Can one customer's bad sending behavior through a shared DKIM impact other customers' emails?

Yes, if multiple customers share the same DKIM signing domain (usually the platform's or ESP's domain), then poor sending practices by one customer can negatively impact the shared domain's reputation. This can lead to decreased deliverability, increased spam flagging, or even blacklisting (blocklisting) for all customers using that shared signature. Mailbox providers see this shared DKIM as a collective identifier for the sender.

What are mail stream identifiers and how do they relate to DKIM?

A mail stream identifier is any piece of information Mailbox Providers (MBPs) use to group and assess email sending behavior. This includes explicit identifiers like the DKIM d= tag, sending IP addresses, and the Return-Path domain. MBPs use the historical performance of these identifiers to predict whether an incoming email is legitimate or spam. If a customer's actions negatively affect any shared identifier, it can harm the deliverability for all other customers associated with it.

Why do some platforms sign emails with both their own DKIM and the customer's DKIM?

Many platforms choose to sign emails with both their own DKIM key and the customer's DKIM key. This approach provides greater data visibility through feedback loops (FBLs) and postmaster tools, allowing the platform to monitor reputation effectively. While it means the platform bears some responsibility for all mail sent, it can also enhance deliverability for good customers by leveraging the platform's established reputation, especially during onboarding.

What steps can platforms take to protect other customers' deliverability?

To mitigate risks, platforms should implement robust sender segmentation (isolating risky senders), maintain strict onboarding processes, and proactively monitor email metrics (complaints, bounces) for all customers. Educating customers on email best practices and encouraging them to adopt DMARC with an enforcing policy also helps to reinforce legitimate sending and protect shared infrastructure.

Beyond DKIM, what other factors influence email deliverability in a multi-customer environment?

While DKIM is crucial for authentication, email deliverability also depends on many other factors. These include SPF and DMARC alignment, sender reputation (based on complaint rates, bounce rates, spam trap hits), email content quality, list hygiene, and recipient engagement. A robust deliverability strategy considers all these elements, not just DKIM in isolation.

How does one customer's DKIM signature affect other customers' deliverability? - Sender reputation - Email deliverability - Knowledge base

When managing email deliverability for multiple customers, especially in a Software-as-a-Service (SaaS) or Email Service Provider (ESP) environment, questions often arise about how different authentication mechanisms interact. A common concern is whether the email practices of one customer could inadvertently affect the deliverability of others. This is particularly relevant when considering DKIM (DomainKeys Identified Mail) signatures, a critical component of email authentication.

DKIM functions as a digital signature, allowing recipient mail servers to verify that an email was sent by the authorized domain owner and that its content hasn't been altered in transit. This authentication helps to build trust with Mailbox Providers (MBPs) and is crucial for maintaining good sender reputation. However, when multiple customers utilize a shared sending infrastructure, the interplay of different DKIM configurations can become complex. Each customer might have their own DKIM setup, while the platform itself also applies its own signatures.

My aim here is to explore how one customer's DKIM signature, or more broadly, their sending behavior within a shared system, can influence the email deliverability for other customers. Understanding this dynamic is key to optimizing email performance across the board and ensuring that all users can reliably reach their recipients' inboxes.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

The role of DKIM in shared environments

When you operate a platform that sends emails on behalf of multiple customers, you typically sign those emails with both your own DKIM private key and often the customer's DKIM key. Your platform's DKIM signature, identified by the d= tag in the DKIM header, asserts responsibility for the email stream. If one customer engages in sending practices that result in high spam complaints or other negative signals, this reputation can be associated with the DKIM domain you use for signing. This is because MBPs often view the DKIM signing domain as a key identifier of the sending entity, even if the From domain in the email header belongs to the customer.

This impact isn't solely theoretical. Mailbox providers like Mailgun and others rely on a combination of authentication protocols, including SPF, DKIM, and DMARC, to determine an email's legitimacy. If your shared DKIM signature's reputation deteriorates due to the actions of a single customer, it can lead to increased filtering or outright rejection of emails for all customers using that signature. Essentially, a shared DKIM signature creates a collective responsibility, and negative actions by one sender can drag down the deliverability for others.

The good news is that while one customer's DKIM practices can affect others, the degree of impact often depends on the overall sending volume and the Mailbox Provider's specific algorithms. A minor issue from one customer might not significantly alter the collective reputation, especially if your customer base is generally comprised of good senders. For a deeper dive into how DKIM affects deliverability, you might find this resource from Emfluence helpful.

Scenario 1: Shared DKIM (Platform Signed)

Mechanism: All emails sent through your platform are signed with your domain's DKIM key (e.g., tbp._domainkey.touchbasepro.email).
Reputation Impact: Negative sending behavior from any single customer can degrade the reputation of your platform's DKIM signing domain, potentially impacting all other customers using that shared signature. This can lead to increased spam filtering or blocklisting (blacklisting) for everyone.
Deliverability Outcome: Lower deliverability rates for all customers if one bad actor is present. Mailbox providers see your domain as the primary responsible entity.

Scenario 2: Individual DKIM (Customer Signed)

Mechanism: Emails are signed with each customer's unique DKIM key (e.g., tbp._domainkey.customerdomain.com).
Reputation Impact: Customer-specific sending issues primarily affect that customer's domain reputation. The platform's overall DKIM reputation remains insulated from individual customer problems to a greater extent.
Deliverability Outcome: Higher deliverability stability for the collective customer base, as each customer manages their own sending reputation tied to their DKIM. However, it requires more setup for each customer.

Understanding shared reputation and identifiers

Mailbox providers don't just look at a single data point when assessing email. They look at a variety of factors to identify mail stream identifiers. These identifiers are anything that helps an MBP predict whether an email is good based on the history of other emails associated with that identifier. This can include explicit identifiers, like the DKIM d= value or the sending IP address, and also implicit ones. When you sign emails with your platform's DKIM key, that key becomes a shared identifier across all your customers' sending activities.

Consider the scenario where your platform's IP address (the source from which emails are sent) is also shared among customers. If one customer sends a high volume of emails that generate spam complaints or bounce rates, the reputation of that shared IP address will suffer. This negative reputation, coupled with your shared DKIM signature, creates a strong correlation for MBPs. They will see the combination of that specific IP and your DKIM domain as a single sender entity, and any negative signals will affect all email traffic associated with them. This is often why a blacklist (or blocklist) entry for one customer can impact others.

Even if individual customers also sign with their own DKIM keys, if your platform's key is consistently present alongside a problematic sender, it still contributes to a collective reputation signal. Mailbox providers are sophisticated and can cross-reference multiple data points. They may observe that emails originating from your shared infrastructure, identified by your DKIM signature, tend to have higher complaint rates. This can lead to your platform's DKIM signature, and by extension, your entire sending infrastructure, being viewed less favorably, impacting everyone's inbox placement.

Identifier Type	Description	Impact in Shared Environments
DKIM d= domain	The domain responsible for the DKIM signature.	If this is your platform's domain and shared, poor performance by one customer affects its reputation for all.
Sending IP address	The IP address from which the email originates.	If shared, any negative activity (spam, bounces) directly impacts the IP's reputation, affecting all senders using it.
Return-Path domain	The domain used for bounce handling (also known as the MailFrom or Envelope From address).	Often tied to the sending infrastructure, a poor reputation here can affect all customers.
From domain (RFC 5322)	The visible sender address in the email header.	While directly tied to the customer, its alignment with other identifiers influences the overall trust score for your shared services.

Mitigating risks in multi-tenant setups

Given the potential for one customer's actions to impact others, it's crucial for platforms to implement robust strategies. Maintaining a good sender reputation (and avoiding getting on an email blocklist) requires proactive monitoring and management. If you use your own DKIM key to sign all outgoing mail, alongside your customers' keys, you gain better visibility into email performance through feedback loops (FBLs) and postmaster tools, such as Google Postmaster Tools and Microsoft SNDS. These tools provide valuable data on spam rates, IP reputation, and DKIM authentication results, allowing you to identify and address issues promptly.

While signing with your own DKIM key provides this crucial oversight, it also means you bear some responsibility for all mail sent through your platform. If your customers are generally reputable senders, this approach can actually enhance overall deliverability, especially when onboarding new customers who can benefit from your established sender reputation. Conversely, if you have customers with consistently poor sending habits, this dual-signing approach will expose your own DKIM to potential damage.

Ultimately, the choice of whether to sign with only customer keys or with both platform and customer keys involves balancing control, data visibility, and shared reputation risk. Many ESPs choose the latter because the benefits of comprehensive monitoring and potentially smoother onboarding for good customers outweigh the risks, provided they have effective systems for identifying and managing problematic senders. Regular DMARC monitoring and blocklist monitoring are essential regardless of your DKIM strategy.

Best practices for managing shared DKIM environments

Sender segmentation: Isolate high-volume or potentially risky senders onto separate IP pools and DKIM configurations where possible. This can limit the blast radius of a reputation issue.
Robust onboarding: Implement strict vetting processes for new customers, especially those with large sending volumes, to ensure they adhere to best practices.
Proactive monitoring: Continuously monitor sender reputation metrics (spam complaints, bounces, FBLs) at both the platform and individual customer level. Quickly address any anomalies.
Educate customers: Provide clear guidelines and resources on email sending best practices to your customers. Empower them to maintain their own good sending hygiene.
Implement DMARC: Encourage customers to set up DMARC records with a policy of at least quarantine, as this provides explicit instructions to MBPs on how to handle unauthenticated mail from their domain. This reinforces legitimate sending paths.

Shared responsibility in email ecosystems

Yes, one customer's DKIM signature, particularly when a platform's (or ESP's) own DKIM signature is also present on outgoing emails, can definitely affect other customers' deliverability. The core reason is that the platform's DKIM acts as a shared identifier, and its associated reputation is influenced by the aggregate sending behavior of all customers. If a single customer engages in poor sending practices, the negative signals can ripple through the shared authentication mechanisms and IP addresses, potentially impacting the inbox placement of other, well-behaved customers.

This highlights the critical importance of robust email deliverability management in multi-tenant environments. Implementing comprehensive monitoring, effective sender segmentation, and clear policies for customer email practices are essential steps. By doing so, platforms can mitigate risks, maintain a strong collective sender reputation, and ensure high deliverability for all their customers. The ongoing landscape of email security (like recent changes by Outlook and Yahoo) makes these practices more crucial than ever.

Views from the trenches

Best practices

Actively monitor spam complaints and bounce rates across all customers to identify and address problematic senders promptly.

Segment high-volume or new senders onto dedicated IP pools or with specific DKIM configurations to protect your main sending reputation.

Educate customers on email best practices to ensure they understand their role in maintaining deliverability.

Utilize FBLs and Google Postmaster Tools for comprehensive visibility into sending performance and reputation metrics.

Enforce DMARC policies for customer domains to clearly define how unauthenticated mail should be handled.

Common pitfalls

Neglecting to monitor individual customer sending behavior, allowing bad practices to impact shared infrastructure.

Using a single shared DKIM domain for all customers without proper segmentation or oversight.

Failing to respond quickly to reputation issues, such as getting listed on a public blacklist (blocklist).

Underestimating the cumulative impact of many small negative signals on a shared sending environment.

Not aligning your DMARC policy with SPF and DKIM authentication, leading to inconsistent authentication results.

Expert tips

Ensure that if you are signing emails with both your platform's DKIM and the customer's DKIM, you have a clear understanding of the data you get from each for monitoring.

Consider the trade-offs between shared and individual DKIM. While shared DKIM can simplify setup, individual DKIM offers greater isolation for sender reputation.

Always prioritize good list hygiene and engagement. These factors often have a greater long-term impact on deliverability than the specifics of DKIM setup alone.

Be prepared to adjust your sending infrastructure (e.g., dedicated IPs) if a customer consistently poses a risk to your shared reputation.

Regularly review your DMARC reports to identify authentication failures and ensure proper alignment for both your own and your customers' domains.

Expert view

Expert from Email Geeks says the platform signing with its own DKIM key means it takes responsibility for all customer emails, so unwanted mail from one customer will reflect negatively on the platform and, by extension, other customers.

2023-10-04 - Email Geeks

Expert view

Expert from Email Geeks says that while one customer's issues might be minor, the overall impact can vary by Mailbox Provider and depends on the severity of the 'bad' customers.

2023-10-04 - Email Geeks