What is the difference between double DKIM signing and oversigning?

Double DKIM signing typically means an email has two distinct DKIM signatures, one from your sending domain and another from the email service provider (ESP) or third-party sender. This is a common practice to ensure proper authentication and reputation management across both domains. It's different from 'oversigning', which involves multiple signatures of headers within a single DKIM record.

Is double DKIM signing strictly necessary for my email deliverability?

No, it's generally not required for your domain's authentication to succeed. Recipient servers will validate each signature independently, and DMARC will pass if at least one aligned DKIM signature is valid. However, it is beneficial because it ensures your ESP maintains its own sending reputation, which can indirectly help your deliverability.

Does DMARC still pass if only one of the two DKIM signatures is aligned?

Yes, for DMARC to pass, at least one of the DKIM signatures must align with your email's RFC 5322.From domain. This means the 'd=' tag in the DKIM signature must match your visible sending domain. If only the ESP's signature is valid and your domain's signature fails or isn't aligned, DMARC will not pass based on DKIM.

When is double DKIM signing explicitly necessary?

Double DKIM signing is particularly necessary for ESPs to participate in certain feedback loop programs, such as Yahoo's Feedback Loop . This specific setup allows ESPs to receive complaint data, which is vital for managing their sending reputation and helping clients maintain good deliverability.

How can I check if my double DKIM setup is working correctly?

You should ensure that your primary domain's DKIM records are correctly published and maintained with your DNS provider. Regularly review your DMARC aggregate reports to confirm that both DKIM signatures are being validated and that your domain's signature is consistently aligning. If you notice DKIM errors , investigate both your domain's setup and your ESP's configuration.

What is double DKIM signing and when is it necessary for email authentication? - Technical - Email deliverability - Knowledge base

Email authentication protocols like DKIM (DomainKeys Identified Mail) are crucial for ensuring the legitimacy of your emails and protecting your brand from spoofing. Most of the time, when we talk about DKIM, we refer to a single signature attached to an email. However, there are scenarios where you might encounter emails with multiple DKIM signatures, a practice often referred to as double DKIM signing.

This can sometimes lead to confusion, especially when an email service provider (ESP) or mail relay system adds its own signature alongside yours. Understanding what multiple DKIM signatures mean and when double DKIM signing is necessary is key to maintaining strong email deliverability and authentication.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Why do emails have multiple DKIM signatures?

The most common reason for an email to have multiple DKIM signatures is when you send emails through a third-party service provider, such as an ESP or marketing automation platform. When you configure DKIM for your domain, you publish a public key in your DNS records, which receiving mail servers use to verify the digital signature appended to your outgoing emails. This signature verifies that the email was sent by an authorized sender and has not been tampered with in transit.

When an ESP processes your email, it often adds its own DKIM signature to the message, in addition to your domain's signature. This is done for several reasons, including managing their own sending reputation, complying with their internal policies, or facilitating their own feedback loops with mailbox providers. The result is an email header containing two distinct DKIM-Signature fields.

Beyond ESPs, other scenarios can lead to multiple DKIM signatures. For example, if an email is forwarded or passes through multiple internal mail relays within an organization, each relay might add its own signature. The DKIM standard (RFC 6376) permits multiple DKIM signatures, and receiving servers are designed to handle them.The DKIM standard (RFC 6376) explicitly allows multiple signatures.

Aspect	Single DKIM Signing	Double DKIM Signing
Signature Count	One DKIM signature, typically from your sending domain.	Two or more DKIM signatures, often one from your domain and one from your ESP.
Scenario	Direct sending from your own mail server or an ESP that only signs with your domain.	Sending through most ESPs or relays that add their own authentication.
Reputation Impact	Reputation primarily tied to your domain and sending IP.	Reputation is split between your domain and the ESP's domain. Your domain still accumulates reputation for alignment.

Understanding the mechanics of double DKIM signing

When an email arrives with multiple DKIM signatures, recipient mail servers (like

Gmail or

Outlook) evaluate each one independently. For DMARC (Domain-based Message Authentication, Reporting, and Conformance) to pass, only one of the DKIM signatures needs to be aligned with the RFC 5322.From domain (the visible sender address). This means if your ESP signs the email with its domain, and you also sign it with your domain, either valid signature can contribute to a DMARC pass, provided it aligns.

The key here is alignment. Even if there are multiple DKIM signatures, only the one (or ones) that match your domain (or a subdomain of it) will contribute to your DMARC authentication. This is why it's critical to ensure your ESP properly configures custom DKIM signing for your domain, even if they also add their own signature.

Here is an example of what an email header might look like with two DKIM signatures, one from your domain and one from an ESP's domain. You can see the distinct 'd=' tags indicating the signing domains and 's=' tags for the selectors.

Example of an email header with two DKIM signaturesplaintext

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=s1024;
	h=from:to:subject:date:mime-version:content-type:message-id;
	bh=examplehash;
	b=ExampleSignature1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=espdomain.com; s=s2023;
	h=from:to:subject:date:mime-version:content-type:message-id;
	bh=examplehash;
	b=ExampleSignature2

Double signing vs. oversigning

Sometimes, terms like 'counter DKIM signing' might come up, which can be misleading. Generally, the two distinct concepts are 'double signing' and 'oversigning'.

Double signing: Involves an email having signatures from two different domains, typically your domain and your ESP's domain.
Oversigning: Refers to signing certain email headers (like 'From', 'Subject') multiple times within a single DKIM signature, usually with different canonicalization methods. This is an advanced technique used to prevent DKIM replay attacks and ensure message integrity, as explained in our guide on what DKIM oversigning is. It's not about two separate signatures from different domains.

When double DKIM signing is necessary or beneficial

Double DKIM signing is often not a choice but a default implementation when using a third-party email sending service. Most reputable ESPs will automatically add their own DKIM signature to emails sent through their platform, regardless of whether you've set up DKIM for your domain. This practice helps them manage their overall sender reputation and ensures that even if your domain's DKIM fails for some reason, their signature can still provide a layer of authentication.

One specific scenario where double DKIM signing becomes explicitly necessary for certain advanced features is with Yahoo's Feedback Loop (FBL) program. Yahoo (now part of

Yahoo) requires a specific DKIM signature (often from a dedicated FBL domain) for ESPs to receive complaint data. This often necessitates double DKIM signing for Yahoo FBL data. You can read more about setting up Yahoo's CFBL here: How to set up Yahoo's CFBL.

While you might think having two signatures is redundant, it offers distinct advantages. The primary benefit is that your domain retains its sending reputation, which is crucial if you ever decide to switch ESPs. Your reputation, built on your domain's DKIM signature, can be carried over, minimizing the need for extensive warm-up periods. Without your own aligned DKIM signature, you're essentially relying solely on the ESP's reputation, which could impact your deliverability if they face issues.

Benefits of double DKIM signing

Enhanced Deliverability: Provides multiple paths for successful DKIM validation, increasing the likelihood of reaching the inbox.
Reputation Portability: Your domain's reputation is built under your own DKIM, making it transferable if you change sending platforms. This relates to the advantages of double signing.
Improved Trust: Dual authentication provides stronger signals of legitimacy to recipient servers.
Fraud Protection: Multiple signatures make it harder for malicious actors to spoof your domain.

Considerations for double DKIM signing

Configuration Complexity: Requires careful setup of your domain's DKIM records with your ESP.
Troubleshooting: Diagnosing DKIM errors during double DKIM implementation can be more involved.
DNS Management: Ensuring all necessary DKIM DNS records are correctly published and maintained.

Best practices for managing multiple DKIM signatures

The most important aspect of managing multiple DKIM signatures is ensuring that your domain's signature is always valid and properly aligned with your From address. Even if an ESP adds their signature, it's your domain's signature that builds your long-term reputation and ensures DMARC compliance. We always recommend setting up your own DKIM as the first step when onboarding with an ESP.

Regularly monitor your DMARC reports to verify that your DKIM signatures are passing authentication and alignment checks. These reports will show you if any of your emails are failing DKIM for reasons like incorrect configuration or message modification. It's a crucial step in understanding your email authentication health and troubleshooting DMARC reports.

Finally, ensure that your DNS records are correctly published and maintained for your DKIM selectors. Incorrect or outdated DNS entries can lead to DKIM validation failures, regardless of how many signatures an email carries. Timely updates and verification of these records are fundamental to consistent email deliverability and ensuring your domain reputation remains positive.

Views from the trenches

Best practices

Ensure your primary domain's DKIM is always correctly configured and aligning.

Always set up your own DKIM key with your ESP for reputation control.

Regularly monitor DMARC reports to identify any DKIM authentication failures.

Prioritize email authentication setup with your domain over relying solely on ESP's.

Common pitfalls

Confusing 'double signing' with 'oversigning' or 'counter-signing'.

Not setting up your own DKIM key because the ESP adds their own signature.

Ignoring the Yahoo CFL DKIM requirement for ESPs.

Not verifying that your own domain's DKIM signature is passing alignment tests.

Expert tips

Always ask your ESP if they support custom DKIM signing for your domain.

If an ESP doesn't support double signing, understand the implications for FBLs.

Verify email headers to see all DKIM signatures present on your messages.

DKIM signatures are valid even if they are not aligned with the 5322.From domain.

Marketer view

Marketer from Email Geeks says they were confused by their ESP mentioning 'counter DKIM signing' and it seemed like a run-around rather than a clear explanation.

2024-07-11 - Email Geeks

Expert view

Expert from Email Geeks says that 'double signing' means two signatures from two different domains, while 'oversigning' is about signing specific headers twice to prevent replay attacks.

2024-07-11 - Email Geeks

Key takeaways for email authentication

Double DKIM signing is a common and often beneficial practice in modern email ecosystems, particularly when leveraging ESPs. It ensures that both your domain and your service provider contribute to the email's authentication, enhancing trust and deliverability. While the terminology around multiple signatures can sometimes be confusing, the core principle remains consistent: a valid and aligned DKIM signature from your domain is paramount.

By understanding when and why double DKIM signing occurs, you can confidently navigate your email authentication strategy, ensure compliance with standards like DMARC, and ultimately improve your chances of reaching the inbox. Always prioritize your domain's authentication and monitor its performance to maintain a healthy sending reputation.