Suped

Summary

When double-signing emails with DKIM, the DKIM specification doesn't dictate an order of precedence, although some mailbox providers might prioritize network keys over brand keys. Generally, verifiers process signatures in the order they appear in the header and validate each independently, aggregating the results to contribute to overall authentication. Signing with the same domain as the 5322.From is a positive signal. Multiple DKIM signatures can improve reputation and provide redundancy. However, be wary of DNS lookup limits. DKIM is only one part of the overall authentication process.

Key findings

  • No Specification: The DKIM specification does not define an order of precedence for multiple signatures.
  • Provider Variance: Some mailbox providers might prioritize network keys over brand keys, while others don't.
  • Independent Validation: Verifiers typically validate each DKIM signature independently.
  • Aggregated Results: Results from each signature's validation are aggregated for overall authentication assessment.
  • Positive Signal: Signing with the same domain as the 5322.From address is a good signal to reputation-based spam filters.
  • Reputation & Redundancy: Multiple DKIM signatures can improve reputation and provide redundancy.

Key considerations

  • DNS Lookup Limits: Be mindful of DNS lookup limits when implementing multiple DKIM signatures to avoid delivery issues.
  • Authentication Scope: Understand that DKIM is only one part of a broader email authentication strategy.
  • ESPs and White Labeling: If using an ESP, consider white labeling the 5321.MailFrom domain to match your 5322.From for consistent DKIM signing.

What email marketers say

6 marketer opinions

When double-signing emails with DKIM, there is no specified order of precedence for signature evaluation. Mailbox providers validate each signature independently, and a valid signature contributes to the message's overall authentication. Using the same domain for DKIM signing as the visible From address (5322.From) is a positive signal. While multiple DKIM signatures can improve reputation and offer redundancy, exceeding DNS lookup limits should be avoided. The weighting of different signals is dynamic and depends on the specific filters used.

Key opinions

  • No Precedence: The DKIM specification doesn't dictate a specific order for evaluating multiple signatures.
  • Independent Validation: Receivers validate each DKIM signature independently.
  • Positive Signal: Signing with the same domain as the 5322.From address improves reputation.
  • Dynamic Weighting: Filters dynamically weight DKIM signals, with more specific signals often receiving greater weight.
  • Reputation Boost: Multiple valid DKIM signatures can improve email reputation.
  • Redundancy Benefit: Multiple DKIM signatures provide redundancy in case one signature fails.

Key considerations

  • DNS Lookup Limits: Be mindful of DNS lookup limits when using multiple DKIM signatures to avoid delivery failures.
  • Configuration Accuracy: Ensure all DKIM signatures are correctly configured for proper validation.
  • Whitelabeling: If possible, have ESPs whitelabel the 5321.MailFrom domain to match your 5322.From domain.

Marketer view

Email marketer from EmailDrips explains that although it is possible to have multiple DKIM records, it can be difficult, and it is generally better to have one DKIM record per domain. You should also be wary about exceeding DNS lookup limits.

28 Apr 2022 - EmailDrips.com

Marketer view

Email marketer from Stack Overflow states that when multiple DKIM signatures are present, the receiver validates each independently. There's no inherent precedence; each valid signature contributes to the message's overall authentication.

30 Jul 2022 - Stack Overflow

What the experts say

4 expert opinions

When double-signing emails with DKIM, some mailbox providers prioritize signatures, with network keys often taking precedence over brand keys. However, not all providers adhere to this order. Regardless of precedence, all DKIM keys are typically validated. Each signature is independently verified, and the results contribute to the overall authentication process. DKIM is only one component of the broader authentication landscape, and multiple DKIM records contribute to the layers of authentication.

Key opinions

  • Provider Variance: Some mailbox providers consider DKIM key precedence, while others don't.
  • Network Key Priority: In cases where precedence matters, network keys are often prioritized over brand keys.
  • Full Validation: Both DKIM keys are generally validated, regardless of precedence.
  • Independent Verification: Each DKIM signature undergoes independent verification.
  • Credibility Boost: Valid DKIM signatures enhance the message's overall credibility.
  • Layered Approach: Multiple DKIM records contribute to a layered authentication approach.

Key considerations

  • Provider Behavior: Understand how different mailbox providers handle DKIM precedence.
  • Authentication as a Whole: Consider DKIM as part of a comprehensive email authentication strategy.

Expert view

Expert from Email Geeks confirms that both DKIM keys will be validated.

11 Aug 2024 - Email Geeks

Expert view

Expert from Spam Resource explains that each DKIM signature is independently verified. The results of these verifications are used as part of the overall authentication process. There isn't a defined precedence; rather, the presence of valid signatures adds to the message's credibility.

19 Mar 2025 - Spam Resource

What the documentation says

3 technical articles

The DKIM specification doesn't define the order in which signatures should be applied or evaluated. Verifiers should process signatures in the order they appear in the header. Multiple DKIM signatures are often used when multiple mail service providers are involved. Verifiers independently evaluate each signature, aggregating the results. A key consideration is DNS lookup limits, which must be carefully managed when using multiple DKIM records to avoid delivery failures.

Key findings

  • No Defined Order: The DKIM specification doesn't dictate the order of signature application or evaluation.
  • Header Order: Verifiers should process signatures in the order they appear in the message header.
  • Independent Evaluation: Each DKIM signature is evaluated independently by verifiers.
  • Aggregation of Results: The results of the individual signature verifications are aggregated.
  • Multiple Providers: Multiple DKIM signatures are often used when multiple mail service providers are involved.

Key considerations

  • DNS Lookup Limits: Carefully manage DNS lookup limits when using multiple DKIM records.
  • Delivery Impact: Exceeding DNS lookup limits can lead to email delivery failures.

Technical article

Documentation from GitHub notes the purpose of signing with multiple DKIMs, such as when multiple mail service providers are involved. Verifiers independently evaluate each signature and the results are considered in aggregation.

28 Dec 2021 - GitHub

Technical article

Documentation from RFC Editor explains that the order in which DKIM signatures are applied to a message is not dictated by the DKIM specification. Verifiers should process signatures in the order they appear in the message's header fields.

21 Apr 2022 - RFC Editor
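
To see independent evaluation and aggregation on a double-signed message, the following added example (not code from any of the sources quoted on this page) lists each DKIM-Signature in header order, derives the key record a verifier would fetch, and combines the per-signature verdicts from the receiver's Authentication-Results header. The domains, selectors, header values and the simplified alignment check are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an ESP ("network") signature and a brand signature.
RAW = (
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=pass header.d=esp-mail.example header.s=net1;\n"
    " dkim=fail header.d=brand.example header.s=brand1\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp-mail.example; s=net1;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=brand.example; s=brand1;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: News <news@mail.brand.example>\n"
    "Subject: constructed sample\n\nbody\n"
)

def aligned(d, from_domain):
    # Approximates relaxed alignment (same domain or parent/child); a production
    # check compares organizational domains using the Public Suffix List.
    return d == from_domain or from_domain.endswith("." + d) or d.endswith("." + from_domain)

def signatures(msg):
    """Every DKIM-Signature in header order, with the key record a verifier fetches."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    sigs = []
    for value in msg.get_all("DKIM-Signature", []):
        parts = (t.partition("=") for t in value.split(";"))
        tags = {k.strip(): v.strip() for k, _, v in parts if v}
        d = tags["d"].lower()
        sigs.append({"d": d, "key_record": f"{tags['s']}._domainkey.{d}",
                     "aligned": aligned(d, from_domain)})
    return sigs

def aggregate(raw):
    """Combine the per-signature verdicts recorded in Authentication-Results."""
    msg = message_from_string(raw)
    ar = " ".join(msg.get_all("Authentication-Results", []))
    # Keyed by signing domain only; two signatures from one domain would collide.
    verdict = {d.lower(): r for r, d in
               re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", ar)}
    sigs = signatures(msg)
    passed = [s for s in sigs if verdict.get(s["d"]) == "pass"]
    return {"signatures": sigs, "dkim_pass": bool(passed),
            "aligned_pass": any(s["aligned"] for s in passed)}

if __name__ == "__main__":
    print(aggregate(RAW))
```

In the sample, the ESP signature alone yields a DKIM pass, but because the brand signature failed there is no passing signature aligned with the 5322.From domain, which is the result DMARC evaluates. Trust only an Authentication-Results header stamped by your own receiving server, since copies added upstream can be forged.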
