Email authentication protocols like DKIM (DomainKeys Identified Mail) are crucial for verifying sender identity and preventing email spoofing. DKIM works by attaching a digital signature to outgoing emails, which receiving mail servers validate against a public key published in the signing domain's DNS. A valid signature shows that the signed parts of the message were not altered after signing and that the domain named in the signature took responsibility for the message. Whether that signing domain matches the address shown in the From header is a separate question, answered by DMARC alignment.
A core part of this digital signature is specifying which parts of the email are covered by the signature. This is where various tags within the DKIM-Signature header field come into play, each serving a specific function. Understanding these tags is fundamental to properly configuring DKIM and maintaining excellent email deliverability.
The correct configuration of DKIM, alongside SPF and DMARC, significantly impacts whether your emails land in the inbox or are flagged as spam. Ensuring your DKIM records are correctly set up and monitored is a vital step in protecting your domain's reputation.
The DKIM-Signature header field
When an email is signed with DKIM, a specific header field, DKIM-Signature, is added to the message. This header contains several tags, or key-value pairs, that provide details about the signature. These tags instruct the receiving mail server on how to verify the signature. Some tags define the signing domain, the selector used for the public key, the signing algorithm, and, critically, which email header fields were included in the calculation of the digital signature.
The list of signed headers is not optional: RFC 6376 makes it a required tag, because the receiving server has no other way to know which header fields must match the signature. Any header left off the list can be altered or added in transit without affecting the verification result, which is why this one tag deserves particular attention.
Each tag within the DKIM-Signature header plays a vital role in the authentication process. For example, the d= tag specifies the domain signing the email, while the a= tag indicates the algorithm used for signing. All these pieces work together to form a robust authentication system.
The role of the 'h=' tag: specifying signed headers
The specific DKIM tag that defines the signed header fields is the h= tag. It lists, in order, the names of the header fields that were included in the calculation of the DKIM signature. When a receiving server validates the signature, it canonicalizes the listed header fields in that order, appends the DKIM-Signature header itself with an empty b= value, hashes the result, and checks the signature in b= against that hash using the public key found under the selector (s=) and domain (d=). If anything in the signed headers has changed, the check fails. The tag list is defined in RFC 6376, Section 3.5.
The purpose of the h= tag is to guarantee the integrity of critical email headers. Any modification to a signed header after the email has left the sending server will cause the DKIM validation to fail. This protects against phishing attempts and email tampering where attackers might try to alter the From, Subject, or other important headers.
Example of h= tag in a DKIM-Signature
h=From:To:Subject:Date:Message-ID:Content-Type
From must always appear in the h= tag: RFC 6376, Section 5.4, requires it, and a verifier must treat a signature whose h= omits From as invalid. Signing From is necessary but not sufficient for DMARC, which additionally requires that the DKIM signing domain (d=) aligns with the domain in the From header; a signature that verifies but is not aligned does not produce a DMARC pass.
Important considerations for header signing
DKIM covers two things: the header fields listed in h=, and the message body, whose hash is carried in the separate bh= tag. Choosing which headers go into h= is therefore where most of the signer's judgement lies. From, Subject, and Date are almost always included because they are what recipients see and what filters key on; if they are modified after signing, the message should and will fail verification.
Recommended signing
Essential headers: Always include From (mandatory), Subject, and Date in your h= tag. RFC 6376, Section 5.4, also recommends Reply-To, To, Cc, Message-ID, In-Reply-To, References, MIME-Version, Content-Type and similar fields that affect how the message is interpreted.
Consistency: Sign all headers that are critical for routing, display, and integrity.
Over-signing: A header name may be listed in h= more times than it occurs in the message (RFC 6376, Section 5.4.2). The extra entry matches nothing at signing time, so if anyone later adds a second From or Subject, the verifier pulls the new instance into the hash and the signature breaks. Without this, an added duplicate header would leave the signature intact while some mail clients display the attacker's copy.
Headers to avoid or consider
Volatile headers: Headers that are added or rewritten in transit, such as Received, Return-Path, Comments and Keywords, should not be signed; RFC 6376, Section 5.4, lists them explicitly.
Bcc header: Bcc is normally stripped before the message is sent on, so it cannot be reliably signed.
The general rule is not to sign headers that intermediate mail transfer agents (MTAs) routinely touch. Received is the clearest case: every hop prepends a new one, and signing it invites verification failures that have nothing to do with tampering. A balanced approach is key to maximizing deliverability without compromising security.
Properly chosen headers ensure that the essential parts of your email, those that your recipients see and rely on for trust, are secured by the DKIM signature. This practice not only strengthens your email security posture but also significantly boosts your chances of achieving optimal inbox placement.
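The following Python block is an added example written for this page, not code from Suped or from any DKIM library. It implements the header-selection and "relaxed" header-canonicalization rules of RFC 6376 (Sections 3.4.2 and 5.4.2) for the verification step described above, and then shows why over-signing matters: with Subject listed once in h=, an attacker can prepend a second Subject without changing the header hash, because the verifier takes the bottom-most instance; with Subject listed twice, the added header is pulled into the hash and verification fails. The headers, selector, domain and the bh=/b= placeholders are constructed for the demonstration; the block stops at the SHA-256 digest that the RSA or Ed25519 signature in b= would cover, so no keys are involved.

```python
import hashlib
import re

# Constructed sample headers (not from any real message). CRLF line endings as on the wire.
RAW_HEADERS = (
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.net\r\n"
    "Subject: Invoice 42\r\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    "Message-ID: <1@example.com>\r\n"
)


def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, keeping order and folding."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:          # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields


def relaxed_canon(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n[ \t]+", " ", value)   # unfold
    value = re.sub(r"[ \t]+", " ", value)        # collapse runs of whitespace
    return f"{name.strip().lower()}:{value.strip()}"


def select_headers(fields, h_tag):
    """Pick the header instances covered by h=, as a verifier does (RFC 6376 section 5.4.2).

    Each name in h= takes the bottom-most not-yet-used instance of that field.
    A name listed more times than the field occurs matches nothing at signing
    time, so any instance added later is pulled into the hash and breaks it."""
    remaining = list(fields)
    selected = []
    for name in h_tag.split(":"):
        wanted = name.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == wanted:
                selected.append(remaining.pop(i))
                break
    return selected


def strip_b_tag(sig_value):
    """Blank the b= tag: the signature header is hashed with its own signature removed."""
    return ";".join(" b=" if t.strip().startswith("b=") else t for t in sig_value.split(";"))


def header_hash(fields, sig_value, h_tag):
    """SHA-256 over the canonicalized signed headers plus the DKIM-Signature header (b= emptied).

    In real DKIM this digest is what the signature in b= covers; keys are omitted here."""
    data = "".join(relaxed_canon(n, v) + "\r\n" for n, v in select_headers(fields, h_tag))
    data += relaxed_canon("DKIM-Signature", strip_b_tag(sig_value))  # no trailing CRLF
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def build_sig(h_tag):
    # Constructed DKIM-Signature value; d=, s=, bh= and b= are placeholders.
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
            f"h={h_tag}; bh=placeholder=; b=placeholder=")


def demo():
    """Compare header hashes with Subject signed once versus over-signed (listed twice)."""
    once = "From:To:Subject:Date:Message-ID"
    twice = "From:To:Subject:Subject:Date:Message-ID"
    original = parse_headers(RAW_HEADERS)
    # Attacker prepends a second Subject; some mail clients display the first one they see.
    injected = parse_headers("Subject: URGENT: wire payment today\r\n" + RAW_HEADERS)
    # Attacker rewrites the signed Subject in place.
    tampered = parse_headers(RAW_HEADERS.replace("Invoice 42", "Invoice 42 - pay now"))
    return {
        "once_original": header_hash(original, build_sig(once), once),
        "once_injected": header_hash(injected, build_sig(once), once),   # same as once_original
        "once_tampered": header_hash(tampered, build_sig(once), once),   # differs
        "twice_original": header_hash(original, build_sig(twice), twice),
        "twice_injected": header_hash(injected, build_sig(twice), twice),  # differs
    }


if __name__ == "__main__":
    for label, digest in demo().items():
        print(f"{label:15} {digest}")
```

Running the block prints five digests: the first two are identical (the injected Subject was never selected, so the signature would still verify), while the tampered and over-signed cases produce different digests. The same selection rule is why signing Received is fragile: if no Received header exists at signing time, the first hop's Received header is selected by the verifier and the hash no longer matches.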
Monitoring DKIM alignment and issues
Even with DKIM properly configured, ongoing monitoring is essential to catch any issues that might arise. DMARC reports provide invaluable insight into your email streams, showing you exactly how many emails are passing or failing DKIM, and why. These reports allow you to identify if legitimate emails are failing authentication due to configuration errors or if malicious actors are attempting to spoof your domain.
A robust DMARC monitoring solution can simplify the complex data from DMARC reports. For instance, Suped offers AI-powered recommendations, providing actionable insights to fix issues and strengthen your policy automatically. We offer a unified platform for DMARC, SPF, and DKIM monitoring, alongside blocklist and deliverability insights, ensuring you have a complete picture of your email health. Many email providers like Microsoft strongly emphasize DKIM, as detailed in their guidance on email authentication.
Simplify DMARC with Suped
Our platform streamlines DMARC management with:
Real-time alerts: Get instant notifications for any DMARC failures or domain issues.
MSP and Multi-Tenancy Dashboard: Manage multiple domains easily from a single interface.
Generous free plan: Start securing your emails today without any upfront cost.
By actively monitoring your DKIM performance, you can quickly address any authentication failures, improve your email sending reputation, and prevent your legitimate emails from being incorrectly classified as spam. This proactive approach is key to maintaining consistent deliverability.
Ensuring email authenticity
The h= tag in a DKIM-Signature header is a small but mighty component in the email authentication ecosystem. It acts as a clear declaration of which parts of your email are protected by your digital signature, giving receiving mail servers the exact blueprint they need for validation.
By carefully selecting which headers to include, senders can ensure that critical information remains untampered and that their emails are trusted by recipient systems. This trust is invaluable for maintaining a strong sender reputation and achieving high email deliverability rates.
Ultimately, a well-configured DKIM record with an appropriate h= tag, combined with continuous monitoring through DMARC, forms a powerful defense against email fraud and ensures your messages reliably reach their intended audience.