Suped

What is double DKIM signing and when is it necessary for email authentication?

Summary

DKIM (DomainKeys Identified Mail) is a critical email authentication method ensuring messages are unaltered and originate from the claimed domain, preventing spoofing and phishing. 'Double DKIM signing' can refer to various scenarios: two signatures from different domains (often for the ESP's benefit, not necessarily the sender's), over-signing (signing headers twice to prevent replay attacks), or multiple DKIM records to ensure at least one valid signature after forwarding or alterations. Using your own domain for signing builds a portable sender reputation. While major documentation sources focus on standard DKIM, AuthSMTP highlights using multiple records in forwarding scenarios. Properly configured DNS settings are essential for DKIM to function correctly. SPF and DMARC work alongside DKIM for comprehensive email authentication.

Key findings

  • DKIM Functionality: DKIM authenticates senders and ensures message integrity.
  • Double DKIM Variations: 'Double DKIM' encompasses ESP signing, over-signing for security, and multiple records for forwarding.
  • Reputation and Control: Signing with your domain builds a portable sender reputation.
  • Standard vs. Multiple: Major platforms focus on standard DKIM, while specific scenarios benefit from multiple signatures.
  • DNS Importance: Correct DNS configuration is crucial for DKIM success.
  • Security Stack: DKIM works with SPF and DMARC for comprehensive email security.

Key considerations

  • ESP vs. Your Domain: Understand whether the ESP signs with your domain or theirs, affecting FBL setup and reputation.
  • Forwarding: Consider multiple DKIM records if emails are frequently forwarded and altered.
  • Oversigning: Consider oversigning (signing headers twice) to mitigate DKIM replay attacks.
  • Syntax: Use the correct syntax when configuring multiple signatures so that each one validates.
  • DNS Validation: Regularly check your DNS records for proper DKIM setup and validation.
  • Comprehensive Auth: Implement DKIM, SPF, and DMARC for robust email authentication.
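
An added example (not code from any of the sources quoted on this page): it audits the DKIM-Signature headers of a message, reporting each signing domain, whether that domain aligns with the From domain, and which headers are oversigned, meaning listed in h= more times than they occur in the message. The sample message, its domains and selectors are constructed, and the alignment test is a simplified suffix match rather than a Public Suffix List lookup.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: one signature from the sender's own domain (oversigning
# From and Subject) and one from a hypothetical ESP domain. bh=/b= are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;
 h=from:from:to:subject:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-mail.example; s=k2;
 h=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@news.example.com>
To: bob@example.org
Subject: Hello
Date: Mon, 01 Jan 2024 00:00:00 +0000
Message-ID: <1@example.com>

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def aligned(d, from_domain):
    # Assumption: suffix match stands in for DMARC relaxed alignment, which
    # really compares organizational domains via the Public Suffix List.
    d, f = d.lower(), from_domain.lower()
    return d == f or f.endswith("." + d) or d.endswith("." + f)

def audit(raw):
    """Return one report entry per DKIM-Signature header in the message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        signed = Counter(h.lower() for h in tags.get("h", "").split(":") if h)
        # Oversigned: named in h= more often than the header actually occurs,
        # so adding another instance later invalidates the signature.
        over = sorted(h for h, n in signed.items() if n > len(msg.get_all(h, [])))
        report.append({"d": tags.get("d", ""), "s": tags.get("s", ""),
                       "aligned": aligned(tags.get("d", ""), from_domain),
                       "oversigned": over})
    return report
```

This only inspects the signature headers; it does not fetch keys from DNS or verify the signatures cryptographically.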

What email marketers say

11 marketer opinions

DKIM (DomainKeys Identified Mail) is a crucial email authentication method that uses a digital signature to verify the sender's identity and ensure message integrity, preventing spoofing and phishing attacks. It involves signing emails with a private key and validating them with a public key in the DNS records. Double DKIM signing, which involves multiple signatures, may be used to ensure that at least one signature remains valid, even if one sending path is compromised. Signing with your own domain allows you to build and maintain your reputation, making it portable across different email service providers (ESPs). If an ESP signs with their own DKIM domain, they generally handle the FBL (Feedback Loop) setup; otherwise, you might need to configure DNS records for the FBL. A valid DKIM record at the domain or parent domain level is usually sufficient, even if multiple subdomains are used.

Key opinions

  • DKIM Importance: DKIM is essential for verifying email sender identity and preventing spoofing/phishing.
  • Double DKIM: Double DKIM signing can be used to ensure validity across multiple sending paths.
  • Domain Reputation: Signing with your own domain builds a portable sender reputation.
  • ESP Responsibility: If the ESP uses their DKIM, they typically manage the Feedback Loop setup.
  • Subdomain DKIM: A valid DKIM at the domain or parent domain covers subdomains.

Key considerations

  • Multiple Signatures: Consider using multiple DKIM signatures if you utilize various email sending services or wish to bolster signature validity across diverse pathways.
  • Domain Ownership: Ensure you're signing with your domain to accumulate reputation and maintain control when switching ESPs.
  • ESP Practices: Understand whether your ESP signs with your domain or theirs, as it impacts reputation and FBL setup responsibilities.
  • DNS Records: Verify your DNS records are correctly configured for DKIM to ensure successful authentication.
  • Security: Employ DKIM to fortify email security, guarding against threats and enhancing sender credibility.

Marketer view

Email marketer from SocketLabs explains DKIM signing and how it works. They say that DKIM is a way to claim responsibility for a message, allowing mail servers to verify that a message was truly sent from your domain. SocketLabs does not refer to 'double DKIM signing'.

16 May 2022 - SocketLabs

Marketer view

Marketer from Email Geeks explains they don’t need to bother you with the FBL set up if they are signing with THEIR DKIM domain. If they don’t, then they need to bother you.

15 Jul 2021 - Email Geeks

What the experts say

4 expert opinions

Double DKIM signing can refer to either an ESP signing with their domain in addition to yours (generally for their benefit, not strictly necessary for you), or to signing some headers twice to prevent DKIM replay attacks (oversigning). Multiple DKIM signatures can be useful if you use different email sending services or want to ensure at least one signature is valid if a sending path is compromised. DKIM, alongside SPF and DMARC, is crucial for email authentication and preventing spoofing. If DKIM fails, this can be caused by DNS record issues or tampering during transit. In forwarding situations, double DKIM signing can ensure at least one valid signature survives.

Key opinions

  • Double DKIM Benefit: Double DKIM can benefit the ESP or protect against replay attacks (oversigning).
  • Multiple Services: Multiple signatures are useful with diverse sending services.
  • DKIM Failure Reasons: DKIM failures arise from DNS issues or message tampering.
  • Forwarding Scenarios: Double DKIM signing is helpful when there is email forwarding.
  • DKIM, SPF, DMARC Combined: DKIM works with SPF and DMARC for email authentication.

Key considerations

  • ESP Motivation: Understand the motivations behind your ESP using double DKIM signing.
  • Security Threat: Consider oversigning to mitigate potential DKIM replay attacks.
  • Correct Syntax: Ensure correct syntax for multiple DKIM signatures is used when setting it up.
  • Email Transit Integrity: Factor in double DKIM in forwarding scenarios, especially when emails are tampered with.
  • Authentication Stack: Implement DKIM, SPF, and DMARC together for robust email authentication.

Expert view

Expert from Email Geeks defines oversigning as when you sign some headers twice to prevent DKIM replay attacks against your domain.

1 Feb 2025 - Email Geeks

Expert view

Expert from Word to the Wise discusses DKIM authentication failure, explaining that DKIM, along with SPF and DMARC, is used to authenticate email and prevent spoofing. When DKIM fails, it could be due to various reasons, such as incorrect DNS records or tampering with the email content during transit. If there is a forwarding situation, a 'double DKIM' record can sign. This is sometimes referred to as double DKIM signing, which ensures that no matter what happens to the email in transit, at least one valid DKIM signature survives to authenticate it.

8 Jul 2024 - Word to the Wise

What the documentation says

5 technical articles

DKIM involves adding a digital signature to outbound emails, verified by receiving mail servers to confirm message authenticity and integrity. This helps prevent tampering and spoofing. Official documentation (Google, Microsoft, RFC6376, Cloudflare) emphasizes standard DKIM practices, without explicitly discussing 'double DKIM signing'. AuthSMTP explains that multiple DKIM records signing the same message (sometimes referred to as double DKIM signing) can ensure at least one valid signature remains if the message is altered during forwarding.

Key findings

  • DKIM Function: DKIM confirms sender authenticity and message integrity.
  • Standard DKIM Focus: Major providers primarily document standard DKIM practices.
  • Double DKIM Definition: Double DKIM can refer to multiple DKIM records ensuring signature validity post-alteration during forwarding.
  • Protection against Tampering: Standard DKIM safeguards messages from alterations during transit.

Key considerations

  • Standard DKIM First: Prioritize implementing standard DKIM for basic authentication.
  • Forwarding Situations: Consider double DKIM if your emails are frequently forwarded and altered.
  • Provider Documentation: Refer to specific email provider documentation for their recommended DKIM configurations.
  • Signature Validity: Ensure at least one valid DKIM signature is preserved during message transit.

Technical article

Documentation from Cloudflare explains what DKIM signing is, and how to validate a DKIM key. They specify that with DKIM, a sending mail server uses a private key to encrypt the message header. Receiving mail servers then use a public key published in the domain's DNS records to decrypt the header. This confirms the message's authenticity and verifies that it wasn't altered during transit. This doc doesn't refer to multiple or double DKIM signing.

21 Feb 2023 - Cloudflare

Technical article

Documentation from Google explains that DKIM signing adds a digital signature to outbound email messages. This signature is used by receiving mail servers to verify that the message wasn't altered during transit and that it truly came from the domain it claims to be from. They do not explicitly mention 'double DKIM signing' but rather standard DKIM practices.

8 Apr 2024 - Google
