The majority of sources agree that DKIM can be set up on subdomains and that each domain/subdomain requires its own DKIM key. The most common recommendation is that the signing domain should match the domain used in the 'From' address to improve email authentication, deliverability, and sender reputation. Using SPF, DKIM, and DMARC together is advised for optimal protection. One source recommends signing with the 'envelope from' domain, requiring further investigation. Setting up DKIM on a subdomain helps protect the primary domain's reputation in case of email server issues.
9 marketer opinions
The consensus is that DKIM can indeed be set up on subdomains. The recommended practice is to sign with the domain matching the 'From' address of the email. This means if you're sending from a subdomain (e.g., sales.example.com), you should configure DKIM for that specific subdomain. This approach improves email authentication, deliverability, and sender reputation. A few answers recommend signing with the 'envelope from' domain instead, so this warrants further investigation.
Marketer view
Marketer from Email Geeks clarifies that you only need to sign with the header from domain for DKIM.
10 Oct 2024 - Email Geeks
Marketer view
Email marketer from SparkPost explains that using subdomains for sending email is a common practice, and DKIM should be configured for each subdomain used. They recommend generating separate DKIM keys for each subdomain to maintain proper authentication.
22 Nov 2023 - SparkPost
2 expert opinions
Both sources agree that DKIM can be set up for subdomains. Each domain needs its own DKIM key. The signing domain should match the domain used in the 'From' address of the email. Therefore, if sending from a subdomain like newsletter.example.com, the DKIM signature should also be for newsletter.example.com, not the root domain.
Expert view
Expert from wordtothewise.com answers that DKIM signing happens on a domain. The signing domain should be the domain used in the 'From' address. If a message is sent from a subdomain like `newsletter.example.com`, then the DKIM signature should be for `newsletter.example.com` not the root domain `example.com`.
14 Jun 2024 - wordtothewise.com
Expert view
Expert from Email Geeks explains that you need to DKIM sign all domains separately with their own keys.
12 Oct 2023 - Email Geeks
5 technical articles
The documentation consistently confirms that DKIM can be set up for subdomains. Each domain or subdomain should have its own DKIM key. It's recommended to sign emails with the domain or subdomain that matches the 'From' address, which helps improve email authentication and reduce the chances of emails being marked as spam. Using SPF, DKIM, and DMARC together provides the best possible protection. While the DKIM standard doesn't explicitly forbid signing with a parent domain, it implies that signing with the domain that matches the 'From' address is preferred.
Technical article
Documentation from RFC 6376, the DKIM standard, explains the technical details of DKIM signing. While it doesn't explicitly forbid signing with a parent domain, it implies that signing with the domain that matches the 'From' address is the intended use case for optimal authentication.
4 Jan 2025 - ietf.org
Technical article
Documentation from Cloudflare explains DKIM authentication and how to add DKIM records to your DNS, but doesn't provide specific information about the use of subdomains.
29 Mar 2022 - Cloudflare
Do I need to set up DMARC for subdomains?
How can I resolve DMARC verification failures when using a subdomain for email sending?
How do DMARC records on subdomains override root domain DMARC policies?
How do I set up DMARC records for subdomains?
How to implement BIMI on a subdomain without affecting the main domain or transactional emails?
Should I add an explicit DMARC record for subdomains?