Do I need multiple DKIM records if I use multiple ESPs like HubSpot, Sendgrid and ActiveCampaign?

Key findings

• Separate DKIM records: Each distinct ESP you use to send emails from your domain typically requires its own unique DKIM record to ensure proper signing and authentication.
• Authentication alignment: For DMARC alignment to succeed, both SPF and DKIM must pass, and their domains must align with the 'From' header domain. This often means each ESP must sign emails with a DKIM record specific to it, or you must configure your own custom DKIM for each.
• Deliverability impact: A missing or misconfigured DKIM record for any sending source can lead to emails failing authentication checks, resulting in messages being sent to spam or rejected. This is critical for 1:1 emails sent via platforms like Google Workspace if not properly configured.
• DNS records: Each ESP will provide CNAME or TXT records for DKIM that must be added to your domain's DNS. These records contain the public keys mail servers use to verify the email's authenticity.

Key considerations

• ESP-specific setup: Each ESP has its own process for generating and adding DKIM records. Follow their specific instructions carefully. For example, setting up DKIM for SendGrid often involves multiple CNAME records.
• Google Workspace DKIM: Ensure your Google Workspace account has a properly configured DKIM record, especially for 1:1 emails, as it's not always enabled by default if you don't use Google Domains. Learn how to properly set up SPF and DKIM.
• Monitoring DMARC reports: Regularly review your DMARC reports to identify any authentication failures and determine which sending sources are causing issues due to misconfigured or missing DKIM. This helps maintain good email deliverability.
• Return path: Be aware that some ESP features, like custom return paths, might be restricted to higher-tier plans, which can influence how you manage authentication for different services.

Key opinions

• Discrepancy in deliverability: Marketers note that 1:1 emails from Google Workspace might go to spam, while marketing emails from dedicated ESPs using the same domain deliver fine, highlighting an authentication gap.
• Missing DKIM for 1:1 emails: A common observation is the absence of a DKIM record specifically for the domain when sending through Google Workspace for personal or transactional emails.
• Need for alignment: Marketers question if SPF, DKIM, and DMARC must align based on the email's origin, which is a key aspect of preventing spoofing and ensuring trust.
• Multiple DKIM records: There's a strong consensus that using multiple ESPs (e.g., HubSpot, SendGrid, ActiveCampaign) requires a unique DKIM record for each to ensure proper authentication across all platforms.

Key considerations

• Verifying each sender: Ensure every service sending on your behalf, including your primary email provider like Google Workspace, has DKIM properly set up.
• Domain authentication guide: Consult specific guides for ESPs like ActiveCampaign to authenticate your domain for DMARC, DKIM, and SPF, ensuring comprehensive setup.
• Holistic authentication strategy: Implement a strategy that covers all email sending points, not just marketing. This includes 1:1 emails, transactional emails, and any other automated sends. Read our guide on email authentication for multiple ESPs.
• DMARC policy adjustment: If issues arise, temporarily adjusting your DMARC policy from 'quarantine' to 'none' can help diagnose authentication problems without blocking emails.

Key opinions

• Individual DKIM configuration: Experts affirm that each email sent requires a DKIM signature, meaning if an ESP (like Google Workspace) isn't configured for DKIM signing, its emails will be unsigned, which can cause deliverability issues.
• Common client issues: Many clients experience deliverability problems stemming from a lack of proper DKIM setup for their Google Workspace accounts, emphasizing a common oversight.
• Confirmatory need: It is confirmed that if you use multiple ESPs (e.g., HubSpot, SendGrid, ActiveCampaign), you will indeed need a separate DKIM record for each to ensure authentication alignment.
• ESP-specific DKIM nuances: Specific ESPs, such as ActiveCampaign, may update their DKIM requirements, potentially moving to multiple CNAME records instead of a single one, highlighting the dynamic nature of these configurations.

Key considerations

• Proactive DKIM setup: While Google Workspace might default to signing with Google's domains, direct DKIM setup for your own domain is crucial, especially if you're not using Google Domains for your DNS. Learn how to set up DKIM on G Suite.
• Verifying DNS records: Always verify that the correct DKIM records provided by each ESP are accurately published in your domain's DNS. This is a common point of error. Find more information on setting up HubSpot domains, SPF, and DKIM.
• Feature limitations: Some advanced features, like custom return paths, might be limited to specific tiers of ESP services, which could influence your technical setup and deliverability strategy.
• Deliverability impact: The absence or misconfiguration of DKIM can significantly impair email deliverability, leading to legitimate emails being marked as spam or blocked by recipient mail servers.

Key findings

• Distinct signing entities: Each ESP sending on behalf of your domain is considered a separate signing entity, necessitating its own DKIM configuration.
• Public key publishing: For each ESP, a unique DKIM public key must be published in your domain's DNS, typically as a CNAME or TXT record, to allow for signature verification.
• Unique selectors: To accommodate multiple DKIM records for the same domain, each record is identified by a unique selector, allowing distinct keys for different senders. Learn about DKIM selector name examples.
• DMARC alignment: Proper DKIM configuration for all sending sources is vital for achieving DMARC alignment, which strengthens your email's authenticity and deliverability.

Key considerations

• Adherence to specifications: Follow the precise instructions provided by each ESP, as their DKIM setup processes can differ in terms of record types and values.
• DNS management: Ensure your DNS provider supports the necessary record types (CNAME, TXT) and allows for the publication of multiple DKIM records under different selectors for the same domain.
• Comprehensive authentication: Beyond DKIM, ensure SPF records are also correctly configured for all sending sources to support DMARC alignment and improve overall email authentication. More on mastering email authentication and deliverability.
• Regular validation: Periodically validate your DKIM records to ensure they are correctly published and active, as DNS changes or ESP updates can sometimes invalidate existing records.