
How is DKIM precedence determined when double signing emails?

Michael Ko
Co-founder & CEO, Suped
Published 14 May 2025
Updated 19 Aug 2025
Sending emails effectively requires robust authentication. DKIM (DomainKeys Identified Mail) is a critical component, helping recipients verify that an email truly originated from the claimed domain and hasn't been tampered with. Sometimes, an email might carry more than one DKIM signature, a practice known as double signing. This often occurs when using an Email Service Provider (ESP) that adds its own signature alongside yours.
When multiple signatures are present, a common question arises: how is DKIM precedence determined? Does one signature carry more weight or get checked first? The concept of "precedence" isn't exactly how DKIM or DMARC (Domain-based Message Authentication, Reporting, and Conformance) operates. Instead, it's about validation.
The underlying principle is that if an email has multiple DKIM signatures, each one is evaluated independently. For a message to pass DMARC, at least one of these signatures must be valid and aligned with the From domain. This approach provides flexibility and redundancy in email authentication.

The mechanics of multiple DKIM signatures

An email can indeed contain multiple DKIM-Signature headers. This is a legitimate scenario, and not indicative of a problem. Common reasons for this include using an ESP that signs emails with its own domain in addition to your primary sending domain.
This practice, sometimes referred to as double DKIM signing, is often necessary for various reasons. For example, some ESPs add a shared signature to help maintain their own sending reputation, even when you've configured your own dedicated DKIM record. Other times, it might be part of a migration process where you gradually roll out new keys alongside old ones. You can learn more about why double signing is necessary in certain situations.
Critically, RFC 7489, which defines DMARC, explicitly states that a message passes DMARC if any DKIM signature is verified and has DMARC identifier alignment. This means the system isn't looking for a single "best" or "primary" signature, but rather for any valid one that meets the authentication criteria. As such, there is no strict precedence order defined in the DKIM specification itself for how signatures are evaluated. Some mailbox providers may have their own internal weighting, but it is dynamic rather than fixed.

How multiple DKIM signatures are validated

When an email arrives at a recipient's mail server, each DKIM signature present in the email header is checked independently. This involves a series of steps for each signature:
  1. Retrieve the public key: The mail server extracts the selector and domain from the DKIM-Signature header and queries the sender's DNS for the corresponding public key.
  2. Verify header integrity: The server uses the public key to decrypt the hash of the email headers included in the signature. It then re-calculates the hash of the relevant headers and compares it.
  3. Verify body integrity: Similarly, the server decrypts the body hash and compares it to a re-calculated hash of the email body.
If a DKIM signature passes these checks, it means the email has not been tampered with since it was signed, and it genuinely originated from the domain specified in that signature. If even one of the multiple signatures passes validation and aligns with the From domain, the email has satisfied the DKIM requirement for DMARC.
This independent validation ensures robustness. If one signature fails (e.g., due to a minor header modification or an expired key), another valid signature can still ensure the email passes authentication checks. This redundancy is a key advantage of double signing.

All valid signatures matter

When multiple DKIM signatures are present, a receiving mail server will validate each one. The email is considered authenticated via DKIM if at least one of these signatures successfully verifies and aligns with the organizational domain of the RFC 5322 From header. There is no inherent order of precedence or priority among valid DKIM signatures.

DMARC's role in multi-DKIM scenarios

Shared ESP DKIM

Many ESPs (Email Service Providers) automatically add their own DKIM signature (often referred to as a "shared" signature) to your outgoing emails. This signature is typically from the ESP's domain, not your own.
  1. Reputation management: Helps the ESP manage its own sending reputation across its customer base.
  2. Default setup: Often the default or easiest setup, requiring minimal configuration from the sender.
  3. Less control: Senders have less direct control over this signature and its associated reputation.
  4. Less direct impact: The reputation built on this signature is primarily tied to the ESP's sending infrastructure, not directly to your brand's domain.

Your brand DKIM

This is the DKIM signature that uses your own domain (d=yourdomain.com) and a selector you control. You configure the public key in your DNS records.
  1. Brand control: Directly links your brand's domain to the email's authenticity, reinforcing your sender identity.
  2. Direct reputation: Builds a sender reputation directly for your domain, which is crucial for long-term deliverability.
  3. DMARC alignment: Essential for DMARC alignment, as the d= tag of the DKIM signature must match the From domain.
  4. Preferred by receivers: Often given more weight by receiving mail servers, as it directly authenticates your brand.
DMARC unifies SPF and DKIM authentication results. Its primary goal is to ensure that the domains identified by SPF and DKIM align with the From domain visible to the recipient. When it comes to multiple DKIM signatures, DMARC's rule is clear: if any of the DKIM signatures passes authentication and aligns with the From domain, the DMARC check for DKIM will pass.
This is a crucial distinction. It means you don't need all signatures to pass, nor does one need to "win" over another. The presence of at least one valid and aligned signature is sufficient for DMARC. For instance, an ESP might add its own signature, and you might add yours. If your signature passes and aligns, the email will pass DMARC, even if the ESP's signature somehow fails. For more details on this, you can look at what is stated in the AWS email service documentation.
This mechanism offers resilience. It ensures that if one signing method encounters an issue, the other can still provide the necessary authentication for DMARC compliance. It also explains why ESPs double sign emails, sometimes to protect their own infrastructure reputation, and sometimes to provide a fallback in case the customer's DKIM setup is incorrect or revoked.
Example with multiple DKIM signatures
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; h=from:to:subject:date:message-id; bh=...; b=...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=espservice.com; s=default; h=from:to:subject:date:message-id; bh=...; b=...
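
The DMARC rule described above, as an added Python example (not code from the original article or from any mailbox provider): it reads every dkim= entry from an Authentication-Results header and passes the DKIM leg if any verified signature aligns with the From domain, whatever order the entries appear in. The header values and the receiver name are constructed, and org_domain is a simplifying assumption that takes the last two labels instead of consulting the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (this shortcut is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dkim_results(auth_results):
    """Return one dict per dkim= entry of an Authentication-Results value."""
    entries = []
    for clause in auth_results.split(";"):
        m = re.match(r"\s*dkim=(\w+)", clause)
        if not m:
            continue  # authserv-id, spf=, dmarc= and other clauses
        d = re.search(r"header\.d=([^\s;]+)", clause)
        s = re.search(r"header\.s=([^\s;]+)", clause)
        entries.append({"result": m.group(1).lower(),
                        "d": d.group(1).lower() if d else None,
                        "s": s.group(1) if s else None})
    return entries

def dmarc_dkim(from_domain, entries, strict=False):
    """DKIM leg of DMARC: pass if ANY signature verified and is aligned."""
    aligned = []
    for e in entries:
        if e["result"] != "pass" or not e["d"]:
            continue  # a failed signature neither helps nor hurts
        if strict:
            ok = e["d"] == from_domain.lower()
        else:
            ok = org_domain(e["d"]) == org_domain(from_domain)
        if ok:
            aligned.append(e["d"])
    return ("pass" if aligned else "fail"), aligned

# Constructed headers reusing the d= and s= values from the example above.
BRAND_PASSES = ("mx.receiver.example; dkim=fail header.d=espservice.com "
                "header.s=default; dkim=pass header.d=example.com header.s=s1")
ESP_ONLY = ("mx.receiver.example; dkim=pass header.d=espservice.com "
            "header.s=default; dkim=fail header.d=example.com header.s=s1")

if __name__ == "__main__":
    for name, hdr in (("brand passes", BRAND_PASSES), ("ESP only", ESP_ONLY)):
        print(name, dmarc_dkim("example.com", parse_dkim_results(hdr)))
```

In the second header the ESP signature verifies, but its d= domain is not aligned with the From domain, so the DKIM leg of DMARC fails.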

Impact on deliverability and sender reputation

While there isn't strict precedence, the presence and validity of your own brand's DKIM signature are paramount for email deliverability. Receiving mail servers, especially major ones like Google and Yahoo, heavily rely on the reputation associated with the domain that aligns with your From address. A valid and aligned brand DKIM signature signals authenticity and trustworthiness directly from your domain.
If you are double signing, always prioritize ensuring your own domain's DKIM signature is correctly configured and working. This helps build and maintain your sender reputation directly, which is vital for getting your emails into the inbox rather than the spam folder. An ESP's shared signature can provide a baseline of trust for their IPs, but your own domain's reputation is what truly differentiates your sending.
It is wise to monitor your email authentication results regularly. DMARC reports provide invaluable insights into how your DKIM signatures are performing and which ones are being validated. This vigilance helps in troubleshooting any DKIM errors and ensuring optimal email deliverability.
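
One way to do this monitoring, as an added Python example (not the article's or any vendor's code): it tallies each signing domain and selector in a DMARC aggregate report and counts "masked" failures, meaning messages where one signature failed while DMARC's DKIM result still passed because another signature carried it. The report is constructed, follows the RFC 7489 aggregate-report layout, and is assumed to have no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; the IPs are documentation addresses.
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
   <dkim><domain>espservice.com</domain><selector>default</selector><result>fail</result></dkim>
  </auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.11</source_ip><count>30</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><selector>s1</selector><result>fail</result></dkim>
   <dkim><domain>espservice.com</domain><selector>default</selector><result>pass</result></dkim>
  </auth_results>
 </record>
</feedback>"""

def signature_stats(report_xml):
    """Per (domain, selector): message counts for pass, fail and masked fail."""
    # Reports come from third parties: use a hardened XML parser such as
    # defusedxml when handling real, untrusted report files.
    stats = defaultdict(lambda: {"pass": 0, "fail": 0, "masked": 0})
    for rec in ET.fromstring(report_xml).iter("record"):
        count = int(rec.findtext("row/count", "0"))
        dmarc_dkim = rec.findtext("row/policy_evaluated/dkim", "").strip()
        for sig in rec.iterfind("auth_results/dkim"):
            key = (sig.findtext("domain", "").strip().lower(),
                   sig.findtext("selector", "").strip())
            ok = sig.findtext("result", "").strip() == "pass"
            stats[key]["pass" if ok else "fail"] += count
            if not ok and dmarc_dkim == "pass":
                stats[key]["masked"] += count  # hidden behind another signature
    return dict(stats)

if __name__ == "__main__":
    for key, counts in signature_stats(SAMPLE_REPORT).items():
        print(key, counts)
```

The second record shows the opposite case: the ESP signature verifies, but DMARC's DKIM result is still fail because the only passing signature is not aligned with example.com.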

| Factor | Description | Impact on deliverability |
| --- | --- | --- |
| Domain alignment | DKIM's d= (signing) domain matches the visible From domain. This is the cornerstone of DMARC alignment. | Provides the strongest authentication signal, directly linking email to your brand. Critical for DMARC pass. |
| Signing domain reputation | The sender reputation of the domain used for signing the email. | A good reputation for the signing domain (especially your own) significantly improves inbox placement and avoids blocklists (or blacklists). |
| Mailbox provider policies | Each ISP (Internet Service Provider) or mailbox provider has its own algorithms for weighing authentication signals. | Can influence which valid signature a particular provider might prioritize for its internal scoring, even if DMARC passes for both. |

Views from the trenches

Best practices
Always aim for your brand's DKIM signature to pass and align, as it carries the most weight for your domain's reputation and deliverability.
Monitor DMARC reports regularly to identify if any of your DKIM signatures are consistently failing, even if others are passing successfully.
Ensure all domains involved in signing, including your own and any ESP domains, maintain strong and positive sending reputations.
Common pitfalls
Relying solely on an Email Service Provider's shared DKIM signature without configuring your own brand DKIM record.
Failing to configure the brand DKIM record correctly, which can lead to validation failures despite double signing.
Neglecting to monitor DMARC reports, thus missing critical issues with one or more of your DKIM signatures.
Expert tips
When migrating between ESPs, use double signing temporarily to ensure continuity of authentication and a smoother transition.
For critical transactional emails, having multiple valid DKIM signatures can serve as a redundancy, improving overall delivery rates.
Understand that while DMARC only requires one valid DKIM signature, some mailbox providers may still internally weight the significance of different signing domains dynamically.
Expert view
Expert from Email Geeks says: Some mailbox providers care about the order, but from experience, the network key (ESP's) should be checked first, then the brand key.
2020-04-28 - Email Geeks
Marketer view
Marketer from Email Geeks says: Even if the network key passes, the brand key is still checked.
2020-04-28 - Email Geeks

Final thoughts on robust email authentication

The idea of DKIM "precedence" when double signing is often a misinterpretation of how email authentication works. Instead of one signature taking priority, it's about each signature contributing to a holistic validation process. As long as at least one valid and aligned DKIM signature exists, the email meets the necessary DMARC requirements.
For optimal email deliverability and to build strong domain reputation, it is always advisable to have your own brand's DKIM signature correctly implemented and actively monitored. While ESP shared signatures provide a safety net, your brand's signature is what truly establishes your email's trustworthiness in the eyes of receiving mail servers.
Staying informed about email authentication best practices and regularly reviewing DMARC reports will help ensure your emails consistently reach their intended inboxes, regardless of how many DKIM signatures they carry.
