
What is the DKIM 'h=' tag used for?

Matthew Whittaker
Co-founder & CTO, Suped
Published 23 Apr 2025
Updated 30 Oct 2025
5 min read
DomainKeys Identified Mail (DKIM) is a vital email authentication standard designed to detect email spoofing and tampering. It relies on cryptographic signatures embedded within email headers. Within these signatures, various tags serve specific purposes, each contributing to the overall security mechanism.
Among these tags, the h= tag plays a particularly crucial role. Its primary function is to specify which header fields of an email are included in the cryptographic signature, thereby protecting their integrity from the moment the email is signed until it reaches the recipient.

The role of the 'h=' tag in DKIM signatures

The h= tag is an essential component of the DKIM-Signature header field itself. It contains a colon-separated list of the names of the header fields that have been cryptographically signed. When an email is sent, the sending mail server (or a signing service) hashes these specified header fields, the DKIM-Signature header itself (with the b= value left empty), and a portion of the email body.
The signer then produces a signature over this hash with its private key; the resulting value forms the b= tag, which is the actual DKIM signature. The other tags in the same header, such as the selector (s=) that points to the public key in DNS, are covered by that signature as well. The h= tag effectively tells the receiving mail server exactly what was signed.
When a receiving mail server processes an incoming email, it looks at the h= tag to determine which header fields it needs to re-hash. It then uses the sender's public key to check that the b= signature matches this newly calculated hash. If it does, the DKIM signature passes, indicating that the specified header fields have not been altered in transit.

Preventing header tampering

Proper use of the h= tag is crucial for preventing header tampering, a common tactic in phishing and spoofing attacks. By signing critical headers such as From, Subject, and Date, the sender ensures that any modification to these fields will invalidate the DKIM signature, alerting the recipient server to potential foul play. This directly impacts email deliverability and security.

Best practices for 'h=' tag configuration

To maximize security, always include the most user-visible and important headers in your h= tag. This includes the From, Subject, and Date headers. Failing to sign these leaves your emails vulnerable to display name spoofing and other social engineering attacks, even if other authentication checks pass.
The significance of the h= tag extends to the broader email ecosystem. By ensuring the integrity of critical headers, DKIM, in conjunction with SPF and DMARC, helps receiving mail servers make informed decisions about whether to trust an incoming email. This reduces the likelihood of legitimate emails being marked as spam or rejected. The DKIM specifications provide more detail on these mechanisms.

Signed headers impact

  1. Data integrity: Ensures that the content of listed headers has not been altered after the email was sent.
  2. Anti-spoofing: Protects against malicious actors changing sender names or subjects to deceive recipients.
  3. Trust establishment: Boosts recipient confidence in the email's authenticity and origin.

Unsigned headers risk

  1. Vulnerability: Headers not listed in h= can be modified without breaking the DKIM signature.
  2. Spoofing opportunities: An attacker could alter an unsigned header, like the display name in the From field, to trick recipients.
  3. Reduced deliverability: Emails with easily modifiable headers might be viewed with suspicion by recipient mail servers.

How verification works with 'h='

The verification process initiated by a receiving mail server relies heavily on the information provided by the h= tag. When an email arrives, the server extracts the DKIM-Signature header and identifies the list of headers specified in the h= tag. These are the exact headers it needs to re-evaluate.
The receiving server retrieves the sender's public key from the DKIM DNS record (located by the d= and s= tags) and performs its own hashing calculation. It canonicalizes the identified headers and a portion of the email body according to the canonicalization algorithm specified by the c= tag in the DKIM-Signature header. The hash of the canonicalized body is compared with the bh= tag (the body hash), and the hash of the canonicalized headers is checked against the b= tag (the signature) using the public key.
Example DKIM-Signature header with 'h=' tag
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=selector1; h=From:To:Subject:Date:MIME-Version:Content-Type; bh=somebodyhash; b=somesignaturevalue
If the body hash matches bh= and the signature in b= verifies over the re-calculated header hash, the DKIM signature is considered valid, and the email is likely authentic and untampered. If either check fails, it indicates that the email's headers or body (or both) have been altered since the signature was applied, or that there is a DKIM misconfiguration, leading to authentication failure.
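To make the signing and verification steps described above concrete, here is an added Python example. It is not Suped's code and not taken from any DKIM library: it builds the signed header set from the h= list using the relaxed header and simple body canonicalization rules of RFC 6376, produces a signature, and then shows what happens when a signed header, an unsigned header, and the body are changed after signing. Because it uses only the standard library, the RSA signature is replaced by HMAC-SHA256 under a constructed secret; the message headers, body, domain and selector are constructed as well.

```python
"""Added example (not Suped's code): how the h= tag selects the header fields
under a DKIM signature, using relaxed header / simple body canonicalization
from RFC 6376. The RSA signature is replaced by HMAC-SHA256 with a
constructed secret so the example runs with only the standard library."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the signer's private key (real DKIM uses RSA or Ed25519).
SIGNING_SECRET = b"constructed-demo-secret"


def relaxed_header(name, value):
    """RFC 6376 s3.4.2: lowercase the name, unfold, collapse whitespace, trim."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}"


def simple_body(body):
    """RFC 6376 s3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    body = body.replace("\r\n", "\n").rstrip("\n")
    return body.replace("\n", "\r\n") + "\r\n"


def header_block(headers, signed_names):
    """Collect the fields named in h=, last occurrence first (RFC 6376 s5.4.2).
    A name listed in h= with no matching field contributes nothing (allowed)."""
    pool = list(headers)
    lines = []
    for name in signed_names:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == name.lower():
                lines.append(relaxed_header(*pool.pop(i)))
                break
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    return base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()


def sign(headers, body, signed_names, domain="example.com", selector="selector1"):
    """Return the DKIM-Signature field; headers is a list of (name, value) pairs.
    a= is written as in the article's example; the MAC below stands in for RSA."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
           f"h={':'.join(signed_names)}; bh={body_hash(body)}; b=")
    # The DKIM-Signature field itself (b= empty, no trailing CRLF) is hashed last.
    data = header_block(headers, signed_names) + relaxed_header("DKIM-Signature", sig)
    mac = hmac.new(SIGNING_SECRET, data.encode(), hashlib.sha256).digest()
    return ("DKIM-Signature", sig + base64.b64encode(mac).decode())


def verify(headers, body):
    """Return (passed, reason) for a message given as (name, value) pairs."""
    sig_value = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig_value is None:
        return False, "no DKIM-Signature header"
    tags = dict(t.strip().split("=", 1) for t in sig_value.split(";") if t.strip())
    if tags.get("bh") != body_hash(body):
        return False, "body hash mismatch (bh=)"
    signed_names = [n.strip() for n in tags["h"].split(":")]
    others = [(n, v) for n, v in headers if n.lower() != "dkim-signature"]
    stripped = re.sub(r"(;\s*)b=[^;]*", r"\g<1>b=", sig_value)  # drop only the b= value
    data = header_block(others, signed_names) + relaxed_header("DKIM-Signature", stripped)
    expected = hmac.new(SIGNING_SECRET, data.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(tags["b"])):
        return False, "signature mismatch: a header listed in h= was altered"
    return True, "pass"


# Constructed message: Received is deliberately left out of the h= list.
HEADERS = [
    ("Received", "from mx1.example.net by mx2.example.net; Wed, 23 Apr 2025 10:00:00 +0000"),
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.org"),
    ("Subject", "Quarterly report"),
    ("Date", "Wed, 23 Apr 2025 09:59:00 +0000"),
]
BODY = "Please find the report attached.\r\n\r\n"
SIGNED = ["From", "To", "Subject", "Date"]


def demo():
    msg = HEADERS + [sign(HEADERS, BODY, SIGNED)]
    subject_changed = [("Subject", "URGENT: wire transfer") if n == "Subject" else (n, v)
                       for n, v in msg]
    received_added = [("Received", "from mx2.example.net by mail.example.org")] + msg
    return {
        "untouched": verify(msg, BODY)[0],                     # True
        "subject_changed": verify(subject_changed, BODY)[0],   # False: Subject is in h=
        "received_added": verify(received_added, BODY)[0],     # True: Received is not in h=
        "body_changed": verify(msg, BODY + "P.S. see attachment\r\n")[0],  # False: bh=
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:16s} -> {'pass' if passed else 'FAIL'}")
```

Running demo() shows that altering Subject (listed in h=) or the body fails verification, while a relay prepending another Received header does not, which is exactly the distinction the h= tag draws. Note that header_block silently skips a name in h= that has no matching field: RFC 6376 permits this on purpose, so a signer can list a field such as From more times than it occurs to make the signature fail if another copy of that field is added later.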

Best practices and common misconfigurations

Careful selection of headers for the h= tag is crucial. Including too few headers can leave critical information vulnerable to tampering, while including headers that are legitimately modified in transit (such as certain Received headers by intermediate mail servers) will cause the DKIM signature to break, leading to authentication failures and potential delivery issues.

Header field   | Recommendation for 'h='
From           | Always sign (critical for identity)
Subject        | Always sign (prevents subject line spoofing)
Date           | Always sign (helps detect delayed or replayed messages)
To             | Usually sign (ensures intended recipient isn't changed)
Received       | Do not sign (often modified by intermediate servers)
Return-Path    | Do not sign (added/modified by recipient server)

Enhanced email security through proper DKIM configuration

The DKIM h= tag is a foundational element of email authentication, providing critical integrity checks for email headers. By explicitly listing which headers are part of the cryptographic signature, it directly combats email spoofing and tampering attempts, safeguarding both sender reputation and recipient trust.
Ensuring your h= tag is correctly configured and that relevant headers are signed is paramount for maintaining strong email deliverability. Platforms like Suped offer comprehensive DMARC monitoring, which includes insights into DKIM authentication results, helping you identify and fix any issues related to the h= tag and improve your overall email security posture.
