DKIM (DomainKeys Identified Mail) is a critical email authentication method ensuring messages are unaltered and originate from the claimed domain, preventing spoofing and phishing. 'Double DKIM signing' can refer to various scenarios: two signatures from different domains (often for the ESP's benefit, not necessarily the sender's), over-signing (signing headers twice to prevent replay attacks), or multiple DKIM records to ensure at least one valid signature after forwarding or alterations. Using your own domain for signing builds a portable sender reputation. While major documentation sources focus on standard DKIM, AuthSMTP highlights using multiple records in forwarding scenarios. Properly configured DNS settings are essential for DKIM to function correctly. SPF and DMARC work alongside DKIM for comprehensive email authentication.
11 marketer opinions
DKIM (DomainKeys Identified Mail) is a crucial email authentication method that uses a digital signature to verify the sender's identity and ensure message integrity, preventing spoofing and phishing attacks. It involves signing emails with a private key and validating them with a public key in the DNS records. Double DKIM signing, which involves multiple signatures, may be used to ensure that at least one signature remains valid, even if one sending path is compromised. Signing with your own domain allows you to build and maintain your reputation, making it portable across different email service providers (ESPs). If an ESP signs with their own DKIM domain, they generally handle the FBL (Feedback Loop) setup; otherwise, you might need to configure DNS records for the FBL. A valid DKIM record at the domain or parent domain level is usually sufficient, even if multiple subdomains are used.
Marketer view
Email marketer from SocketLabs explains DKIM signing and how it works. They say that DKIM is a way to claim responsibility for a message, allowing mail servers to verify that a message was truly sent from your domain. SocketLabs does not refer to 'double DKIM signing'
16 May 2022 - SocketLabs
Marketer view
Marketer from Email Geeks explains they don’t need to bother you with the FBL set up if they are signing with THEIR DKIM domain. If they don’t, then they need to bother you.
15 Jul 2021 - Email Geeks
4 expert opinions
Double DKIM signing can refer to either an ESP signing with their domain in addition to yours (generally for their benefit, not strictly necessary for you), or to signing some headers twice to prevent DKIM replay attacks (oversigning). Multiple DKIM signatures can be useful if you use different email sending services or want to ensure at least one signature is valid if a sending path is compromised. DKIM, alongside SPF and DMARC, is crucial for email authentication and preventing spoofing. If DKIM fails, this can be caused by DNS record issues or tampering during transit. In forwarding situations, double DKIM signing can ensure at least one valid signature survives.
Expert view
Expert from Email Geeks defines over signing as when you sign some headers twice to prevent DKIM replay attacks against your domain.
1 Feb 2025 - Email Geeks
Expert view
Expert from Word to the Wise discusses DKIM authentication failure, explaining that DKIM, along with SPF and DMARC, is used to authenticate email and prevent spoofing. When DKIM fails, it could be due to various reasons, such as incorrect DNS records or tampering with the email content during transit. If there is a forwarding situation, a 'double DKIM' record can sign. This is sometimes referred to as double DKIM signing, which ensures that no matter what happens to the email in transit, at least one valid DKIM signature survives to authenticate it.
8 Jul 2024 - Word to the Wise
5 technical articles
DKIM involves adding a digital signature to outbound emails, verified by receiving mail servers to confirm message authenticity and integrity. This helps prevent tampering and spoofing. Official documentation (Google, Microsoft, RFC6376, Cloudflare) emphasizes standard DKIM practices, without explicitly discussing 'double DKIM signing'. AuthSMTP explains that multiple DKIM records signing the same message (sometimes referred to as double DKIM signing) can ensure at least one valid signature remains if the message is altered during forwarding.
Technical article
Documentation from Cloudflare explains what DKIM signing is, and how to validate a DKIM key. They specify that with DKIM, a sending mail server uses a private key to encrypt the message header. Receiving mail servers then use a public key published in the domain's DNS records to decrypt the header. This confirms the message's authenticity and verifies that it wasn't altered during transit. This doc doesnt refer to multiple or double DKIM signing.
21 Feb 2023 - Cloudflare
Technical article
Documentation from Google explains that DKIM signing adds a digital signature to outbound email messages. This signature is used by receiving mail servers to verify that the message wasn't altered during transit and that it truly came from the domain it claims to be from. They do not explicitly mention 'double DKIM signing' but rather standard DKIM practices.
8 Apr 2024 - Google
Do DKIM selectors affect email reputation?
How do ESPs collect Yahoo FBL data using double DKIM signing?
How do I fix DKIM alignment errors and configure DKIM signing for a custom domain in Microsoft 365 and is include:spf.mtasv.net required for mailchimp?
How do I troubleshoot DMARC failures and potential DKIM replay attacks affecting email deliverability?
How is DKIM precedence determined when double signing emails?