receiving mail servers to perform the verification.
When an email is sent, specific headers and a portion of the email body are selected and hashed. The hash is then signed with the sender's private key to produce the DKIM signature, which is added to the message as a DKIM-Signature header. The purpose is to ensure that the email has not been tampered with in transit and that it genuinely originates from the claimed sender.
Upon arrival, the recipient's mail server retrieves the public key from DNS using the selector named in the DKIM-Signature header. It then re-calculates the hash of the relevant email headers and body parts and checks it against the signature using that public key. If the signature validates, the email's integrity is confirmed and the sender's authenticity is established.

Decoding the DKIM-Signature header

The key to understanding which headers are signed lies in the 'h=' tag of the DKIM-Signature header. This tag contains a colon-separated list of all the header fields that were included in the signature calculation. If 'subject' is listed there, the subject line was part of the cryptographic hash and is protected by DKIM.
Example DKIM-Signature header with a signed Subject:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; h=from:subject:date:message-id:to; bh=...; b=...
In the example above, the 'h=' tag explicitly lists 'subject' among the signed headers. With this configuration, any modification to the 'Subject' header after the email has been signed will cause DKIM verification to fail, so the message's stated topic cannot be altered unnoticed. Similarly, the 'From' header is almost always included, as outlined in discussions about whether a DKIM signature includes the From header by default.
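To make the 'h=' check concrete, here is an added Python example (not code from this page or from Suped) that extracts the 'h=' list from a constructed DKIM-Signature header, reports whether 'subject' is signed, and applies RFC 6376 relaxed header canonicalization to show why a re-folded subject line still verifies while an edited one does not. It rebuilds only the signed-header part of the verifier's input; the DKIM-Signature header itself, the body hash and the RSA signature check are left out.

```python
import hashlib
import re

# Constructed sample header block (not a real capture); bh= and b= are placeholders.
RAW_HEADERS = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;\r\n"
    " h=from:subject:date:message-id:to; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    "From: Alice <alice@example.com>\r\n"
    "Subject:   Quarterly   report\r\n"
    "Date: Mon, 13 Jan 2025 09:00:00 +0000\r\n"
    "Message-ID: <constructed-1@example.com>\r\n"
    "To: bob@example.net\r\n"
)

def parse_headers(raw):
    # Split a CRLF header block into (name, value) pairs, keeping folded lines attached.
    fields = []
    for line in raw.split("\r\n"):
        if line and line[0] in " \t" and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + "\r\n" + line)
        elif line:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields

def signed_headers(raw):
    # Return the lower-cased h= list of the DKIM-Signature header, or [] if there is none.
    for name, value in parse_headers(raw):
        if name.lower() == "dkim-signature":
            tags = dict(p.strip().partition("=")[::2] for p in value.split(";") if "=" in p)
            return re.sub(r"\s+", "", tags.get("h", "")).lower().split(":")
    return []

def relaxed_canonical(name, value):
    # RFC 6376 relaxed header canonicalization: lower-case the name, unfold, squeeze whitespace.
    value = re.sub(r"[ \t]*\r\n[ \t]+", " ", value)
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value).strip() + "\r\n"

def header_hash(raw):
    # Hash the h= headers in listed order, as a verifier rebuilds the signed input. Simplified:
    # the real input also ends with the DKIM-Signature header itself (b= emptied) and covers bh=.
    fields = parse_headers(raw)
    digest = hashlib.sha256()
    for wanted in signed_headers(raw):
        for name, value in reversed(fields):  # last instance of each named header, bottom up
            if name.lower() == wanted:
                digest.update(relaxed_canonical(name, value).encode())
                break
    return digest.hexdigest()
```

Calling header_hash on the sample with the Subject re-folded across two lines gives the same digest as the original, while changing the subject text gives a different one, which is exactly the mismatch that makes DKIM verification fail.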

Why the 'Subject' header is crucial for DKIM signing

Signing the 'Subject' header with DKIM is a critical layer of defense against email spoofing and phishing attacks. Attackers often attempt to alter subject lines to make malicious emails appear more legitimate or urgent, enticing recipients to open links or disclose sensitive information. When the 'Subject' header is signed, any such alteration is immediately flagged during DKIM verification, helping recipient systems identify and quarantine fraudulent messages.
For DMARC (Domain-based Message Authentication, Reporting, and Conformance) to pass, an email must pass either SPF or DKIM with a domain that aligns with the 'From' header. If an email fails DKIM authentication because its 'Subject' header was modified, and it also fails SPF, the result will likely be a DMARC failure. This can significantly impact your email's ability to reach the inbox, potentially leading to messages being rejected or sent to spam folders. The same consideration applies to other headers, such as 'Return-Path', and whether DKIM authenticates them.

Subject header is signed

When the 'Subject' header is signed, it provides strong assurance that the subject line has not been tampered with. This enhances recipient trust and helps maintain a positive sending reputation with mailbox providers like Microsoft.

Subject header is not signed

If the 'Subject' header is not signed, it creates a vulnerability where attackers can alter the subject line to trick recipients. This can damage your sending reputation and lead to emails being filtered as spam or blocked (blacklisted).

Strategic header signing for deliverability

Senders have control over which headers are included in the DKIM signature. While 'Subject' is highly recommended, it is important to carefully select all headers to sign. Signing too few headers leaves your emails vulnerable, but signing too many can sometimes cause DKIM to fail if intermediary systems (like mailing lists or forwarders) modify those specific headers, even legitimately. The general recommendation is to sign stable headers crucial for identifying the message and sender, such as 'From', 'Subject', 'Date', and 'Message-ID'.

Best practices for DKIM header selection

  1. Include essential headers: Always sign critical headers like 'From', 'Subject', 'Date', and 'Message-ID' to ensure core message integrity.
  2. Avoid volatile headers: Be cautious about signing headers that might legitimately change in transit, such as those added by mailing lists or proxies, to avoid DKIM validation issues.
  3. Monitor DKIM results: Regularly monitor your DMARC reports from Google and Yahoo to identify any DKIM failures and adjust your header signing policies as needed, referring to resources like Microsoft's guidance on configuring DKIM.
Platforms like Suped offer robust DMARC monitoring tools that provide clear visibility into your DKIM authentication results. Our AI-powered recommendations can help you pinpoint exactly which headers are causing issues or if your 'Subject' header isn't being signed correctly, allowing you to implement fixes efficiently and improve your deliverability rates.

The continuous effort of email security

In summary, DKIM can indeed sign the 'Subject' header, and for optimal email security and deliverability, it is a recommended practice. By including the 'Subject' header in your DKIM signature, you significantly reduce the risk of tampering and enhance recipient trust. This practice is a key component in a comprehensive email authentication strategy, working in tandem with SPF and DMARC.
Understanding and properly configuring your DKIM records, including the selection of signed headers, is vital for maintaining a strong sender reputation and ensuring your emails reach their intended inboxes. Regularly reviewing your authentication results with a DMARC monitoring tool like Suped can provide the insights needed to keep your email streams secure and efficient.
