now is the time to forget the whimpering child, become the warrior
8.5. Notes
Mail headers cannot be encrypted, nor included in the signature computation. Do not write any sensitive information in the Subject when sending an encrypted message.
One important point concerns mail header security. Signature and encryption applies to the mail body only – and also to attachments, if you chose so. That is, when you sign a message, no mail header (such as the Subject, Date, all Received headers, etc.) can be included in the signature. In a similar way, when you encrypt a message, mail headers are not encrypted.
Most mail headers (e.g. the Date) are added by the Mail User Agent (mailclient) only after that Enigmail processes the payload; other mail headers (e.g. the Received) are subsequently added by the Mail Transfer Agents at each hop of the path from sender to receiver; finally, other mail headers are added by the Mail Delivery Agent at the endpoint. Even mail headers that are user-set at the time the message is composed (e.g. the Subject) may be legitimately modified by antispam or antivirus applications on the destination server.
This is to say that mail headers change in transit (therefore they cannot be signed), and they must be in cleartext (therefore they cannot be encrypted) in order for the mail message to be processed by intermediary routers and delivered.
This is not a limitation of Enigmail, neither of GnuPG. The OpenPGP standard does not describe a way to sign or encrypt the Subject or, for this purpose, any other mail header.
Thus, please remember that mail headers aren't and cannot be secured, and they could be snooped and forged in transit like any cleartext mail message.
Note that, for the same reason, Enigmail will not sign and/or encrypt a blank message: the message body is empty, so there's nothing Enigmail can process.