Suped

What are the advantages and disadvantages of double signing DKIM by ESPs?

Summary

Double DKIM signing by ESPs offers advantages like accessing FBLs without customer coordination and improved sender reputation, often targeted at specific providers like Yahoo and Gmail. General DKIM practices ensure domain responsibility, authentication, and integrity, preventing spoofing, phishing, and tampering. It's important when a customer domain with DMARC enforcement is used. Some ESPs share control of SPF/DKIM with customers as a defensive strategy. Key considerations include proper DKIM configuration (DNS records), maintaining adequate DKIM key sizes (>=1024 bits), and aligning DKIM with SPF/DMARC.

Key findings

  • FBL Access: Double DKIM allows ESPs to access Feedback Loops (FBLs) without customer coordination.
  • Authentication & Integrity: DKIM ensures email authentication and integrity, verifying sender identity.
  • Spoofing Prevention: DKIM prevents spoofing, phishing, and unauthorized use of domains.
  • Deliverability Improvement: Properly configured DKIM improves deliverability by boosting sender reputation.
  • DMARC Enforcement: Domains with DMARC enforcement require DKIM signing of the 'From' address.
  • Shared Control: Some ESPs share control of SPF/DKIM with customers as a security measure.
  • Key Size Matters: DKIM key sizes below 1024 bits can harm deliverability.

Key considerations

  • Configuration: Correct DKIM setup requires generating and adding a DKIM record to DNS settings.
  • Double Signing Strategy: Decide whether to double sign for all providers or target specific ones (e.g., Yahoo, Gmail).
  • SPF/DMARC Alignment: Align DKIM with SPF and DMARC for comprehensive email authentication.
  • Shared Responsibility: Establish clear lines of responsibility when sharing SPF/DKIM management with customers.
  • Key Length: Ensure DKIM key sizes are at least 1024 bits or greater for good deliverability.

What email marketers say

9 marketer opinions

Double DKIM signing by ESPs involves signing emails with both the customer's domain and the ESP's domain. This practice allows access to FBLs (like Yahoo and Gmail) without customer coordination and can improve deliverability. DKIM, in general, enhances sender reputation, authenticates the sender, prevents phishing, and protects brand reputation by verifying email legitimacy and ensuring messages are authorized by the domain owner. Proper DKIM configuration involves generating a DKIM record and adding it to the domain's DNS settings. When a customer domain with DMARC enforcement is used, it must be DKIM signed.

Key opinions

  • FBL Access: Double DKIM signing allows ESPs to access Feedback Loops (FBLs) from providers like Yahoo and Gmail without needing constant coordination with their customers.
  • Deliverability: DKIM signing, including double signing, enhances email deliverability by improving sender reputation and reducing the likelihood of emails being marked as spam.
  • Authentication: DKIM authenticates the sender's identity, assures ISPs that the email is legitimate, and helps prevent phishing attacks.
  • Brand Protection: DKIM protects brand reputation by preventing unauthorized senders from using a domain to send fraudulent emails.
  • DMARC Requirement: If a customer domain has DMARC enforcement and is used in the From: address, it must be DKIM signed.

Key considerations

  • Configuration: Proper DKIM configuration requires generating a DKIM record and adding it to the domain's DNS settings.
  • ESP Practices: ESPs may choose to double sign only for specific providers like Yahoo and Gmail, or potentially for all emails.
  • Reputation Boost: Double DKIM signing can showcase that both the ESP and the sender's domains authenticate the message, potentially improving reputation.

Marketer view

Email marketer from Litmus explains that DKIM helps protect your brand's reputation by preventing unauthorized senders from using your domain to send fraudulent emails.

2 Sep 2024 - Litmus

Marketer view

Email marketer from StackOverflow explains that double DKIM signing is useful in some cases to show both the ESP's domain and the sender's domain are authenticating the message which can improve reputation.

7 Jun 2025 - StackOverflow

What the experts say

3 expert opinions

Double DKIM signing provides ESPs access to FBLs (Feedback Loops) without customer coordination. Some ESPs utilize SPF and DKIM setups with shared control as a defensive measure. Using DKIM key sizes smaller than 1024 bits can cause deliverability problems.

Key opinions

  • FBL Access: Double DKIM signing facilitates access to Feedback Loops (FBLs) like Yahoo's without needing to coordinate directly with each customer.
  • Defensive Measures: ESPs sometimes implement SPF and DKIM configurations where they maintain partial control, adding an extra layer of defense.
  • Key Size Impact: DKIM key sizes below 1024 bits can negatively impact email deliverability.

Key considerations

  • Customer Coordination: Assess the trade-offs between ease of access to FBLs and potential customer coordination requirements.
  • Shared Control: Consider the implications and benefits of sharing control of SPF and DKIM configurations between the ESP and the customer.
  • Key Size: Ensure DKIM key sizes meet minimum recommended lengths (1024 bits or greater) to maintain optimal deliverability.

Expert view

Expert from Email Geeks explains double signing DKIM allows access to Yahoo (and other DKIM based FBLs) without coordinating with the customer.

9 Nov 2021 - Email Geeks

Expert view

Expert from Spam Resource explains some ESPs like using SPF and DKIM setup where one part is controlled by them and one part by the customer as a defensive measure.

27 Aug 2022 - Spam Resource

What the documentation says

3 technical articles

DKIM signing provides a way for a domain to take responsibility for a message by associating its identity, ensuring authentication and integrity. It prevents email spoofing and phishing by allowing receiving servers to verify the sender's domain identity and confirm that the message wasn't tampered with.

Key findings

  • Domain Responsibility: DKIM allows a domain to take responsibility for the message.
  • Authentication & Integrity: DKIM provides authentication and integrity assurance for email messages.
  • Spoofing Prevention: DKIM helps prevent email spoofing and phishing.
  • Verification of Sender: Receiving servers can verify the sender's domain identity with DKIM.
  • Tamper Detection: DKIM helps in verifying that the message wasn't tampered with during transit.

Key considerations

  • Implementation: Proper implementation of DKIM requires generating and publishing a DKIM record to your DNS.
  • Key Rotation: Regularly rotating DKIM keys is crucial for security.
  • Alignment with DMARC/SPF: DKIM should be properly aligned with SPF and DMARC to achieve maximum deliverability and security benefits.

Technical article

Documentation from DKIM.org states that DKIM helps prevent email spoofing and phishing by verifying the sender's domain identity.

14 Oct 2023 - DKIM.org

Technical article

Documentation from ietf.org explains that DKIM signing allows a domain to take responsibility for a message by associating its identity with it, providing authentication and integrity assurance.

2 Jan 2022 - ietf.org

Start improving your email deliverability today

Sign up