What is DKIM oversigning, how does it work, and why is it important for email authentication?

Michael Ko
Co-founder & CEO, Suped
Published 26 May 2025
Updated 19 Aug 2025
Email authentication is crucial for ensuring that messages reach their intended recipients and are not intercepted or spoofed. DKIM, or DomainKeys Identified Mail, is one of the foundational standards for this, working by digitally signing outgoing emails. This signature allows recipient mail servers to verify that the message was indeed sent by the authorized domain and that it hasn't been tampered with during transit.
While standard DKIM provides a strong layer of security, there's an advanced technique called DKIM oversigning that offers an even more robust defense against certain types of email attacks, particularly email replay attacks. Understanding how DKIM oversigning works and why it's important can significantly bolster your email security posture and improve deliverability.

What is DKIM oversigning?

DKIM oversigning involves including header fields in the DKIM signature's `h=` tag multiple times, even if those headers only appear once or not at all in the actual email message. This might seem counterintuitive at first glance, but it's a strategic move to prevent malicious actors from altering or inserting headers without invalidating the DKIM signature.
The DKIM signature itself, located in the `DKIM-Signature` header, contains a list of signed headers within its `h=` tag. Normally, these are the headers present in the email that you want to protect from alteration. For example, a standard DKIM signature might sign the From, Subject, and Date headers.
With oversigning, you would include headers like To or CC multiple times in the `h=` tag, even if only one To header exists. This prepares for a scenario where an attacker might try to insert a second, fraudulent To header. Here's an example of how the `h=` tag might look with oversigning:
DKIM-Signature with Oversigning Example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=s1; h=From:To:Subject:Date:To;
Notice how To appears twice. This repetition is key to its effectiveness.

How DKIM oversigning works

The mechanism behind DKIM oversigning is rooted in how the cryptographic hash of the email headers is calculated. A verifier works through the `h=` list in order and, for each name, takes the next unused instance of that header from the message, starting at the bottom of the header block and moving up. When a header field is listed more than once in the `h=` tag, the signature calculation takes this into account: if the header appears only once in the actual email, the hash covers the existing header's value, and each further instance of that name in the `h=` tag is treated as if a null (empty) header of that name were present.
This means that if a bad actor attempts a replay attack by adding a second, unauthorized instance of a header (e.g., another To header), the recipient server's DKIM verification process will catch it. The added header will cause the recalculated hash to differ from the original hash in the DKIM signature, leading to a DKIM authentication failure. This effectively invalidates the signature and prevents the tampered message from passing authentication checks, particularly with DMARC.

Standard DKIM

  1. Signature scope: Signs only the headers that are explicitly present in the email and listed once in the `h=` tag.
  2. Vulnerability: Susceptible to replay attacks if attackers insert new, unsigned header fields.
  3. Hash calculation: Based solely on the actual values of the signed headers.

DKIM oversigning

  1. Signature scope: Signs headers multiple times, including phantom instances for headers that only appear once.
  2. Enhanced security: Mitigates replay attacks by invalidating the signature if new headers are introduced.
  3. Hash calculation: Accounts for both existing and potential null instances of headers.
This method creates a robust defense, as any attempt to manipulate the headers, even by adding what seems like a harmless duplicate, will break the DKIM signature.
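The following is an added example, not code from this article or from Suped, that models the header selection just described on constructed sample headers: a standard `h=` tag still validates after a second To header is inserted above the signed one, while an oversigned `h=` tag does not. It also shows how a signer builds a count+1 `h=` list. The hash is simplified (no body hash and no DKIM-Signature header appended), which is enough to show the mechanism.

```python
import hashlib
import re

# Constructed sample headers, top-to-bottom as they appear in the message.
ORIGINAL = [("From", "alice@example.com"), ("To", "bob@example.org"),
            ("Subject", "Invoice"), ("Date", "Mon, 26 May 2025 10:00:00 +0000")]
# Replayed copy with an extra To header prepended above the signed ones.
TAMPERED = [("To", "someone-else@example.net")] + ORIGINAL
STANDARD_H = "From:To:Subject:Date"
OVERSIGNED_H = "From:To:Subject:Date:To"

def relaxed_canon(name, value):
    """RFC 6376 3.4.2 relaxed canonicalization: names are case-insensitive."""
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip()

def select_signed_headers(headers, h_tag):
    """Map each name in h= to a header instance, taken bottom-up, or to a
    null header once no unused instance is left (RFC 6376 5.4.2)."""
    pool = {}
    for name, value in headers:
        pool.setdefault(name.lower(), []).append((name, value))
    selected = []
    for name in h_tag.split(":"):
        instances = pool.get(name.lower())
        # pop() returns the last unused instance, i.e. the lowest in the message
        selected.append(instances.pop() if instances else (name, None))
    return selected

def header_hash(headers, h_tag):
    """Hash of the canonicalized signed headers; null headers add nothing.
    A real signer also appends the DKIM-Signature header itself with b= empty."""
    canon = "".join(relaxed_canon(n, v) + "\r\n"
                    for n, v in select_signed_headers(headers, h_tag) if v is not None)
    return hashlib.sha256(canon.encode()).hexdigest()

def oversigned_h_tag(headers, names):
    """What an oversigning MTA does: list each protected name (count + 1) times,
    so a name absent from the message is still listed once."""
    counts = {}
    for name, _ in headers:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return ":".join(n for name in names for n in [name] * (counts.get(name.lower(), 0) + 1))

if __name__ == "__main__":
    # Standard h=: the injected To is never selected, so the hash survives the replay.
    print(header_hash(ORIGINAL, STANDARD_H) == header_hash(TAMPERED, STANDARD_H))    # True
    # Oversigned h=: the second To slot now picks the injected header; hash changes.
    print(header_hash(ORIGINAL, OVERSIGNED_H) == header_hash(TAMPERED, OVERSIGNED_H))  # False
    print(oversigned_h_tag(ORIGINAL, ["From", "To", "Reply-To"]))  # From:From:To:To:Reply-To
```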

Why is DKIM oversigning important?

DKIM oversigning is important primarily for its role in preventing header replay attacks and strengthening the overall integrity of email communications. In a typical replay attack scenario, an attacker might capture a legitimate email and then re-send it, potentially with minor modifications to certain headers that are not part of the original DKIM signature. For instance, they might add a Reply-To header pointing to their own address, or a second To header to redirect responses.
By oversigning headers, even those that may not typically be present or are expected to appear only once, you create a safeguard. If an attacker introduces an additional instance of an oversigned header, the cryptographic hash that the recipient mail server calculates will no longer match the hash in the original DKIM signature. This immediate mismatch invalidates the signature, causing the email to fail DKIM authentication and subsequently, DMARC validation. This protection is vital for maintaining trust in your email communications and protecting your domain reputation.
Furthermore, oversigning contributes to a stronger overall email security posture by making it harder for spammers and phishers to spoof your domain. Even if they manage to send an email appearing to be from your domain, the lack of a valid DKIM signature (due to oversigning breaking any unauthorized header insertions) will lead to higher spam scores and potential rejection by recipient mail servers. This, in turn, helps in improving your email deliverability by signaling to receivers that your domain takes email security seriously.

Implementation considerations and challenges

While DKIM oversigning offers significant security benefits, implementing it requires careful consideration. One potential challenge arises from variations in how different email systems and libraries handle header parsing, particularly concerning capitalization. For instance, if you oversign a header like To and an upstream library used by a recipient server interprets to (lowercase) as a distinct header, it could inadvertently break the DKIM validation, even for legitimate emails. This highlights the importance of consistent header handling.
Many modern Mail Transfer Agents (MTAs) and email service providers (ESPs) are beginning to offer, or plan to offer, automatic oversigning as a default or optional feature. This simplifies the process for senders: the MTA counts how many instances of each header it signs (n) and lists that header n+1 (or more) times in the DKIM `h=` tag. When choosing a provider for DKIM signing, it's worth asking whether they support oversigning and how they implement it, to avoid unintended validation issues such as DKIM temporary errors.
Careful testing and monitoring of your DMARC reports are essential when implementing oversigning. This will help you identify any unforeseen issues with DKIM body hash mismatches or other validation failures that could impact your email deliverability. A well-configured oversigning setup can be a powerful tool in your email security arsenal.

Best practices for implementing DKIM oversigning

  1. Identify critical headers: Determine which headers are most likely targets for manipulation in replay attacks.
  2. Test thoroughly: Send test emails to various mailbox providers to ensure consistent validation.
  3. Monitor DMARC reports: Regularly review your DMARC aggregate and forensic reports for authentication failures.
  4. Consistency in capitalization: Ensure that header names in the `h=` tag match their exact capitalization in the email.

Views from the trenches

Best practices

  1. Always include 'From', 'Subject', and 'Date' headers in your oversigning configuration for maximum protection.
  2. Regularly audit your email sending infrastructure to ensure that DKIM signatures are correctly generated.
  3. Consult with your ESP or MTA vendor on their recommended oversigning practices and capabilities.
  4. Prioritize headers that are frequently targeted in spoofing attempts, such as 'To' and 'Reply-To'.

Common pitfalls

  1. Oversigning headers with inconsistent capitalization can lead to validation failures with some systems.
  2. Not thoroughly testing oversigning across various recipient mail providers, causing unexpected deliverability issues.
  3. Assuming oversigning alone is enough for email security; it should complement SPF and DMARC.
  4. Failing to monitor DMARC reports, which can hide oversigning configuration errors.

Expert tips

  1. Consider headers that might be inserted by intermediaries or mail clients that you want to prevent.
  2. Implement automatic oversigning at the MTA level if your infrastructure supports it for efficiency.
  3. Pay close attention to the canonicalization methods (relaxed/simple) when configuring DKIM oversigning.
  4. If using multiple DKIM signatures, ensure consistent oversigning policies across all of them.
Expert view
Expert from Email Geeks says that oversigning is about invalidating a DKIM signature if headers are changed, rather than directly about DMARC, though it contributes to DMARC alignment.
2024-01-11 - Email Geeks
Expert view
Expert from Email Geeks says that the reason oversigning works is that hashes are calculated using the existing header and a second, null header. If bad actors add a second header during a replay attack, the hashes will no longer validate.
2024-01-12 - Email Geeks

Strengthening your email security

DKIM oversigning is a sophisticated yet powerful technique for enhancing email security beyond standard authentication protocols. By anticipating potential header manipulation and designing signatures to detect such changes, oversigning provides an additional layer of defense against sophisticated phishing and spoofing attempts. It helps ensure the integrity of your email messages and strengthens your sender reputation, leading to improved email deliverability.
While it requires careful implementation and monitoring, the benefits of preventing replay attacks and ensuring message authenticity make DKIM oversigning a valuable addition to any robust email authentication strategy. Combining it with a strong DMARC policy and SPF records creates a comprehensive shield against email fraud, protecting both your brand and your recipients.
