
What are the advantages and disadvantages of double signing DKIM by ESPs?

Michael Ko
Co-founder & CEO, Suped
Published 11 May 2025
Updated 16 Aug 2025
Email authentication is a crucial aspect of ensuring messages reach their intended recipients and are not flagged as spam or phishing attempts. Among the various authentication protocols, DomainKeys Identified Mail (DKIM) stands out for its ability to verify the sender's domain and message integrity. It uses cryptographic signatures to assure recipients that an email was indeed sent by the domain it claims to be from and that it hasn't been tampered with in transit.
When sending emails through a third-party Email Service Provider (ESP), the question often arises about how DKIM signatures should be handled. Many modern ESPs offer customers the option to set up a custom DKIM signature for their 'friendly from' domain. This means the customer's domain, say yourcompany.com, is used in the DKIM 'd=' tag, providing strong brand alignment and trust.
However, some ESPs employ a practice known as double DKIM signing. This involves signing outgoing emails with both the customer's domain (e.g., d=yourcompany.com) and the ESP's own domain (e.g., d=esp-sending.net). While it might seem redundant to have two signatures, this practice has specific advantages and disadvantages that impact email deliverability and sender reputation, extending beyond just Google Postmaster Tools (GPT).

The role of DKIM in email authentication

DKIM functions by adding a cryptographic signature to the email header. This signature is generated using a private key held by the sending server and can be verified by the recipient server using a public key published in the sender's DNS records. This process ensures that the email content has not been altered since it was signed and that it originates from an authorized sender.
When an ESP sends email on behalf of a customer, it typically manages the sending infrastructure, including the IP addresses and mail servers. To ensure proper authentication and deliverability, the ESP needs to sign the emails. The most common approach is for the customer to delegate DKIM signing authority to the ESP by creating a CNAME record that points to the ESP's DKIM key. This allows the ESP to sign emails with the customer's domain.
The ESP's own domain also carries significant reputation. By maintaining its own DKIM signature, the ESP can protect its sending infrastructure's reputation independently of individual customer sending habits. This dual-signature approach, where both the customer's domain and the ESP's domain sign the email, allows for a layered authentication strategy that can offer benefits for both parties.
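As an added illustration (not code from Suped or any ESP), the Python sketch below reads the DKIM-Signature headers of a double-signed message and derives the DNS name where a receiver looks up each public key. The message and the selectors `esp1` and `shared2025` are constructed placeholders.

```python
# Added example: list the DKIM signatures on a double-signed message and the
# DNS name where a receiver fetches each signer's public key.
from email import message_from_string

# Constructed sample message; selectors and bh=/b= values are placeholders.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.com;
 s=esp1; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp-sending.net;
 s=shared2025; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: News <news@yourcompany.com>
To: user@example.org
Subject: Hello

Body
"""

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            # Split on the first "=" only: base64 values may end in "=" padding.
            name, _, val = part.partition("=")
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def list_signatures(raw):
    """Return one record per DKIM-Signature header, in header order."""
    msg = message_from_string(raw)
    records = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        domain = tags["d"].lower()
        records.append({
            "domain": domain,
            "selector": tags["s"],
            # The public key (or a CNAME delegating to the ESP's key) lives here.
            "key_dns_name": f'{tags["s"]}._domainkey.{domain}',
            "signs_from": "from" in tags.get("h", "").lower().split(":"),
        })
    return records

if __name__ == "__main__":
    for record in list_signatures(RAW):
        print(record)
```

With CNAME delegation, the first name is the record the customer creates in their own zone, while the second is published by the ESP.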

Benefits of double DKIM signatures

Double DKIM signing provides several notable advantages, particularly concerning feedback loops (FBLs) and overall deliverability. One significant benefit for ESPs is streamlined access to FBL data from major mailbox providers like Yahoo. FBLs provide crucial insights into user complaints, helping ESPs identify and address issues that might lead to being listed on a blacklist or blocklist. If an ESP's own domain is signed, they can receive FBL reports without needing explicit coordination with each customer, allowing for more proactive reputation management. Double DKIM signing is, in this sense, a method ESPs use to collect FBL data, including Yahoo's, for deliverability.
Another key advantage lies in how mailbox providers assess sender reputation. While the customer's domain reputation is paramount for brand recognition and DMARC alignment, the ESP's sending domain also contributes to the overall deliverability of the email. If the ESP's domain maintains a strong reputation through its own DKIM signature, it can positively influence the inbox placement of all emails sent through its platform, even if a customer's specific sending practices are less than ideal. This provides a safety net, potentially reducing the impact of a single customer's poor sending behavior on the entire ESP network.
Furthermore, double signing can provide redundancy and flexibility. In scenarios where a customer's DKIM record might be misconfigured, revoked, or undergoing changes, the ESP's signature can act as a fallback, ensuring that the email still passes at least one DKIM validation check. This helps maintain a base level of authentication, preventing emails from being immediately rejected or sent to spam folders due to a single authentication failure. For more general information about DKIM, this article about the fundamentals of DKIM is quite helpful.

ESP benefits

  1. Improved FBL access: Enables Gmail and Yahoo feedback loop access for better deliverability insights.
  2. Consistent reputation: Builds and maintains the ESP's own sending reputation regardless of customer actions.
  3. Fallback authentication: Provides a backup if the customer's DKIM record has issues, ensuring some level of validation.

Customer benefits

  1. Enhanced deliverability: Leverages the ESP's established sending reputation for better inbox placement.
  2. Simplified DMARC compliance: Supports DMARC alignment through the ESP's domain, even if the customer's DKIM fails.
  3. Reduced effort: Less direct management of complex authentication issues for the customer.

Potential drawbacks and complexities

While double DKIM signing offers clear benefits, it also introduces certain complexities and potential drawbacks. One concern is the increase in email header size. Each DKIM signature adds a header to the email, and while typically small, multiple signatures can contribute to larger headers, which might, in rare cases, trigger size limits at some receiving mail servers or introduce slight processing delays. However, this is generally a minor concern for most modern systems.
Another potential disadvantage relates to troubleshooting and debugging. When an email fails authentication, identifying the exact cause can be more challenging with two signatures. Is the issue with the customer's DKIM setup or the ESP's? This can complicate diagnosing deliverability problems and might require more sophisticated email deliverability testing tools and expertise to pinpoint the failing signature.
Misunderstandings about DKIM precedence (how different signatures are evaluated by receiving servers) could also arise. While DMARC typically aligns with the From: domain's DKIM signature, the presence of a second signature might confuse less robust mail transfer agents (MTAs) or custom filters, potentially leading to incorrect classifications. Although generally harmless, this complexity can be a factor for highly sensitive email environments. You can learn more about this by checking out the article on DKIM precedence.

Key considerations for ESPs

  1. DMARC alignment: Ensure that at least one of the DKIM signatures aligns with the From: domain for DMARC pass. This is crucial for email security.
  2. Reputation management: Actively monitor the reputation of both the customer's domain and the ESP's sending domain.
  3. Client education: Clearly communicate the benefits and implications of double signing to customers.
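
The troubleshooting question raised above (which of the two signatures failed?) and the DMARC alignment consideration can both be answered from the receiver's Authentication-Results header. The following Python is an added example, not part of the original article; the header value, receiver name and selectors are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
# Added example: report which DKIM signature passed on a double-signed message
# and whether any passing signature is DMARC-aligned with the From: domain.
import re

# Constructed Authentication-Results value (RFC 8601 style); all names are placeholders.
AUTH_RESULTS = (
    "mx.receiver.example; "
    "dkim=fail (body hash mismatch) header.d=yourcompany.com header.s=esp1; "
    "dkim=pass header.d=esp-sending.net header.s=shared2025; "
    "spf=pass smtp.mailfrom=bounce.esp-sending.net"
)

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain. Real
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_results(auth_results):
    """Return [(result, d= domain)] for every dkim= entry in the header."""
    found = []
    # Simplification: assumes no ";" appears inside parenthesised comments.
    for entry in auth_results.split(";"):
        result = re.match(r"\s*dkim=(\w+)", entry)
        domain = re.search(r"header\.d=([\w.-]+)", entry)
        if result and domain:
            found.append((result.group(1).lower(), domain.group(1).lower()))
    return found

def triage(auth_results, from_domain):
    """Summarise per-signature DKIM results and relaxed DMARC alignment."""
    results = dkim_results(auth_results)
    passing = [d for r, d in results if r == "pass"]
    aligned = [d for d in passing if org_domain(d) == org_domain(from_domain)]
    return {
        "dkim_pass": passing,
        "dkim_not_pass": [d for r, d in results if r != "pass"],
        "dmarc_dkim_aligned": bool(aligned),  # relaxed alignment only
    }

if __name__ == "__main__":
    print(triage(AUTH_RESULTS, "yourcompany.com"))
```

In the constructed header only the ESP's signature passes, so the message carries a valid DKIM signature but none that is aligned with the From: domain.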

Optimizing email authentication and deliverability

Ultimately, the decision to implement double DKIM signing rests with the ESP, often driven by a strategic balance between maximizing deliverability for all customers and managing internal infrastructure efficiently. The primary drivers are often related to gaining comprehensive feedback loop data from major mailbox providers. This provides ESPs with a more complete picture of how their sending infrastructure is performing, enabling them to make data-driven decisions to improve deliverability across the board.
From a deliverability perspective, having multiple valid DKIM signatures can be advantageous. If one signature somehow becomes invalid or fails verification due to a transient issue, the presence of another valid signature can still ensure the email passes authentication checks. This redundancy can be a lifesaver in preventing legitimate emails from being flagged as suspicious, especially as mailbox providers continue to tighten their email authentication requirements.
For email senders, it's important to understand these mechanisms and work closely with their ESPs to ensure optimal authentication. While the complexities of double signing are largely handled by the ESP, knowing its purpose helps in understanding deliverability reports and making informed decisions about email sending practices. Implementing authentication protocols such as DMARC, SPF, and DKIM is critical for email security and deliverability. The advantages of DKIM signatures include improved deliverability, enhanced security, and brand reputation management.

Views from the trenches

Best practices

  1. Ensure DMARC alignment is achieved through at least one DKIM signature, preferably the customer's domain, for optimal policy enforcement.
  2. Leverage FBL data obtained via ESP-signed DKIM to proactively address complaint rates and maintain a healthy sender reputation for the ESP's infrastructure.
  3. Regularly monitor both customer and ESP DKIM signatures to detect and resolve any authentication failures swiftly.

Common pitfalls

  1. Overlooking the importance of ESP-signed DKIM for FBL access, particularly for major mailbox providers like Yahoo and Gmail.
  2. Failing to clearly explain the purpose and benefits of double signing to customers, leading to confusion or resistance to implementation.
  3. Not having robust monitoring in place to quickly identify which DKIM signature, if any, is causing authentication issues during troubleshooting.

Expert tips

  1. Consider selective double signing: Some ESPs choose to double sign only for specific mailbox providers (e.g., Yahoo, Gmail) where the ESP's DKIM signature is crucial for FBL access or specific deliverability benefits.
  2. Prioritize DMARC alignment: While the ESP's signature offers redundancy, always prioritize ensuring the customer's DKIM signature aligns with the 'From' domain to fully leverage DMARC's protection and reporting capabilities.
  3. Educate clients on shared responsibility: Emphasize that while the ESP manages technical authentication, customer sending behavior still heavily impacts their own domain's reputation and overall deliverability.

Expert view
Expert from Email Geeks says that double signing provides access to Yahoo and other DKIM-based Feedback Loops, which is crucial for ESPs to receive complaint data without coordinating with customers.
March 19, 2023 - Email Geeks
Expert view
Expert from Email Geeks points out that the Gmail FBL, which predates Google Postmaster Tools, still relies on DKIM signing, making double signing beneficial for continued FBL data.
March 19, 2023 - Email Geeks
