
Subject to DKIM

“Subject to DKIM” means an email’s subject line is protected by DKIM authentication. Learn how signing the Subject header prevents tampering and spoofing.


What does Subject to DKIM mean?

When an email or a specific header field such as Subject is described as “subject to DKIM,” it means that the field is included in the DomainKeys Identified Mail (DKIM) signature and therefore protected by cryptographic authentication.

In other words, if the Subject line is “subject to DKIM,” any unauthorized change to it (for example, altering the subject after signing) would cause the DKIM verification to fail. This ensures that key parts of the email (like the From, To, Date, and Subject headers) haven’t been tampered with between sending and receiving.

How DKIM Protects the Subject Line

DKIM works by hashing the message body and a chosen set of header fields (called signed header fields), then signing the result with the sender's private key. The signed header fields are listed in the h= tag of the DKIM-Signature header. For example:

    DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2025;
        h=from:to:subject:date:message-id; bh=Z2...;

Here, the h= tag shows that the Subject header is included in the DKIM signature.

When the recipient’s mail server verifies the message, it retrieves the sender’s public DKIM key from DNS and recalculates the hashes. If the email’s subject has been changed since signing, the DKIM signature will no longer match, and the message will fail authentication.

Not every sender includes the Subject field in the signature, but it’s considered a best practice to do so, since the subject is often visible to recipients and can be exploited in spoofing or phishing attempts.
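One way to check a received message for this, as an added example that is not DMARCeye's code: the Python below reads every DKIM-Signature header, parses its h= tag, and reports which of From, To, Date, and Subject are not covered. It inspects header coverage only and does not verify the signature; the sample message, the second signer (example.net) and its selector are constructed for illustration.

```python
from email import message_from_string

# Headers the page names as key parts of the message.
EXPECTED = ("from", "to", "date", "subject")

# Constructed sample: two signatures, the second omits Subject from h=.
# bh=/b= values are placeholders, so this message would not verify.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2025;\n"
    " h=from:to:subject:date:message-id; bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel1;\n"
    " h=From : To :\n"
    "  Date; bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "From: billing@example.com\n"
    "To: user@example.org\n"
    "Subject: Invoice\n"
    "Date: Mon, 06 Jan 2025 10:00:00 +0000\n"
    "\n"
    "Constructed body.\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            # Split on the first '=' only: base64 values may end in '='.
            name, _, val = part.partition("=")
            tags[name.strip().lower()] = val.strip()
    return tags

def signed_headers(tags):
    """Return the lower-cased header names listed in h=."""
    # Folding whitespace may appear around the colons inside h=.
    h = "".join(tags.get("h", "").split())
    return [name.lower() for name in h.split(":") if name]

def audit(raw_message):
    """Per signature: (d=, s=, expected headers missing from h=)."""
    msg = message_from_string(raw_message)
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        covered = set(signed_headers(tags))
        missing = [h for h in EXPECTED if h not in covered]
        report.append((tags.get("d"), tags.get("s"), missing))
    return report
```

A signature whose missing list contains "subject" leaves the subject line outside DKIM protection for that signer, even if the signature itself verifies.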

Why It’s Important to Include the Subject in DKIM

Protecting the subject line helps maintain message integrity and prevents subtle social engineering attacks. Attackers might otherwise modify only the subject (for example, changing “Invoice” to “Urgent payment request”) while keeping the rest of the message intact and still appearing authentic.

By signing the subject under DKIM, organizations ensure that even minor modifications invalidate the DKIM signature, providing both a technical and reputational safeguard.

For high-security communication, especially financial, governmental, or legal messages, signing the subject is not optional; it’s an essential layer of trust.

Subject and DKIM in DMARCeye

DMARCeye helps organizations confirm whether their DKIM configurations include essential headers like Subject in the signing process. Through its DMARC report analysis, DMARCeye highlights which senders are using partial or incomplete DKIM coverage, helping you identify cases where messages are not fully “subject to DKIM.”

By ensuring that critical fields like the Subject are always signed, DMARCeye helps maintain message integrity and consistency across all legitimate mail sources.
