Suped

What is the DKIM 'h=' tag used for?

When we talk about email authentication, protocols like SPF, DKIM, and DMARC are the cornerstones of a secure setup. DKIM (DomainKeys Identified Mail) is particularly interesting because it provides a cryptographic signature to verify that an email hasn't been tampered with. A key part of that signature is the h= tag, but its function isn't always obvious. Let's break down what it does and why it's so important.

At its core, the h= tag in a DKIM-Signature header is a list. It specifies exactly which email headers the sending server included when it created the digital signature. When a receiving mail server gets the email, it looks at the h= tag to know which headers it needs to use to recalculate the hash and verify the signature's authenticity.

DuoCircle says:
It stands for the 'signed headers' tag and lists the headers that are included in the signing process.

Think of it as a table of contents for the signature. Without it, the receiving server would have no idea which parts of the email's header were originally signed. This prevents an attacker from tampering with the signed headers, as doing so would cause the DKIM check to fail. Headers that are not listed in h= are not covered by the signature.


Why the 'h=' tag is crucial for email integrity

The primary job of the h= tag is to protect the integrity of the most important email headers. If a malicious actor intercepted an email and changed the 'Subject' line or added a new 'Reply-To' address, the DKIM signature would become invalid if those headers were included in the h= list. This makes it a powerful tool against phishing and email spoofing.

Hostinger Tutorials says:
“h=” specifies the list of headers used to create the hash data. “b=” represents the hash data. “bh=” illustrates the computed hash of the mail…

By explicitly listing which headers are signed, the h= tag creates a clear, verifiable record of the message's key components at the time of sending. The receiving server doesn't have to guess; it simply follows the instructions laid out in the tag.

What headers should be included?

While you can technically sign any header, some are more important than others for ensuring authenticity and deliverability. The selection of headers is critical. A DKIM signature is only as strong as the headers it protects. Here are some of the most common and important headers to include in your h= tag:

  • From: This is the most critical header. Signing it verifies the sender's identity, which is the main purpose of DKIM.
  • To/Cc: Signing these headers prevents an attacker from adding or removing recipients from an email after it has been sent.
  • Subject: This protects the subject line from being altered, which could drastically change the context of the message.
  • Date: Protects the message's timestamp from being changed.
  • Message-ID: This globally unique identifier helps ensure the integrity of the specific message being sent.
  • List-Unsubscribe and List-Unsubscribe-Post: With recent sender requirements from Google and Yahoo, these headers are now mandatory for bulk senders. They must be signed by DKIM to be considered valid.
Proxmox Support Forum says:
The List-Unsubscribe and List-Unsubscribe-Post headers MUST be covered by the signature and included in the "h=" tag of a valid DKIM-Signature header field.
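
To check an existing signature against the list above, the following added example (not from the original article or the quoted sources) parses the h= tag of a constructed sample message and reports how each header is covered. It goes slightly beyond the text by applying the RFC 6376 rule that a name listed in h= more times than the header occurs is signed as absent, so a later-added instance breaks the signature; the status labels, the SAMPLE message and the function names are assumptions of this example.

```python
from email import message_from_string

# Headers the article recommends signing, plus Reply-To from its tampering example.
CHECK = ["From", "To", "Cc", "Subject", "Date", "Message-ID",
         "List-Unsubscribe", "List-Unsubscribe-Post", "Reply-To"]

# Constructed sample message; bh= and b= are placeholders, nothing is verified.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=From:From:To:Subject:Date:Message-ID:Reply-To;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
To: bob@example.net
Cc: carol@example.net
Subject: Quarterly report
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <constructed-1@example.com>
List-Unsubscribe: <https://example.com/unsub>
"""

def signed_headers(dkim_value):
    """Return the names listed in h=, lowercased; folding whitespace is dropped."""
    for part in dkim_value.split(";"):
        name, _, value = part.partition("=")
        if name.strip() == "h":
            return [n.lower() for n in "".join(value.split()).split(":") if n]
    return []

def audit(raw_message, names=CHECK):
    """Classify how the DKIM-Signature's h= tag covers each header in names."""
    msg = message_from_string(raw_message)
    listed = signed_headers(msg.get("DKIM-Signature", ""))
    report = {}
    for name in names:
        present = len(msg.get_all(name, []))
        times = listed.count(name.lower())
        if times == 0:
            if present:
                report[name] = "unsigned"      # can change without breaking DKIM
        elif times > present:
            report[name] = "oversigned"        # adding an instance breaks DKIM
        elif times == present:
            report[name] = "signed"            # existing instances are covered
        else:
            report[name] = "partly signed"     # only the last `times` instances
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, Cc and List-Unsubscribe are present but missing from h=, which is the gap the bulk-sender requirement quoted above is meant to close.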

The takeaway

The h= tag is a mandatory and foundational component of the DKIM signature. It provides a clear, unchangeable manifest of the headers protected by the digital signature. By carefully selecting which headers to include, you ensure the integrity of your emails, protect your brand from spoofing, and improve your overall email deliverability. It’s a small piece of text that does a very big job in the world of email security.
