Does DKIM prevent email content tampering?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Yes. That's one of the two main things DKIM is designed to do: prove the message wasn't modified after your server signed it. If anyone changes even a single character in the body or any signed header while the email is in transit, the signature breaks and receivers know something went wrong.

Here's how the protection actually works.

The body hash

When your server sends a DKIM-signed email, it hashes the message body using SHA-256 and stores that hash in the bh= field of the DKIM-Signature header. The receiving server independently hashes the body it received and compares the two. If they match, the body is intact. If even a space was added or a character changed, the hashes don't match and DKIM fails.

Signed headers

DKIM also signs a list of specific headers you choose: usually From, Subject, To, Date, and others. If any of those headers get modified after the message is signed, the same verification check fails. An attacker can't change your subject line or swap out the From address without breaking the signature.

What it doesn't protect against

DKIM isn't bulletproof. A few things it won't catch:

  • A compromised sending server. If an attacker has your private key, they can sign anything.
  • Unsigned headers. Headers not included in the signed list can be added or modified without breaking DKIM.
  • Mailing list footers and forwarding rewrites. Some mail systems modify the body to add unsubscribe links or footers. This breaks DKIM every time, regardless of intent. It's a known limitation, not a bug.

So DKIM is strong protection against in-transit tampering but it's not a substitute for controlling your private key and signing configuration carefully.

You can verify your DKIM is signing correctly with our DKIM checker. If you're seeing dkim=fail and can't track down why, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Verify My DKIM Signature Integrity

I just read the Email Almanac entry on DKIM and content tampering. Help me verify that my DKIM is signing correctly and that the right headers and body are protected. Walk me through: 1. Confirming my DKIM is passing end-to-end (body hash matching) 2. Which headers my DKIM is signing and whether the list is appropriate 3. Whether any mail path changes (forwarding, mailing lists) are breaking my signatures 4. What to do if DKIM is failing specifically at forwarded destinations --- My details (fill in what applies): - Sending domain: your domain - DKIM selector: e.g. "k1", "s1" - Current dkim= result from test sends: pass / fail / none / mixed - Whether you use mailing lists or forward through other systems: yes / no - Which providers are failing vs passing: e.g. "fails at Yahoo, passes at Gmail" - Canonicalization mode (if you know): simple / relaxed / unsure

Edit the yellow boxes, then send to the AI of your choice.