Summary
The majority of sources agree that DKIM can be set up on subdomains and that each domain/subdomain requires its own DKIM key. The most common recommendation is that the signing domain should match the domain used in the 'From' address to improve email authentication, deliverability, and sender reputation. Using SPF, DKIM, and DMARC together is advised for optimal protection. One source recommends signing with the 'envelope from' domain, requiring further investigation. Setting up DKIM on a subdomain helps protect the primary domain's reputation in case of email server issues.
Key findings
- DKIM on Subdomains: DKIM can be configured on subdomains.
- Individual Keys: Each domain and subdomain needs its own DKIM key.
- From Address Alignment: The DKIM signing domain should generally match the domain in the 'From' address for optimal deliverability and authentication.
- Holistic Approach: Using SPF, DKIM, and DMARC together provides the best email authentication.
- Reputation Isolation: Using a subdomain for email helps isolate reputation problems and protect the main domain.
Key considerations
- Signing Choice: Determine whether to sign with the 'From' address domain or 'envelope from' domain. Majority point to 'From' address domain.
- Key Length: Consider using a key length of 2048 bits for improved security, as recommended by Google.
- Comprehensive Setup: Implement SPF, DKIM, and DMARC together for robust email authentication.
- Validation: Verify that DKIM is implemented correctly by checking email headers after implementation.
What email marketers say
9 marketer opinions
The consensus is that DKIM can indeed be set up on subdomains. The recommended practice is to sign with the domain matching the 'From' address of the email. This means if you're sending from a subdomain (e.g., sales.example.com), you should configure DKIM for that specific subdomain. This approach improves email authentication, deliverability, and sender reputation. A few answers recommend signing with the 'envelope from' domain instead, so this warrants further investigation.
Key opinions
- Subdomain DKIM: DKIM can be set up on subdomains.
- Signing Domain: The domain used for DKIM signing should ideally match the 'From' address domain or subdomain.
- Improved Deliverability: Proper DKIM configuration enhances email deliverability and sender reputation.
- Individual Records: Each subdomain should have its own SPF/DKIM records.
Key considerations
- Domain Alignment: Ensure proper alignment between the 'From' address domain and the DKIM signing domain.
- Security: Using subdomains for email can help isolate reputation issues and protect the main domain.
- Comprehensive Authentication: Consider using SPF, DKIM, and DMARC together for the best email authentication.
- Alternative Viewpoints: A minority of answers recommend signing with the 'envelope from' domain instead, this warrants further investigation.
Marketer view
Marketer from Email Geeks clarifies that you only need to sign with the header from domain for DKIM.
28 Oct 2024 - Email Geeks
Marketer view
Email marketer from SparkPost explains that using subdomains for sending email is a common practice, and DKIM should be configured for each subdomain used. They recommend generating separate DKIM keys for each subdomain to maintain proper authentication.
10 Dec 2023 - SparkPost
What the experts say
2 expert opinions
Both sources agree that DKIM can be set up for subdomains. Each domain needs its own DKIM key. The signing domain should match the domain used in the 'From' address of the email. Therefore, if sending from a subdomain like newsletter.example.com, the DKIM signature should also be for newsletter.example.com, not the root domain.
Key opinions
- DKIM on Subdomains: DKIM can be configured on subdomains.
- Separate Keys: Each domain and subdomain requires its own unique DKIM key.
- From Address Matching: The DKIM signing domain should align with the domain used in the 'From' address of the email.
Key considerations
- Correct Configuration: Ensure that the DKIM signature is created using the key associated with the sending domain or subdomain.
- Alignment: Maintain alignment between the 'From' address domain and the DKIM signing domain for better deliverability.
Expert view
Expert from wordtothewise.com answers that DKIM signing happens on a domain. The signing domain should be the domain used in the 'From' address. If a message is sent from a subdomain like `newsletter.example.com`, then the DKIM signature should be for `newsletter.example.com` not the root domain `example.com`.
1 Jul 2024 - wordtothewise.com
Expert view
Expert from Email Geeks explains that you need to DKIM sign all domains separately with their own keys.
30 Oct 2023 - Email Geeks
What the documentation says
5 technical articles
The documentation consistently confirms that DKIM can be set up for subdomains. Each domain or subdomain should have its own DKIM key. It's recommended to sign emails with the domain or subdomain that matches the 'From' address, which helps improve email authentication and reduce the chances of emails being marked as spam. Using SPF, DKIM, and DMARC together provides the best possible protection. While the DKIM standard doesn't explicitly forbid signing with a parent domain, it implies that signing with the domain that matches the 'From' address is preferred.
Key findings
- DKIM on Subdomains: DKIM can be configured on subdomains.
- Individual Keys: Each domain/subdomain needs its own DKIM key.
- Match 'From' Address: Signing with the domain/subdomain matching the 'From' address is recommended.
- Enhanced Security: Using SPF, DKIM, and DMARC together improves protection.
Key considerations
- Key Length: Consider using a 2048-bit key length for improved security (as recommended by Google).
- Proper Alignment: Ensure alignment between the 'From' address and DKIM signing domain for optimal authentication.
- Comprehensive Approach: Implement SPF, DKIM, and DMARC for robust email authentication.
Technical article
Documentation from RFC 6376, the DKIM standard, explains the technical details of DKIM signing. While it doesn't explicitly forbid signing with a parent domain, it implies that signing with the domain that matches the 'From' address is the intended use case for optimal authentication.
21 Jan 2025 - ietf.org
Technical article
Documentation from Cloudflare explains DKIM authentication and how to add DKIM records to your DNS, but doesn't provide specific information about the use of subdomains.
16 Apr 2022 - Cloudflare
Do I need to set up DMARC for subdomains?
How can I resolve DMARC verification failures when using a subdomain for email sending?
How do DMARC records on subdomains override root domain DMARC policies?
How do I set up DMARC records for subdomains?
How to implement BIMI on a subdomain without affecting the main domain or transactional emails?
Should I add an explicit DMARC record for subdomains?
