DomainKeys Identified Mail (DKIM) is a crucial tool for ensuring the authenticity and integrity of emails. By signing specific headers, DKIM helps recipients verify that the message hasn’t been altered during sending. After reviewing twelve different ESPs for their signing options and use of DKIM, it’s not surprising to find a wide variety of approaches among vendors.

The providers selected for this review were chosen somewhat randomly based on emails I receive in my inbox from subscriptions I’ve requested. Actual brands were not considered; only the h= portion of the DKIM signature was examined to assess the variation in options used by the ESPs.

Given the numerous options available for DKIM signatures, it’s important to quickly review the different elements that make up these signatures.

Here’s a quick overview of the common DKIM tags and their meanings:

  • `v` (Version): Specifies the DKIM version. Always `v=1`.
  • `a` (Algorithm): The algorithm used for signing, typically `rsa-sha256`.
  • `c` (Canonicalization): Determines how the email body and headers are normalized, commonly `relaxed/relaxed`.
  • `d` (Domain): The domain of the entity signing the email.
  • `s` (Selector): Helps locate the public key in DNS for the domain.
  • `q` (Query): Indicates the method to query the public key, usually `dns/txt`.
  • `t` (Timestamp): The creation time of the signature.
  • `x` (Expiration): When the signature expires.
  • `i` (Agent or User Identifier): Represents the identity of the user or agent on behalf of whom the email is signed.
  • `h` (Headers): Lists the headers included in the signature hash.
  • `bh` / `b`: `bh` is the hash of the canonicalized message body; `b` is the signature value computed over the selected headers (which include `bh`).

Some header names may appear more than once in the h= portion of a DKIM signature in an effort to ‘over sign’ them and prevent DKIM replay attacks.

What is over signing?

It is a security measure in which a header name is listed in h= more times than it actually occurs in the message. Because the verifier treats each missing instance as an empty header, any header of that name added after signing breaks the signature, which makes a message harder to modify and resend with new content. This technique ensures that critical headers like From, To, and Subject cannot be altered or duplicated during the email’s journey, helping maintain email integrity and protecting against header manipulation. Additionally, the t= and x= tags add a time element so the message is not considered valid outside of its designated validity period. Based on our review, expiration times can range from a few hours to a month, depending on the provider sending the emails. However, it was also observed that many providers choose not to implement these timed variables.

In our review of the selected ESPs, we identified several common practices shared among their configurations and noted a variety of unique customizations implemented by some providers:

  1. Common Headers:
    1. Essential headers like `From`, `To`, `Subject`, `List-Unsubscribe`, and `List-Unsubscribe-Post` are universally included. These headers are critical for verifying sender authenticity and managing unsubscribe requests.
  2. Over signing:
    1. Providers like MailGun, Netcore, Sparkpost, SendGrid, SocketLabs, and Klaviyo use over signing, enhancing security by signing headers multiple times.
  3. Unique Headers:
    1. Each provider includes specific headers tailored to their needs:
      1. MailGun: `Content-Transfer-Encoding`, `Content-Type`, `Sender`, `X-Feedback-Id`
      2. Netcore: `feedback-id`, `message-id`
      3. Sparkpost: `Cc`, `Date`, `Message-ID`
      4. SendGrid: `x-feedback-id`, `content-type`, `cc`
      5. SocketLabs: `x-thread-info`, `reply-to`, `cc`
      6. SFMC: `List-ID`, `MIME-Version`
      7. Emarsys: `List-Id`, `MIME-Version`
      8. ActiveCampaign: `Reply-To`, `Feedback-ID`, `Content-Transfer-Encoding`
      9. Constant Contact: `X-Feedback-ID`, `X-250ok-CID`
      10. ClickDimensions: Primarily standard headers

By examining all headers used across different providers and considering their unique elements, we can identify the ideal list of headers to sign and those to over sign. This approach would look something like this:

h=From: To: Subject: Date: List-Unsubscribe: List-Unsubscribe-Post: Content-Type: MIME-Version: Message-ID: Reply-To: Content-Transfer-Encoding: Feedback-ID/X-Feedback-ID: Cc: List-ID: From: To: Subject: Content-Type

Signing these headers not only authenticates emails but also secures them against tampering, and over signing strengthens this further by ensuring that no additional copy of a critical header can be introduced after signing. Understanding the importance of these headers and their roles enables organizations to improve their email security posture, safeguarding their brand and recipients.
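As an added example (not code from the original post or from any of the ESPs reviewed), the following Python script parses the h= tag of a DKIM-Signature header and reports which header names are over-signed, i.e. listed more often than they occur in the message, along with the t=/x= validity window. The header block is constructed for illustration and the bh= and b= values are placeholders, not real hashes or signatures.

```python
import re
from collections import Counter

# Constructed sample, not a real message. h= lists From, To and Subject twice
# (over-signed) and Reply-To once though no Reply-To header exists; bh=/b= are placeholders.
SAMPLE_HEADERS = """\
From: news@example.com
To: reader@example.net
Subject: Weekly digest
Date: Mon, 01 Jul 2024 10:00:00 +0000
List-Unsubscribe: <mailto:unsub@example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; t=1719828000; x=1719914400;
 h=From:To:Subject:Date:List-Unsubscribe:Reply-To:From:To:Subject;
 bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE=
"""

def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into a tag -> value dict, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def analyze_signature(raw_headers):
    """Return (report, window). report maps each lower-cased name in h= to how
    often it is listed, how often it occurs, and whether it is over-signed
    (listed more often than present, so a copy added after signing breaks the
    signature). window is x= minus t= in seconds, or None if a tag is absent."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded header lines
    lines = [l for l in unfolded.splitlines() if ":" in l]
    present = Counter(l.split(":", 1)[0].strip().lower() for l in lines)
    sig = next(l for l in lines if l.lower().startswith("dkim-signature:"))
    tags = parse_dkim_tags(sig.split(":", 1)[1])
    listed = Counter(n.strip().lower() for n in tags.get("h", "").split(":") if n.strip())
    report = {name: {"listed": count, "present": present.get(name, 0),
                     "oversigned": count > present.get(name, 0)} for name, count in listed.items()}
    window = int(tags["x"]) - int(tags["t"]) if "t" in tags and "x" in tags else None
    return report, window

def not_oversigned(report, names):
    """Names from `names` that are unlisted or listed no more often than they occur."""
    return [n.lower() for n in names if not report.get(n.lower(), {}).get("oversigned")]

if __name__ == "__main__":
    rep, win = analyze_signature(SAMPLE_HEADERS)
    print(rep, win, not_oversigned(rep, ["From", "Subject", "Date", "Cc"]))
```

Running it against your own raw headers shows at a glance which critical names (here Date and the absent Cc) are left without over-signing protection.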

Now it’s time to go and review your email headers and see which headers are being signed.