Which headers should be signed?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DKIM signing locks specific headers into the tamper-evident seal. When a receiver verifies the signature, it checks that those headers weren't changed in transit. The ones you sign are recorded in the DKIM-Signature header's h= field.

Headers you should always sign

These are the identity-defining fields that phishers most want to manipulate and that receivers care about most:

  • From: the most important one. DMARC alignment checks the From domain, so this must be signed or alignment fails entirely.
  • Subject: your message title. Worth protecting against modification.
  • To: the recipient address.
  • Date: timestamps matter for replay attack prevention.
  • Message-ID: unique identifier for the message thread.
  • MIME-Version and Content-Type: structural headers that define the message format.

Headers to leave out

And don\'t sign anything that changes during delivery. Received headers are added by every mail relay in the chain and are different on arrival than at send. X-Forwarded-To, Return-Path, and other transit headers get written or rewritten en route. Signing them guarantees a broken signature before the message lands.

In practice, your ESP decides

But Most senders never manually choose which headers to sign. Your ESP or mail server handles this automatically. If you want to see exactly which headers are covered, paste a received email into our email header analyzer and look at the h= field in the DKIM-Signature. That list is what's protected.

If From isn't in that list, that's a problem worth fixing right away. DMARC alignment breaks without it.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check My Signed Headers

I just read the Email Almanac entry on which headers should be DKIM signed. Help me verify that my setup is signing the right headers and that From is covered for DMARC alignment. Walk me through: 1. Reading the h= field from a live DKIM-Signature header to see what's currently signed 2. Whether From is included (required for DMARC alignment) 3. Whether any transit headers like Received were accidentally included 4. What to do if my ESP doesn't let me configure the signed header list --- My details (fill in what applies): - Sending domain: your domain - DKIM selector: e.g. "k1", "s1" - ESP or mail platform: name - Current DMARC alignment status: aligned / failing / unsure - DKIM-Signature h= field from a recent email (paste if you have it): list of header names

Edit the yellow boxes, then send to the AI of your choice.