Suped

Can DKIM be set up on a subdomain, and which domain should be used for signing?

Summary

The majority of sources agree that DKIM can be set up on subdomains and that each domain/subdomain requires its own DKIM key. The most common recommendation is that the signing domain should match the domain used in the 'From' address to improve email authentication, deliverability, and sender reputation. Using SPF, DKIM, and DMARC together is advised for optimal protection. One source recommends signing with the 'envelope from' domain instead, a point that requires further investigation. Setting up DKIM on a subdomain helps protect the primary domain's reputation in case of email server issues.

Key findings

  • DKIM on Subdomains: DKIM can be configured on subdomains.
  • Individual Keys: Each domain and subdomain needs its own DKIM key.
  • From Address Alignment: The DKIM signing domain should generally match the domain in the 'From' address for optimal deliverability and authentication.
  • Holistic Approach: Using SPF, DKIM, and DMARC together provides the best email authentication.
  • Reputation Isolation: Using a subdomain for email helps isolate reputation problems and protect the main domain.

Key considerations

  • Signing Choice: Determine whether to sign with the 'From' address domain or the 'envelope from' domain. The majority of sources point to the 'From' address domain.
  • Key Length: Consider using a key length of 2048 bits for improved security, as recommended by Google.
  • Comprehensive Setup: Implement SPF, DKIM, and DMARC together for robust email authentication.
  • Validation: Verify that DKIM is implemented correctly by checking email headers after implementation.
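
One way to carry out the header check described above, as an added example that is not part of the original page: it reads each DKIM-Signature header, compares its d= domain with the 'From' domain, and derives the DNS name where the public key must be published. The message, selectors and domains are constructed samples; the code only inspects which domain signed and does not verify the signature cryptographically.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the page): mail sent from a subdomain and signed
# twice, once by the subdomain and once by the parent domain.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newsletter.example.com;
 s=sel2048; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=corp; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: News <news@newsletter.example.com>
To: reader@example.net
Subject: constructed sample

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def relation(signing, from_domain):
    """Describe how the signing domain (d=) relates to the 'From' domain."""
    s, f = signing.lower().rstrip("."), from_domain.lower().rstrip(".")
    if s == f:
        return "exact"       # the setup the page recommends
    if f.endswith("." + s):
        return "parent"      # e.g. example.com signing for newsletter.example.com
    if s.endswith("." + f):
        return "child"
    return "unrelated"       # e.g. a third-party sender's own domain

def check_signatures(raw):
    """Return the From domain and, per signature, d=, s=, key DNS name, relation."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", ""), tags.get("s", "")
        results.append({"d": d, "selector": s, "dns_name": f"{s}._domainkey.{d}",
                        "relation": relation(d, from_domain)})
    return from_domain, results
```

Whether a signature actually validated is reported by the receiving server, typically in the Authentication-Results header, so read that alongside the relation shown here.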

What email marketers say

9 marketer opinions

The consensus is that DKIM can indeed be set up on subdomains. The recommended practice is to sign with the domain matching the 'From' address of the email. This means if you're sending from a subdomain (e.g., sales.example.com), you should configure DKIM for that specific subdomain. This approach improves email authentication, deliverability, and sender reputation. A few answers recommend signing with the 'envelope from' domain instead, so this warrants further investigation.

Key opinions

  • Subdomain DKIM: DKIM can be set up on subdomains.
  • Signing Domain: The domain used for DKIM signing should ideally match the 'From' address domain or subdomain.
  • Improved Deliverability: Proper DKIM configuration enhances email deliverability and sender reputation.
  • Individual Records: Each subdomain should have its own SPF/DKIM records.

Key considerations

  • Domain Alignment: Ensure proper alignment between the 'From' address domain and the DKIM signing domain.
  • Security: Using subdomains for email can help isolate reputation issues and protect the main domain.
  • Comprehensive Authentication: Consider using SPF, DKIM, and DMARC together for the best email authentication.
  • Alternative Viewpoints: A minority of answers recommend signing with the 'envelope from' domain instead; this warrants further investigation.

Marketer view

Marketer from Email Geeks clarifies that you only need to sign with the header from domain for DKIM.

10 Oct 2024 - Email Geeks

Marketer view

Email marketer from SparkPost explains that using subdomains for sending email is a common practice, and DKIM should be configured for each subdomain used. They recommend generating separate DKIM keys for each subdomain to maintain proper authentication.

22 Nov 2023 - SparkPost

What the experts say

2 expert opinions

Both sources agree that DKIM can be set up for subdomains. Each domain needs its own DKIM key. The signing domain should match the domain used in the 'From' address of the email. Therefore, if sending from a subdomain like newsletter.example.com, the DKIM signature should also be for newsletter.example.com, not the root domain.

Key opinions

  • DKIM on Subdomains: DKIM can be configured on subdomains.
  • Separate Keys: Each domain and subdomain requires its own unique DKIM key.
  • From Address Matching: The DKIM signing domain should align with the domain used in the 'From' address of the email.

Key considerations

  • Correct Configuration: Ensure that the DKIM signature is created using the key associated with the sending domain or subdomain.
  • Alignment: Maintain alignment between the 'From' address domain and the DKIM signing domain for better deliverability.

Expert view

Expert from wordtothewise.com answers that DKIM signing happens on a domain. The signing domain should be the domain used in the 'From' address. If a message is sent from a subdomain like `newsletter.example.com`, then the DKIM signature should be for `newsletter.example.com` not the root domain `example.com`.

14 Jun 2024 - wordtothewise.com

Expert view

Expert from Email Geeks explains that you need to DKIM sign all domains separately with their own keys.

12 Oct 2023 - Email Geeks

What the documentation says

5 technical articles

The documentation consistently confirms that DKIM can be set up for subdomains. Each domain or subdomain should have its own DKIM key. It's recommended to sign emails with the domain or subdomain that matches the 'From' address, which helps improve email authentication and reduce the chances of emails being marked as spam. Using SPF, DKIM, and DMARC together provides the best possible protection. While the DKIM standard doesn't explicitly forbid signing with a parent domain, it implies that signing with the domain that matches the 'From' address is preferred.

Key findings

  • DKIM on Subdomains: DKIM can be configured on subdomains.
  • Individual Keys: Each domain/subdomain needs its own DKIM key.
  • Match 'From' Address: Signing with the domain/subdomain matching the 'From' address is recommended.
  • Enhanced Security: Using SPF, DKIM, and DMARC together improves protection.

Key considerations

  • Key Length: Consider using a 2048-bit key length for improved security (as recommended by Google).
  • Proper Alignment: Ensure alignment between the 'From' address and DKIM signing domain for optimal authentication.
  • Comprehensive Approach: Implement SPF, DKIM, and DMARC for robust email authentication.

Technical article

Documentation from RFC 6376, the DKIM standard, explains the technical details of DKIM signing. While it doesn't explicitly forbid signing with a parent domain, it implies that signing with the domain that matches the 'From' address is the intended use case for optimal authentication.

4 Jan 2025 - ietf.org

Technical article

Documentation from Cloudflare explains DKIM authentication and how to add DKIM records to your DNS, but doesn't provide specific information about the use of subdomains.

29 Mar 2022 - Cloudflare
