Which headers should be signed?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
DKIM signing locks specific headers into the tamper-evident seal. When a receiver verifies the signature, it checks that those headers weren't changed in transit. The ones you sign are recorded in the DKIM-Signature header's h= field.
Headers you should always sign
These are the identity-defining fields that phishers most want to manipulate and that receivers care about most:
- From: the most important one. DMARC alignment checks the From domain, so this must be signed or alignment fails entirely.
- Subject: your message title. Worth protecting against modification.
- To: the recipient address.
- Date: timestamps matter for replay attack prevention.
- Message-ID: unique identifier for the message thread.
- MIME-Version and Content-Type: structural headers that define the message format.
Headers to leave out
And don\'t sign anything that changes during delivery. Received headers are added by every mail relay in the chain and are different on arrival than at send. X-Forwarded-To, Return-Path, and other transit headers get written or rewritten en route. Signing them guarantees a broken signature before the message lands.
In practice, your ESP decides
But Most senders never manually choose which headers to sign. Your ESP or mail server handles this automatically. If you want to see exactly which headers are covered, paste a received email into our email header analyzer and look at the h= field in the DKIM-Signature. That list is what's protected.
If From isn't in that list, that's a problem worth fixing right away. DMARC alignment breaks without it.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.