DKIM glossary

What does the h= tag list in a DKIM signature?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

The h= tag is the colon-separated list of header fields a DKIM signature covers — From is mandatory. Any header not listed can be changed or added after signing without breaking the signature, which is why careful signers oversign critical headers. A minimal h= is a quiet security gap.

h= at a glance
Tagh (signed header fields)
Valid valuesA colon-separated list of header field names, e.g. from:to:subject:date
DefaultRequired in the signature; the From field MUST be included.
Where it goesIn the DKIM-Signature header.

How h= works

h= lists, colon-separated, exactly which header fields the signature covers — for example from:to:subject:date. Only the headers named here are protected by the signature, and From is mandatory and must always appear.

The subtle part is what's not listed. A header field left out of h= can be altered, or a fresh copy added, after signing without breaking the signature — because the hash never covered it. A stingy h= is therefore a quiet security gap: an attacker could inject or replace unsigned headers and the DKIM check would still pass.

Careful signers defend against this by oversigning: listing a critical header like From twice in h=. That extra slot means adding another From header after signing breaks the signature, blocking a header-injection trick. If you can choose what your signer covers, sign the headers that matter and oversign the ones an attacker would target.

Correct record vs common mistake

Correct

DKIM-Signature: ...; h=from:from:to:subject:date; ...

From is signed and oversigned (listed twice), so adding a second From header after signing breaks the signature — closing a header-injection gap.

Common mistake

DKIM-Signature: ...; h=from; ...

Only From is signed. Subject, To, and everything else can be changed or added after signing without breaking DKIM — a minimal h= that leaves real headers unprotected.

Troubleshooting h=

IssueLikely causeFix
Injected or duplicate headers still pass DKIMCritical headers aren't oversigned in h=Oversign From (list it twice) and cover the headers an attacker would target
Signature breaks when a header is added in transitA signed header was duplicated or modified downstreamSign only stable headers; avoid signing ones that relays legitimately add or rewrite
From not protectedh= omits From (invalid) or covers only trivial fieldsEnsure From is in h=, then add To, Subject, and Date, and oversign From

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Signers you don't control — an ESP or appliance with a minimal, non-oversigned h= — leave client mail open to header-injection tricks that still pass DKIM. Across a fleet you can't audit every platform's signing config by hand, so weak header coverage is an easy blind spot.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

Header-injection risks hang on the From address — which is exactly the identity DMARC locks down. Palisade drives every client domain to enforced DMARC, so a message can't claim your From domain and land unless it authenticates and aligns.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

It's the colon-separated list of header fields the signature covers. Only those headers are protected; From is mandatory and must always be included.

Listing a header more times in h= than it appears in the message — usually From twice. It blocks an attacker from adding a second copy of that header after signing without breaking the signature.

At least From (required), plus the ones that carry meaning or risk — typically To, Subject, Date, and Reply-To — and oversign From to prevent header injection.

Yes. Any header not listed in h= isn't covered by the signature, so it can be altered or added in transit without breaking DKIM — which is why coverage matters.

Related terms

What is DKIM? DomainKeys Identified Mail explained