Summary
Multiple DKIM signatures in an email indicate the message has been processed by several entities, each potentially adding their own signature from different administrative domains. This is a standard feature, commonly seen with ESPs, email forwarders, mailing lists, and when outsourcing email management. The second DKIM signature is often the ESP's. Multiple signatures can be a sign of legitimacy, with different parties vouching for the email's authenticity. Even if one signature fails, the email can still pass DKIM checks if another signature verifies correctly. Organizations may set up multiple DKIM signatures for various reasons, including different sending domains, subdomains, or email streams. Each domain can only have one DKIM record per selector, necessitating multiple records when using multiple ESPs. While multiple keys are acceptable, having multiple from the same organization may be redundant.
Key findings
- Multiple Entities: Multiple entities, such as ESPs, forwarders, and mailing lists, can add DKIM signatures.
- ESP Signatures: The second DKIM signature often comes from the ESP being used for sending.
- Legitimacy Indicator: Multiple valid signatures can suggest increased legitimacy.
- HubSpot Configuration: In HubSpot, one DKIM signature covers the sending domain, and another covers the return-path domain.
- Forwarding Implications: Forwarding systems can add their own DKIM signatures.
- Domain limits: Each domain can only have one DKIM record per selector.
- Delegated Management: Multiple DKIM Signatures can be useful when outsourcing email handling.
Key considerations
- Organizational Domains: Ensure that organizational domains associated with multiple signatures differ.
- DKIM Configuration: Properly configure DKIM to prevent spoofing.
- Verification: Even if one signature fails, the email can pass checks if another is valid.
- Third-Party Involvement: Multiple signatures are common when using third-party services.
- Redundancy: Avoid redundant DKIM keys from the same organization.
- Failure Scenarios: Understand the reasons for DKIM check failures, like invalid signatures or header modification.
What email marketers say
11 marketer opinions
Multiple DKIM signatures in an email indicate that the message has been processed by several entities, each adding its own signature. This is common when using ESPs, forwarding emails, or when various organizational domains are involved. The presence of multiple signatures can be a sign of legitimacy, confirming that different parties have verified the email's authenticity. Even if one signature fails, the email can still pass DKIM checks if another signature is valid.
Key opinions
- Multiple Entities: Multiple DKIM signatures often arise because different entities (ESPs, forwarders, etc.) have processed the email.
- ESP Signatures: The second DKIM signature frequently comes from the ESP being used.
- Legitimacy Sign: Multiple valid signatures can indicate legitimacy, implying multiple parties vouch for the email.
- HubSpot Example: In platforms like HubSpot, one DKIM signature covers the email sending domain, while another covers the return path domain tied to the dedicated IP.
- Verification: An email can still pass DKIM checks if at least one signature verifies correctly, even if others fail.
- Domain Limits: Each domain can only have one DKIM record per selector, requiring multiple DKIM records when using multiple ESPs.
Key considerations
- Organizational Domains: Pay attention to the organizational domains associated with each signature, as they should differ.
- Email Spoofing: Ensure DKIM checks are properly configured to prevent email spoofing.
- Configuration: Organizations may set up multiple DKIM signatures for different sending domains or email streams.
- Third-Party Providers: Using third-party email providers often results in multiple DKIM signatures being added to the header.
- Forwarding Implications: Email forwarding can add another DKIM signature as it passes through the system, which can be safe to use if the forwarding system adds it's own DKIM.
Marketer view
Email marketer from EmailSecuritySPF shares that emails often have multiple DKIM signatures. Even if one signature fails verification, the email can still pass the DKIM check if another signature verifies correctly.
3 Jan 2025 - EmailSecuritySPF
Marketer view
Email marketer from Email Geeks shares the second DKIM signature is often the ESP's signature.
31 Jan 2023 - Email Geeks
What the experts say
2 expert opinions
Having multiple DKIM signatures in an email is a standard feature, often seen when intermediaries like mailing lists or email forwarders are involved. It's generally acceptable, particularly when the forwarding system includes its own DKIM signature. While multiple keys are fine, it might not be necessary to have multiple from the same organization.
Key opinions
- Standard Feature: Multiple DKIM signatures are a designed aspect of the DKIM specification.
- Intermediary Involvement: Mailing lists and forwarders frequently add their own DKIM signatures.
- Forwarding Safety: It's safe if the forwarding system adds its DKIM.
- Redundancy Consideration: Having multiple DKIM keys from the same organization might be unnecessary.
Key considerations
- Forwarding System DKIM: Ensure that the forwarding system appends its own valid DKIM signature.
- Key Origin: Evaluate whether multiple keys from the same organization are truly needed.
Expert view
Expert from Word to the Wise explains that multiple DKIM signatures are a feature of the DKIM spec, and are often created by intermediaries such as mailing lists or forwarders. This is typically safe if the forwarding system adds it's own DKIM.
28 Nov 2024 - Word to the Wise
Expert view
Expert from Email Geeks explains it's fine for emails to have multiple keys, but you might not need both from the same organization.
15 Nov 2023 - Email Geeks
What the documentation says
3 technical articles
Documentation indicates that multiple DKIM signatures on an email can arise from different administrative domains or entities involved in handling the message, such as when outsourcing email management, using third-party services, or during email forwarding. A DKIM check might fail if a signature is invalid, header fields are modified, or if at least one of the multiple signatures fails verification.
Key findings
- Multiple Domains: Multiple DKIM signatures can come from different administrative domains signing the same email.
- Outsourcing Support: Multiple signatures are useful when outsourcing email handling.
- Third-Party Services: Email forwarding and third-party services often result in multiple DKIM signatures.
- Failure Reasons: DKIM checks can fail due to invalid signatures, header modifications, or at least one failed signature in a set of multiple signatures.
Key considerations
- Signature Validity: Ensure that each DKIM signature is valid to pass verification checks.
- Header Integrity: Maintain the integrity of header fields to prevent DKIM check failures.
- Domain Alignment: Verify that the DKIM signatures align with the sending domains to enhance deliverability and trust.
Technical article
Documentation from dkim.org explains that a single message might be signed by multiple DKIM signatures, possibly by different administrative domains. This is useful in a number of scenarios, such as when outsourcing handling of some or all email.
17 Dec 2022 - dkim.org
Technical article
Documentation from RFC 6376 states that a message can contain multiple DKIM signatures, each potentially from a different entity involved in handling the message, supporting scenarios like email forwarding or third-party services.
25 May 2025 - RFC Editor
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Do I need multiple DKIM records if I use multiple ESPs like HubSpot, Sendgrid and ActiveCampaign?
How do ESPs collect Yahoo FBL data using double DKIM signing?
How do I fix DKIM alignment errors and configure DKIM signing for a custom domain in Microsoft 365 and is include:spf.mtasv.net required for mailchimp?
How do I sign DKIM on a sender domain that isn't the primary domain while using Hubspot?
How is DKIM precedence determined when double signing emails?
