Do I need multiple DKIM records if I use multiple ESPs like HubSpot, Sendgrid and ActiveCampaign?
Michael Ko
Co-founder & CEO, Suped
Published 3 Aug 2025
Updated 18 Aug 2025
Many of us operate in a world where relying on a single Email Service Provider (ESP) just isn't practical. You might use HubSpot for marketing campaigns, SendGrid for transactional emails, and ActiveCampaign for specific automation sequences. This multi-ESP strategy is common, but it often leads to questions about email authentication, especially with DKIM.
The core question is whether you need a separate DKIM record for each of these services. The short answer is typically yes. Each ESP that sends email on behalf of your domain will likely require its own unique DKIM setup. This ensures that every email leaving your domain, regardless of its origin, is properly authenticated.
Proper email authentication is critical for deliverability. Without it, your emails are far more likely to end up in the spam folder, or worse, be rejected entirely by recipient mail servers. This article will explain why multiple DKIM records are necessary and how to manage them effectively across different ESPs.
DKIM, or DomainKeys Identified Mail, acts as a digital signature for your emails. When an email server receives a message, it uses the DKIM record published in your DNS to verify that the email truly came from your domain and hasn't been tampered with in transit. This verification process is crucial for establishing trust with receiving mail servers.
Each ESP signs emails using its own unique private key. To allow recipient servers to verify these signatures, you must publish the corresponding public key as a DKIM record in your domain's DNS. These records typically include a selector, which is a unique name that identifies the specific public key to use for verification. Since different ESPs will use different keys, they will also require different selectors.
For example, if you use ActiveCampaign and HubSpot, ActiveCampaign will provide you with one or more DKIM records (often CNAMEs pointing to their servers), and HubSpot will provide its own set. These will use different selectors. As stated by DMARCLY, you can have multiple DKIM records on your domain, as long as each uses a unique selector.
Example DKIM CNAME records for ActiveCampaign and HubSpot
The reason each ESP requires its own DKIM record (or set of records) is that each service uses its own cryptographic keys to sign the emails it sends. When an email is sent, the ESP adds a DKIM signature header to the message. This signature is generated using the ESP's private key. The recipient's mail server then looks up the corresponding public key in your domain's DNS records, using the selector specified in the DKIM signature.
If you're using HubSpot for marketing, SendGrid for transactional emails, and ActiveCampaign for sales outreach, each of these platforms needs to sign emails with its own distinct DKIM key. Therefore, you must have separate DKIM records in your DNS for each. This applies not just to marketing ESPs but also to services like Google Workspace for your daily 1:1 communications. If Google Workspace isn't configured to DKIM sign, those emails will lack proper authentication.
Trying to use one DKIM record across multiple, unrelated ESPs would lead to authentication failures, because the public key in your DNS would not match the private key used by the sending ESP to sign the email. This misalignment signals to receiving mail servers that something is amiss, potentially leading to your emails being flagged as spam.
Scenario: single DKIM record for multiple ESPs
Email flow: Emails sent via SendGrid, ActiveCampaign, and HubSpot all try to use a single DKIM record.
Authentication result: Only the ESP associated with that single DKIM record will pass DKIM authentication. Emails from the other ESPs will fail, resulting in DKIM non-alignment.
Deliverability impact: High risk of emails landing in spam folders or being rejected outright, damaging your domain's sending reputation.
Scenario: multiple DKIM records for multiple ESPs
Email flow: Each ESP (SendGrid, ActiveCampaign, HubSpot) has its own dedicated DKIM record with a unique selector.
Authentication result: Emails sent from each ESP successfully pass DKIM authentication, leading to proper alignment for DMARC.
Deliverability impact: Improved inbox placement and stronger domain reputation, reducing the likelihood of being blocklisted (or blacklisted).
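The two scenarios above, replayed as an added example (not code from this article or from any ESP): it reads the `s=` and `d=` tags from a DKIM-Signature header, builds the DNS name a receiver queries, and checks it against a stand-in for your DNS. The messages, the `ac1` selector and the mapping of DNS names to key owners are constructed assumptions; real verification also checks the cryptographic signature.

```python
import email

# Constructed: selector each service puts in s= (s1 and hs1 are the
# article's example selectors; ac1 is hypothetical).
ESP_SELECTORS = {"sendgrid": "s1", "hubspot": "hs1", "activecampaign": "ac1"}

def sample_message(selector, domain="example.com"):
    """Constructed message; bh= and b= are placeholders, not signatures."""
    return (f"From: Example Shop <news@{domain}>\r\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d={domain};\r\n"
            f"\ts={selector}; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
            "Subject: test\r\n\r\nbody\r\n")

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    unfolded = "".join(value.splitlines())  # undo header folding
    pairs = (p.split("=", 1) for p in unfolded.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def key_query_name(raw_message):
    """DNS name a receiver queries for the public key: <s>._domainkey.<d>."""
    msg = email.message_from_string(raw_message)
    tags = parse_tags(msg["DKIM-Signature"])
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def simulate(published, selectors=ESP_SELECTORS):
    """published maps DNS name -> service whose public key is stored there
    (a stand-in for real DNS and key matching, assumed for this example)."""
    results = {}
    for esp, selector in selectors.items():
        name = key_query_name(sample_message(selector))
        owner = published.get(name)
        if owner is None:
            results[esp] = f"fail: no key at {name}"
        elif owner != esp:
            results[esp] = f"fail: key at {name} is {owner}'s"
        else:
            results[esp] = "pass"
    return results

ONE_RECORD = {"s1._domainkey.example.com": "sendgrid"}
PER_ESP = {f"{s}._domainkey.example.com": e for e, s in ESP_SELECTORS.items()}

if __name__ == "__main__":
    for label, zone in (("single record", ONE_RECORD), ("one per ESP", PER_ESP)):
        print(label, simulate(zone))
```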
The impact of missing or misconfigured DKIM
When emails from your domain arrive at a recipient's inbox without proper DKIM authentication, it raises red flags. Mailbox providers (MBPs) like Gmail or Outlook see this as a potential sign of phishing or spoofing, which can severely impact your deliverability. Your messages might be shunted to the spam folder, quarantined, or even outright rejected.
A missing or misconfigured DKIM record means that the email's signature cannot be verified, leading to a DKIM authentication failure. This failure, especially when coupled with DMARC policies, can have immediate and detrimental effects. For instance, if your DMARC policy is set to quarantine or reject, emails failing DKIM will directly suffer. Even with a p=none policy, a pattern of unauthenticated mail can still negatively affect your sending reputation.
Consistently failing DKIM authentication can also lead to your domain or IP address being placed on an email blocklist (or blacklist). Once on a blocklist, your emails will face severe delivery issues, not just with specific ESPs but across all your sending activities. Regularly checking your authentication status is paramount to avoiding these pitfalls.
Warning: DKIM non-alignment risk
If a sending service is not properly configured with its own DKIM record, or if the record is incorrect, emails sent through that service will fail DKIM authentication. This can directly lead to emails going to spam or being rejected, impacting your overall email deliverability and potentially leading to your domain being placed on a blacklist.
Best practices for managing multiple DKIM records
Managing multiple DKIM records can seem complex, but it's a manageable part of maintaining excellent email deliverability. The first step is to obtain the specific DKIM DNS records from each of your ESPs. These will typically be CNAME or TXT records that you need to add to your domain's DNS settings.
Ensure that each record uses a unique selector. If two ESPs provide a record with the same selector, you'll need to contact one of them to get a different selector, or manually change it if your ESP allows it. Some DNS providers limit the number of records you can publish, but the limits are generally generous enough for DKIM. If you're using Google Workspace, ensure its DKIM is set up correctly for 1:1 emails, separate from your marketing ESPs. ActiveCampaign, for instance, provides two CNAME records for DKIM, further illustrating the need for multiple entries.
After setting up your records, regularly verify their proper configuration. You can use various online DKIM checkers to confirm that your records are correctly published and valid. Continuous monitoring is key to catching any issues early and preventing potential deliverability problems.
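One way to run the unique-selector and record checks above before touching DNS, as an added example (not from this article or any ESP's tooling): it takes the records collected from each service and flags selector collisions and unusable TXT keys. All record values, CNAME targets and the `ac1`/`gw1` selectors are constructed placeholders.

```python
from collections import defaultdict

# Constructed records as each service might hand them over. CNAME targets,
# key data and the selectors ac1/gw1 are placeholders, not real values.
RECORDS = [
    ("sendgrid", "s1._domainkey.example.com", "CNAME", "s1.esp-a.example.net"),
    ("hubspot", "hs1._domainkey.example.com", "CNAME", "hs1.esp-b.example.net"),
    ("activecampaign", "s1._domainkey.example.com", "CNAME", "s1.esp-c.example.net"),
    ("workspace", "gw1._domainkey.example.com", "TXT", "v=DKIM1; k=rsa; p="),
]

def txt_problem(data):
    """Return a problem string for a DKIM TXT value, or None if it looks usable."""
    pairs = (t.split("=", 1) for t in data.split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    if tags.get("v", "DKIM1") != "DKIM1":
        return "v= is not DKIM1"
    if "p" not in tags:
        return "no p= tag (no public key)"
    if not tags["p"]:
        return "empty p= (RFC 6376: key revoked)"
    return None

def audit_records(records, domain="example.com"):
    """List problems in a planned set of (service, name, type, data) records."""
    problems, owners = [], defaultdict(set)
    for service, name, rtype, data in records:
        name = name.rstrip(".").lower()
        owners[name].add(service)
        if not name.endswith("._domainkey." + domain):
            problems.append(f"{service}: {name} is outside _domainkey.{domain}")
        if rtype == "TXT" and (issue := txt_problem(data)):
            problems.append(f"{service}: {name}: {issue}")
    for name, services in sorted(owners.items()):
        if len(services) > 1:
            problems.append(f"selector collision at {name}: "
                            + ", ".join(sorted(services)))
    return problems

if __name__ == "__main__":
    for line in audit_records(RECORDS):
        print(line)
```

CNAME records are only checked for name and collisions here; the key they point to has to be confirmed by resolving the target once the record is live.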
Best practice: Unique selectors
Action to take: Ensure each ESP provides a DKIM record with a distinct selector (e.g., s1._domainkey, hs1._domainkey).
Why it matters: Prevents conflicts in DNS and ensures each signature can be properly validated.

Best practice: DNS publication
Action to take: Add all required CNAME or TXT records to your domain's DNS, exactly as provided by each ESP.
Why it matters: Makes the public keys accessible for recipient mail servers to verify email signatures.

Why it matters: Identifies configuration errors or expired keys quickly, preventing deliverability drops.
Views from the trenches
Best practices
Always retrieve specific DKIM records from each individual ESP.
Verify that each DKIM selector is unique per sending service.
Regularly check your DMARC reports to identify any DKIM authentication failures.
Common pitfalls
Assuming one DKIM record is enough for all email sending services.
Not configuring DKIM for internal 1:1 emails sent via your primary email provider.
Ignoring DMARC reports that show DKIM authentication failures.
Expert tips
"I've found it's essential to have a separate DKIM record for every email service provider to ensure proper authentication across the board."
"Many clients experience deliverability issues with 1:1 emails because their Google Workspace accounts lack proper DKIM signing. It's an easy fix that makes a huge difference."
"ActiveCampaign now uses two CNAME records for DKIM, highlighting the importance of following each ESP's specific instructions for setup."
Expert view
Expert from Email Geeks says DKIM requires each mail sent to be signed, so if Google Workspace is not configured to sign DKIM, the mail sent from there is not signed. This is often an easy fix.
December 6, 2023 - Email Geeks
Marketer view
Marketer from Email Geeks says they have seen many recent client issues due to missing DKIM for their Google Workspace accounts.
December 7, 2023 - Email Geeks
Ensuring robust email authentication
In summary, if you're leveraging multiple ESPs like HubSpot, SendGrid, and ActiveCampaign, or even your internal Google Workspace for email sending, you absolutely need a unique DKIM record (or set of records) for each. This isn't overkill, it's a fundamental requirement for maintaining strong email authentication and ensuring your messages reliably reach the inbox.