What is the core difference between individual and shared DKIM?

Individual DKIM directly links your email authentication to your specific domain, allowing mailbox providers to assess your sending reputation independently. Shared DKIM, conversely, means your emails are signed by the ESP's domain, potentially impacting your deliverability based on the collective sending behavior of all users sharing that key.

Which DKIM setup is better for email deliverability?

Individual DKIM is generally much better for email deliverability. It allows you to build a unique, strong sender reputation for your domain and ensures proper DMARC alignment, both of which are critical signals for mailbox providers to trust your emails and place them in the inbox.

Can a shared DKIM negatively affect my email deliverability?

Yes, it can. If other senders sharing the same DKIM key engage in spammy or malicious activities, their poor reputation can negatively affect your email deliverability, leading to your emails being filtered or blocked. This is a significant risk of using shared DKIM.

How does shared DKIM impact DMARC alignment?

Proper DKIM alignment, where the DKIM signing domain (d= tag) matches your email's From header domain, is a requirement for DMARC authentication to pass. Shared DKIM typically does not offer this alignment, which can lead to DMARC failures and reduced deliverability.

How do I switch from shared to individual DKIM?

I recommend contacting your email service provider. They should be able to provide you with the necessary DKIM keys and instructions for adding them as TXT records to your domain's DNS. This process ensures your domain is properly authenticated for sending.

How does individual DKIM versus shared DKIM affect email deliverability? - Sender reputation - Email deliverability - Knowledge base

When sending emails, especially in bulk, understanding the nuances of email authentication is crucial for ensuring your messages reach the inbox. DomainKeys Identified Mail (DKIM) is one of the pillars of email authentication, helping recipients verify that an email was indeed sent by the domain it claims to be from and that it hasn't been tampered with in transit.

A common question that arises, particularly for organizations using third-party email service providers (ESPs), is whether to use an individual DKIM signature tied directly to their domain or a shared DKIM signature provided by the ESP. This choice can significantly influence your email deliverability and overall sender reputation.

Let's explore the differences between individual and shared DKIM setups and how each option impacts whether your emails land in the inbox or the spam folder.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Understanding DKIM

DKIM functions by adding a digital signature to the headers of your outgoing emails. This signature is generated using a private key and can be verified by receiving mail servers using a corresponding public key published in your domain's DNS records. This cryptographic verification process ensures two critical things:

Authentication: It verifies that the email truly originated from the domain it claims to be from, combating email spoofing and phishing attempts. This is a core component of email authentication protocols.
Integrity: It confirms that the email content has not been altered since it was signed. This prevents malicious actors from injecting harmful links or changing message content.

Mailbox providers like Google and Microsoft heavily rely on DKIM, along with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), to assess the legitimacy of incoming emails. Proper email authentication is a strong signal of trustworthiness, which directly contributes to better inbox placement and helps avoid the spam folder.

Individual DKIM: advantages and implications

Individual DKIM, also known as dedicated DKIM or custom DKIM, means that your email sending domain (e.g., yourdomain.com) is responsible for its own DKIM signature. You publish the DKIM public key as a TXT record in your domain's DNS. This setup provides you with direct control and visibility over your email authentication.

The primary advantage of individual DKIM is the isolation of your sender reputation. Your email deliverability performance is solely based on your sending practices, not affected by other senders' behaviors. This allows mailbox providers to more accurately track your specific mail streams, which benefits good senders by building a strong and independent domain reputation.

Furthermore, individual DKIM is essential for proper DMARC alignment. DMARC policies require either SPF or DKIM to align with the From header domain. With individual DKIM, your d= tag in the DKIM signature will match your From domain, achieving DKIM alignment and boosting your deliverability signals.

Configuring your own DKIM

To implement individual DKIM, you'll typically generate a public and private key pair through your email service provider or your own mail server. The public key is then added as a TXT record to your domain's DNS. This record usually includes a DKIM selector that helps specify which key to use if you have multiple sending sources.

Example DKIM DNS TXT Record

v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnI1Uu01tM3s/sJ2N8W4Z7fX7Q2c8Z7p7k5z9b9w0z8y0j8h0k8l8m8n8o8p8q8r8s8t8u8v8w8x8y8z8A8B8C8D8E8F8G8H8I8J8K8L8M8N8O8P8Q8R8S8T8U8V8W8X8Y8Z808182838485868788898A8B8C8D8E8F8G8H8I8J8K8L8M8N8O8P8Q8R8S8T8U8V8W8X8Y8Z8==;

Shared DKIM: considerations and risks

Shared DKIM, on the other hand, means your emails are signed with a DKIM key associated with your email service provider's domain (or a subdomain they provide), rather than your own primary domain. While this might simplify initial setup, it comes with significant deliverability caveats.

The main issue with shared DKIM is the shared reputation burden. Just like shared IP addresses, if other senders using the same shared DKIM key engage in poor sending practices, their negative reputation can smear onto your legitimate emails. This increases the risk of your emails being filtered to spam or being blocked, even if your own sending hygiene is impeccable.

Another drawback is the lack of alignment with DMARC. If your emails are signed with a shared DKIM key that doesn't match your From header domain, they will fail DMARC alignment checks. This significantly reduces trust with receiving mail servers and can lead to emails being quarantined or rejected, regardless of SPF authentication. This is why one customer's DKIM signature can affect another's deliverability.

Reputation control

Your domain's sending reputation is isolated and directly tied to your own sending practices. This allows you to build a strong, independent reputation over time.

DMARC alignment

Essential for DMARC success, as the d= tag aligns with your From domain, maximizing deliverability.

Reputation vulnerability

Your reputation can be negatively impacted by the poor sending practices of other users sharing the same DKIM key.

DMARC non-alignment

Fails DMARC alignment because the signing domain differs from your From header domain, leading to lower inbox placement rates.

Choosing the right DKIM setup

For most professional senders, individual DKIM is the recommended path. It offers the best control over your sender reputation, ensures DMARC alignment, and provides the highest potential for optimal email deliverability. This is especially true for marketing emails, transactional emails from your core business, or any high-volume sending where brand reputation is paramount.

While shared DKIM might seem simpler to set up initially, the long-term deliverability challenges often outweigh the convenience. You lose direct control over a crucial aspect of your email's authenticity, subjecting your sending performance to the collective behavior of all users on the shared system.

If you are currently using shared DKIM, I recommend working with your ESP to transition to an individual DKIM setup. This usually involves adding specific DNS records to your domain. Investing in proper authentication like individual DKIM, along with SPF and DMARC, is fundamental to achieving consistent inbox placement and protecting your brand's sending reputation.

Factor	Individual DKIM	Shared DKIM
Deliverability Impact	Higher trust from ISPs, isolated reputation ensures your good sending practices are rewarded.	Reputation tied to other senders; poor practices by others can impact your inbox placement.
Control	Full control over your domain authentication and its associated sending reputation.	Limited control; relies on the ESP's overall sending hygiene and management of the shared key.
Setup	Requires adding a specific TXT record to your domain's DNS for the DKIM public key.	Often automatic or simpler through your ESP, but less transparent about the underlying mechanism.
Ideal For	Brands, high-volume senders, and anyone prioritizing strong sender reputation and DMARC compliance.	Very small senders, basic transactional emails where deliverability is not mission-critical.

Views from the trenches

Best practices

Always prioritize individual DKIM signing for your main sending domains to maintain independent reputation.

Ensure your DKIM selector matches the d= tag in your email headers for DMARC alignment.

Regularly monitor your email authentication reports to detect any DKIM failures or issues.

If using multiple sending services, ensure each service signs with your domain's individual DKIM.

Common pitfalls

Relying solely on shared DKIM, which ties your reputation to other senders on the same key.

Not aligning your DKIM with your From header domain, leading to DMARC authentication failures.

Ignoring DKIM setup for subdomains or different email streams, creating inconsistent authentication.

Assuming DKIM is configured correctly without verifying the DNS record and email headers.

Expert tips

For providers, having your own DKIM key is essential for managing Feedback Loops (FBLs) and maintaining a clean sender reputation.

DKIM is fundamental for accurate mail stream tracking, which ultimately benefits legitimate senders.

A DKIM record published in your DNS adds a layer of trust, making your email appear more legitimate to receiving mail servers.

Proper DKIM configuration is crucial for preventing email spoofing and phishing attempts that could harm your brand.

Marketer view

Marketer from Email Geeks says the deliverability impact of shared DKIM depends heavily on the overall quality and volume of mail flow from the shared IP range. They almost always recommend a sender signs with their own domain if possible.

2020-09-03 - Email Geeks

Marketer view

Marketer from Email Geeks notes that if the DKIM values are shared, reputation can be smeared across all users, which is disadvantageous for good senders but beneficial for bad senders. The main goal of DKIM is to enable more accurate tracking of mail streams.

2020-09-03 - Email Geeks

Final thoughts

The choice between individual and shared DKIM is not merely a technical preference, but a strategic decision with direct implications for your email deliverability. While shared DKIM might offer a simpler entry point, it sacrifices control over your sender reputation and can expose your email program to the risks associated with other senders.

Individual DKIM provides the autonomy and clear reputation signals necessary for consistent inbox placement. It ensures that your domain's authentication status and deliverability performance are a direct reflection of your own efforts and sending quality. This control is invaluable for maintaining trust with mailbox providers and ensuring your emails reach their intended recipients.

Ultimately, if you're serious about email deliverability and protecting your brand's online reputation, migrating to individual DKIM (and maintaining its correct configuration) is a crucial step. It solidifies your email authentication foundation, paving the way for more reliable and effective email communication.