How is DKIM precedence determined when double signing emails?

Summary

When double-signing emails with DKIM, the DKIM specification doesn't dictate an order of precedence, although some mailbox providers might prioritize network keys over brand keys. Generally, verifiers process signatures in the order they appear in the header and validate each independently, aggregating the results to contribute to overall authentication. Signing with the same domain as the 5322.From is a positive signal. Multiple DKIM signatures can improve reputation and provide redundancy. However, be wary of DNS lookup limits. DKIM is only one part of the overall authentication process.

Key findings

  • No Specification: The DKIM specification does not define an order of precedence for multiple signatures.
  • Provider Variance: Some mailbox providers might prioritize network keys over brand keys, while others don't.
  • Independent Validation: Verifiers typically validate each DKIM signature independently.
  • Aggregated Results: Results from each signature's validation are aggregated for overall authentication assessment.
  • Positive Signal: Signing with the same domain as the 5322.From address is a good signal to reputation-based spam filters.
  • Reputation & Redundancy: Multiple DKIM signatures can improve reputation and provide redundancy.

Key considerations

  • DNS Lookup Limits: Be mindful of DNS lookup limits when implementing multiple DKIM signatures to avoid delivery issues.
  • Authentication Scope: Understand that DKIM is only one part of a broader email authentication strategy.
  • ESPs and White Labeling: If using an ESP, consider white labeling the 5321.From domain to match your 5322.From for consistent DKIM signing.
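
The points above (header-order processing, independent validation, alignment with the 5322.From domain, one key lookup per signature) can be seen on a double-signed message. The Python sketch below is an added example, not code from any of the quoted sources. The message, its domains and selectors, the placeholder bh=/b= values, the per-signature verdicts and the "any pass" aggregation rule are all constructed assumptions; it parses headers only and performs no DNS lookup or cryptographic verification.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: network (ESP) signature first, brand signature second.
# bh= and b= are placeholders, not real hashes or signatures.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-network.example;
 s=net1; h=from:to:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brand.example;
 s=brand2024; h=from:to:subject; bh=AAAA; b=CCCC
From: News <news@brand.example>
To: reader@recipient.example
Subject: Hello

Body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def signatures(raw):
    """Return every DKIM signature in header order, with alignment info."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        found.append({
            "d": d,
            "s": s,
            "key_record": f"{s}._domainkey.{d}",  # TXT name a verifier queries
            "aligned": d == from_domain,          # exact match with 5322.From
        })
    return found

def aggregate(sigs, verdicts):
    """Combine independent per-signature verdicts (same order as sigs)."""
    passed = [s for s, v in zip(sigs, verdicts) if v == "pass"]
    return {
        "dkim": "pass" if passed else "fail",
        "aligned_pass": any(s["aligned"] for s in passed),
        "passing_domains": [s["d"] for s in passed],
    }
```

Calling aggregate(signatures(RAW), ["pass", "fail"]) shows the redundancy case: the message still has a passing signature, but not one aligned with the 5322.From domain.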

What email marketers say
6 Marketer opinions

When double-signing emails with DKIM, there is no specified order of precedence for signature evaluation. Mailbox providers validate each signature independently, and a valid signature contributes to the message's overall authentication. Using the same domain for DKIM signing as the visible From address (5322.From) is a positive signal. While multiple DKIM signatures can improve reputation and offer redundancy, exceeding DNS lookup limits should be avoided. The weighting of different signals is dynamic and depends on the specific filters used.

Key opinions

  • No Precedence: The DKIM specification doesn't dictate a specific order for evaluating multiple signatures.
  • Independent Validation: Receivers validate each DKIM signature independently.
  • Positive Signal: Signing with the same domain as the 5322.From address improves reputation.
  • Dynamic Weighting: Filters dynamically weight DKIM signals, with more specific signals often receiving greater weight.
  • Reputation Boost: Multiple valid DKIM signatures can improve email reputation.
  • Redundancy Benefit: Multiple DKIM signatures provide redundancy in case one signature fails.

Key considerations

  • DNS Lookup Limits: Be mindful of DNS lookup limits when using multiple DKIM signatures to avoid delivery failures.
  • Configuration Accuracy: Ensure all DKIM signatures are correctly configured for proper validation.
  • Whitelabeling: If possible, have ESPs whitelabel the 5321.From domain to match your 5322.From domain.
Marketer view

Email marketer from EmailDrips explains that although it is possible to have multiple DKIM records, it can be difficult, and generally it is better to have one DKIM record per domain. You should also be wary about exceeding DNS lookup limits.

January 2022 - EmailDrips.com
Marketer view

Email marketer from Stack Overflow states that when multiple DKIM signatures are present, the receiver validates each independently. There's no inherent precedence; each valid signature contributes to the message's overall authentication.

July 2024 - Stack Overflow
Marketer view

Email marketer from Reddit shares that multiple DKIM signatures can improve your reputation as it proves more authentication.

January 2024 - Reddit
Marketer view

Email marketer from MXToolbox responds that multiple DKIM signatures can provide redundancy: in case one signature fails verification, the other signature can still authenticate the message. They advise ensuring each signature is correctly configured.

July 2024 - MXToolbox.com
Marketer view

Marketer from Email Geeks explains there's nothing in the DKIM specification to allow a sender to mark the order of signature evaluation. DKIM signing with the same domain as the 5322.From is a good signal. ESPs often DKIM sign using the same domain as the 5321.From; if possible, get them to white label this domain. When DKIM signing using the same domain as both From domains, additional ESP signatures have minimal influence.

June 2022 - Email Geeks
Marketer view

Marketer from Email Geeks shares that any signing domain in a signature that can serve as a meaningful signal will be used as a signal. Many filters will give more weight to more specific signals, but that weighting is dynamic rather than fixed.

August 2024 - Email Geeks

What the experts say
4 Expert opinions

When double-signing emails with DKIM, some mailbox providers prioritize signatures, with network keys often taking precedence over brand keys. However, not all providers adhere to this order. Regardless of precedence, all DKIM keys are typically validated. Each signature is independently verified, and the results contribute to the overall authentication process. DKIM is only one component of the broader authentication landscape, and multiple DKIM records contribute to the layers of authentication.

Key opinions

  • Provider Variance: Some mailbox providers consider DKIM key precedence, while others don't.
  • Network Key Priority: In cases where precedence matters, network keys are often prioritized over brand keys.
  • Full Validation: Both DKIM keys are generally validated, regardless of precedence.
  • Independent Verification: Each DKIM signature undergoes independent verification.
  • Credibility Boost: Valid DKIM signatures enhance the message's overall credibility.
  • Layered Approach: Multiple DKIM records contribute to a layered authentication approach.

Key considerations

  • Provider Behavior: Understand how different mailbox providers handle DKIM precedence.
  • Authentication as a Whole: Consider DKIM as part of a comprehensive email authentication strategy.
Expert view

Expert from Email Geeks confirms that both DKIM keys will be validated.

March 2022 - Email Geeks
Expert view

Expert from Spam Resource explains that each DKIM signature is independently verified. The results of these verifications are used as part of the overall authentication process. There isn't a defined precedence; rather, the presence of valid signatures adds to the message's credibility.

July 2023 - Spam Resource
Expert view

Expert from Word to the Wise responds that authentication is not a single process and DKIM is only a portion of it. As such, multiple DKIM records would add to the layers of authentication that a message would need to pass.

June 2023 - Word to the Wise
Expert view

Expert from Email Geeks shares that some mailbox providers care about DKIM key precedence, others don't. From experience, the order should be Network key first, then brand key.

May 2024 - Email Geeks

What the documentation says
3 Technical articles

The DKIM specification doesn't define the order in which signatures should be applied or evaluated. Verifiers should process signatures in the order they appear in the header. Multiple DKIM signatures are often used when multiple mail service providers are involved. Verifiers independently evaluate each signature, aggregating the results. A key consideration is DNS lookup limits, which must be carefully managed when using multiple DKIM records to avoid delivery failures.

Key findings

  • No Defined Order: The DKIM specification doesn't dictate the order of signature application or evaluation.
  • Header Order: Verifiers should process signatures in the order they appear in the message header.
  • Independent Evaluation: Each DKIM signature is evaluated independently by verifiers.
  • Aggregation of Results: The results of the individual signature verifications are aggregated.
  • Multiple Providers: Multiple DKIM signatures are often used when multiple mail service providers are involved.

Key considerations

  • DNS Lookup Limits: Carefully manage DNS lookup limits when using multiple DKIM records.
  • Delivery Impact: Exceeding DNS lookup limits can lead to email delivery failures.
Technical article

Documentation from GitHub notes the purpose of signing with multiple DKIMs, such as when multiple mail service providers are involved. Verifiers independently evaluate each signature and the results are considered in aggregation.

October 2024 - GitHub
Technical article

Documentation from RFC Editor explains that the order in which DKIM signatures are applied to a message is not dictated by the DKIM specification. Verifiers should process signatures in the order they appear in the message's header fields.

December 2021 - RFC Editor
Technical article

Documentation from Authorea explains that with DKIM records there are DNS lookup limits. If you exceed these then the email can fail to deliver. Although you can have multiple DKIM records, you must still consider the lookup limits.

May 2021 - Authorea.com